diff --git a/.github/scripts/generate-positive-expected-results/generate_positive_expected_result.py b/.github/scripts/generate-positive-expected-results/generate_positive_expected_result.py
new file mode 100644
index 00000000000..62019120255
--- /dev/null
+++ b/.github/scripts/generate-positive-expected-results/generate_positive_expected_result.py
@@ -0,0 +1,434 @@ +import argparse +import json +import os +import re +import shutil +import subprocess +import sys +import tempfile + +from models import ( + FIELD_ORDER, + KICS_RESULT_CODES, + ExpectedResultEntry, + PositiveTest, + ScanFailure, + natural_sort_key, +) + +SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__)) +REPO_ROOT = os.path.normpath(os.path.join(SCRIPT_DIR, "../../..")) +QUERIES_DIR = os.path.join(REPO_ROOT, "assets", "queries") + + +def parse_args(): + parser = argparse.ArgumentParser(description="Run a KICS scan for a given query.") + group = parser.add_mutually_exclusive_group(required=True) + group.add_argument("--run-all", action="store_true", help="Run scans for all queries under assets/queries.") + group.add_argument("--queryID", help="The query ID to scan.") + parser.add_argument("--queryPath", help="The base path of the query (required without --run-all).") + return parser.parse_args() + + +def build_command(query_id: str, scan_path: str, payload_path: str, output_path: str, output_name: str) -> list[str]: + main_go = os.path.join(REPO_ROOT, "cmd", "console", "main.go") + + return [ + "go", "run", main_go, + "scan", + "-p", scan_path, + "-o", output_path, + "--output-name", output_name, + "-i", query_id, + "-d", payload_path, + "-v", + "--experimental-queries", + "--bom", + "--enable-openapi-refs", + "--kics_compute_new_simid" + ] + + +def _copy_auxiliary_files(src_dir: str, dst_dir: str) -> None: + """Copy non-positive/negative helper files (e.g. 
.pem certs) into dst_dir.""" + for name in os.listdir(src_dir): + if name.startswith("positive") or name.startswith("negative"): + continue + src = os.path.join(src_dir, name) + dst = os.path.join(dst_dir, name) + if os.path.isfile(src) and not os.path.exists(dst): + shutil.copy2(src, dst) + + +def _run_kics(query_id: str, scan_root: str, payload_path: str, + output_path: str, output_name: str) -> int: + command = build_command(query_id, scan_root, payload_path, output_path, output_name) + print("Running command:") + print(" ".join(command)) + print("-" * 60) + try: + result = subprocess.run(command, cwd=REPO_ROOT) + if result.returncode not in KICS_RESULT_CODES: + print(f"\n[ERROR] Scan failed with return code {result.returncode}.", file=sys.stderr) + return result.returncode + except FileNotFoundError: + print("\n[ERROR] 'go' not found. Make sure Go is installed and in your PATH.", file=sys.stderr) + return 1 + +def run_scan(query_id: str, scan_path: str, payload_path: str, output_path: str, + output_name: str) -> int: + """Run a KICS scan using a temporary directory that mirrors the assets/queries/structure for a single file.""" + rel_to_queries = os.path.relpath(scan_path, QUERIES_DIR) + + with tempfile.TemporaryDirectory() as tmpdir: + target_path = os.path.join(tmpdir, rel_to_queries) + if os.path.isdir(scan_path): + shutil.copytree(scan_path, target_path) + else: + os.makedirs(os.path.dirname(target_path), exist_ok=True) + shutil.copy2(scan_path, target_path) + + _copy_auxiliary_files(os.path.dirname(scan_path), os.path.dirname(target_path)) + + return _run_kics(query_id, tmpdir, payload_path, output_path, output_name) + + +def run_directory_scan(query_id: str, scan_paths: list[str], payload_path: str, output_path: str, + output_name: str) -> int: + """Run a KICS scan with all given files copied into a single temporary directory + that mirrors the assets/queries/ structure for an entire directory. 
+ """ + if not scan_paths: + return 0 + + src_dir = os.path.dirname(scan_paths[0]) + rel_dir = os.path.relpath(src_dir, QUERIES_DIR) + + with tempfile.TemporaryDirectory() as tmpdir: + target_dir = os.path.join(tmpdir, rel_dir) + os.makedirs(target_dir, exist_ok=True) + + # Copy all positive files. + for scan_path in scan_paths: + dst = os.path.join(target_dir, os.path.basename(scan_path)) + shutil.copy2(scan_path, dst) + + _copy_auxiliary_files(src_dir, target_dir) + + return _run_kics(query_id, tmpdir, payload_path, output_path, output_name) + + +def find_positive_tests(query_path: str) -> list[PositiveTest]: + test_dir = os.path.join(query_path, "test") + if not os.path.isdir(test_dir): + return [] + + positives = [] + for entry in os.listdir(test_dir): + if not entry.startswith("positive"): + continue + full_path = os.path.join(test_dir, entry) + if os.path.isdir(full_path): + for file in os.listdir(full_path): + file_path = os.path.join(full_path, file) + if not os.path.isfile(file_path): + continue + base_label = os.path.splitext(file)[0] + after = base_label[len("positive"):] + if not after or not after[0].isdigit(): + continue + ext = os.path.splitext(file)[1].lstrip(".") + positives.append(PositiveTest(f"{base_label}_{ext}", file_path, f"test/{entry}")) + else: + suffix = entry[len("positive"):].split(".")[0] + if suffix and not suffix.isdigit(): + continue + ext = os.path.splitext(entry)[1].lstrip(".") + positives.append(PositiveTest(f"positive{suffix}_{ext}", full_path, "test")) + + positives.sort(key=lambda x: natural_sort_key(x.label)) + return positives + + +def run_query_scans(query_id: str, query_path: str) -> tuple[list[ScanFailure], bool]: + positives = find_positive_tests(query_path) + if not positives: + print(f"[WARN] No positive tests found in {query_path}/test, skipping.", file=sys.stderr) + return [], False + + has_subdir_tests = any(t.group != "test" for t in positives) + loose_tests = [t for t in positives if t.group == "test"] + + with 
tempfile.TemporaryDirectory() as tmpdir: + payloads_dir = os.path.join(tmpdir, "payloads") + results_dir = os.path.join(tmpdir, "results") + os.makedirs(payloads_dir) + os.makedirs(results_dir) + + label_to_group = {} + failed = [] + + is_secrets_query = query_path.endswith(os.path.join("common", "passwords_and_secrets")) + + if not has_subdir_tests and loose_tests: + + # 1. Directory scan (all loose files at once). + all_paths = [t.scan_path for t in loose_tests] + dir_label = "directory_scan" + label_to_group[dir_label] = "test" + payload_path = os.path.join(payloads_dir, f"{dir_label}.json") + output_name = f"{dir_label}.json" + print(f"\n -> directory scan: {[os.path.relpath(p, REPO_ROOT) for p in all_paths]}") + rc = run_directory_scan(query_id, all_paths, payload_path, results_dir + os.sep, output_name) + if rc not in KICS_RESULT_CODES: + failed.append(ScanFailure(query_path, payload_path, rc)) + + # 2. Individual file scans (skip for passwords_and_secrets). + if not is_secrets_query: + for test in loose_tests: + label_to_group[test.label] = test.group + payload_path = os.path.join(payloads_dir, f"{test.label}.json") + output_name = f"{test.label}.json" + print(f"\n -> {test.label}: {os.path.relpath(test.scan_path, REPO_ROOT)}") + rc = run_scan(query_id, test.scan_path, payload_path, results_dir + os.sep, output_name) + if rc not in KICS_RESULT_CODES: + failed.append(ScanFailure(test.scan_path, payload_path, rc)) + else: + # 1. Directory scan for all loose positive files in test/. 
+ if loose_tests: + all_loose_paths = [t.scan_path for t in loose_tests] + dir_label = "directory_scan" + label_to_group[dir_label] = "test" + payload_path = os.path.join(payloads_dir, f"{dir_label}.json") + output_name = f"{dir_label}.json" + print(f"\n -> directory scan (loose): {[os.path.relpath(p, REPO_ROOT) for p in all_loose_paths]}") + rc = run_directory_scan(query_id, all_loose_paths, payload_path, results_dir + os.sep, output_name) + if rc not in KICS_RESULT_CODES: + failed.append(ScanFailure(query_path, payload_path, rc)) + + # 2. For each subdirectory, scan all files inside it together. + subdir_groups: dict[str, list[PositiveTest]] = {} + for test in positives: + if test.group != "test": + subdir_groups.setdefault(test.group, []).append(test) + + for group, tests in sorted(subdir_groups.items()): + all_paths = [t.scan_path for t in tests] + dir_label = group.replace("/", "_") + "_scan" + label_to_group[dir_label] = group + payload_path = os.path.join(payloads_dir, f"{dir_label}.json") + output_name = f"{dir_label}.json" + print(f"\n -> directory scan ({group}): {[os.path.relpath(p, REPO_ROOT) for p in all_paths]}") + rc = run_directory_scan(query_id, all_paths, payload_path, results_dir + os.sep, output_name) + if rc not in KICS_RESULT_CODES: + failed.append(ScanFailure(query_path, payload_path, rc)) + + written = collect_and_write_expected_results(query_path, results_dir, label_to_group) + + return failed, written + + +def _load_duplicate_rules(rules_path: str) -> tuple[set[str], list[tuple[str, re.Pattern]]]: + """Return duplicate-ID rule names and their compiled regex patterns.""" + with open(rules_path, encoding="utf-8") as f: + rules = json.load(f).get("rules", []) + + id_to_rules: dict[str, list[dict]] = {} + for rule in rules: + id_to_rules.setdefault(rule.get("id", ""), []).append(rule) + + duplicate_names: set[str] = set() + compiled: list[tuple[str, re.Pattern]] = [] + for rlist in id_to_rules.values(): + if len(rlist) <= 1: + continue + for 
rule in rlist: + duplicate_names.add(rule["name"]) + try: + compiled.append((rule["name"], re.compile(rule["regex"]))) + except (re.error, KeyError): + continue + + return duplicate_names, compiled + + +def _get_cached_lines(file_path: str, file_cache: dict[str, list[str]]) -> list[str]: + """Return lines for file_path, reading and caching on first access.""" + if file_path not in file_cache: + try: + with open(file_path, encoding="utf-8") as f: + file_cache[file_path] = f.readlines() + except (OSError, UnicodeDecodeError): + file_cache[file_path] = [] + return file_cache[file_path] + + +def _fix_entry_name( + entry: ExpectedResultEntry, + prefix: str, + duplicate_names: set[str], + compiled_dup_rules: list[tuple[str, re.Pattern]], + test_dir: str, + file_cache: dict[str, list[str]], +) -> None: + """Correct the queryName of a single entry when it belongs to a duplicate-ID rule group.""" + if not entry.queryName.startswith(prefix): + return + if entry.queryName[len(prefix):] not in duplicate_names: + return + + lines = _get_cached_lines(os.path.join(test_dir, entry.fileName), file_cache) + if not lines or not (0 < entry.line <= len(lines)): + return + + line_content = lines[entry.line - 1] + for rule_name, pattern in compiled_dup_rules: + if pattern.search(line_content): + entry.queryName = prefix + rule_name + break + + +def fix_secrets_query_names(entries: list[ExpectedResultEntry], query_path: str) -> None: + """Fix query names for entries from the passwords_and_secrets query.""" + rules_path = os.path.join(query_path, "regex_rules.json") + if not os.path.isfile(rules_path): + return + + duplicate_names, compiled_dup_rules = _load_duplicate_rules(rules_path) + if not compiled_dup_rules: + return + + with open(os.path.join(query_path, "metadata.json"), encoding="utf-8") as f: + base_name = json.load(f).get("queryName", "") + prefix = base_name + " - " if base_name else "" + if not prefix: + return + + test_dir = os.path.join(query_path, "test") + file_cache: 
dict[str, list[str]] = {} + for entry in entries: + _fix_entry_name(entry, prefix, duplicate_names, compiled_dup_rules, test_dir, file_cache) + + +def collect_and_write_expected_results(query_path: str, results_dir: str, + label_to_group: dict[str, str]) -> bool: + """Read all results files from results_dir and write positive_expected_result.json files. + + Groups findings by scan group ("test" for loose files, "test/" for subdirectory files) + and writes the results sorted into the respective output files. + """ + if not os.path.isdir(results_dir): + return False + + grouped_entries: dict[str, list[ExpectedResultEntry]] = {} + + for filename in sorted(os.listdir(results_dir)): + if not filename.endswith(".json"): + continue + + label = os.path.splitext(filename)[0] + if label not in label_to_group: + continue + + group = label_to_group[label] + + with open(os.path.join(results_dir, filename), encoding="utf-8") as f: + data = json.load(f) + + all_findings = data.get("queries", []) + data.get("bill_of_materials", []) + for query in all_findings: + query_name = query.get("query_name", "") + severity = query.get("severity", "") + for file_entry in query.get("files", []): + entry = ExpectedResultEntry.from_kics_result(query_name, severity, file_entry) + grouped_entries.setdefault(group, []).append(entry) + + if query_path.endswith(os.path.join("common", "passwords_and_secrets")): + for entries in grouped_entries.values(): + fix_secrets_query_names(entries, query_path) + + for group in grouped_entries: + seen = set() + unique = [] + for entry in grouped_entries[group]: + key = tuple(getattr(entry, k) for k in FIELD_ORDER) + if key not in seen: + seen.add(key) + unique.append(entry) + grouped_entries[group] = unique + + if not grouped_entries: + return False + + # If subdirectory results exist but no loose-file results, still write an empty main expected file + if any(g != "test" for g in grouped_entries) and "test" not in grouped_entries: + grouped_entries["test"] = [] 
+ + written_any = False + for group, entries in grouped_entries.items(): + entries.sort(key=lambda e: e.sort_key()) + + out_path = os.path.join(query_path, group, "positive_expected_result.json") + with open(out_path, "w", encoding="utf-8") as f: + json.dump([e.to_ordered_dict() for e in entries], f, indent=2) + f.write("\n") + + print(f" -> Written {len(entries)} entries to {os.path.relpath(out_path, REPO_ROOT)}") + written_any = True + + return written_any + + +def iter_queries(): + """Yield (query_id, query_path) for every query found under assets/queries.""" + for dirpath, _, filenames in os.walk(QUERIES_DIR): + if "metadata.json" not in filenames: + continue + metadata = os.path.join(dirpath, "metadata.json") + with open(metadata, encoding="utf-8") as f: + data = json.load(f) + query_id = data.get("id") + if not query_id: + print(f"[WARN] No 'id' field in {metadata}, skipping.", file=sys.stderr) + continue + yield query_id, dirpath + + +def main(): + args = parse_args() + + if args.run_all: + all_failed = [] + written_count = 0 + queries = list(iter_queries()) + total = len(queries) + width = len(str(total)) + print(f"Found {total} queries. 
Starting scans...\n") + for idx, (query_id, query_path) in enumerate(queries, start=1): + print(f"\n[{idx:{width}d}/{total}] {os.path.relpath(query_path, REPO_ROOT)}") + failed, written = run_query_scans(query_id, query_path) + all_failed.extend(failed) + if written: + written_count += 1 + + print("\n" + "=" * 60) + print(f"[SUMMARY] {written_count}/{total} positive_expected_result.json written") + if all_failed: + print(f" {len(all_failed)} scan(s) failed:") + for failure in all_failed: + print(f" - {os.path.relpath(failure.scan_path, REPO_ROOT)} → exit {failure.return_code}") + sys.exit(1) + else: + print(" All scans completed successfully.") + sys.exit(0) + else: + if not args.queryPath: + print("[ERROR] --queryPath is required when not using --run-all.", file=sys.stderr) + sys.exit(1) + query_path = os.path.normpath(os.path.join(REPO_ROOT, args.queryPath)) + failed, _ = run_query_scans(args.queryID, query_path) + sys.exit(1 if failed else 0) + + +if __name__ == "__main__": + main() diff --git a/.github/scripts/generate-positive-expected-results/models.py b/.github/scripts/generate-positive-expected-results/models.py new file mode 100644 index 00000000000..cbeaee1fd87 --- /dev/null +++ b/.github/scripts/generate-positive-expected-results/models.py 
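Review bot: In `_run_kics`, the `except FileNotFoundError` branch returns 1, but 1 is a member of `KICS_RESULT_CODES` in models.py, so a missing `go` toolchain is recorded as a successful scan by every caller's `if rc not in KICS_RESULT_CODES` check and `--run-all` ends with "All scans completed successfully" while no results file was produced. Return a code outside that set instead, e.g. `return 127  # not a KICS exit code: callers must record this as a failure`. Separately, `main` joins `args.queryPath` onto `REPO_ROOT` without checking that the result lies under `QUERIES_DIR`; `run_scan` and `run_directory_scan` then build the temporary target from `os.path.relpath(scan_path, QUERIES_DIR)`, so a path outside assets/queries yields `..` components and the copy lands outside the temporary directory. A guard such as `if os.path.commonpath([query_path, QUERIES_DIR]) != QUERIES_DIR: sys.exit("[ERROR] --queryPath must point inside assets/queries")` before `run_query_scans` keeps the mirror inside tmpdir. `subprocess.run(command, cwd=REPO_ROOT)` is also invoked without a `timeout`, so one hung scan stalls the whole `--run-all` loop.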
@@ -0,0 +1,93 @@
+import os
+import re
+from dataclasses import dataclass
+
+
+FIELD_ORDER = [
+ "queryName", "severity", "line", "fileName",
+ "resourceType", "resourceName", "searchKey", "searchValue",
+ "expectedValue", "actualValue", "issueType", "similarityID", "search_line",
+]
+
+KICS_RESULT_CODES = {0, 1, 20, 30, 40, 50, 60}
+
+
+def natural_sort_key(s: str):
+ """'positive2.tf' → ['positive', 2, '.tf'] so numeric parts sort numerically."""
+ return [int(c) if c.isdigit() else c for c in re.split(r'(\d+)', s)]
+
+
+@dataclass
+class PositiveTest:
+ """A positive test file to scan."""
+
+ label: str
+ scan_path: str
+ group: str # "test" for loose files, "test/" for subdirectory files
+
+
+@dataclass
+class ScanFailure:
+ """A scan that failed with an unexpected return code."""
+
+ scan_path: str
+ payload_path: str
+ return_code: int
+
+
+@dataclass
+class ExpectedResultEntry:
+ """A single expected vulnerability finding."""
+
+ queryName: str = ""
+ severity: str = ""
+ line: int = 0
+ fileName: str = ""
+ resourceType: str = ""
+ resourceName: str = ""
+ searchKey: str = ""
+ searchValue: str = ""
+ expectedValue: str = ""
+ actualValue: str = ""
+ issueType: str = ""
+ similarityID: str = ""
+ search_line: int = -1
+
+ @classmethod
+ def from_kics_result(cls, query_name: str, severity: str, file_entry: dict) -> "ExpectedResultEntry":
+ """Build an entry from a KICS scan result file_entry."""
+ return cls(
+ queryName=query_name,
+ severity=severity,
+ line=file_entry.get("line", 0),
+ fileName=os.path.basename(file_entry.get("file_name", "")),
+ resourceType=file_entry.get("resource_type", ""),
+ resourceName=file_entry.get("resource_name", ""),
+ searchKey=file_entry.get("search_key", ""),
+ searchValue=file_entry.get("search_value", ""),
+ expectedValue=file_entry.get("expected_value", ""),
+ actualValue=file_entry.get("actual_value", ""),
+ issueType=file_entry.get("issue_type", ""),
+ similarityID=file_entry.get("similarity_id", ""),
+ search_line=file_entry.get("search_line", -1),
+ )
+
+ def to_ordered_dict(self) -> dict:
+ """Return a dict with keys in FIELD_ORDER."""
+ return {k: getattr(self, k) for k in FIELD_ORDER}
+
+ def sort_key(self) -> tuple:
+ return (
+ natural_sort_key(self.fileName),
+ self.line,
+ self.searchKey,
+ self.searchValue,
+ self.resourceType,
+ self.resourceName,
+ self.queryName,
+ self.expectedValue,
+ self.actualValue,
+ self.issueType,
+ self.similarityID,
+ self.search_line,
+ )
diff --git a/assets/queries/ansible/aws/alb_listening_on_http/test/positive_expected_result.json b/assets/queries/ansible/aws/alb_listening_on_http/test/positive_expected_result.json
index 40450933989..94e5c947375 100644
--- a/assets/queries/ansible/aws/alb_listening_on_http/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/alb_listening_on_http/test/positive_expected_result.json
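Review bot: The inline comment on `PositiveTest.group` says `"test/" for subdirectory files`, but `find_positive_tests` in generate_positive_expected_result.py assigns `f"test/{entry}"`, so the value is the subdirectory's path relative to the query, not the literal `test/`; if a placeholder such as `<subdir>` was lost in rendering, restore it, otherwise change the comment to `group: str  # "test" for loose files, "test/<subdirectory name>" for files in a test subdirectory`. The same wording appears in the docstring of `collect_and_write_expected_results` and should be corrected there too. `sort_key` is the only method of `ExpectedResultEntry` without a docstring; `"""Ordering key: natural-sorted fileName, then line, then the remaining fields in a fixed order."""` would match its siblings. `KICS_RESULT_CODES` would also benefit from a comment stating where these exit codes come from and why 1 counts as a completed scan, since every caller relies on that membership test to decide whether a scan failed.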
@@ -2,11 +2,31 @@
 {
 "queryName": "ALB Listening on HTTP",
 "severity": "MEDIUM",
- "line": 11
+ "line": 11,
+ "fileName": "positive.yaml",
+ "resourceType": "community.aws.elb_application_lb",
+ "resourceName": "my_elb_application",
+ "searchKey": "name={{my_elb_application}}.{{community.aws.elb_application_lb}}.listeners.Protocol=HTTP",
+ "searchValue": "",
+ "expectedValue": "'aws_elb_application_lb' Protocol should be 'HTTP'",
+ "actualValue": "'aws_elb_application_lb' Protocol it's not 'HTTP'",
+ "issueType": "IncorrectValue",
+ "similarityID": "607f2f1c612a246aadce48454d34acfb08c461d2bcf9955e6c83e4c1c623a394",
+ "search_line": -1
 },
 {
 "queryName": "ALB Listening on HTTP",
 "severity": "MEDIUM",
- "line": 29
+ "line": 29,
+ "fileName": "positive.yaml",
+ "resourceType": "community.aws.elb_application_lb",
+ "resourceName": "my_elb_application2",
+ "searchKey": "name={{my_elb_application2}}.{{community.aws.elb_application_lb}}.listeners",
+ "searchValue": "",
+ "expectedValue": "'aws_elb_application_lb' Protocol should be 'HTTP'",
+ "actualValue": "'aws_elb_application_lb' Protocol is missing",
+ "issueType": "MissingAttribute",
+ "similarityID": "b8bad394a7838d266d3b23cbd20fffa0b9695e9b9ce815983d45b422a420d195",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/ami_not_encrypted/test/positive_expected_result.json b/assets/queries/ansible/aws/ami_not_encrypted/test/positive_expected_result.json
index d31968ad825..a526928930a 100644
--- a/assets/queries/ansible/aws/ami_not_encrypted/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/ami_not_encrypted/test/positive_expected_result.json
@@ -2,11 +2,31 @@
 {
 "queryName": "AMI Not Encrypted",
 "severity": "MEDIUM",
- "line": 6
+ "line": 6,
+ "fileName": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_ami",
+ "resourceName": "Basic AMI Creation",
+ "searchKey": "name={{Basic AMI Creation}}.{{amazon.aws.ec2_ami}}.device_mapping.encrypted",
+ "searchValue": "",
+ "expectedValue": "ec2_ami.device_mapping.encrypted should be set to true",
+ "actualValue": "ec2_ami.device_mapping.encrypted is set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "1019507ea6b5dc1e86ed66df617c66e37d9820bf3f232b628ff0202ed08f649e",
+ "search_line": -1
 },
 {
 "queryName": "AMI Not Encrypted",
 "severity": "MEDIUM",
- "line": 13
+ "line": 13,
+ "fileName": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_ami",
+ "resourceName": "Basic AMI Creation2",
+ "searchKey": "name={{Basic AMI Creation2}}.{{amazon.aws.ec2_ami}}",
+ "searchValue": "",
+ "expectedValue": "ec2_ami.device_mapping.device_name.encrypted should be set to true",
+ "actualValue": "ec2_ami.device_mapping.device_name.encrypted is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "9512ff434c3adcfecc7caf5b9717c1e1896b41010d2f428ce4ef7bb62e49929c",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json b/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json
index 88b18dd84e1..5e7ab7257dd 100644
--- a/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json
@@ -2,11 +2,31 @@
 {
 "queryName": "AMI Shared With Multiple Accounts",
 "severity": "MEDIUM",
- "line": 5
+ "line": 5,
+ "fileName": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_ami",
+ "resourceName": "Update AMI Launch Permissions, making it public",
+ "searchKey": "name={{Update AMI Launch Permissions, making it public}}.{{amazon.aws.ec2_ami}}.launch_permissions",
+ "searchValue": "",
+ "expectedValue": "ec2_ami.launch_permissions just allows one user to launch the AMI",
+ "actualValue": "ec2_ami.launch_permissions allows more than one user to launch the AMI",
+ "issueType": "IncorrectValue",
+ "similarityID": "c9fb9becbae73675895b861b79d0a5ab275dd56551b224e5502c6e1b53b0f039",
+ "search_line": -1
 },
 {
 "queryName": "AMI Shared With Multiple Accounts",
 "severity": "MEDIUM",
- "line": 11
+ "line": 11,
+ "fileName": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_ami",
+ "resourceName": "Allow AMI to be launched by another account",
+ "searchKey": "name={{Allow AMI to be launched by another account}}.{{amazon.aws.ec2_ami}}.launch_permissions",
+ "searchValue": "",
+ "expectedValue": "ec2_ami.launch_permissions just allows one user to launch the AMI",
+ "actualValue": "ec2_ami.launch_permissions allows more than one user to launch the AMI",
+ "issueType": "IncorrectValue",
+ "similarityID": "d9d6be03b8285c258824251592a50a5025987ae73334efa87c313b7dfa49c547",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json b/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json
index 1ed39fc54bd..b5bf4a0ffe3 100644
--- a/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "API Gateway Endpoint Config is Not Private",
 "severity": "MEDIUM",
- "line": 8
+ "line": 8,
+ "fileName": "positive.yaml",
+ "resourceType": "community.aws.aws_api_gateway",
+ "resourceName": "Setup AWS API Gateway setup on AWS and deploy API definition",
+ "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition}}.{{community.aws.aws_api_gateway}}.endpoint_type",
+ "searchValue": "",
+ "expectedValue": "'aws_api_gateway.endpoint_type' should be set to 'PRIVATE'",
+ "actualValue": "'aws_api_gateway.endpoint_type' is not 'PRIVATE'",
+ "issueType": "IncorrectValue",
+ "similarityID": "afbad0b8491f6423e427a5b02ade6b0dda8368c355eb2377d9b774291cf0b4e7",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json
index aef74f95ba2..96f518c3bbf 100644
--- a/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "API Gateway With CloudWatch Logging Disabled",
 "severity": "MEDIUM",
- "line": 3
+ "line": 3,
+ "fileName": "positive.yaml",
+ "resourceType": "community.aws.cloudwatchlogs_log_group",
+ "resourceName": "Setup AWS API Gateway setup on AWS cloudwatchlogs",
+ "searchKey": "name={{Setup AWS API Gateway setup on AWS cloudwatchlogs}}.{{community.aws.cloudwatchlogs_log_group}}",
+ "searchValue": "",
+ "expectedValue": "cloudwatchlogs_log_grouptracing_enabled should contain log_group_name",
+ "actualValue": "cloudwatchlogs_log_group does not contain log_group_name defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "d9c365cf6b6e094fce902d9ef3572fc723f092e8ca343c0d36fe5a41c7bb63c6",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json b/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json
index 9be124eee7b..aced45fd77b 100644
--- a/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json
@@ -3,24 +3,60 @@
 "queryName": "API Gateway Without Configured Authorizer",
 "severity": "MEDIUM",
 "line": 3,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "community.aws.aws_api_gateway",
+ "resourceName": "Setup AWS API Gateway setup on AWS and deploy API definition",
+ "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition}}.{{community.aws.aws_api_gateway}}.swagger_dict",
+ "searchValue": "",
+ "expectedValue": "'community.aws.aws_api_gateway.swagger_dict' should have an authorizer set",
+ "actualValue": "'community.aws.aws_api_gateway.swagger_dict' does not have a authorizer set",
+ "issueType": "IncorrectValue",
+ "similarityID": "fe3e377c6f66b5ec4b204a63bd1d92d5bd0940f7709d64d1c8020c8a22d12b3c",
+ "search_line": -1
 },
 {
 "queryName": "API Gateway Without Configured Authorizer",
 "severity": "MEDIUM",
 "line": 2,
- "fileName": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "aws_api_gateway",
+ "resourceName": "Setup AWS API Gateway setup on AWS and deploy API definition2",
+ "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition2}}.{{aws_api_gateway}}",
+ "searchValue": "",
+ "expectedValue": "'aws_api_gateway' should have swagger_file, swagger_text or swagger_dict set",
+ "actualValue": "'aws_api_gateway' does not have swagger_file, swagger_text or swagger_dict set",
+ "issueType": "IncorrectValue",
+ "similarityID": "ddfb7af6321147fc9725e8e859bb0e19cf96060b80fc3977302df93344a243ec",
+ "search_line": -1
 },
 {
 "queryName": "API Gateway Without Configured Authorizer",
 "severity": "MEDIUM",
 "line": 3,
- "fileName": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "aws_api_gateway",
+ "resourceName": "Setup AWS API Gateway setup on AWS and deploy API 222",
+ "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API 222}}.{{aws_api_gateway}}.swagger_file",
+ "searchValue": "",
+ "expectedValue": "'aws_api_gateway.swagger_file' should have an authorizer set",
+ "actualValue": "'aws_api_gateway.swagger_file' does not have a authorizer set",
+ "issueType": "IncorrectValue",
+ "similarityID": "54d917d994910ab583e416d8ed3ffbfbc5c3b76e4e389d4ec001c942a5895542",
+ "search_line": 0
 },
 {
 "queryName": "API Gateway Without Configured Authorizer",
 "severity": "MEDIUM",
 "line": 3,
- "fileName": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "aws_api_gateway",
+ "resourceName": "Setup AWS API Gateway setup on AWS and deploy API 222",
+ "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API 222}}.{{aws_api_gateway}}.swagger_text",
+ "searchValue": "",
+ "expectedValue": "'aws_api_gateway.swagger_text' should have an authorizer set",
+ "actualValue": "'aws_api_gateway.swagger_text' does not have a authorizer set",
+ "issueType": "IncorrectValue",
+ "similarityID": "7eeb99b352c87ebbcec5de88dfe2e950b218a1f367b6215a0c9f7f7b5297bc54",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json b/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json
index 211045f9e04..18743ff6547 100644
--- a/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json
@@ -1,25 +1,62 @@
 [
- {
- "queryName": "API Gateway Without SSL Certificate",
- "severity": "MEDIUM",
- "line": 6
- },
-
- {
- "queryName": "API Gateway Without SSL Certificate",
- "severity": "MEDIUM",
- "line": 8
- },
-
- {
- "queryName": "API Gateway Without SSL Certificate",
- "severity": "MEDIUM",
- "line": 21
- },
-
- {
- "queryName": "API Gateway Without SSL Certificate",
- "severity": "MEDIUM",
- "line": 23
- }
+ {
+ "queryName": "API Gateway Without SSL Certificate",
+ "severity": "MEDIUM",
+ "line": 6,
+ "fileName": "positive.yaml",
+ "resourceType": "aws_api_gateway",
+ "resourceName": "update API",
+ "searchKey": "name={{update API}}.{{aws_api_gateway}}.validate_certs",
+ "searchValue": "",
+ "expectedValue": "aws_api_gateway.validate_certs should be set to yes",
+ "actualValue": "aws_api_gateway.validate_certs is not set to yes",
+ "issueType": "IncorrectValue",
+ "similarityID": "5c46a089b29a823bedcbf51c4e833b03ae397256d5ad889cf25e60064dd20f39",
+ "search_line": -1
+ },
+ {
+ "queryName": "API Gateway Without SSL Certificate",
+ "severity": "MEDIUM",
+ "line": 8,
+ "fileName": "positive.yaml",
+ "resourceType": "aws_api_gateway",
+ "resourceName": "update API v1",
+ "searchKey": "name={{update API v1}}.{{aws_api_gateway}}",
+ "searchValue": "",
+ "expectedValue": "aws_api_gateway.validate_certs should be set",
+ "actualValue": "aws_api_gateway.validate_certs is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "cbf1cde1a0cc1fe648d3c6d3d6e55ccb4d76e087abdceb87744f7737ac8a55f2",
+ "search_line": -1
+ },
+ {
+ "queryName": "API Gateway Without SSL Certificate",
+ "severity": "MEDIUM",
+ "line": 21,
+ "fileName": "positive.yaml",
+ "resourceType": "community.aws.aws_api_gateway",
+ "resourceName": "Setup AWS API Gateway setup on AWS and deploy API definition",
+ "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition}}.{{community.aws.aws_api_gateway}}.validate_certs",
+ "searchValue": "",
+ "expectedValue": "aws_api_gateway.validate_certs should be set to yes",
+ "actualValue": "aws_api_gateway.validate_certs is not set to yes",
+ "issueType": "IncorrectValue",
+ "similarityID": "2e77f7861dc2f396095e45ac172a705a566d59798cbdc5f752be8f1df09aa8f3",
+ "search_line": -1
+ },
+ {
+ "queryName": "API Gateway Without SSL Certificate",
+ "severity": "MEDIUM",
+ "line": 23,
+ "fileName": "positive.yaml",
+ "resourceType": "community.aws.aws_api_gateway",
+ "resourceName": "Setup AWS API Gateway setup on AWS and deploy API definition v1",
+ "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition v1}}.{{community.aws.aws_api_gateway}}",
+ "searchValue": "",
+ "expectedValue": "aws_api_gateway.validate_certs should be set",
+ "actualValue": "aws_api_gateway.validate_certs is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "94d19a8449a34828a18c4ae4488edf623f806c7b1bcfa67b27ec4651c1a14fd6",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/ansible/aws/api_gateway_without_waf/test/positive_expected_result.json b/assets/queries/ansible/aws/api_gateway_without_waf/test/positive_expected_result.json
index 02ac980101b..7e4fdc4aae7 100644
--- a/assets/queries/ansible/aws/api_gateway_without_waf/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/api_gateway_without_waf/test/positive_expected_result.json
@@ -1,8 +1,17 @@ [ - { - "queryName": "API Gateway without WAF", - "severity": "MEDIUM", - "line": 8, - "fileName": "positive.yaml" - } + { + "queryName": "API Gateway without WAF", + "severity": "MEDIUM", + "line": 8, + "fileName": "positive.yaml", + "resourceType": "community.aws.aws_api_gateway", + "resourceName": "Setup AWS API Gateway setup on AWS and deploy API definition2", + "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition2}}.{{community.aws.aws_api_gateway}}", + "searchValue": "", + "expectedValue": "API Gateway Stage should be associated with a Web Application Firewall", + "actualValue": "API Gateway Stage is not associated with a Web Application Firewall", + "issueType": "MissingAttribute", + "similarityID": "9cbcfe5e8565dc00849abb844c7886491dce873e260d7f53facca6fb5384b4fa", + "search_line": 8 + } ] diff --git a/assets/queries/ansible/aws/api_gateway_xray_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/api_gateway_xray_disabled/test/positive_expected_result.json index dbe97c3a028..983d704e763 100644 --- a/assets/queries/ansible/aws/api_gateway_xray_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/api_gateway_xray_disabled/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "API Gateway X-Ray Disabled", "severity": "LOW", - "line": 8 + "line": 8, + "fileName": "positive.yaml", + "resourceType": "community.aws.aws_api_gateway", + "resourceName": "Setup AWS API Gateway setup on AWS and deploy API definition", + "searchKey": "name={{Setup AWS API Gateway setup on AWS and deploy API definition}}.{{community.aws.aws_api_gateway}}.tracing_enabled", + "searchValue": "", + "expectedValue": "aws_api_gateway.tracing_enabled should be true", + "actualValue": "aws_api_gateway.tracing_enabled is false", + "issueType": "IncorrectValue", + "similarityID": "a4bfd27485407d0ae95b6482412dba8405ddc8fb658736e4c96929cccb0942b6", + "search_line": -1 }, { "queryName": "API Gateway X-Ray Disabled", "severity": "LOW", - "line": 12 + "line": 12, + "fileName": "positive.yaml", + "resourceType": "community.aws.aws_api_gateway", + "resourceName": "Update API definition to deploy new version", + "searchKey": "name={{Update API definition to deploy new version}}.{{community.aws.aws_api_gateway}}", + "searchValue": "", + "expectedValue": "aws_api_gateway.tracing_enabled should be defined", + "actualValue": "aws_api_gateway.tracing_enabled is undefined", + "issueType": "MissingAttribute", + "similarityID": "6ea68590704c074e40d25b3f4881fdb4ee56ca108a3b49638cae87ce9e8ed305", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/authentication_without_mfa/test/positive_expected_result.json b/assets/queries/ansible/aws/authentication_without_mfa/test/positive_expected_result.json index 27bfe61de31..103da74d8b3 100644 --- a/assets/queries/ansible/aws/authentication_without_mfa/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/authentication_without_mfa/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "Authentication Without MFA", "severity": "LOW", - "line": 2 + "line": 2, + "fileName": "positive.yaml", + "resourceType": "community.aws.sts_assume_role", + "resourceName": "Assume an existing role", + "searchKey": "name={{Assume an existing role}}.{{community.aws.sts_assume_role}}", + "searchValue": "mfa_token", + "expectedValue": "sts_assume_role.mfa_token should be set", + "actualValue": "sts_assume_role.mfa_token is undefined", + "issueType": "MissingAttribute", + "similarityID": "027d0830dc63d3b41d3c0c4b00ed48542e2abfc5bca9961fd7151c9a42940bf0", + "search_line": 2 }, { "queryName": "Authentication Without MFA", "severity": "LOW", - "line": 9 + "line": 9, + "fileName": "positive.yaml", + "resourceType": "sts_assume_role", + "resourceName": "Hello", + "searchKey": "name={{Hello}}.{{sts_assume_role}}", + "searchValue": "mfa_serial_number", + "expectedValue": "sts_assume_role.mfa_serial_number should be set", + "actualValue": "sts_assume_role.mfa_serial_number is undefined", + "issueType": "MissingAttribute", + "similarityID": "7030d8db76a168ad17cd77312249dfe6c6194548032e908cc9623d505812f7b6", + "search_line": 9 }, { "queryName": "Authentication Without MFA", "severity": "LOW", - "line": 9 + "line": 9, + "fileName": "positive.yaml", + "resourceType": "sts_assume_role", + "resourceName": "Hello", + "searchKey": "name={{Hello}}.{{sts_assume_role}}", + "searchValue": "mfa_token", + "expectedValue": "sts_assume_role.mfa_token should be set", + "actualValue": "sts_assume_role.mfa_token is undefined", + "issueType": "MissingAttribute", + "similarityID": "2c699f62fc7e56dece58817cd13a3283472ce7b0eefacd398805b622e48ac4e0", + "search_line": 9 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json b/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json index ba9b8c747ce..8241af5a7f3 100644 
--- a/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", "line": 4, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "community.aws.ec2_asg", + "resourceName": "elb1", + "searchKey": "name={{elb1}}.{{community.aws.ec2_asg}}.load_balancers", + "searchValue": "", + "expectedValue": "community.aws.ec2_asg.load_balancers should not be empty", + "actualValue": "community.aws.ec2_asg.load_balancers is empty", + "issueType": "IncorrectValue", + "similarityID": "dd87d87bb8601e6c533efc069847539f4ff728627445a1a8a73d1bcd2786cac5", + "search_line": -1 }, { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", "line": 2, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "ec2_asg", + "resourceName": "elb2", + "searchKey": "name={{elb2}}.{{ec2_asg}}", + "searchValue": "", + "expectedValue": "ec2_asg.load_balancers should be set and not empty", + "actualValue": "ec2_asg.load_balancers is undefined", + "issueType": "MissingAttribute", + "similarityID": "5e49dec3b58c85547f0e325550552f74557c0f82462dc22bb344e2cbac473682", + "search_line": -1 } ] diff --git a/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json index 2cff287eee5..285afea17a7 100644 --- a/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", - "line": 10 + "line": 10, + "fileName": "positive.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "community - create minimal aurora instance in default VPC and default subnet group", + "searchKey": "name={{community - create minimal aurora instance in default VPC and default subnet group}}.{{community.aws.rds_instance}}.auto_minor_version_upgrade", + "searchValue": "", + "expectedValue": "rds_instance.auto_minor_version_upgrade should be true", + "actualValue": "rds_instance.auto_minor_version_upgrade is false", + "issueType": "IncorrectValue", + "similarityID": "165d6ffa941d25645b4dbcf858af810bbe6846008a56dd62cb6ed00ca7b1205d", + "search_line": -1 }, { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", - "line": 12 + "line": 12, + "fileName": "positive.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "community - Create a DB instance using the default AWS KMS encryption key", + "searchKey": "name={{community - Create a DB instance using the default AWS KMS encryption key}}.{{community.aws.rds_instance}}", + "searchValue": "", + "expectedValue": "rds_instance.auto_minor_version_upgrade should be set", + "actualValue": "rds_instance.auto_minor_version_upgrade is undefined", + "issueType": "MissingAttribute", + "similarityID": "7801469296e86bf6441223d1b3c2e47db80b5f89b9e77cc8776ea22ed378e628", + "search_line": -1 } ] diff --git a/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json b/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json index 858725018b5..5f2fe63f46d 100644 --- a/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "AWS Password Policy With Unchangeable Passwords", "severity": "LOW", - "line": 9 + "line": 9, + "fileName": "positive.yaml", + "resourceType": "community.aws.iam_password_policy", + "resourceName": "Password policy for AWS account", + "searchKey": "name={{Password policy for AWS account}}.{{community.aws.iam_password_policy}}.allow_pw_change", + "searchValue": "", + "expectedValue": "iam_password_policy should have the property 'allow_pw_change/allow_password_change' true", + "actualValue": "iam_password_policy has the property 'allow_pw_change/allow_password_change' undefined or false", + "issueType": "IncorrectValue", + "similarityID": "d15d103018f96e42227509deb5eef7654f49fb3e842b2543c4879a1719a1fd3f", + "search_line": -1 }, { "queryName": "AWS Password Policy With Unchangeable Passwords", "severity": "LOW", - "line": 21 + "line": 21, + "fileName": "positive.yaml", + "resourceType": "community.aws.iam_password_policy", + "resourceName": "Alias Password policy for AWS account", + "searchKey": "name={{Alias Password policy for AWS account}}.{{community.aws.iam_password_policy}}.allow_password_change", + "searchValue": "", + "expectedValue": "iam_password_policy should have the property 'allow_pw_change/allow_password_change' true", + "actualValue": "iam_password_policy has the property 'allow_pw_change/allow_password_change' undefined or false", + "issueType": "IncorrectValue", + "similarityID": "4680ee3a12cff8b0ae04d1d210db68184be0153295932923803d19c88985fd53", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json b/assets/queries/ansible/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json index f1d91515e25..7db52015d44 100644 --- a/assets/queries/ansible/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json 
+++ b/assets/queries/ansible/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json @@ -1,7 +1,17 @@ [ { - "line": 9, "queryName": "Batch Job Definition With Privileged Container Properties", - "severity": "HIGH" + "severity": "HIGH", + "line": 9, + "fileName": "positive.yaml", + "resourceType": "community.aws.aws_batch_job_definition", + "resourceName": "My Batch Job Definition", + "searchKey": "name={{My Batch Job Definition}}.{{community.aws.aws_batch_job_definition}}.privileged", + "searchValue": "", + "expectedValue": "name={{My Batch Job Definition}}.{{community.aws.aws_batch_job_definition}}.privileged should be set to 'false' or not set", + "actualValue": "name={{My Batch Job Definition}}.{{community.aws.aws_batch_job_definition}}.privileged is 'true'", + "issueType": "IncorrectValue", + "similarityID": "e9463622a05be8328e98fd57c204615468d6018b077c01b391c036a3007c3682", + "search_line": -1 } ] diff --git a/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json b/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json index 222b4d17cd8..89d89e93440 100644 --- a/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "CA Certificate Identifier Is Outdated", "severity": "MEDIUM", - "line": 10 + "line": 10, + "fileName": "positive.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "create minimal aurora instance in default VPC and default subnet group", + "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group}}.{{community.aws.rds_instance}}.ca_certificate_identifier", + "searchValue": "", + "expectedValue": "rds_instance.ca_certificate_identifier should equal to 'rds-ca-2019'", + "actualValue": "rds_instance.ca_certificate_identifier is not equal to 'rds-ca-2019'", + "issueType": "IncorrectValue", + "similarityID": "15fe13134217b56d732b7c47a63dc0d133e1b68578992ce21b351f0f2a6b66f3", + "search_line": -1 }, { "queryName": "CA Certificate Identifier Is Outdated", "severity": "MEDIUM", - "line": 12 + "line": 12, + "fileName": "positive.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "create a DB instance using the default AWS KMS encryption key", + "searchKey": "name={{create a DB instance using the default AWS KMS encryption key}}.{{community.aws.rds_instance}}", + "searchValue": "", + "expectedValue": "rds_instance.ca_certificate_identifier should be defined", + "actualValue": "rds_instance.ca_certificate_identifier is undefined", + "issueType": "MissingAttribute", + "similarityID": "7a1e0499e6514b45066f446801b9daa3223a8c5f541e78a8db3c9431c87e6109", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/cdn_configuration_is_missing/test/positive_expected_result.json b/assets/queries/ansible/aws/cdn_configuration_is_missing/test/positive_expected_result.json index b448a833b84..3c19279ca6a 100644 --- a/assets/queries/ansible/aws/cdn_configuration_is_missing/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cdn_configuration_is_missing/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "CDN Configuration Is Missing", "severity": "LOW", - "line": 2 + "line": 2, + "fileName": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "create a distribution without an origin and with enabled=false", + "searchKey": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}", + "searchValue": "origins", + "expectedValue": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.origins should be defined", + "actualValue": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.origins is not defined", + "issueType": "MissingAttribute", + "similarityID": "82e17d1eb3262bc3cac2875c2995e6652b6704398a92457fe0f24843a91d1dba", + "search_line": 2 }, { "queryName": "CDN Configuration Is Missing", "severity": "LOW", - "line": 23 + "line": 23, + "fileName": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "create a distribution without an origin and with enabled=false", + "searchKey": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.enabled", + "searchValue": "", + "expectedValue": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.enabled should be set to 'true'", + "actualValue": "name={{create a distribution without an origin and with enabled=false}}.{{community.aws.cloudfront_distribution}}.enabled is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "66c04fbe689faa360af03845ec9944996b3ab4116657b2ea17e3c4c33091a386", + "search_line": 23 } ] 
diff --git a/assets/queries/ansible/aws/certificate_has_expired/test/positive_expected_result.json b/assets/queries/ansible/aws/certificate_has_expired/test/positive_expected_result.json index 58dbbac7544..7ba775813e4 100644 --- a/assets/queries/ansible/aws/certificate_has_expired/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/certificate_has_expired/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Certificate Has Expired", "severity": "MEDIUM", - "line": 3 + "line": 3, + "fileName": "positive.yaml", + "resourceType": "community.aws.aws_acm", + "resourceName": "upload a self-signed certificate", + "searchKey": "name={{upload a self-signed certificate}}.community.aws.aws_acm.certificate", + "searchValue": "", + "expectedValue": "'community.aws.aws_acm.certificate' should not have expired", + "actualValue": "'community.aws.aws_acm.certificate' has expired", + "issueType": "IncorrectValue", + "similarityID": "05b27a7539bd47f61d4e8aebd02ddb5189b55c225c5538a19ad2267aaa9aedc1", + "search_line": -1 } ] diff --git a/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json b/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json index 26c7b277c74..ce4346cc8cd 100644 --- a/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "Certificate RSA Key Bytes Lower Than 256", "severity": "MEDIUM", - "line": 3 + "line": 3, + "fileName": "positive.yaml", + "resourceType": "community.aws.aws_acm", + "resourceName": "upload a self-signed certificate", + "searchKey": "name={{upload a self-signed certificate}}.community.aws.aws_acm.certificate", + "searchValue": "", + "expectedValue": "'community.aws.aws_acm.certificate' should use a RSA key with a length equal to or higher than 256 bytes", + "actualValue": "'community.aws.aws_acm.certificate' does not use a RSA key with a length equal to or higher than 256 bytes", + "issueType": "IncorrectValue", + "similarityID": "9069dd768988a607eb013cba648c0fd0afad991c230844d883c7617d23c10cd3", + "search_line": -1 } ] diff --git a/assets/queries/ansible/aws/cloudfront_logging_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudfront_logging_disabled/test/positive_expected_result.json index 45d5f284ccf..b40f97d78e7 100644 --- a/assets/queries/ansible/aws/cloudfront_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudfront_logging_disabled/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", - "line": 2 + "line": 2, + "fileName": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "create a distribution with an origin, logging and default cache behavior", + "searchKey": "name={{create a distribution with an origin, logging and default cache behavior}}.{{community.aws.cloudfront_distribution}}", + "searchValue": "", + "expectedValue": "cloudfront_distribution.logging should be defined", + "actualValue": "cloudfront_distribution.logging is undefined", + "issueType": "MissingAttribute", + "similarityID": "fa4b9512a6758bd0aff6aeb07f3863eb018b184fac2162c3a7be81a379111ed5", + "search_line": -1 }, { "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", - "line": 62 + "line": 62, + "fileName": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "create a second distribution with an origin, logging and default cache behavior", + "searchKey": "name={{create a second distribution with an origin, logging and default cache behavior}}.{{community.aws.cloudfront_distribution}}.logging.enabled", + "searchValue": "", + "expectedValue": "cloudfront_distribution.logging.enabled should be true", + "actualValue": "cloudfront_distribution.logging.enabled is false", + "issueType": "IncorrectValue", + "similarityID": "6c2e50be37514f6860360fd203fe7fe63ca464f695f26dd3c640684ec0200c2a", + "search_line": -1 } ] diff --git a/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json index f5d18279262..ebd6a36258d 100644 --- a/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 18 + "line": 18, + "fileName": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "create a distribution with an origin and logging", + "searchKey": "name={{create a distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version", + "searchValue": "", + "expectedValue": "name={{create a distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version' should be TLSv1.2_x", + "actualValue": "name={{create a distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version' is TLSv1", + "issueType": "IncorrectValue", + "similarityID": "fc510998f1a574a521b5e849efb931d266e891fea384e4d04c87bdca70a1ccb7", + "search_line": 18 }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 37 + "line": 37, + "fileName": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "create another distribution with an origin and logging", + "searchKey": "name={{create another distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version", + "searchValue": "", + "expectedValue": "name={{create another distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version' should be TLSv1.2_x", + "actualValue": "name={{create another distribution with an origin and logging}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version' is TLSv1.1_2016", + "issueType": "IncorrectValue", + "similarityID": "b1c9c384e11710745ba74f0152dda19a32ff01f259341a4ee9e9e9d937236231", + "search_line": 37 }, { - "line": 40, "queryName": 
"CloudFront Without Minimum Protocol TLS 1.2", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 40, + "fileName": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "create a third distribution", + "searchKey": "name={{create a third distribution}}.{{community.aws.cloudfront_distribution}}", + "searchValue": "", + "expectedValue": "cloudfront_distribution.viewer_certificate should be defined", + "actualValue": "cloudfront_distribution.viewer_certificate is undefined", + "issueType": "MissingAttribute", + "similarityID": "3aa770ae5f1f19c2fc038d6cff4d88692a4f17f9416b52302380ed28509144a2", + "search_line": 40 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/cloudfront_without_waf/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudfront_without_waf/test/positive_expected_result.json index f4dbbfce596..6650b0aa030 100644 --- a/assets/queries/ansible/aws/cloudfront_without_waf/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudfront_without_waf/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "CloudFront Without WAF", "severity": "MEDIUM", - "line": 2 + "line": 2, + "fileName": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "create a basic distribution with defaults and tags", + "searchKey": "name={{create a basic distribution with defaults and tags}}.{{community.aws.cloudfront_distribution}}", + "searchValue": "", + "expectedValue": "cloudfront_distribution.web_acl_id should be defined", + "actualValue": "cloudfront_distribution.web_acl_id is undefined", + "issueType": "MissingAttribute", + "similarityID": "6165853314a4dc9452476e590cde691ba175d16a4b1d0941f9d077c16e45d06f", + "search_line": -1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json index 4e971a4b33b..3ef147ceba0 100644 --- a/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json @@ -2,11 +2,31 @@ { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", - "line": 2 + "line": 2, + "fileName": "positive.yaml", + "resourceType": "community.aws.cloudtrail", + "resourceName": "create multi-region trail with validation and tags", + "searchKey": "name={{create multi-region trail with validation and tags}}.{{community.aws.cloudtrail}}", + "searchValue": "", + "expectedValue": "cloudtrail.enable_log_file_validation or cloudtrail.log_file_validation_enabled should be defined", + "actualValue": "cloudtrail.enable_log_file_validation and cloudtrail.log_file_validation_enabled are undefined", + "issueType": "MissingAttribute", + "similarityID": "6d085c2a5e9578f3fc6aff55e7be89c4c7fbf876f457886ff1b28a2f2fe4108c", + "search_line": -1 }, { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", - "line": 21 + "line": 21, + "fileName": "positive.yaml", + "resourceType": "community.aws.cloudtrail", + "resourceName": "create multi-region trail with validation and tags v7", + "searchKey": "name={{create multi-region trail with validation and tags v7}}.{{community.aws.cloudtrail}}.enable_log_file_validation", + "searchValue": "", + "expectedValue": "cloudtrail.enable_log_file_validation should be set to true or yes", + "actualValue": "cloudtrail.enable_log_file_validation is not set to true nor yes", + "issueType": "IncorrectValue", + "similarityID": "d2161003bcc6780e59adaacf790c0b0e0fae5c58af3d0bd16778bf4429d60b94", + "search_line": -1 } ] 
diff --git a/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json index f8ba4b8005d..5e4b4d20c08 100644 --- a/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "CloudTrail Log Files Not Encrypted With KMS", "severity": "LOW", - "line": 2 + "line": 2, + "fileName": "positive.yaml", + "resourceType": "community.aws.cloudtrail", + "resourceName": "no sns topic name", + "searchKey": "name={{no sns topic name}}.{{community.aws.cloudtrail}}", + "searchValue": "", + "expectedValue": "cloudtrail.kms_key_id should be set", + "actualValue": "cloudtrail.kms_key_id is undefined", + "issueType": "MissingAttribute", + "similarityID": "0b266385091bf46d58a859af45ce3c5bfb27cf4e9e2b56b91e9133a7be99ecac", + "search_line": -1 } ] diff --git a/assets/queries/ansible/aws/cloudtrail_logging_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudtrail_logging_disabled/test/positive_expected_result.json index 8e57b93dc88..619603fee1c 100644 --- a/assets/queries/ansible/aws/cloudtrail_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudtrail_logging_disabled/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "CloudTrail Logging Disabled", "severity": "MEDIUM", - "line": 5 + "line": 5, + "fileName": "positive.yaml", + "resourceType": "community.aws.cloudtrail", + "resourceName": "example", + "searchKey": "name={{example}}.{{community.aws.cloudtrail}}.enable_logging", + "searchValue": "", + "expectedValue": "cloudtrail.enable_logging should be true", + "actualValue": "cloudtrail.enable_logging is false", + "issueType": "IncorrectValue", + "similarityID": "9ec673320b4aac5f721fbea1afb094187686f40251d15bc06d8bcc22709d153a", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json index f69ea5b8494..11925bbf221 100644 --- a/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "CloudTrail Multi Region Disabled", "severity": "LOW", - "line": 7 + "line": 7, + "fileName": "positive.yaml", + "resourceType": "community.aws.cloudtrail", + "resourceName": "example1", + "searchKey": "name={{example1}}.{{community.aws.cloudtrail}}.is_multi_region_trail", + "searchValue": "", + "expectedValue": "cloudtrail.is_multi_region_trail should be true", + "actualValue": "cloudtrail.is_multi_region_trail is false", + "issueType": "IncorrectValue", + "similarityID": "2f7502bb272611bf3815b1ea2dd0d8992f7d7b40f54da514179e270efbb3665b", + "search_line": -1 }, { "queryName": "CloudTrail Multi Region Disabled", "severity": "LOW", - "line": 18 + "line": 18, + "fileName": "positive.yaml", + "resourceType": "community.aws.cloudtrail", + "resourceName": "example2", + "searchKey": "name={{example2}}.{{community.aws.cloudtrail}}", + "searchValue": "", + "expectedValue": "cloudtrail.is_multi_region_trail should be defined and set to true", + "actualValue": "cloudtrail.is_multi_region_trail is undefined", + "issueType": "MissingAttribute", + "similarityID": "b1e2359f75d99a9dd3b3d445600e1f0156dd4f590c433a37a5e2917ad9747771", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json index 1a0aa93a791..38927b304f2 100644 --- a/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json 
@@ -1,22 +1,62 @@
 [
 {
+ "queryName": "CloudTrail Not Integrated With CloudWatch",
 "severity": "LOW",
 "line": 2,
- "queryName": "CloudTrail Not Integrated With CloudWatch"
+ "fileName": "positive.yaml",
+ "resourceType": "community.aws.cloudtrail",
+ "resourceName": "positive1",
+ "searchKey": "name={{positive1}}.{{community.aws.cloudtrail}}",
+ "searchValue": "cloudwatch_logs_log_group_arn",
+ "expectedValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_log_group_arn should be defined",
+ "actualValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_log_group_arn is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "be244b51cf36a2a7f9cf09550db0846727ae6c6972fd5024d6b52241a31f95be",
+ "search_line": 2
 },
 {
+ "queryName": "CloudTrail Not Integrated With CloudWatch",
 "severity": "LOW",
 "line": 2,
- "queryName": "CloudTrail Not Integrated With CloudWatch"
+ "fileName": "positive.yaml",
+ "resourceType": "community.aws.cloudtrail",
+ "resourceName": "positive1",
+ "searchKey": "name={{positive1}}.{{community.aws.cloudtrail}}",
+ "searchValue": "cloudwatch_logs_role_arn",
+ "expectedValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_role_arn should be defined",
+ "actualValue": "name={{positive1}}.{{community.aws.cloudtrail}}.cloudwatch_logs_role_arn is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "e73168985dab91fda7b497467cfd447b30dd936975c145d56a87fea932ae1161",
+ "search_line": 2
 },
 {
 "queryName": "CloudTrail Not Integrated With CloudWatch",
 "severity": "LOW",
- "line": 14
+ "line": 14,
+ "fileName": "positive.yaml",
+ "resourceType": "community.aws.cloudtrail",
+ "resourceName": "positive2",
+ "searchKey": "name={{positive2}}.{{community.aws.cloudtrail}}",
+ "searchValue": "cloudwatch_logs_log_group_arn",
+ "expectedValue": "name={{positive2}}.{{community.aws.cloudtrail}}.cloudwatch_logs_log_group_arn should be defined",
+ "actualValue": "name={{positive2}}.{{community.aws.cloudtrail}}.cloudwatch_logs_log_group_arn is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "e2b51128a51952cc11e34cdf41e43534bcb2f214c8074bf9eef9acdc0c4003d9",
+ "search_line": 14
 },
 {
 "queryName": "CloudTrail Not Integrated With CloudWatch",
 "severity": "LOW",
- "line": 27
+ "line": 27,
+ "fileName": "positive.yaml",
+ "resourceType": "community.aws.cloudtrail",
+ "resourceName": "positive3",
+ "searchKey": "name={{positive3}}.{{community.aws.cloudtrail}}",
+ "searchValue": "cloudwatch_logs_role_arn",
+ "expectedValue": "name={{positive3}}.{{community.aws.cloudtrail}}.cloudwatch_logs_role_arn should be defined",
+ "actualValue": "name={{positive3}}.{{community.aws.cloudtrail}}.cloudwatch_logs_role_arn is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "4e81940d5584845acf2132b90c20682314520d9ce56dcf2aa9dca476c5918de5",
+ "search_line": 27
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json
index 85466e93e7a..728cf330ab8 100644
--- a/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json
@@ -2,11 +2,31 @@
 {
 "queryName": "CloudTrail SNS Topic Name Undefined",
 "severity": "LOW",
- "line": 2
+ "line": 2,
+ "fileName": "positive.yaml",
+ "resourceType": "community.aws.cloudtrail",
+ "resourceName": "no sns topic name",
+ "searchKey": "name={{no sns topic name}}.{{community.aws.cloudtrail}}",
+ "searchValue": "",
+ "expectedValue": "cloudtrail.sns_topic_name should be set",
+ "actualValue": "cloudtrail.sns_topic_name is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "c0f8058b38e395c5fc591d023627791a6d361cc02b1f0479fba6d28adb4fad09",
+ "search_line": -1
 },
 {
 "queryName": "CloudTrail SNS Topic Name Undefined",
 "severity": "LOW",
- "line": 15
+ "line": 15,
+ "fileName": "positive.yaml",
+ "resourceType": "community.aws.cloudtrail",
+ "resourceName": "sns topic name defined",
+ "searchKey": "name={{sns topic name defined}}.{{community.aws.cloudtrail}}.sns_topic_name",
+ "searchValue": "",
+ "expectedValue": "cloudtrail.sns_topic_name should be set",
+ "actualValue": "cloudtrail.sns_topic_name is empty",
+ "issueType": "IncorrectValue",
+ "similarityID": "1f84dbf2b99809cd6d4ab050c8bbfde4297bb95a05b1e5bb6f5b5be5a1152d95",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json b/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json
index 09180c09cd9..0d3cc9fbef1 100644
--- a/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json
@@ -2,11 +2,31 @@
 {
 "queryName": "CloudWatch Without Retention Period Specified",
 "severity": "INFO",
- "line": 2
+ "line": 2,
+ "fileName": "positive.yaml",
+ "resourceType": "community.aws.cloudwatchlogs_log_group",
+ "resourceName": "example ec2 group",
+ "searchKey": "name={{example ec2 group}}.{{community.aws.cloudwatchlogs_log_group}}",
+ "searchValue": "",
+ "expectedValue": "cloudwatchlogs_log_group.retention should be set",
+ "actualValue": "cloudwatchlogs_log_group.retention is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "25d0202a945a82586dbbac08d9d5f64dce476ce27a86bceaad8a035b8c712f98",
+ "search_line": -1
 },
 {
 "queryName": "CloudWatch Without Retention Period Specified",
 "severity": "INFO",
- "line": 7
+ "line": 7,
+ "fileName": "positive.yaml",
+ "resourceType": "community.aws.cloudwatchlogs_log_group",
+ "resourceName": "example2 ec2 group",
+ "searchKey": "name={{example2 ec2 group}}.{{community.aws.cloudwatchlogs_log_group}}.retention",
+ "searchValue": "",
+ "expectedValue": "cloudwatchlogs_log_group.retention should be set and valid",
+ "actualValue": "cloudwatchlogs_log_group.retention is set and invalid",
+ "issueType": "IncorrectValue",
+ "similarityID": "fd81a044c084b8da376b7140c76c585919d9343e18c46986995adeacfc49dc47",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/cmk_is_unusable/test/positive_expected_result.json b/assets/queries/ansible/aws/cmk_is_unusable/test/positive_expected_result.json
index e29e5d54553..0e8999fb711 100644
--- a/assets/queries/ansible/aws/cmk_is_unusable/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/cmk_is_unusable/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "CMK Is Unusable",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "community.aws.aws_kms",
+ "resourceName": "Update IAM policy on an existing KMS key1",
+ "searchKey": "name={{Update IAM policy on an existing KMS key1}}.{{community.aws.aws_kms}}.enabled",
+ "searchValue": "",
+ "expectedValue": "community.aws.aws_kms.enabled should be set to true",
+ "actualValue": "community.aws.aws_kms.enabled is set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "33a1e252780be9bff31494319f33309075e9b7b99bedbb889b49c94dcb7155aa",
+ "search_line": -1
 },
 {
 "queryName": "CMK Is Unusable",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "community.aws.aws_kms",
+ "resourceName": "Update IAM policy on an existing KMS key2",
+ "searchKey": "name={{Update IAM policy on an existing KMS key2}}.{{community.aws.aws_kms}}.pending_window",
+ "searchValue": "",
+ "expectedValue": "community.aws.aws_kms.pending_window should be undefined",
+ "actualValue": "community.aws.aws_kms.pending_windowis is set",
+ "issueType": "IncorrectValue",
+ "similarityID": "9e73f1892cb5748430e707efa5ee393dd0d3ed2e5a935b4d6fcb3525a9985759",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/ansible/aws/cmk_rotation_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/cmk_rotation_disabled/test/positive_expected_result.json
index 1515aadbc47..2d131161b72 100644
--- a/assets/queries/ansible/aws/cmk_rotation_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/cmk_rotation_disabled/test/positive_expected_result.json
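Review bot: The second entry's `"actualValue"` pins a typo, `community.aws.aws_kms.pending_windowis is set`, which is worth catching now that the generated fixture asserts the exact message. The string presumably originates in the query's result output rather than in this file, so the correction belongs there (`community.aws.aws_kms.pending_window is set`) followed by regenerating this fixture; hand-editing only the JSON would make the test fail against the query. The `"similarityID"` values may also change if they derive from these fields, so a regeneration is safer than a manual edit.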
@@ -3,12 +3,30 @@
 "queryName": "CMK Rotation Disabled",
 "severity": "LOW",
 "line": 2,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "community.aws.aws_kms",
+ "resourceName": "Update IAM policy on an existing KMS key",
+ "searchKey": "name={{Update IAM policy on an existing KMS key}}.{{community.aws.aws_kms}}",
+ "searchValue": "",
+ "expectedValue": "community.aws.aws_kms.enable_key_rotation should be set",
+ "actualValue": "community.aws.aws_kms.enable_key_rotation is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "9c2e5a89e9aa8bd3b8cfb59b495733384ad1c44edeb8806565a10ca7ec014d70",
+ "search_line": -1
 },
 {
 "queryName": "CMK Rotation Disabled",
 "severity": "LOW",
 "line": 7,
- "fileName": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "community.aws.aws_kms",
+ "resourceName": "Update IAM policy on an existing KMS key2",
+ "searchKey": "name={{Update IAM policy on an existing KMS key2}}.{{community.aws.aws_kms}}.enable_key_rotation",
+ "searchValue": "",
+ "expectedValue": "community.aws.aws_kms.enable_key_rotation should be set to true",
+ "actualValue": "community.aws.aws_kms.enable_key_rotation is set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "1f27998157c86dff32764501f883596d4bd32d5fb07231fc6765e799301cb3ce",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/codebuild_not_encrypted/test/positive_expected_result.json b/assets/queries/ansible/aws/codebuild_not_encrypted/test/positive_expected_result.json
index 73a4efdc353..eabca958c05 100644
--- a/assets/queries/ansible/aws/codebuild_not_encrypted/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/codebuild_not_encrypted/test/positive_expected_result.json
@@ -1,8 +1,17 @@
 [
- {
- "queryName": "CodeBuild Not Encrypted",
- "severity": "MEDIUM",
- "line": 2
- }
- 
+ {
+ "queryName": "CodeBuild Not Encrypted",
+ "severity": "MEDIUM",
+ "line": 2,
+ "fileName": "positive.yaml",
+ "resourceType": "community.aws.aws_codebuild",
+ "resourceName": "My project",
+ "searchKey": "name={{My project}}.{{community.aws.aws_codebuild}}",
+ "searchValue": "",
+ "expectedValue": "aws_codebuild.encryption_key should be set",
+ "actualValue": "aws_codebuild.encryption_key is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "8e2a206d92f3fe55055ecbed8e4592349dd8d7d058d3849f7b8007b6d07f7e92",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json
index db2fb69850e..0087a6d6d4e 100644
--- a/assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json
@@ -2,11 +2,31 @@
 {
 "queryName": "Configuration Aggregator to All Regions Disabled",
 "severity": "LOW",
- "line": 10
+ "line": 10,
+ "fileName": "positive.yaml",
+ "resourceType": "community.aws.aws_config_aggregator",
+ "resourceName": "Create cross-account aggregator",
+ "searchKey": "name={{Create cross-account aggregator}}.{{community.aws.aws_config_aggregator}}.account_sources.all_aws_regions",
+ "searchValue": "",
+ "expectedValue": "'aws_config_aggregator.account_sources' should have all_aws_regions set to true",
+ "actualValue": "'aws_config_aggregator.account_sources' has all_aws_regions set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "022c2eaefbe6bf31e9575ea851af5f0c00b5a6f6d1da3fdb3591663e1f0f0cee",
+ "search_line": -1
 },
 {
 "queryName": "Configuration Aggregator to All Regions Disabled",
 "severity": "LOW",
- "line": 24
+ "line": 24,
+ "fileName": "positive.yaml",
+ "resourceType": "community.aws.aws_config_aggregator",
+ "resourceName": "Create cross-account aggregator2",
+ "searchKey": "name={{Create cross-account aggregator2}}.{{community.aws.aws_config_aggregator}}.organization_source.all_aws_regions",
+ "searchValue": "",
+ "expectedValue": "'aws_config_aggregator.organization_source' should have all_aws_regions set to true",
+ "actualValue": "'aws_config_aggregator.organization_source' has all_aws_regions set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "951ec65790adb27904189405bc4e7461928f893712f8098bfb1a11a1b58db6dd",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json
index 8310f19905b..07441306d95 100644
--- a/assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "Config Rule For Encrypted Volumes Disabled",
 "severity": "HIGH",
- "line": 2
+ "line": 2,
+ "fileName": "positive.yaml",
+ "resourceType": "community.aws.aws_config_rule",
+ "resourceName": "foo",
+ "searchKey": "name={{foo}}",
+ "searchValue": "",
+ "expectedValue": "There should be a aws_config_rule with source.identifier equal to 'ENCRYPTED_VOLUMES'",
+ "actualValue": "There is no aws_config_rule with source.identifier equal to 'ENCRYPTED_VOLUMES'",
+ "issueType": "MissingAttribute",
+ "similarityID": "f153f3db27338e3063c0a11876300da3f19dce82c4863b97bb54d6398865bf2b",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json b/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json
index a68d8c5122c..978f082b295 100644
--- a/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json
@@ -3,18 +3,45 @@
 "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA",
 "severity": "HIGH",
 "line": 4,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "community.aws.iam_role",
+ "resourceName": "Create a role with description and tags",
+ "searchKey": "name={{Create a role with description and tags}}.{{community.aws.iam_role}}.assume_role_policy_document",
+ "searchValue": "",
+ "expectedValue": "assume_role_policy_document should not contain ':root",
+ "actualValue": "assume_role_policy_document contains ':root'",
+ "issueType": "IncorrectValue",
+ "similarityID": "ba0e1edfdbb6fc80f92057030345c5783db939f7adba9f97a722f6e1cf244ff4",
+ "search_line": 4
 },
 {
 "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA",
 "severity": "HIGH",
 "line": 4,
- "fileName": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "community.aws.iam_role",
+ "resourceName": "Create a role with description and tags2",
+ "searchKey": "name={{Create a role with description and tags2}}.{{community.aws.iam_role}}.assume_role_policy_document",
+ "searchValue": "",
+ "expectedValue": "assume_role_policy_document should not contain ':root",
+ "actualValue": "assume_role_policy_document contains ':root'",
+ "issueType": "IncorrectValue",
+ "similarityID": "66e05e182dc9994b6ccd0d31bb9afe40a157334e3a59dff8907167208a2884a9",
+ "search_line": 4
 },
 {
 "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA",
 "severity": "HIGH",
 "line": 4,
- "fileName": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "community.aws.iam_role",
+ "resourceName": "Create a role with description and tags3",
+ "searchKey": "name={{Create a role with description and tags3}}.{{community.aws.iam_role}}.assume_role_policy_document",
+ "searchValue": "",
+ "expectedValue": "assume_role_policy_document should not contain ':root",
+ "actualValue": "assume_role_policy_document contains ':root'",
+ "issueType": "IncorrectValue",
+ "similarityID": "80ae83319a958da5a911cd58c81b9798d81e97cb7970b2ccbbe82104ff681f9c",
+ "search_line": 4
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json b/assets/queries/ansible/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json
index 3f8f176a5fa..2355c953028 100644
--- a/assets/queries/ansible/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json
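Review bot: All three entries pin an `"expectedValue"` with an unbalanced quote, `assume_role_policy_document should not contain ':root`, while the paired `"actualValue"` reads `contains ':root'`. Since the fixture now asserts the exact message, the mismatch will be locked in by this commit; the string presumably comes from the query's output, so it should be corrected at the source (`assume_role_policy_document should not contain ':root'`) and this file regenerated rather than patched by hand. If `"similarityID"` is derived from these fields, those values would also need regenerating.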
@@ -1,17 +1,47 @@
 [
- {
- "queryName": "DB Instance Storage Not Encrypted",
- "severity": "HIGH",
- "line": 7
- },
- {
- "queryName": "DB Instance Storage Not Encrypted",
- "severity": "HIGH",
- "line": 17
- },
- {
- "queryName": "DB Instance Storage Not Encrypted",
- "severity": "HIGH",
- "line": 23
- }
+ {
+ "queryName": "DB Instance Storage Not Encrypted",
+ "severity": "HIGH",
+ "line": 7,
+ "fileName": "positive.yaml",
+ "resourceType": "community.aws.rds_instance",
+ "resourceName": "foo",
+ "searchKey": "name={{foo}}.{{community.aws.rds_instance}}.storage_encrypted",
+ "searchValue": "",
+ "expectedValue": "rds_instance.storage_encrypted should be set to true",
+ "actualValue": "rds_instance.storage_encrypted is set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "ae714fb69a5cdb4f9ed36ae2945e6b24c92b89b6eeddaf32e18c3591f54c1cb9",
+ "search_line": -1
+ },
+ {
+ "queryName": "DB Instance Storage Not Encrypted",
+ "severity": "HIGH",
+ "line": 17,
+ "fileName": "positive.yaml",
+ "resourceType": "community.aws.rds_instance",
+ "resourceName": "foo2",
+ "searchKey": "name={{foo2}}.{{community.aws.rds_instance}}.storage_encrypted",
+ "searchValue": "",
+ "expectedValue": "rds_instance.storage_encrypted should be set to true",
+ "actualValue": "rds_instance.storage_encrypted is set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "b10bc98897c130e36b5f43fb1296f3ea1a9e277bc1622a8679f48a496a8919b6",
+ "search_line": -1
+ },
+ {
+ "queryName": "DB Instance Storage Not Encrypted",
+ "severity": "HIGH",
+ "line": 23,
+ "fileName": "positive.yaml",
+ "resourceType": "community.aws.rds_instance",
+ "resourceName": "foo3",
+ "searchKey": "name={{foo3}}.{{community.aws.rds_instance}}",
+ "searchValue": "",
+ "expectedValue": "rds_instance.storage_encrypted should be set to true",
+ "actualValue": "rds_instance.storage_encrypted is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "d98aaed5bf8b579fe0db4fd341998fac09f69176c7dd96051d3e8723a927c2f5",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/ansible/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json b/assets/queries/ansible/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json
index 0c0d773c5d5..6f5b37cffbe 100644
--- a/assets/queries/ansible/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "DB Security Group Open To Large Scope",
 "severity": "HIGH",
- "line": 22
+ "line": 22,
+ "fileName": "positive.yaml",
+ "resourceType": "ec2_group",
+ "resourceName": "example ec2 group",
+ "searchKey": "name={{example ec2 group}}.{{ec2_group}}.rules.cidr_ip",
+ "searchValue": "",
+ "expectedValue": "'ec2_group.rules.cidr_ip' should be one of [10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12]",
+ "actualValue": "'ec2_group.rules.cidr_ip' is [0.0.0.0/0,10.0.0.0/8,192.168.1.0/24]",
+ "issueType": "IncorrectValue",
+ "similarityID": "8d3b53d214ec03443d86428d87a49055a1138d5ace8be6eeee28fb744a007045",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/ansible/aws/db_security_group_with_public_scope/test/positive_expected_result.json b/assets/queries/ansible/aws/db_security_group_with_public_scope/test/positive_expected_result.json
index dc66872abf9..fe51d0719ca 100644
--- a/assets/queries/ansible/aws/db_security_group_with_public_scope/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/db_security_group_with_public_scope/test/positive_expected_result.json
@@ -2,11 +2,31 @@
 {
 "queryName": "DB Security Group With Public Scope",
 "severity": "CRITICAL",
- "line": 22
+ "line": 22,
+ "fileName": "positive.yaml",
+ "resourceType": "ec2_group",
+ "resourceName": "example ec2 group",
+ "searchKey": "name={{example ec2 group}}.{{ec2_group}}.rules.cidr_ip",
+ "searchValue": "",
+ "expectedValue": "'ec2_group.rules.cidr_ip' should be one of [10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12]",
+ "actualValue": "'ec2_group.rules.cidr_ip' is [0.0.0.0/0]",
+ "issueType": "IncorrectValue",
+ "similarityID": "85167ab7762f9d20d0239e63c892848cfd3a66a5140c4ee66f141db59dcaf395",
+ "search_line": -1
 },
 {
 "queryName": "DB Security Group With Public Scope",
 "severity": "CRITICAL",
- "line": 53
+ "line": 53,
+ "fileName": "positive.yaml",
+ "resourceType": "ec2_group",
+ "resourceName": "example ec2 group",
+ "searchKey": "name={{example ec2 group}}.{{ec2_group}}.rules_egress.cidr_ip",
+ "searchValue": "",
+ "expectedValue": "'ec2_group.rules_egress.cidr_ip' should be one of [10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12]",
+ "actualValue": "'ec2_group.rules_egress.cidr_ip' is [0.0.0.0/0]",
+ "issueType": "IncorrectValue",
+ "similarityID": "2c2b6dc22a87382fabadcf2ece3b230e35f1eb4cc7a609ea0cba616804ee08cb",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json b/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json
index fbf9d83dbd4..c8a3609c2f3 100644
--- a/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json
@@ -2,26 +2,76 @@
 {
 "queryName": "Default Security Groups With Unrestricted Traffic",
 "severity": "HIGH",
- "line": 17
+ "line": 17,
+ "fileName": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example ec2 group",
+ "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules.cidr_ip.{{0.0.0.0/0}}",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules.cidr_ip should not contain the value '0.0.0.0/0'",
+ "actualValue": "ec2_group.rules.cidr_ip contains value '0.0.0.0/0'",
+ "issueType": "IncorrectValue",
+ "similarityID": "ca8ccc6220ced6369d8c6ca0fcc377900f2f634c3467977fffe3837a85b504cf",
+ "search_line": -1
 },
 {
 "queryName": "Default Security Groups With Unrestricted Traffic",
 "severity": "HIGH",
- "line": 30
+ "line": 30,
+ "fileName": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example2 ec2 group",
+ "searchKey": "name={{example2 ec2 group}}.{{amazon.aws.ec2_group}}.rules_egress.cidr_ip={{0.0.0.0/0}}",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules_egress.cidr_ip should not contain the value '0.0.0.0/0'",
+ "actualValue": "ec2_group.rules_egress.cidr_ip contains value '0.0.0.0/0'",
+ "issueType": "IncorrectValue",
+ "similarityID": "32e787da1cb2b5ec025dcd1fa905dfb6ed3b65bfb4039bc38196c4bd275f556b",
+ "search_line": -1
 },
 {
 "queryName": "Default Security Groups With Unrestricted Traffic",
 "severity": "HIGH",
- "line": 48
+ "line": 48,
+ "fileName": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example3 ec2 group",
+ "searchKey": "name={{example3 ec2 group}}.{{amazon.aws.ec2_group}}.rules.cidr_ipv6={{::/0}}",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules.cidr_ipv6 should not contain the value '::/0'",
+ "actualValue": "ec2_group.rules.cidr_ipv6 contains value '::/0'",
+ "issueType": "IncorrectValue",
+ "similarityID": "0fdf946b87b91b47963038d47d7ae2278679e42d7cc0fbf3c3b519ad7fc46c0d",
+ "search_line": -1
 },
 {
 "queryName": "Default Security Groups With Unrestricted Traffic",
 "severity": "HIGH",
- "line": 61
+ "line": 61,
+ "fileName": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example4 ec2 group",
+ "searchKey": "name={{example4 ec2 group}}.{{amazon.aws.ec2_group}}.rules_egress.cidr_ipv6={{::/0}}",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules_egress.cidr_ipv6 should not contain the value '::/0'",
+ "actualValue": "ec2_group.rules_egress.cidr_ipv6 contains value '::/0'",
+ "issueType": "IncorrectValue",
+ "similarityID": "293032568f5f4927218769c8f4941915bb8a3f2d4e57767b38e309090fa74636",
+ "search_line": -1
 },
 {
 "queryName": "Default Security Groups With Unrestricted Traffic",
 "severity": "HIGH",
- "line": 83
+ "line": 83,
+ "fileName": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_group",
+ "resourceName": "example5 ec2 group",
+ "searchKey": "name={{example5 ec2 group}}.{{amazon.aws.ec2_group}}.rules_egress.cidr_ipv6.{{::/0}}",
+ "searchValue": "",
+ "expectedValue": "ec2_group.rules_egress.cidr_ipv6 should not contain the value '::/0'",
+ "actualValue": "ec2_group.rules_egress.cidr_ipv6 contains value '::/0'",
+ "issueType": "IncorrectValue",
+ "similarityID": "ca887fdd403b588f1922e9ba444a2a1da7701e127d0b7f23653aeee2dd42c17d",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/ansible/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json
index 7c506eb099d..fd4c3b8e828 100644
--- a/assets/queries/ansible/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json
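Review bot: The five `"searchKey"` values in this file use two different shapes for the same kind of finding: entries for lines 17 and 83 append the CIDR as `.{{0.0.0.0/0}}` / `.{{::/0}}`, while entries for lines 30, 48 and 61 use `cidr_ip={{0.0.0.0/0}}` / `cidr_ipv6={{::/0}}`. Committing the fixture as-is freezes that inconsistency into the expected output, and if `"similarityID"` is derived from `searchKey` it makes the IDs for otherwise parallel findings non-comparable. The keys presumably come from the query's result construction rather than this file, so aligning them there (one of the two forms for all five rules) and regenerating is the clean fix.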
@@ -2,21 +2,61 @@
 {
 "queryName": "EBS Volume Encryption Disabled",
 "severity": "HIGH",
- "line": 5
+ "line": 5,
+ "fileName": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_vol",
+ "resourceName": "Creating EBS volume01",
+ "searchKey": "name={{Creating EBS volume01}}.{{amazon.aws.ec2_vol}}.encrypted",
+ "searchValue": "",
+ "expectedValue": "ec2_vol.encrypted should be enabled",
+ "actualValue": "ec2_vol.encrypted is disabled",
+ "issueType": "IncorrectValue",
+ "similarityID": "8d23ebaaa57db577a5c0971659ce9c1aa0e4ede12b94ea32632852ec64e00905",
+ "search_line": -1
 },
 {
 "queryName": "EBS Volume Encryption Disabled",
 "severity": "HIGH",
- "line": 12
+ "line": 12,
+ "fileName": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_vol",
+ "resourceName": "Creating EBS volume02",
+ "searchKey": "name={{Creating EBS volume02}}.{{amazon.aws.ec2_vol}}.encrypted",
+ "searchValue": "",
+ "expectedValue": "ec2_vol.encrypted should be enabled",
+ "actualValue": "ec2_vol.encrypted is disabled",
+ "issueType": "IncorrectValue",
+ "similarityID": "2d28739344599199726eb3ded03eed2d4762d7e3c7bbaf3a42a460919836bdb2",
+ "search_line": -1
 },
 {
 "queryName": "EBS Volume Encryption Disabled",
 "severity": "HIGH",
- "line": 19
+ "line": 19,
+ "fileName": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_vol",
+ "resourceName": "Creating EBS volume03",
+ "searchKey": "name={{Creating EBS volume03}}.{{amazon.aws.ec2_vol}}.encrypted",
+ "searchValue": "",
+ "expectedValue": "ec2_vol.encrypted should be enabled",
+ "actualValue": "ec2_vol.encrypted is disabled",
+ "issueType": "IncorrectValue",
+ "similarityID": "5497c810d5636e51a920bf9424b3cd55e3b7a8017302af680cbcea425bf31005",
+ "search_line": -1
 },
 {
 "queryName": "EBS Volume Encryption Disabled",
 "severity": "HIGH",
- "line": 24
+ "line": 24,
+ "fileName": "positive.yaml",
+ "resourceType": "amazon.aws.ec2_vol",
+ "resourceName": "Creating EBS volume04",
+ "searchKey": "name={{Creating EBS volume04}}.{{amazon.aws.ec2_vol}}",
+ "searchValue": "",
+ "expectedValue": "ec2_vol.encrypted should be defined",
+ "actualValue": "ec2_vol.encrypted is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "09fab184885fe5ddd91df69dffcb208c9efeda7dae3adeeb7ff3f2423c98e735",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/ec2_group_has_public_interface/test/positive_expected_result.json b/assets/queries/ansible/aws/ec2_group_has_public_interface/test/positive_expected_result.json
index 422c66bd094..dd2579dcdd8 100644
--- a/assets/queries/ansible/aws/ec2_group_has_public_interface/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/ec2_group_has_public_interface/test/positive_expected_result.json
@@ -1,8 +1,17 @@
 [
- {
- "queryName": "EC2 Group Has Public Interface",
- "severity": "HIGH",
- "line": 22,
- "fileName": "positive.yaml"
- }
+ {
+ "queryName": "EC2 Group Has Public Interface",
+ "severity": "HIGH",
+ "line": 22,
+ "fileName": "positive.yaml",
+ "resourceType": "ec2_group",
+ "resourceName": "example ec2 group",
+ "searchKey": "name={{example ec2 group}}.{{ec2_group}}.rules.cidr_ip",
+ "searchValue": "",
+ "expectedValue": "'ec2_group.rules.cidr_ip' should not be 0.0.0.0/0",
+ "actualValue": "'ec2_group.rules.cidr_ip' is 0.0.0.0/0",
+ "issueType": "IncorrectValue",
+ "similarityID": "ca9b0f6e89feec49abb7ab0a2abb5383ebd35b093b0c7ce1fbb1a024da59a0b4",
+ "search_line": 22
+ }
 ]
diff --git a/assets/queries/ansible/aws/ec2_instance_has_public_ip/test/positive_expected_result.json b/assets/queries/ansible/aws/ec2_instance_has_public_ip/test/positive_expected_result.json
index a9c99cf8b4d..ca8acd620e6 100644
--- a/assets/queries/ansible/aws/ec2_instance_has_public_ip/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/ec2_instance_has_public_ip/test/positive_expected_result.json
@@ -2,16 +2,46 @@ { "queryName": "EC2 Instance Has Public IP", "severity": "MEDIUM", - "line": 7 + "line": 7, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2", + "resourceName": "example", + "searchKey": "name={{example}}.{{amazon.aws.ec2}}.assign_public_ip", + "searchValue": "", + "expectedValue": "ec2.assign_public_ip should be set to false, 'no' or undefined", + "actualValue": "ec2.assign_public_ip is 'yes'", + "issueType": "IncorrectValue", + "similarityID": "5123aaacae434949dece62fb54db57ea1eb3cad33f62dc0383b8387c43e4d7e8", + "search_line": -1 }, { "queryName": "EC2 Instance Has Public IP", "severity": "MEDIUM", - "line": 15 + "line": 15, + "fileName": "positive.yaml", + "resourceType": "community.aws.ec2_launch_template", + "resourceName": "Create an ec2 launch template", + "searchKey": "name={{Create an ec2 launch template}}.{{community.aws.ec2_launch_template}}.network_interfaces.associate_public_ip_address", + "searchValue": "", + "expectedValue": "ec2_launch_template.network_interfaces.associate_public_ip_address should be set to false, 'no' or undefined", + "actualValue": "ec2_launch_template.network_interfaces.associate_public_ip_address is 'true'", + "issueType": "IncorrectValue", + "similarityID": "4fdbb169956852a32f254f98057c6745cfbd4cdbaa592c8315eadd3a41c47983", + "search_line": -1 }, { "queryName": "EC2 Instance Has Public IP", "severity": "MEDIUM", - "line": 24 + "line": 24, + "fileName": "positive.yaml", + "resourceType": "community.aws.ec2_instance", + "resourceName": "start an instance with a public IP address", + "searchKey": "name={{start an instance with a public IP address}}.{{community.aws.ec2_instance}}.network.assign_public_ip", + "searchValue": "", + "expectedValue": "ec2_instance.network.assign_public_ip should be set to false, 'no' or undefined", + "actualValue": "ec2_instance.network.assign_public_ip is 'true'", + "issueType": "IncorrectValue", + "similarityID": 
"554c07fc19f434d85e5bef4f17f3a4816d088b5cea6a111e5ea8350d0c3bd061", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json b/assets/queries/ansible/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json index 0d4b8742ab6..1c6d2ab1c1e 100644 --- a/assets/queries/ansible/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "EC2 Instance Using Default Security Group", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "amazon.aws.ec2", + "resourceName": "example", + "searchKey": "name={{example}}.{{amazon.aws.ec2}}.group", + "searchValue": "", + "expectedValue": "'group' should not be using default security group", + "actualValue": "'group' is using default security group", + "issueType": "IncorrectValue", + "similarityID": "a8d89a01f009b7e046fd8029b57a068510bad702bd9db795ce84598b3a0ce4b2", + "search_line": 7 }, { "queryName": "EC2 Instance Using Default Security Group", "severity": "MEDIUM", "line": 8, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "amazon.aws.ec2", + "resourceName": "example2", + "searchKey": "name={{example2}}.{{amazon.aws.ec2}}.group", + "searchValue": "", + "expectedValue": "'group' should not be using default security group", + "actualValue": "'group' is using default security group", + "issueType": "IncorrectValue", + "similarityID": "8e108b1b048373c56762ecdaa7d581a79c5a3fd9de376c93b6ba7adbb861c21a", + "search_line": 8 } -] \ No newline at end of file +] 
diff --git a/assets/queries/ansible/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json b/assets/queries/ansible/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json index 8007e2c024b..b608fa44448 100644 --- a/assets/queries/ansible/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json @@ -1,8 +1,17 @@ [ - { - "queryName": "EC2 Instance Using Default VPC", - "severity": "LOW", - "line": 8, - "fileName": "positive.yaml" - } + { + "queryName": "EC2 Instance Using Default VPC", + "severity": "LOW", + "line": 8, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2", + "resourceName": "example", + "searchKey": "name={{example}}.{{amazon.aws.ec2}}.vpc_subnet_id", + "searchValue": "", + "expectedValue": "'vpc_subnet_id' should not be associated with a default VPC", + "actualValue": "'vpc_subnet_id' is associated with a default VPC", + "issueType": "IncorrectValue", + "similarityID": "dc793eb868e1a1312bb7d2fc39f9c70c1a8105a921b802097a5398946adb449b", + "search_line": 8 + } ] diff --git a/assets/queries/ansible/aws/ec2_not_ebs_optimized/test/positive_expected_result.json b/assets/queries/ansible/aws/ec2_not_ebs_optimized/test/positive_expected_result.json index d41d61c38f5..98989f3653f 100644 --- a/assets/queries/ansible/aws/ec2_not_ebs_optimized/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ec2_not_ebs_optimized/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "EC2 Not EBS Optimized", "severity": "INFO", "line": 2, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "amazon.aws.ec2", + "resourceName": "example", + "searchKey": "name={{example}}.{{amazon.aws.ec2}}", + "searchValue": "", + "expectedValue": "ec2 to have ebs_optimized set to true.", + "actualValue": "ec2 doesn't have ebs_optimized set to true.", + "issueType": "MissingAttribute", + "similarityID": "72b0bbe36c98dc9e61088c27744fcd7a57c5b864a3ea33b96206938b9c7ed38d", + "search_line": -1 }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", "line": 10, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "amazon.aws.ec2", + "resourceName": "example2", + "searchKey": "name={{example2}}.{{amazon.aws.ec2}}.ebs_optimized", + "searchValue": "", + "expectedValue": "ec2 to have ebs_optimized set to true.", + "actualValue": "ec2 ebs_optimized is set to false.", + "issueType": "IncorrectValue", + "similarityID": "e2f4722aa0a6a6c8a9940b5041e6662d508a3560c208c16a421257b1335b3a80", + "search_line": -1 }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", "line": 2, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "amazon.aws.ec2", + "resourceName": "example3", + "searchKey": "name={{example3}}.{{amazon.aws.ec2}}", + "searchValue": "", + "expectedValue": "ec2 to have ebs_optimized set to true.", + "actualValue": "ec2 doesn't have ebs_optimized set to true.", + "issueType": "MissingAttribute", + "similarityID": "e94901248730933cff4e3412880721ac15468d82337677d38a3bf71cb95f5157", + "search_line": -1 } ] diff --git a/assets/queries/ansible/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json b/assets/queries/ansible/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json index 738ab12a4ba..c3cb491fea1 100644 --- a/assets/queries/ansible/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json 
+++ b/assets/queries/ansible/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json @@ -1,13 +1,32 @@ [ - { - "queryName": "ECR Image Tag Not Immutable", - "severity": "MEDIUM", - "line": 2 - }, - - { - "queryName": "ECR Image Tag Not Immutable", - "severity": "MEDIUM", - "line": 7 - } + { + "queryName": "ECR Image Tag Not Immutable", + "severity": "MEDIUM", + "line": 2, + "fileName": "positive.yaml", + "resourceType": "community.aws.ecs_ecr", + "resourceName": "create immutable ecr-repo", + "searchKey": "name={{create immutable ecr-repo}}.{{community.aws.ecs_ecr}}", + "searchValue": "", + "expectedValue": "ecs_ecr.image_tag_mutability should be set ", + "actualValue": "ecs_ecr.image_tag_mutability is undefined", + "issueType": "MissingAttribute", + "similarityID": "6544b14e6dfd0cd7b98f4dea80757d735790ca5d6e804db55ee8516b48ef4af1", + "search_line": -1 + }, + { + "queryName": "ECR Image Tag Not Immutable", + "severity": "MEDIUM", + "line": 7, + "fileName": "positive.yaml", + "resourceType": "community.aws.ecs_ecr", + "resourceName": "create immutable ecr-repo v2", + "searchKey": "name={{create immutable ecr-repo v2}}.{{community.aws.ecs_ecr}}.image_tag_mutability", + "searchValue": "", + "expectedValue": "ecs_ecr.image_tag_mutability should be set to 'immutable'", + "actualValue": "ecs_ecr.image_tag_mutability is not set to 'immutable'", + "issueType": "IncorrectValue", + "similarityID": "953823f081846137ddad26af4692f1b4b0c4ffd849c1e8aa7ba017ed5744acf9", + "search_line": -1 + } ] diff --git a/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json index 5676de08d61..0f66aa98ced 100644 --- a/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json 
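Review bot: The first new entry in this hunk pins an `expectedValue` with a trailing space, `"ecs_ecr.image_tag_mutability should be set "`, which looks like an artifact of how the query assembles its message rather than intended text. Snapshotting it here means a later tidy-up of the query's message will fail this test for a cosmetic reason. Suggest trimming the message at its source before regenerating, so the fixture reads `"expectedValue": "ecs_ecr.image_tag_mutability should be set"`.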
@@ -2,11 +2,31 @@ { "queryName": "ECR Repository Is Publicly Accessible", "severity": "CRITICAL", - "line": 4 + "line": 4, + "fileName": "positive.yaml", + "resourceType": "community.aws.ecs_ecr", + "resourceName": "set-policy as object", + "searchKey": "name={{set-policy as object}}.{{community.aws.ecs_ecr}}.policy", + "searchValue": "", + "expectedValue": "ecs_ecr.policy.Principal should not equal to '*'", + "actualValue": "ecs_ecr.policy.Principal is equal to '*'", + "issueType": "IncorrectValue", + "similarityID": "5ddcfb29ab1360a3d1c6ca7877075a1c698d386de6d7c9cca25387f178de2575", + "search_line": 4 }, { "queryName": "ECR Repository Is Publicly Accessible", "severity": "CRITICAL", - "line": 17 + "line": 17, + "fileName": "positive.yaml", + "resourceType": "community.aws.ecs_ecr", + "resourceName": "set-policy as string", + "searchKey": "name={{set-policy as string}}.{{community.aws.ecs_ecr}}.policy", + "searchValue": "", + "expectedValue": "ecs_ecr.policy.Principal should not equal to '*'", + "actualValue": "ecs_ecr.policy.Principal is equal to '*'", + "issueType": "IncorrectValue", + "similarityID": "f965589bbd954a7eb8f31f68391f0e16f0a8e8a8c212de390329c9cca22b64b2", + "search_line": 17 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json b/assets/queries/ansible/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json index 0b9e1c22307..b36677fdb94 100644 --- a/assets/queries/ansible/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json 
@@ -1,7 +1,17 @@
 [
- {
- "queryName": "ECS Service Admin Role Is Present",
- "severity": "HIGH",
- "line": 9
- }
+ {
+ "queryName": "ECS Service Admin Role Is Present",
+ "severity": "HIGH",
+ "line": 9,
+ "fileName": "positive.yaml",
+ "resourceType": "community.aws.ecs_service",
+ "resourceName": "ECS Service",
+ "searchKey": "name={{ECS Service}}.{{community.aws.ecs_service}}.role",
+ "searchValue": "",
+ "expectedValue": "ecs_service.role should not be an admin role",
+ "actualValue": "ecs_service.role is an admin role",
+ "issueType": "IncorrectValue",
+ "similarityID": "263d85c6d8b3e8d013beafe65de16b2446fc7cce1dedfef4142689de50130ead",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/ansible/aws/ecs_service_without_running_tasks/test/positive_expected_result.json b/assets/queries/ansible/aws/ecs_service_without_running_tasks/test/positive_expected_result.json
index b8fd110dab6..6ae15246fb2 100644
--- a/assets/queries/ansible/aws/ecs_service_without_running_tasks/test/positive_expected_result.json
+++ b/assets/queries/ansible/aws/ecs_service_without_running_tasks/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "ECS Service Without Running Tasks",
 "severity": "LOW",
- "line": 2
+ "line": 2,
+ "fileName": "positive.yaml",
+ "resourceType": "community.aws.ecs_service",
+ "resourceName": "ECS Service",
+ "searchKey": "name={{ECS Service}}.{{community.aws.ecs_service}}",
+ "searchValue": "",
+ "expectedValue": "community.aws.ecs_service.deployment_configuration should be defined",
+ "actualValue": "%!&(string=community.aws.ecs_service)s.deployment_configuration is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "a4629f3da859196d0216e1e24153bb5842d276c9a842752f089d5ca6993b4bcf",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
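Review bot: The new `actualValue` in the ecs_service_without_running_tasks hunk, `"%!&(string=community.aws.ecs_service)s.deployment_configuration is undefined"`, is the marker Go's fmt emits when a verb does not match its argument, so the regenerated fixture now pins a message-rendering bug in the query instead of the intended text. The same artifact appears in the elb_using_insecure_protocols hunk (both `%!&(string=…)s` in `actualValue` and `%!s(int=0)` in the `searchKey` entries) and in the partially visible elb_using_weak_ciphers hunk. Suggest correcting the format verbs in the affected queries' sprintf calls and regenerating, since otherwise a later fix to those messages will fail these tests for the wrong reason. Judging from the matching `expectedValue`, the intended line here is presumably `"actualValue": "community.aws.ecs_service.deployment_configuration is undefined"`.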
diff --git a/assets/queries/ansible/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json b/assets/queries/ansible/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json index a40ef0f6b38..e83487a61b7 100644 --- a/assets/queries/ansible/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json 
@@ -1,14 +1,32 @@ [ { + "queryName": "ECS Services assigned with public IP address", "severity": "MEDIUM", "line": 19, - "queryName": "ECS Services assigned with public IP address", - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "community.aws.ecs_service", + "resourceName": "Create ECS service with network configuration", + "searchKey": "name={{Create ECS service with network configuration}}.{{community.aws.ecs_service}}.network_configuration.assign_public_ip", + "searchValue": "", + "expectedValue": "'community.aws.ecs_service.network_configuration.assign_public_ip' should be set to false (default value is false)", + "actualValue": "'community.aws.ecs_service.network_configuration.assign_public_ip' is set to true", + "issueType": "IncorrectValue", + "similarityID": "b5cb8550e898b0343a0176a17fdb329b79b42176f0a6499d6c7ee209e44f9027", + "search_line": 19 }, { + "queryName": "ECS Services assigned with public IP address", "severity": "MEDIUM", "line": 19, - "queryName": "ECS Services assigned with public IP address", - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "ecs_service", + "resourceName": "Create ECS service with network configuration", + "searchKey": "name={{Create ECS service with network configuration}}.{{ecs_service}}.network_configuration.assign_public_ip", + "searchValue": "", + "expectedValue": "'ecs_service.network_configuration.assign_public_ip' should be set to false (default value is false)", + "actualValue": "'ecs_service.network_configuration.assign_public_ip' is set to true", + "issueType": "IncorrectValue", + "similarityID": "71b30572dbb1248fa098e886b2a6603f0dd639c18435aeee9a47c18155a3e09a", + "search_line": 19 } -] \ No newline at end of file +] 
diff --git a/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json b/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json index 84a0f173861..7d0e66b679e 100644 --- a/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json @@ -2,11 +2,31 @@ { "queryName": "ECS Task Definition Network Mode Not Recommended", "severity": "MEDIUM", - "line": 15 + "line": 15, + "fileName": "positive.yaml", + "resourceType": "community.aws.ecs_taskdefinition", + "resourceName": "Create task definition", + "searchKey": "name={{Create task definition}}.{{community.aws.ecs_taskdefinition}}.network_mode", + "searchValue": "", + "expectedValue": "'ecs_taskdefinition.network_mode' should be set to 'awsvpc'", + "actualValue": "'ecs_taskdefinition.network_mode' is 'default'", + "issueType": "IncorrectValue", + "similarityID": "d385d700dbee98fe645678efabac377fe703f982cdbb2c85407b7c7576cf4118", + "search_line": -1 }, { "queryName": "ECS Task Definition Network Mode Not Recommended", "severity": "MEDIUM", - "line": 31 + "line": 31, + "fileName": "positive.yaml", + "resourceType": "community.aws.ecs_taskdefinition", + "resourceName": "Create task definition2", + "searchKey": "name={{Create task definition2}}.{{community.aws.ecs_taskdefinition}}.network_mode", + "searchValue": "", + "expectedValue": "'ecs_taskdefinition.network_mode' should be set to 'awsvpc'", + "actualValue": "'ecs_taskdefinition.network_mode' is 'none'", + "issueType": "IncorrectValue", + "similarityID": "5c96fb397dd9f7b399803bcdeb738071a409a31d90cce4d3b16010a485e054c3", + "search_line": -1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/ansible/aws/efs_not_encrypted/test/positive_expected_result.json b/assets/queries/ansible/aws/efs_not_encrypted/test/positive_expected_result.json index 970263b7fe3..c220735e563 100644 --- a/assets/queries/ansible/aws/efs_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/efs_not_encrypted/test/positive_expected_result.json @@ -2,16 +2,46 @@ { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 6 + "line": 6, + "fileName": "positive.yaml", + "resourceType": "community.aws.efs", + "resourceName": "foo", + "searchKey": "name={{foo}}.{{community.aws.efs}}.encrypt", + "searchValue": "", + "expectedValue": "efs.encrypt should be set to true", + "actualValue": "efs.encrypt is set to false", + "issueType": "IncorrectValue", + "similarityID": "f457e8599c6a3bc5dc87d18043824d7f39aea503babad08abed878a81d84e7bf", + "search_line": -1 }, { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 17 + "line": 17, + "fileName": "positive.yaml", + "resourceType": "community.aws.efs", + "resourceName": "foo2", + "searchKey": "name={{foo2}}.{{community.aws.efs}}.encrypt", + "searchValue": "", + "expectedValue": "efs.encrypt should be set to true", + "actualValue": "efs.encrypt is set to false", + "issueType": "IncorrectValue", + "similarityID": "a0e02eebc1f56fbdf3f5ba5644f914e94a9cea5bc30755ceb16e2fb0207a19f7", + "search_line": -1 }, { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 25 + "line": 25, + "fileName": "positive.yaml", + "resourceType": "community.aws.efs", + "resourceName": "foo3", + "searchKey": "name={{foo3}}.{{community.aws.efs}}", + "searchValue": "", + "expectedValue": "efs.encrypt should be set to true", + "actualValue": "efs.encrypt is undefined", + "issueType": "MissingAttribute", + "similarityID": "724a3001d538cbc1586a0d40174c61368442abadcbf12f8fa4b0e91cc26e2fe9", + "search_line": -1 } ] 
diff --git a/assets/queries/ansible/aws/efs_without_kms/test/positive_expected_result.json b/assets/queries/ansible/aws/efs_without_kms/test/positive_expected_result.json index 8995f772a8e..7af683bf942 100644 --- a/assets/queries/ansible/aws/efs_without_kms/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/efs_without_kms/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "EFS Without KMS", "severity": "LOW", - "line": 3 + "line": 3, + "fileName": "positive.yaml", + "resourceType": "community.aws.efs", + "resourceName": "foo", + "searchKey": "name={{foo}}.{{community.aws.efs}}", + "searchValue": "", + "expectedValue": "efs.kms_key_id should be set", + "actualValue": "efs.kms_key_id is undefined", + "issueType": "MissingAttribute", + "similarityID": "fa02b70671ab9c968ddc8595c9e9ecee1eb6c0e1342c847be55e6ace4c631f8d", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/efs_without_tags/test/positive_expected_result.json b/assets/queries/ansible/aws/efs_without_tags/test/positive_expected_result.json index 8594bf83818..2d93bf51b0c 100644 --- a/assets/queries/ansible/aws/efs_without_tags/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/efs_without_tags/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "EFS Without Tags", "severity": "LOW", - "line": 2 + "line": 2, + "fileName": "positive.yaml", + "resourceType": "community.aws.efs", + "resourceName": "EFS provisioning without tags", + "searchKey": "name={{EFS provisioning without tags}}.{{community.aws.efs}}", + "searchValue": "", + "expectedValue": "name={{EFS provisioning without tags}}.{{community.aws.efs}}.tags should be set", + "actualValue": "name={{EFS provisioning without tags}}.{{community.aws.efs}}.tags is not defined", + "issueType": "MissingAttribute", + "similarityID": "85c4c0a4b5db626c2fe10434fe747f42032f6c5ac3838a4a89bfc1253ee5cfda", + "search_line": -1 } ] 
diff --git a/assets/queries/ansible/aws/elasticache_using_default_port/test/positive_expected_result.json b/assets/queries/ansible/aws/elasticache_using_default_port/test/positive_expected_result.json index a729b0e9d1c..f441211fab2 100644 --- a/assets/queries/ansible/aws/elasticache_using_default_port/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/elasticache_using_default_port/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "ElastiCache Using Default Port", "severity": "LOW", "line": 9, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "community.aws.elasticache", + "resourceName": "Basic example", + "searchKey": "name={{Basic example}}.{{community.aws.elasticache}}.cache_port", + "searchValue": "", + "expectedValue": "'cache_port' should not be set to 11211", + "actualValue": "'cache_port' is set to 11211", + "issueType": "IncorrectValue", + "similarityID": "0fb4ef1f0e47cc6df56d9363527c4c7faa2afa069b04854dd867d11b0fa07dac", + "search_line": 9 }, { "queryName": "ElastiCache Using Default Port", "severity": "LOW", "line": 9, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "community.aws.elasticache", + "resourceName": "Basic example2", + "searchKey": "name={{Basic example2}}.{{community.aws.elasticache}}.cache_port", + "searchValue": "", + "expectedValue": "'cache_port' should not be set to 6379", + "actualValue": "'cache_port' is set to 6379", + "issueType": "IncorrectValue", + "similarityID": "7a43aab58e513c90febce284a82c02ae8ebe2e4a39d56ab85ea555d56bd07570", + "search_line": 9 } ] diff --git a/assets/queries/ansible/aws/elasticache_without_vpc/test/positive_expected_result.json b/assets/queries/ansible/aws/elasticache_without_vpc/test/positive_expected_result.json index 6367ea5e9ee..ff8fff2d5ed 100644 --- a/assets/queries/ansible/aws/elasticache_without_vpc/test/positive_expected_result.json 
+++ b/assets/queries/ansible/aws/elasticache_without_vpc/test/positive_expected_result.json @@ -1,8 +1,17 @@ [ - { - "queryName": "ElastiCache Without VPC", - "severity": "LOW", - "line": 2, - "fileName": "positive.yaml" - } + { + "queryName": "ElastiCache Without VPC", + "severity": "LOW", + "line": 2, + "fileName": "positive.yaml", + "resourceType": "community.aws.elasticache", + "resourceName": "Basic example", + "searchKey": "name={{Basic example}}.{{community.aws.elasticache}}", + "searchValue": "", + "expectedValue": "'cache_subnet_group' should be defined and not null", + "actualValue": "'cache_subnet_group' is undefined or null", + "issueType": "IncorrectValue", + "similarityID": "e137d9fc9c4f0f8ef22bdf0f75e2084c6044495431aa6967a1b5eaaa402e1a69", + "search_line": 2 + } ] diff --git a/assets/queries/ansible/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json index db63e1ea6e3..c983c4f2f8a 100644 --- a/assets/queries/ansible/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "Elasticsearch with HTTPS disabled", "severity": "MEDIUM", "line": 11, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "community.aws.opensearch", + "resourceName": "Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters", + "searchKey": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https", + "searchValue": "", + "expectedValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https should be set to 'true'", + "actualValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "8cf8cee2a4dd771470e059a9047a5199dd2800d5a031746cab7273e38fb85c91", + "search_line": 11 }, { "queryName": "Elasticsearch with HTTPS disabled", "severity": "MEDIUM", "line": 10, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "community.aws.opensearch", + "resourceName": "Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters", + "searchKey": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options", + "searchValue": "", + "expectedValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https should be defined and set to 'true'", + "actualValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https is not set", + "issueType": 
"MissingAttribute", + "similarityID": "39df102fc1373d1280734fef2d42ef4ca2bbd6286bb1d74d3594a1e8f9cdf12e", + "search_line": 10 }, { "queryName": "Elasticsearch with HTTPS disabled", "severity": "MEDIUM", "line": 2, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "community.aws.opensearch", + "resourceName": "Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters", + "searchKey": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}", + "searchValue": "", + "expectedValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https should be defined and set to 'true'", + "actualValue": "name={{Create OpenSearch domain for dev environment, no zone awareness, no dedicated masters}}.{{community.aws.opensearch}}.domain_endpoint_options.enforce_https is not set", + "issueType": "MissingAttribute", + "similarityID": "c5b63b8e9a876196cf2d6e126767962bc7db99a92f590ec06c6a086d2e070e8e", + "search_line": 2 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/elb_using_insecure_protocols/test/positive_expected_result.json b/assets/queries/ansible/aws/elb_using_insecure_protocols/test/positive_expected_result.json index 0c3e3ad87ae..da87d590937 100644 --- a/assets/queries/ansible/aws/elb_using_insecure_protocols/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/elb_using_insecure_protocols/test/positive_expected_result.json 
@@ -2,31 +2,91 @@
 {
 "queryName": "ELB Using Insecure Protocols",
 "severity": "MEDIUM",
- "line": 3
+ "line": 3,
+ "fileName": "positive.yaml",
+ "resourceType": "community.aws.elb_application_lb",
+ "resourceName": "elb1",
+ "searchKey": "name={{elb1}}.{{community.aws.elb_application_lb}}",
+ "searchValue": "",
+ "expectedValue": "community.aws.elb_application_lb.listeners should be defined",
+ "actualValue": "%!&(string=community.aws.elb_application_lb)s.listeners is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "7d3f5ac0041ba8fe79107e747caea47ce5492741d099e1ff13c4e5884869ba93",
+ "search_line": -1
 },
 {
 "queryName": "ELB Using Insecure Protocols",
 "severity": "MEDIUM",
- "line": 21
+ "line": 21,
+ "fileName": "positive.yaml",
+ "resourceType": "community.aws.elb_application_lb",
+ "resourceName": "elb2",
+ "searchKey": "name={{elb2}}.{{community.aws.elb_application_lb}}.listeners.%!s(int=0)",
+ "searchValue": "",
+ "expectedValue": "community.aws.elb_application_lb.listeners.SslPolicy should be defined",
+ "actualValue": "community.aws.elb_application_lb.listeners.SslPolicy is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "35bb360056c6043bbcbb5e85823c0e3a95a55b8d622b4e7651c9ac67a1dae890",
+ "search_line": -1
 },
 {
 "queryName": "ELB Using Insecure Protocols",
 "severity": "MEDIUM",
- "line": 40
+ "line": 40,
+ "fileName": "positive.yaml",
+ "resourceType": "community.aws.elb_application_lb",
+ "resourceName": "elb3",
+ "searchKey": "name={{elb3}}.{{community.aws.elb_application_lb}}.listeners.%!s(int=0)",
+ "searchValue": "",
+ "expectedValue": "community.aws.elb_application_lb.listeners.SslPolicy is a secure protocol",
+ "actualValue": "community.aws.elb_application_lb.listeners.SslPolicy is an insecure protocol",
+ "issueType": "IncorrectValue",
+ "similarityID": "8d339f02098fc51a0765ce33b2c9d3d14a3edee5663ebed9fbd590471097c068",
+ "search_line": -1
 },
 {
 "queryName": "ELB Using Insecure Protocols",
 "severity": "MEDIUM",
- "line": 52
+ "line": 52,
+ "fileName": "positive.yaml",
+ "resourceType": "community.aws.elb_network_lb",
+ "resourceName": "elb4",
+ "searchKey": "name={{elb4}}.{{community.aws.elb_network_lb}}",
+ "searchValue": "",
+ "expectedValue": "community.aws.elb_network_lb.listeners should be defined",
+ "actualValue": "%!&(string=community.aws.elb_network_lb)s.listeners is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "df22c2fb9d55cec458a0fa896087696099272c4b0cb42c4fffe454d31cec2607",
+ "search_line": -1
 },
 {
 "queryName": "ELB Using Insecure Protocols",
 "severity": "MEDIUM",
- "line": 70
+ "line": 70,
+ "fileName": "positive.yaml",
+ "resourceType": "community.aws.elb_network_lb",
+ "resourceName": "elb5",
+ "searchKey": "name={{elb5}}.{{community.aws.elb_network_lb}}.listeners.%!s(int=0)",
+ "searchValue": "",
+ "expectedValue": "community.aws.elb_network_lb.listeners.SslPolicy should be defined",
+ "actualValue": "community.aws.elb_network_lb.listeners.SslPolicy is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "06389fe44c2acf4292888d3b405263872c273c861ff552dfe5dd0a4ecb43b3b7",
+ "search_line": -1
 },
 {
 "queryName": "ELB Using Insecure Protocols",
 "severity": "MEDIUM",
- "line": 89
+ "line": 89,
+ "fileName": "positive.yaml",
+ "resourceType": "community.aws.elb_network_lb",
+ "resourceName": "elb6",
+ "searchKey": "name={{elb6}}.{{community.aws.elb_network_lb}}.listeners.%!s(int=0)",
+ "searchValue": "",
+ "expectedValue": "community.aws.elb_network_lb.listeners.SslPolicy is a secure protocol",
+ "actualValue": "community.aws.elb_network_lb.listeners.SslPolicy is an insecure protocol",
+ "issueType": "IncorrectValue",
+ "similarityID": "30896c7bb8e7950d3f1f76b6cfbe733c0f32d2004ee21ee78ad37c792c26d1fb",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/aws/elb_using_weak_ciphers/test/positive_expected_result.json b/assets/queries/ansible/aws/elb_using_weak_ciphers/test/positive_expected_result.json index deda62d1c26..10bab3adf78 100644 --- a/assets/queries/ansible/aws/elb_using_weak_ciphers/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/elb_using_weak_ciphers/test/positive_expected_result.json 
@@ -1,32 +1,92 @@ [ - { - "queryName": "ELB Using Weak Ciphers", - "severity": "HIGH", - "line": 3 - }, - { - "queryName": "ELB Using Weak Ciphers", - "severity": "HIGH", - "line": 21 - }, - { - "queryName": "ELB Using Weak Ciphers", - "severity": "HIGH", - "line": 40 - }, - { - "queryName": "ELB Using Weak Ciphers", - "severity": "HIGH", - "line": 52 - }, - { - "queryName": "ELB Using Weak Ciphers", - "severity": "HIGH", - "line": 70 - }, - { - "queryName": "ELB Using Weak Ciphers", - "severity": "HIGH", - "line": 89 - } + { + "queryName": "ELB Using Weak Ciphers", + "severity": "HIGH", + "line": 3, + "fileName": "positive.yaml", + "resourceType": "community.aws.elb_application_lb", + "resourceName": "elb1", + "searchKey": "name={{elb1}}.{{community.aws.elb_application_lb}}", + "searchValue": "", + "expectedValue": "community.aws.elb_application_lb.listeners should be defined", + "actualValue": "%!&(string=community.aws.elb_application_lb)s.listeners is undefined", + "issueType": "MissingAttribute", + "similarityID": "552e6d3c914d939949dfe56260985debc6e9723991890cf71f7fa41a2ecc0fdd", + "search_line": -1 + }, + { + "queryName": "ELB Using Weak Ciphers", + "severity": "HIGH", + "line": 21, + "fileName": "positive.yaml", + "resourceType": "community.aws.elb_application_lb", + "resourceName": "elb2", + "searchKey": "name={{elb2}}.{{community.aws.elb_application_lb}}.listeners.%!s(int=0)", + "searchValue": "", + "expectedValue": "community.aws.elb_application_lb.listeners.SslPolicy should be defined", + "actualValue": "community.aws.elb_application_lb.listeners.SslPolicy is undefined", + "issueType": "MissingAttribute", + "similarityID": "9cacf78be7f5ff6c6285160bb4cc42ea10900bfeca305086a7b5a8e0390cebae", + "search_line": -1 + }, + { + "queryName": "ELB Using Weak Ciphers", + "severity": "HIGH", + "line": 40, + "fileName": "positive.yaml", + "resourceType": "community.aws.elb_application_lb", + "resourceName": "elb3", + "searchKey": 
"name={{elb3}}.{{community.aws.elb_application_lb}}.listeners.%!s(int=0)", + "searchValue": "", + "expectedValue": "community.aws.elb_application_lb.listeners.SslPolicy should not be a weak cipher", + "actualValue": "community.aws.elb_application_lb.listeners.SslPolicy is a weak cipher", + "issueType": "IncorrectValue", + "similarityID": "2fde74f5ff60584e73ee11075d7741147f07b44f500e005d2cecae16d84f1c01", + "search_line": -1 + }, + { + "queryName": "ELB Using Weak Ciphers", + "severity": "HIGH", + "line": 52, + "fileName": "positive.yaml", + "resourceType": "community.aws.elb_network_lb", + "resourceName": "elb4", + "searchKey": "name={{elb4}}.{{community.aws.elb_network_lb}}", + "searchValue": "", + "expectedValue": "community.aws.elb_network_lb.listeners should be defined", + "actualValue": "%!&(string=community.aws.elb_network_lb)s.listeners is undefined", + "issueType": "MissingAttribute", + "similarityID": "23c333cfcf61c63568243d972a0022008edabef6b10bc93f046fd5f710705e02", + "search_line": -1 + }, + { + "queryName": "ELB Using Weak Ciphers", + "severity": "HIGH", + "line": 70, + "fileName": "positive.yaml", + "resourceType": "community.aws.elb_network_lb", + "resourceName": "elb5", + "searchKey": "name={{elb5}}.{{community.aws.elb_network_lb}}.listeners.%!s(int=0)", + "searchValue": "", + "expectedValue": "community.aws.elb_network_lb.listeners.SslPolicy should be defined", + "actualValue": "community.aws.elb_network_lb.listeners.SslPolicy is undefined", + "issueType": "MissingAttribute", + "similarityID": "b07a22b23b58987d3c1ade08cccbc5eaa4c93f07a8bdf5cca46ff4afcc3ebfef", + "search_line": -1 + }, + { + "queryName": "ELB Using Weak Ciphers", + "severity": "HIGH", + "line": 89, + "fileName": "positive.yaml", + "resourceType": "community.aws.elb_network_lb", + "resourceName": "elb6", + "searchKey": "name={{elb6}}.{{community.aws.elb_network_lb}}.listeners.%!s(int=0)", + "searchValue": "", + "expectedValue": "community.aws.elb_network_lb.listeners.SslPolicy should 
not be a weak cipher", + "actualValue": "community.aws.elb_network_lb.listeners.SslPolicy is a weak cipher", + "issueType": "IncorrectValue", + "similarityID": "3837d7de62cefc08c054d3e12a9a8c3c378e30610abb53d373e6d6f614711922", + "search_line": -1 + } ] diff --git a/assets/queries/ansible/aws/hardcoded_aws_access_key/test/positive_expected_result.json b/assets/queries/ansible/aws/hardcoded_aws_access_key/test/positive_expected_result.json index af7fa0f090a..1786f0f2da6 100644 --- a/assets/queries/ansible/aws/hardcoded_aws_access_key/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/hardcoded_aws_access_key/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Hardcoded AWS Access Key", "severity": "HIGH", - "line": 7 + "line": 7, + "fileName": "positive.yaml", + "resourceType": "community.aws.ec2_instance", + "resourceName": "start an instance with a cpu_options", + "searchKey": "name={{start an instance with a cpu_options}}.{{community.aws.ec2_instance}}.user_data", + "searchValue": "", + "expectedValue": "'ec2_instance.user_data' shouldn't contain access key", + "actualValue": "'ec2_instance.user_data' contains access key", + "issueType": "IncorrectValue", + "similarityID": "68fd88450271f236a08a034f78a9f91245dc2215dac49e29a907ca53257e22f5", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json b/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json index e0069607293..38cf30c6653 100644 --- a/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json 
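Review bot: The `actualValue` strings `%!&(string=community.aws.elb_application_lb)s.listeners is undefined` and the `searchKey` suffix `listeners.%!s(int=0)` in this hunk are Go fmt error markers, not intended output — `%!&(...)` means the format string contains the unknown verb `%&s`, and `%!s(int=0)` means `%s` was applied to an integer index. Pinning them in `positive_expected_result.json` freezes the query's message bug into the test suite, and since `search_line` is `-1` a malformed `searchKey` is also what KICS has to resolve the reported line (and, presumably, the `similarityID`) from. The sprintf calls live in the query's `.rego`, which is not in this diff, but the expected fix there is along the lines of `sprintf("%s.listeners", [resourceType])` and `sprintf("...listeners.%d", [i])`, then regenerating this fixture rather than hand-editing it. The same markers appear in the `elb_using_insecure_protocols` fixture above; both should be regenerated together.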
@@ -2,11 +2,31 @@ { "queryName": "Hardcoded AWS Access Key In Lambda", "severity": "HIGH", - "line": 3 + "line": 3, + "fileName": "positive.yaml", + "resourceType": "community.aws.lambda", + "resourceName": "looped creation", + "searchKey": "name={{looped creation}}.{{community.aws.lambda}}.aws_access_key", + "searchValue": "", + "expectedValue": "lambda.aws_access_key should not be in plaintext", + "actualValue": "lambda.aws_access_key is in plaintext", + "issueType": "IncorrectValue", + "similarityID": "fb3b72c817fa7e138f90e0838991d05f7aaedfe381bb71d3a740e988e49bf61e", + "search_line": -1 }, { "queryName": "Hardcoded AWS Access Key In Lambda", "severity": "HIGH", - "line": 32 + "line": 32, + "fileName": "positive.yaml", + "resourceType": "community.aws.lambda", + "resourceName": "remove tags", + "searchKey": "name={{remove tags}}.{{community.aws.lambda}}.aws_access_key", + "searchValue": "", + "expectedValue": "lambda.aws_access_key should not be in plaintext", + "actualValue": "lambda.aws_access_key is in plaintext", + "issueType": "IncorrectValue", + "similarityID": "927a54ad65372e8b6502fa7a473b539df675d10c5fecff90e194d33f19536893", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/http_port_open_to_internet/test/positive_expected_result.json b/assets/queries/ansible/aws/http_port_open_to_internet/test/positive_expected_result.json index 094f0bad534..aeac81ab8e1 100644 --- a/assets/queries/ansible/aws/http_port_open_to_internet/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/http_port_open_to_internet/test/positive_expected_result.json 
@@ -2,36 +2,106 @@ { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 9 + "line": 9, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group1", + "searchKey": "name={{example ec2 group1}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the http port (80)", + "actualValue": "ec2_group.rules[0] opens the http port (80)", + "issueType": "IncorrectValue", + "similarityID": "c1d04758b255ff1c22c8ac1be3012a27aec8edca74faf5292852dca12ac7a38b", + "search_line": -1 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 23 + "line": 23, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group2", + "searchKey": "name={{example ec2 group2}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the http port (80)", + "actualValue": "ec2_group.rules[0] opens the http port (80)", + "issueType": "IncorrectValue", + "similarityID": "5e2db8db2753f15223e4b6197e9c96f77fb9b757d514dc30007c6c4e1ec0cda1", + "search_line": -1 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 36 + "line": 36, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group3", + "searchKey": "name={{example ec2 group3}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the http port (80)", + "actualValue": "ec2_group.rules[0] opens the http port (80)", + "issueType": "IncorrectValue", + "similarityID": "a8d8d71a4fd12cc8d647dd886974fac1b8da977297979052c862ffe58a24ed49", + "search_line": -1 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 49 + "line": 49, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group4", + "searchKey": 
"name={{example ec2 group4}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the http port (80)", + "actualValue": "ec2_group.rules[0] opens the http port (80)", + "issueType": "IncorrectValue", + "similarityID": "f1598f6ad761c03e0f8ebe0ebafe50aed2d0efb95b9de6d338b1e6c79586aa70", + "search_line": -1 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 64 + "line": 64, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group5", + "searchKey": "name={{example ec2 group5}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the http port (80)", + "actualValue": "ec2_group.rules[0] opens the http port (80)", + "issueType": "IncorrectValue", + "similarityID": "e0453e5e2cff68f234cd4e0830c8ee286bbb9bd8f40b7a691ffe2303ba27985c", + "search_line": -1 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 79 + "line": 79, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group6", + "searchKey": "name={{example ec2 group6}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the http port (80)", + "actualValue": "ec2_group.rules[0] opens the http port (80)", + "issueType": "IncorrectValue", + "similarityID": "f269ba096f8c0a1339df543f47114314094999c4b203495901ee22869ad6ac4e", + "search_line": -1 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", - "line": 93 + "line": 93, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group7", + "searchKey": "name={{example ec2 group7}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the http port (80)", + "actualValue": "ec2_group.rules[0] opens the http port (80)", + "issueType": 
"IncorrectValue", + "similarityID": "a7be7cd8914ded73cf6c2e869f55095b405a58913e5270fab04b4d1f8f90dd35", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/iam_access_key_is_exposed/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_access_key_is_exposed/test/positive_expected_result.json index 0935349027b..794b9a56926 100644 --- a/assets/queries/ansible/aws/iam_access_key_is_exposed/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/iam_access_key_is_exposed/test/positive_expected_result.json 
@@ -1,17 +1,47 @@ [ - { - "queryName": "IAM Access Key Is Exposed", - "severity": "MEDIUM", - "line": 7 - }, - { - "queryName": "IAM Access Key Is Exposed", - "severity": "MEDIUM", - "line": 26 - }, - { - "queryName": "IAM Access Key Is Exposed", - "severity": "MEDIUM", - "line": 36 - } + { + "queryName": "IAM Access Key Is Exposed", + "severity": "MEDIUM", + "line": 7, + "fileName": "positive.yaml", + "resourceType": "community.aws.iam", + "resourceName": "Create two new IAM users with API keys", + "searchKey": "name={{Create two new IAM users with API keys}}.{{community.aws.iam}}.access_key_state", + "searchValue": "", + "expectedValue": "iam.name should be 'root' for an active access key", + "actualValue": "iam.name is '{{ item }}' for an active access key", + "issueType": "IncorrectValue", + "similarityID": "b597bc9d5c10503d787e68b78e43a2a4fb78361f25be389f5da765baeb7786c6", + "search_line": -1 + }, + { + "queryName": "IAM Access Key Is Exposed", + "severity": "MEDIUM", + "line": 26, + "fileName": "positive.yaml", + "resourceType": "community.aws.iam", + "resourceName": "Create Two Groups, Mario and Luigi", + "searchKey": "name={{Create Two Groups, Mario and Luigi}}.{{community.aws.iam}}.access_key_state", + "searchValue": "", + "expectedValue": "iam.name should be 'root' for an active access key", + "actualValue": "iam.name is '{{ item }}' for an active access key", + "issueType": "IncorrectValue", + "similarityID": "22702f72322eb16654c96461e3d02094233b86699081c60ddb5d96e9c6092f46", + "search_line": -1 + }, + { + "queryName": "IAM Access Key Is Exposed", + "severity": "MEDIUM", + "line": 36, + "fileName": "positive.yaml", + "resourceType": "community.aws.iam", + "resourceName": "Update user", + "searchKey": "name={{Update user}}.{{community.aws.iam}}.access_key_state", + "searchValue": "", + "expectedValue": "iam.name should be 'root' for an active access key", + "actualValue": "iam.name is 'jdavila' for an active access key", + "issueType": "IncorrectValue", + 
"similarityID": "908ac85a4deb5e3852efd1ed8dc02a9d5d2e4daf94409c60337cb5409af1b756", + "search_line": -1 + } ] diff --git a/assets/queries/ansible/aws/iam_database_auth_not_enabled/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_database_auth_not_enabled/test/positive_expected_result.json index 3e10b8cd6a2..47a4fe1df5e 100644 --- a/assets/queries/ansible/aws/iam_database_auth_not_enabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/iam_database_auth_not_enabled/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "IAM Database Auth Not Enabled", "severity": "MEDIUM", - "line": 9 + "line": 9, + "fileName": "positive.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "create minimal aurora instance in default VPC and default subnet group", + "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group}}.{{community.aws.rds_instance}}.enable_iam_database_authentication", + "searchValue": "", + "expectedValue": "rds_instance.enable_iam_database_authentication should be enabled", + "actualValue": "rds_instance.enable_iam_database_authentication is disabled", + "issueType": "IncorrectValue", + "similarityID": "cab4310cf75d611f35ad438a5169befd12111a0ef1b5c13d9010ce359a16f324", + "search_line": -1 }, { "queryName": "IAM Database Auth Not Enabled", "severity": "MEDIUM", - "line": 22 + "line": 22, + "fileName": "positive.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "Create a DB instance using the default AWS KMS encryption key", + "searchKey": "name={{Create a DB instance using the default AWS KMS encryption key}}.{{community.aws.rds_instance}}.enable_iam_database_authentication", + "searchValue": "", + "expectedValue": "rds_instance.enable_iam_database_authentication should be enabled", + "actualValue": "rds_instance.enable_iam_database_authentication is disabled", + "issueType": "IncorrectValue", + "similarityID": "66f5eb1942ececf787127d172aeeaac23f7e5b21e8c1d31d2c5b1ad9355a6d88", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/iam_group_without_users/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_group_without_users/test/positive_expected_result.json index 476d69ce3c0..21bdd555763 100644 --- a/assets/queries/ansible/aws/iam_group_without_users/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/iam_group_without_users/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "IAM Group Without Users", "severity": "MEDIUM", "line": 2, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "iam_group", + "resourceName": "Group1", + "searchKey": "name={{Group1}}.{{iam_group}}", + "searchValue": "", + "expectedValue": "iam_group.users should be defined and not null", + "actualValue": "iam_group.users is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "728da82af31e061560eca75b356fbfc127e565fed7ef4aa2f83b869c6077dbc2", + "search_line": -1 }, { "queryName": "IAM Group Without Users", "severity": "MEDIUM", "line": 2, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "iam_group", + "resourceName": "Group2", + "searchKey": "name={{Group2}}.{{iam_group}}", + "searchValue": "", + "expectedValue": "iam_group.users should be defined and not null", + "actualValue": "iam_group.users is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "50f515d066b99d486a1875a63d2e7663071b382489007737d0f157606721c11f", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/iam_password_without_minimum_length/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_password_without_minimum_length/test/positive_expected_result.json index 11e6af830a7..5e31619cab1 100644 --- a/assets/queries/ansible/aws/iam_password_without_minimum_length/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/iam_password_without_minimum_length/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "IAM Password Without Minimum Length", "severity": "LOW", - "line": 2 + "line": 2, + "fileName": "positive.yaml", + "resourceType": "community.aws.iam_password_policy", + "resourceName": "Password policy for AWS account", + "searchKey": "name={{Password policy for AWS account}}.{{community.aws.iam_password_policy}}", + "searchValue": "", + "expectedValue": "iam_password_policy.min_pw_length/minimum_password_length should be set and no less than 8", + "actualValue": "iam_password_policy.min_pw_length/minimum_password_length is undefined", + "issueType": "MissingAttribute", + "similarityID": "50c2d908458dff7e5f2d5e805d3710edfc4afa78a39c21bd4af846b03b2ca067", + "search_line": -1 }, { "queryName": "IAM Password Without Minimum Length", "severity": "LOW", - "line": 16 + "line": 16, + "fileName": "positive.yaml", + "resourceType": "community.aws.iam_password_policy", + "resourceName": "aws_iam_account_password_policy", + "searchKey": "name={{aws_iam_account_password_policy}}.{{community.aws.iam_password_policy}}.{{min_pw_length}}", + "searchValue": "", + "expectedValue": "iam_password_policy.min_pw_length should be set and no less than 8", + "actualValue": "iam_password_policy.min_pw_length is less than 8", + "issueType": "IncorrectValue", + "similarityID": "7d0fe8f205476937ce64a73e0e8209d1fdf643c28e81eb2e70feb1a6ae6dadd5", + "search_line": -1 }, { "queryName": "IAM Password Without Minimum Length", "severity": "LOW", - "line": 27 + "line": 27, + "fileName": "positive.yaml", + "resourceType": "community.aws.iam_password_policy", + "resourceName": "aws_iam_account_password_policy_2", + "searchKey": "name={{aws_iam_account_password_policy_2}}.{{community.aws.iam_password_policy}}.{{min_pw_length}}", + "searchValue": "", + "expectedValue": "iam_password_policy.minimum_password_length should be set and no less than 8", + "actualValue": "iam_password_policy.minimum_password_length is less than 8", + "issueType": "IncorrectValue", + 
"similarityID": "138f2b20040e7a4c877616e57adc9ec5e9ec45e56436b40ef3566c109d4af406", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/iam_policies_attached_to_user/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_policies_attached_to_user/test/positive_expected_result.json index 3eb0b178029..b82d5c674d8 100644 --- a/assets/queries/ansible/aws/iam_policies_attached_to_user/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/iam_policies_attached_to_user/test/positive_expected_result.json @@ -1,7 +1,17 @@ [ - { - "queryName": "IAM Policies Attached To User", - "severity": "MEDIUM", - "line": 3 - } + { + "queryName": "IAM Policies Attached To User", + "severity": "MEDIUM", + "line": 3, + "fileName": "positive.yaml", + "resourceType": "community.aws.iam_policy", + "resourceName": "Assign a policy called Admin to user", + "searchKey": "name={{Assign a policy called Admin to user}}.{{community.aws.iam_policy}}.iam_type", + "searchValue": "", + "expectedValue": "iam_policy.iam_type should be configured with group or role", + "actualValue": "iam_policy.iam_type is configured with user", + "issueType": "IncorrectValue", + "similarityID": "60f3e48b15650cc25c97711539111452662beca790d3c200a33208abf2ea6039", + "search_line": -1 + } ] diff --git a/assets/queries/ansible/aws/iam_policies_with_full_privileges/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_policies_with_full_privileges/test/positive_expected_result.json index c8eb04cd6f1..b8bc247bc02 100644 --- a/assets/queries/ansible/aws/iam_policies_with_full_privileges/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/iam_policies_with_full_privileges/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 4, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "community.aws.iam_managed_policy", + "resourceName": "Create IAM Managed Policy", + "searchKey": "name={{Create IAM Managed Policy}}.{{community.aws.iam_managed_policy}}.policy", + "searchValue": "", + "expectedValue": "iam_managed_policy.policy.Statement.Action should not contain '*'", + "actualValue": "iam_managed_policy.policy.Statement.Action contains '*'", + "issueType": "MissingAttribute", + "similarityID": "f8ade327fc8d4ea20b2219ea0f9fba0e7d94bf8fce1d6feb76aed1e3addbcc87", + "search_line": 4 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json index 4caf867fb9d..08e60cd2ab5 100644 --- a/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json 
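Review bot: This entry pins `"issueType": "MissingAttribute"` for a finding whose `actualValue` is `iam_managed_policy.policy.Statement.Action contains '*'` — the attribute is present with a bad value, which is an `IncorrectValue` finding, and the sibling `iam_policy_grants_assumerole_permission_across_all_services` and `iam_policy_grants_full_permissions` fixtures in this same change use `IncorrectValue` for the identical shape. Because the fixture is generated, the fix belongs in the query's result object (`"issueType": "IncorrectValue"`), followed by a regeneration of this file; otherwise the inconsistency is now guarded by a test.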
@@ -3,6 +3,15 @@ "queryName": "IAM Policy Grants 'AssumeRole' Permission Across All Services", "severity": "MEDIUM", "line": 4, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "community.aws.iam_managed_policy", + "resourceName": "Create IAM Managed Policy", + "searchKey": "name={{Create IAM Managed Policy}}.{{community.aws.iam_managed_policy}}.policy", + "searchValue": "", + "expectedValue": "iam_managed_policy.policy.Statement.Principal.AWS should not contain '*'", + "actualValue": "iam_managed_policy.policy.Statement.Principal.AWS contains '*'", + "issueType": "IncorrectValue", + "similarityID": "49c802666b586a073e0fc8816f7fec5d76a13835be48858ef57494986428d2df", + "search_line": 4 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json index 6b957568732..4f5fb78d7b0 100644 --- a/assets/queries/ansible/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "IAM Policy Grants Full Permissions", "severity": "HIGH", "line": 4, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "community.aws.iam_managed_policy", + "resourceName": "Create IAM Managed Policy", + "searchKey": "name={{Create IAM Managed Policy}}.{{community.aws.iam_managed_policy}}.policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Resource' and 'policy.Statement.Action' should no be equal to '*'", + "actualValue": "'policy.Statement.Resource' and 'policy.Statement.Action' are equal to '*'", + "issueType": "IncorrectValue", + "similarityID": "ab60ac9b03d8fa441f2f39ff385ecead11b5607f957a3d9a3caf7024fa4c7491", + "search_line": 4 } ] 
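Review bot: The `iam_policy_grants_full_permissions` entry pins the typo `'policy.Statement.Resource' and 'policy.Statement.Action' should no be equal to '*'` as the expected message. It should read `should not be equal to '*'`; since this file is generated, change the string in the query's `.rego` (not visible here) and regenerate rather than editing the JSON by hand, or the corrected message will fail the test.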
diff --git a/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json b/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json index 770a1a9129e..3479444f0c4 100644 --- a/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "IAM Role Allows All Principals To Assume", "severity": "MEDIUM", "line": 4, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "community.aws.iam_managed_policy", + "resourceName": "Create IAM Managed Policy", + "searchKey": "name={{Create IAM Managed Policy}}.{{community.aws.iam_managed_policy}}.policy", + "searchValue": "", + "expectedValue": "iam_managed_policy.policy.Statement.Principal.AWS should not contain ':root", + "actualValue": "iam_managed_policy.policy.Statement.Principal.AWS contains ':root'", + "issueType": "IncorrectValue", + "similarityID": "f946a6d47c2de72e57acc1ebf25fbdd0e2bc51e6edd1e8bccbd9a0a94a989a11", + "search_line": 4 }, { "queryName": "IAM Role Allows All Principals To Assume", "severity": "MEDIUM", "line": 17, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "community.aws.iam_managed_policy", + "resourceName": "Create2 IAM Managed Policy", + "searchKey": "name={{Create2 IAM Managed Policy}}.{{community.aws.iam_managed_policy}}.policy", + "searchValue": "", + "expectedValue": "iam_managed_policy.policy.Statement.Principal.AWS should not contain ':root", + "actualValue": "iam_managed_policy.policy.Statement.Principal.AWS contains ':root'", + "issueType": "IncorrectValue", + "similarityID": "381c805c7f0d58b86ca4c03283ac7b0fed643c176dde2da66fb7f2b042405d1e", + "search_line": 17 } -] \ No newline at end of file +] 
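Review bot: Both entries pin an `expectedValue` with an unbalanced quote, `...Principal.AWS should not contain ':root`, while the matching `actualValue` is correctly `...contains ':root'`. The message should be `iam_managed_policy.policy.Statement.Principal.AWS should not contain ':root'`; as with the other fixtures in this change, the fix goes in the query's result string and the file is regenerated, otherwise the malformed text is locked in by the test.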
diff --git a/assets/queries/ansible/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json b/assets/queries/ansible/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json index f43bdfb60d9..4af7b645fa5 100644 --- a/assets/queries/ansible/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json 
@@ -1,122 +1,302 @@ [ - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 10, - "fileName": "positive1.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 20, - "fileName": "positive1.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 32, - "fileName": "positive1.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 42, - "fileName": "positive1.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 2, - "fileName": "positive2.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 11, - "fileName": "positive2.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 20, - "fileName": "positive2.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 29, - "fileName": "positive2.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 11, - "fileName": "positive3.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 23, - "fileName": "positive3.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 35, - "fileName": "positive3.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 47, - "fileName": "positive3.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 9, - "fileName": "positive4.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 20, - "fileName": "positive4.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 31, - "fileName": "positive4.yaml" - }, - { - 
"queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 42, - "fileName": "positive4.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 9, - "fileName": "positive5.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 20, - "fileName": "positive5.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 31, - "fileName": "positive5.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 42, - "fileName": "positive5.yaml" - } + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 10, + "fileName": "positive1.yaml", + "resourceType": "amazon.aws.ec2_instance", + "resourceName": "start an instance with metadata options", + "searchKey": "name={{start an instance with metadata options}}.{{amazon.aws.ec2_instance}}.metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue", + "similarityID": "a170bce6c4b48e81aa2713bac54f987a56f76b57f0ca157fbedd89a5c2c96d68", + "search_line": 10 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 20, + "fileName": "positive1.yaml", + "resourceType": "community.aws.autoscaling_launch_config", + "resourceName": "create launch configuration with metadata options", + "searchKey": "name={{create launch configuration with metadata options}}.{{community.aws.autoscaling_launch_config}}.metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": 
"'community.aws.autoscaling_launch_config.metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue", + "similarityID": "4884a5b998fee8bd0e3543aa65636b40d2a14863992c13bf24ab3f748e58e28f", + "search_line": 20 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 32, + "fileName": "positive1.yaml", + "resourceType": "community.aws.ec2_instance", + "resourceName": "start an instance with legacy naming and metadata options", + "searchKey": "name={{start an instance with legacy naming and metadata options}}.{{community.aws.ec2_instance}}.metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'community.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.ec2_instance.metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue", + "similarityID": "d778bc85bba6862a37e3848134ca543116de4a5ea4555f042a9bf493420a4148", + "search_line": 32 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 42, + "fileName": "positive1.yaml", + "resourceType": "community.aws.ec2_lc", + "resourceName": "create launch configuration with legacy naming and metadata options", + "searchKey": "name={{create launch configuration with legacy naming and metadata options}}.{{community.aws.ec2_lc}}.metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'community.aws.ec2_lc.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.ec2_lc.metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue", + "similarityID": "bcb6fb61ccfab58d6be005cf53514607fd566ee70e3fd0dbdf305a57606f81b5", + "search_line": 42 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 2, + "fileName": "positive2.yaml", + "resourceType": "amazon.aws.ec2_instance", + "resourceName": 
"start an instance", + "searchKey": "name={{start an instance}}.{{amazon.aws.ec2_instance}}", + "searchValue": "", + "expectedValue": "'amazon.aws.ec2_instance.metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'amazon.aws.ec2_instance.metadata_options' is not defined", + "issueType": "MissingAttribute", + "similarityID": "f8c7eaa2a36dd417e286186d49fc197111e5d0417d96d0c6ab8c384c47521e36", + "search_line": 2 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 11, + "fileName": "positive2.yaml", + "resourceType": "community.aws.autoscaling_launch_config", + "resourceName": "create launch configuration", + "searchKey": "name={{create launch configuration}}.{{community.aws.autoscaling_launch_config}}", + "searchValue": "", + "expectedValue": "'community.aws.autoscaling_launch_config.metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'community.aws.autoscaling_launch_config.metadata_options' is not defined", + "issueType": "MissingAttribute", + "similarityID": "d62498ec031580160e8e6fc4b17b6590baa94682339c431affbd9089e165c26b", + "search_line": 11 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 20, + "fileName": "positive2.yaml", + "resourceType": "community.aws.ec2_instance", + "resourceName": "start an instance with legacy naming", + "searchKey": "name={{start an instance with legacy naming}}.{{community.aws.ec2_instance}}", + "searchValue": "", + "expectedValue": "'community.aws.ec2_instance.metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'community.aws.ec2_instance.metadata_options' is not defined", + "issueType": "MissingAttribute", + "similarityID": "91b59b33d668ec5a98fce9b98922cf182c4cd2ee2e2781c09a1d9cbaba4dec00", + "search_line": 20 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 
29, + "fileName": "positive2.yaml", + "resourceType": "community.aws.ec2_lc", + "resourceName": "create launch configuration with legacy naming", + "searchKey": "name={{create launch configuration with legacy naming}}.{{community.aws.ec2_lc}}", + "searchValue": "", + "expectedValue": "'community.aws.ec2_lc.metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'community.aws.ec2_lc.metadata_options' is not defined", + "issueType": "MissingAttribute", + "similarityID": "173b5844d901e6036999f7ebfe1c6c549b7cd0e1ac064440b19b253816696cde", + "search_line": 29 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 11, + "fileName": "positive3.yaml", + "resourceType": "amazon.aws.ec2_instance", + "resourceName": "start an instance with metadata options", + "searchKey": "name={{start an instance with metadata options}}.{{amazon.aws.ec2_instance}}.metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue", + "similarityID": "b2ef164c7190e30c55d54cf36e74bba2143dc48cbac11b818f3f04a5824aaef8", + "search_line": 11 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 23, + "fileName": "positive3.yaml", + "resourceType": "community.aws.autoscaling_launch_config", + "resourceName": "create launch configuration with metadata options", + "searchKey": "name={{create launch configuration with metadata options}}.{{community.aws.autoscaling_launch_config}}.metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' is not 
defined to 'required'", + "issueType": "IncorrectValue", + "similarityID": "79fe0a7e96df48a6599165198874134cf365f83a00fcd418260d427cf55c74ec", + "search_line": 23 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 35, + "fileName": "positive3.yaml", + "resourceType": "community.aws.ec2_instance", + "resourceName": "start an instance with legacy naming and metadata options", + "searchKey": "name={{start an instance with legacy naming and metadata options}}.{{community.aws.ec2_instance}}.metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'community.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.ec2_instance.metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue", + "similarityID": "4bb15c45325bde2bb8bee6fefb9a61a93ec81ae4b3fd7f5479fa8b22ab1b0d67", + "search_line": 35 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 47, + "fileName": "positive3.yaml", + "resourceType": "community.aws.ec2_lc", + "resourceName": "create launch configuration with legacy naming and metadata options", + "searchKey": "name={{create launch configuration with legacy naming and metadata options}}.{{community.aws.ec2_lc}}.metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'community.aws.ec2_lc.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.ec2_lc.metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue", + "similarityID": "769acbb049fd6965e08ff1665a202db3c949312071a2981bf5cdc7aa35a73c63", + "search_line": 47 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 9, + "fileName": "positive4.yaml", + "resourceType": "amazon.aws.ec2_instance", + "resourceName": "start an instance with metadata options", + "searchKey": "name={{start an 
instance with metadata options}}.{{amazon.aws.ec2_instance}}.metadata_options", + "searchValue": "", + "expectedValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute", + "similarityID": "92b1ae1c757a0534938646cfb2d8187d6919500de88b0923507b0790d8ae3a5e", + "search_line": 9 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 20, + "fileName": "positive4.yaml", + "resourceType": "community.aws.autoscaling_launch_config", + "resourceName": "create launch configuration with metadata options", + "searchKey": "name={{create launch configuration with metadata options}}.{{community.aws.autoscaling_launch_config}}.metadata_options", + "searchValue": "", + "expectedValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute", + "similarityID": "caa4b0917deb00b3728689979092b89a8679132d0daec3bca039e38466352571", + "search_line": 20 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 31, + "fileName": "positive4.yaml", + "resourceType": "community.aws.ec2_instance", + "resourceName": "start an instance with legacy naming and metadata options", + "searchKey": "name={{start an instance with legacy naming and metadata options}}.{{community.aws.ec2_instance}}.metadata_options", + "searchValue": "", + "expectedValue": "'community.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.ec2_instance.metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute", + "similarityID": "7652ebe5591c138dd5db14d900a78bb329e99baf2db978a127ba612ec05f2084", + "search_line": 31 + }, 
+ { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 42, + "fileName": "positive4.yaml", + "resourceType": "community.aws.ec2_lc", + "resourceName": "create launch configuration with legacy naming and metadata options", + "searchKey": "name={{create launch configuration with legacy naming and metadata options}}.{{community.aws.ec2_lc}}.metadata_options", + "searchValue": "", + "expectedValue": "'community.aws.ec2_lc.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.ec2_lc.metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute", + "similarityID": "0953bad2f690b1c0da9ee2eda241841cd1d4911ef51951830786c3bcd53722c0", + "search_line": 42 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 9, + "fileName": "positive5.yaml", + "resourceType": "amazon.aws.ec2_instance", + "resourceName": "start an instance with metadata options", + "searchKey": "name={{start an instance with metadata options}}.{{amazon.aws.ec2_instance}}.metadata_options", + "searchValue": "", + "expectedValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'amazon.aws.ec2_instance.metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute", + "similarityID": "f5f5a98f31b2f3d368ef9d8afd1848e6c7fe0499f74ae920817be39a1fa0f575", + "search_line": 9 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 20, + "fileName": "positive5.yaml", + "resourceType": "community.aws.autoscaling_launch_config", + "resourceName": "create launch configuration with metadata options", + "searchKey": "name={{create launch configuration with metadata options}}.{{community.aws.autoscaling_launch_config}}.metadata_options", + "searchValue": "", + "expectedValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' should be defined to 
'required'", + "actualValue": "'community.aws.autoscaling_launch_config.metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute", + "similarityID": "872afd2a7b5ec2d1ead00b169f22ea5f6bb23e94b24061c3b27ae3f2e8651a9d", + "search_line": 20 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 31, + "fileName": "positive5.yaml", + "resourceType": "community.aws.ec2_instance", + "resourceName": "start an instance with legacy naming and metadata options", + "searchKey": "name={{start an instance with legacy naming and metadata options}}.{{community.aws.ec2_instance}}.metadata_options", + "searchValue": "", + "expectedValue": "'community.aws.ec2_instance.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.ec2_instance.metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute", + "similarityID": "6115ba73c880310e5b661380700deed2296ab318d49bfda3c8305a76624327c9", + "search_line": 31 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 42, + "fileName": "positive5.yaml", + "resourceType": "community.aws.ec2_lc", + "resourceName": "create launch configuration with legacy naming and metadata options", + "searchKey": "name={{create launch configuration with legacy naming and metadata options}}.{{community.aws.ec2_lc}}.metadata_options", + "searchValue": "", + "expectedValue": "'community.aws.ec2_lc.metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'community.aws.ec2_lc.metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute", + "similarityID": "0a0a7bf509a715cbb5ee04a6932181d79846b7fcda5e052dddc8a8da52d65cf4", + "search_line": 42 + } ] diff --git a/assets/queries/ansible/aws/instance_with_no_vpc/test/positive_expected_result.json b/assets/queries/ansible/aws/instance_with_no_vpc/test/positive_expected_result.json index fa4b4be12f2..ea09e41918f 100644 
--- a/assets/queries/ansible/aws/instance_with_no_vpc/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/instance_with_no_vpc/test/positive_expected_result.json @@ -2,11 +2,31 @@ { "queryName": "Instance With No VPC", "severity": "LOW", - "line": 2 + "line": 2, + "fileName": "positive.yaml", + "resourceType": "community.aws.ec2_instance", + "resourceName": "Start an instance and have it begin a Tower callback on boot", + "searchKey": "name={{Start an instance and have it begin a Tower callback on boot}}.{{community.aws.ec2_instance}}", + "searchValue": "", + "expectedValue": "community.aws.ec2_instance.vpc_subnet_id should be set", + "actualValue": "community.aws.ec2_instance.vpc_subnet_id is undefined", + "issueType": "MissingAttribute", + "similarityID": "09181269297ec750debf419ca4cd6d24e5711e61144f4706ae3bb7aab988f571", + "search_line": -1 }, { "queryName": "Instance With No VPC", "severity": "LOW", - "line": 18 + "line": 18, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2", + "resourceName": "Start an instance and have it begin a Tower callback on boot v2", + "searchKey": "name={{Start an instance and have it begin a Tower callback on boot v2}}.{{amazon.aws.ec2}}", + "searchValue": "", + "expectedValue": "amazon.aws.ec2.vpc_subnet_id should be set", + "actualValue": "amazon.aws.ec2.vpc_subnet_id is undefined", + "issueType": "MissingAttribute", + "similarityID": "d50b42011bd07901e917f41e5dcc501049fba896bb0b79d06269b4c8702dc3ea", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json b/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json index 579cb51f9e7..c19247619b5 100644 --- a/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json 
@@ -2,26 +2,76 @@ { "queryName": "Kinesis Not Encrypted With KMS", "severity": "HIGH", - "line": 2 + "line": 2, + "fileName": "positive.yaml", + "resourceType": "community.aws.kinesis_stream", + "resourceName": "Encrypt Kinesis Stream test-stream.", + "searchKey": "name={{Encrypt Kinesis Stream test-stream.}}.{{community.aws.kinesis_stream}}", + "searchValue": "", + "expectedValue": "kinesis_stream.encryption_state should be set", + "actualValue": "kinesis_stream.encryption_state is undefined", + "issueType": "MissingAttribute", + "similarityID": "26507ec4d832c3e2ba4c79c4dcc9c5a569c5148109b75877a89e74581cbe5c0e", + "search_line": -1 }, { "queryName": "Kinesis Not Encrypted With KMS", "severity": "HIGH", - "line": 16 + "line": 16, + "fileName": "positive.yaml", + "resourceType": "community.aws.kinesis_stream", + "resourceName": "Encrypt Kinesis Stream test-stream. v2", + "searchKey": "name={{Encrypt Kinesis Stream test-stream. v2}}.{{community.aws.kinesis_stream}}.encryption_state", + "searchValue": "", + "expectedValue": "kinesis_stream.encryption_state should be set to enabled", + "actualValue": "kinesis_stream.encryption_state is not set to enabled", + "issueType": "IncorrectValue", + "similarityID": "b4f4811a91bec48ff5732cbdb0927d5100622c2a82950e3836f17d77141c5cc6", + "search_line": -1 }, { "queryName": "Kinesis Not Encrypted With KMS", "severity": "HIGH", - "line": 23 + "line": 23, + "fileName": "positive.yaml", + "resourceType": "community.aws.kinesis_stream", + "resourceName": "Encrypt Kinesis Stream test-stream. v3", + "searchKey": "name={{Encrypt Kinesis Stream test-stream. 
v3}}.{{community.aws.kinesis_stream}}", + "searchValue": "", + "expectedValue": "kinesis_stream.encryption_type should be set", + "actualValue": "kinesis_stream.encryption_type is undefined", + "issueType": "MissingAttribute", + "similarityID": "315bedee687c30a0750eb2ac0483044f32f9bb273cf72037ea0f51e11ca54a3a", + "search_line": -1 }, { "queryName": "Kinesis Not Encrypted With KMS", "severity": "HIGH", - "line": 38 + "line": 38, + "fileName": "positive.yaml", + "resourceType": "community.aws.kinesis_stream", + "resourceName": "Encrypt Kinesis Stream test-stream. v4", + "searchKey": "name={{Encrypt Kinesis Stream test-stream. v4}}.{{community.aws.kinesis_stream}}.encryption_type", + "searchValue": "", + "expectedValue": "kinesis_stream.encryption_type should be set and not NONE", + "actualValue": "kinesis_stream.encryption_type is set but NONE", + "issueType": "IncorrectValue", + "similarityID": "656cbeb166a14291f32fb6f17d7a5fb977583af8fc8871483105e6030d98eb19", + "search_line": -1 }, { "queryName": "Kinesis Not Encrypted With KMS", "severity": "HIGH", - "line": 44 + "line": 44, + "fileName": "positive.yaml", + "resourceType": "community.aws.kinesis_stream", + "resourceName": "Encrypt Kinesis Stream test-stream. v5", + "searchKey": "name={{Encrypt Kinesis Stream test-stream. v5}}.{{community.aws.kinesis_stream}}", + "searchValue": "", + "expectedValue": "kinesis_stream.key_id should be set", + "actualValue": "kinesis_stream.key_id is undefined", + "issueType": "MissingAttribute", + "similarityID": "e73b2c9470ed5cf29c36b708d52c614db975ba4668561818b738b15a03868067", + "search_line": -1 } ] diff --git a/assets/queries/ansible/aws/kms_key_with_full_permissions/test/positive_expected_result.json b/assets/queries/ansible/aws/kms_key_with_full_permissions/test/positive_expected_result.json index bfae2532cb7..6fa1351450c 100644 --- a/assets/queries/ansible/aws/kms_key_with_full_permissions/test/positive_expected_result.json 
+++ b/assets/queries/ansible/aws/kms_key_with_full_permissions/test/positive_expected_result.json @@ -2,13 +2,31 @@ { "queryName": "KMS Key With Vulnerable Policy", "severity": "HIGH", - "line": 5, - "fileName": "positive.yaml" + "line": 3, + "fileName": "positive2.yaml", + "resourceType": "community.aws.aws_kms", + "resourceName": "Update IAM policy on an existing KMS key2", + "searchKey": "name={{Update IAM policy on an existing KMS key2}}.{{community.aws.aws_kms}}", + "searchValue": "", + "expectedValue": "'policy' should be undefined or null", + "actualValue": "'policy' is defined and not null", + "issueType": "MissingAttribute", + "similarityID": "2cb456c1e810a9894457bc0595e497d949b1de6c5ab0b8635cc271935f11d34e", + "search_line": 3 }, { "queryName": "KMS Key With Vulnerable Policy", "severity": "HIGH", - "line": 3, - "fileName": "positive2.yaml" + "line": 5, + "fileName": "positive.yaml", + "resourceType": "community.aws.aws_kms", + "resourceName": "Update IAM policy on an existing KMS key", + "searchKey": "name={{Update IAM policy on an existing KMS key}}.{{community.aws.aws_kms}}.policy", + "searchValue": "", + "expectedValue": "aws_kms.policy should not have wildcard in 'Action' and 'Principal'", + "actualValue": "aws_kms.policy has wildcard in 'Action' or 'Principal'", + "issueType": "IncorrectValue", + "similarityID": "f6c5569e1d1dc1d4c5cc2b3ef67b6af8a26ea012f75c5e1ab586481ba75f118f", + "search_line": 5 } ] diff --git a/assets/queries/ansible/aws/lambda_function_without_tags/test/positive_expected_result.json b/assets/queries/ansible/aws/lambda_function_without_tags/test/positive_expected_result.json index 39bea3ef11d..ba322e705ad 100644 --- a/assets/queries/ansible/aws/lambda_function_without_tags/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/lambda_function_without_tags/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "Lambda Function Without Tags", "severity": "LOW", - "line": 2 + "line": 2, + "fileName": "positive.yaml", + "resourceType": "community.aws.lambda", + "resourceName": "add tags", + "searchKey": "name={{add tags}}.{{community.aws.lambda}}", + "searchValue": "", + "expectedValue": "name={{add tags}}.{{community.aws.lambda}}.tags should be defined", + "actualValue": "name={{add tags}}.{{community.aws.lambda}}.tags is undefined", + "issueType": "MissingAttribute", + "similarityID": "bbd60374ff8fb117e47531aeb0ac5b95ad42068b88934f3a3e9f83e849ef9e14", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json b/assets/queries/ansible/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json index 1b3f379b1a1..a5129159ade 100644 --- a/assets/queries/ansible/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Lambda Functions Without X-Ray Tracing", "severity": "LOW", - "line": 2 + "line": 2, + "fileName": "positive.yaml", + "resourceType": "community.aws.lambda", + "resourceName": "looped creation", + "searchKey": "name={{looped creation}}.{{community.aws.lambda}}", + "searchValue": "", + "expectedValue": "lambda.tracing_mode should be set", + "actualValue": "lambda.tracing_mode is undefined", + "issueType": "MissingAttribute", + "similarityID": "68663363deae21e41fb8ac4070e69b85b2c5d91f16e7dad233a18495c3b4f680", + "search_line": -1 }, { "queryName": "Lambda Functions Without X-Ray Tracing", "severity": "LOW", - "line": 37 + "line": 37, + "fileName": "positive.yaml", + "resourceType": "community.aws.lambda", + "resourceName": "looped creation V2", + "searchKey": "name={{looped creation V2}}.{{community.aws.lambda}}.tracing_mode", + "searchValue": "", + "expectedValue": "lambda.tracing_mode should be set to 'Active'", + "actualValue": "lambda.tracing_mode is not set to 'Active'", + "issueType": "IncorrectValue", + "similarityID": "8a0329ab660c443d5c9c7ef7ebb1eb6bdfeaae60a1ab2c7f0b9319ca7eeeef45", + "search_line": -1 } ] diff --git a/assets/queries/ansible/aws/lambda_permission_misconfigured/test/positive_expected_result.json b/assets/queries/ansible/aws/lambda_permission_misconfigured/test/positive_expected_result.json index ac77dd2ec5c..fb6e9586c15 100644 --- a/assets/queries/ansible/aws/lambda_permission_misconfigured/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/lambda_permission_misconfigured/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "Lambda Permission Misconfigured", "severity": "LOW", - "line": 7 + "line": 7, + "fileName": "positive.yaml", + "resourceType": "community.aws.lambda_policy", + "resourceName": "Lambda S3 notification positive", + "searchKey": "name={{Lambda S3 notification positive}}.{{community.aws.lambda_policy}}.action", + "searchValue": "", + "expectedValue": "name={{Lambda S3 notification positive}}.{{community.aws.lambda_policy}}.action should be 'lambda:InvokeFunction'", + "actualValue": "name={{Lambda S3 notification positive}}.{{community.aws.lambda_policy}}.action is lambda:CreateFunction", + "issueType": "IncorrectValue", + "similarityID": "c8953c8e7863da810706a82801bd21827910ffbcb87d4c6696362efc11efeb46", + "search_line": -1 } ] diff --git a/assets/queries/ansible/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json b/assets/queries/ansible/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json index 5e494d7d90e..6f6aa87b92e 100644 --- a/assets/queries/ansible/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json 
@@ -1,7 +1,17 @@ [ { - "line": 8, "queryName": "Lambda Permission Principal Is Wildcard", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 8, + "fileName": "positive.yaml", + "resourceType": "community.aws.lambda_policy", + "resourceName": "Lambda S3 event notification", + "searchKey": "name={{Lambda S3 event notification}}.{{community.aws.lambda_policy}}.principal", + "searchValue": "", + "expectedValue": "name={{Lambda S3 event notification}}.{{community.aws.lambda_policy}}.principal shouldn't contain a wildcard", + "actualValue": "name={{Lambda S3 event notification}}.{{community.aws.lambda_policy}}.principal contains a wildcard", + "issueType": "IncorrectValue", + "similarityID": "6f170e2ce45ce76f0f12d00ee0baba8a80eaca454541a5c776de9d0b62aaa784", + "search_line": -1 } ] diff --git a/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/test/positive_expected_result.json b/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/test/positive_expected_result.json index 5793a13e191..dac6f931e6f 100644 --- a/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/launch_configuration_is_not_encrypted/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "Launch Configuration Is Not Encrypted", "severity": "HIGH", - "line": 8 + "line": 8, + "fileName": "positive.yaml", + "resourceType": "community.aws.ec2_lc", + "resourceName": "note that encrypted volumes are only supported in >= Ansible 2.4", + "searchKey": "name={{note that encrypted volumes are only supported in >= Ansible 2.4}}.{{community.aws.ec2_lc}}.volumes", + "searchValue": "", + "expectedValue": "ec2_lc.volumes[0].encrypted should be set to true or yes", + "actualValue": "ec2_lc.volumes[0].encrypted is not set to true or yes", + "issueType": "IncorrectValue", + "similarityID": "09f8b88ec647acd5c71961202af418259cee0ca267ac3ebd431f5cc0b4ae9dc0", + "search_line": -1 }, { "queryName": "Launch Configuration Is Not Encrypted", "severity": "HIGH", - "line": 22 + "line": 22, + "fileName": "positive.yaml", + "resourceType": "ec2_lc", + "resourceName": "note that encrypted volumes are only supported in >= Ansible 2.4 v2", + "searchKey": "name={{note that encrypted volumes are only supported in >= Ansible 2.4 v2}}.{{ec2_lc}}.volumes", + "searchValue": "", + "expectedValue": "ec2_lc.volumes[0].encrypted should be set", + "actualValue": "ec2_lc.volumes[0].encrypted is undefined", + "issueType": "MissingAttribute", + "similarityID": "40ed8f681ccae69d059bfc4547395e79f9d58f78b6b71cfc16b138eabc027a3b", + "search_line": -1 }, { "queryName": "Launch Configuration Is Not Encrypted", "severity": "HIGH", - "line": 29 + "line": 29, + "fileName": "positive.yaml", + "resourceType": "ec2_lc", + "resourceName": "note that encrypted volumes are only supported in >= Ansible 2.4 v3", + "searchKey": "name={{note that encrypted volumes are only supported in >= Ansible 2.4 v3}}.{{ec2_lc}}", + "searchValue": "", + "expectedValue": "ec2_lc.volumes should be set", + "actualValue": "ec2_lc.volumes is undefined", + "issueType": "MissingAttribute", + "similarityID": "363f3f3ee1668f19219a5762c69950bb9cb05545c25b01a1ae0cb1f76e6cd94c", + "search_line": -1 } ] 
diff --git a/assets/queries/ansible/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json b/assets/queries/ansible/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json index 16b5f7cbeab..6de060c7062 100644 --- a/assets/queries/ansible/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "Misconfigured Password Policy Expiration", "severity": "LOW", - "line": 2 + "line": 2, + "fileName": "positive.yaml", + "resourceType": "community.aws.iam_password_policy", + "resourceName": "Missing Password policy for AWS account", + "searchKey": "name={{Missing Password policy for AWS account}}.{{community.aws.iam_password_policy}}", + "searchValue": "", + "expectedValue": "iam_password_policy should have the property 'pw_max_age/password_max_age' lower than 90", + "actualValue": "iam_password_policy has the property 'pw_max_age/password_max_age' unassigned or greater than 90", + "issueType": "MissingAttribute", + "similarityID": "04f3096955149d25169dcb1724dde4a108f1e9a56230d3a3e724b8f727418240", + "search_line": -1 }, { "queryName": "Misconfigured Password Policy Expiration", "severity": "LOW", - "line": 21 + "line": 21, + "fileName": "positive.yaml", + "resourceType": "community.aws.iam_password_policy", + "resourceName": "Extreme Password policy for AWS account", + "searchKey": "name={{Extreme Password policy for AWS account}}.{{community.aws.iam_password_policy}}.pw_max_age", + "searchValue": "", + "expectedValue": "iam_password_policy should have the property 'pw_max_age/password_max_age' lower than 90", + "actualValue": "iam_password_policy has the property 'pw_max_age/password_max_age' unassigned or greater than 90", + "issueType": "IncorrectValue", + "similarityID": "a8f5449c36c3bebb48131daeab24a5e6575cc54214fbb5b998420a0f378a7803", + "search_line": -1 }, { "queryName": "Misconfigured Password Policy Expiration", "severity": "LOW", - "line": 33 + "line": 33, + "fileName": "positive.yaml", + "resourceType": "community.aws.iam_password_policy", + "resourceName": "Alias extreme Password policy for AWS account", + "searchKey": "name={{Alias extreme Password policy for AWS account}}.{{community.aws.iam_password_policy}}.password_max_age", + "searchValue": "", + "expectedValue": "iam_password_policy should have the property 
'pw_max_age/password_max_age' lower than 90", + "actualValue": "iam_password_policy has the property 'pw_max_age/password_max_age' unassigned or greater than 90", + "issueType": "IncorrectValue", + "similarityID": "6b54a0197709479f3ed5607e553a5f5e2f7d4e839e40635350e5bc91fb514d45", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/no_stack_policy/test/positive_expected_result.json b/assets/queries/ansible/aws/no_stack_policy/test/positive_expected_result.json index 9efdc650bfc..748df53b05a 100644 --- a/assets/queries/ansible/aws/no_stack_policy/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/no_stack_policy/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "No Stack Policy", "severity": "MEDIUM", - "line": 2 + "line": 2, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.cloudformation", + "resourceName": "create a stack, pass in the template via an URL", + "searchKey": "name={{create a stack, pass in the template via an URL}}.{{amazon.aws.cloudformation}}", + "searchValue": "", + "expectedValue": "cloudformation.stack_policy should be set", + "actualValue": "cloudformation.stack_policy is undefined", + "issueType": "MissingAttribute", + "similarityID": "ec6dba3a41e615a17730eabcbcfa37225966c4dd065a3013812265064500eca6", + "search_line": -1 } ] diff --git a/assets/queries/ansible/aws/password_without_reuse_prevention/test/positive_expected_result.json b/assets/queries/ansible/aws/password_without_reuse_prevention/test/positive_expected_result.json index 1dacba2e48f..a9b3101c702 100644 --- a/assets/queries/ansible/aws/password_without_reuse_prevention/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/password_without_reuse_prevention/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "Password Without Reuse Prevention", "severity": "LOW", - "line": 3 + "line": 3, + "fileName": "positive.yaml", + "resourceType": "community.aws.iam_password_policy", + "resourceName": "Password policy for AWS account", + "searchKey": "name={{Password policy for AWS account}}.{{community.aws.iam_password_policy}}", + "searchValue": "", + "expectedValue": "iam_password_policy should have the property 'password_reuse_prevent' greater than 0", + "actualValue": "iam_password_policy has the property 'password_reuse_prevent' unassigned or assigned to 0", + "issueType": "MissingAttribute", + "similarityID": "0b9e703a97d0b8eb7221d896c372e4ee1fc680c4f8473e5b74e649e283e9f884", + "search_line": -1 }, { "queryName": "Password Without Reuse Prevention", "severity": "LOW", - "line": 23 + "line": 23, + "fileName": "positive.yaml", + "resourceType": "community.aws.iam_password_policy", + "resourceName": "Password policy for AWS account2", + "searchKey": "name={{Password policy for AWS account2}}.{{community.aws.iam_password_policy}}.password_reuse_prevent", + "searchValue": "", + "expectedValue": "iam_password_policy should have the property 'password_reuse_prevent' greater than 0", + "actualValue": "iam_password_policy has the property 'password_reuse_prevent' unassigned or assigned to 0", + "issueType": "IncorrectValue", + "similarityID": "c03178a6abee7b5770dd35b1595719e4b5a04ea64acf7a9b3d3ef25ae7b333de", + "search_line": -1 }, { "queryName": "Password Without Reuse Prevention", "severity": "LOW", - "line": 26 + "line": 26, + "fileName": "positive.yaml", + "resourceType": "community.aws.iam_password_policy", + "resourceName": "Password policy for AWS account3", + "searchKey": "name={{Password policy for AWS account3}}.{{community.aws.iam_password_policy}}", + "searchValue": "", + "expectedValue": "iam_password_policy should have the property 'password_reuse_prevent' greater than 0", + "actualValue": "iam_password_policy has the property 
'password_reuse_prevent' unassigned or assigned to 0", + "issueType": "MissingAttribute", + "similarityID": "f81fdb8982d54b43df01b7f522aa20b13f507382345948d4e95cc9957b20bda1", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/public_lambda_via_api_gateway/test/positive_expected_result.json b/assets/queries/ansible/aws/public_lambda_via_api_gateway/test/positive_expected_result.json index db5c9004dc2..d509a35c664 100644 --- a/assets/queries/ansible/aws/public_lambda_via_api_gateway/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/public_lambda_via_api_gateway/test/positive_expected_result.json @@ -1,7 +1,17 @@ [ - { - "queryName": "Public Lambda via API Gateway", - "severity": "MEDIUM", - "line": 9 - } + { + "queryName": "Public Lambda via API Gateway", + "severity": "MEDIUM", + "line": 9, + "fileName": "positive.yaml", + "resourceType": "lambda_policy", + "resourceName": "Lambda S3 event notification", + "searchKey": "name={{Lambda S3 event notification}}.{{lambda_policy}}.source_arn", + "searchValue": "", + "expectedValue": "lambda_policy.source_arn should not equal to '/*/*'", + "actualValue": "lambda_policy.source_arn is equal to '/*/*'", + "issueType": "IncorrectValue", + "similarityID": "771e465e0deef547d2a94820f06c91e8f50d7db138524ef3b2f90e7a954b95b8", + "search_line": -1 + } ] diff --git a/assets/queries/ansible/aws/public_port_wide/test/positive_expected_result.json b/assets/queries/ansible/aws/public_port_wide/test/positive_expected_result.json index 697c1bac5ea..a01065586e9 100644 --- a/assets/queries/ansible/aws/public_port_wide/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/public_port_wide/test/positive_expected_result.json 
@@ -1,12 +1,32 @@ [ - { - "queryName": "Public Port Wide", - "severity": "HIGH", - "line": 8 - }, - { - "queryName": "Public Port Wide", - "severity": "HIGH", - "line": 12 - } + { + "queryName": "Public Port Wide", + "severity": "HIGH", + "line": 8, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't have public port wide", + "actualValue": "ec2_group.rules[0] has public port wide", + "issueType": "IncorrectValue", + "similarityID": "a4bf9718c154460d25baf0534e33c23c61449f248b08ba3b6d8a1589e44f2e38", + "search_line": 8 + }, + { + "queryName": "Public Port Wide", + "severity": "HIGH", + "line": 12, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[1] shouldn't have public port wide", + "actualValue": "ec2_group.rules[1] has public port wide", + "issueType": "IncorrectValue", + "similarityID": "1b5ce9631e553495096505b314f6717633b8681837d89b1fa201e74d28c9fac9", + "search_line": 12 + } ] diff --git a/assets/queries/ansible/aws/rds_associated_with_public_subnet/test/positive_expected_result.json b/assets/queries/ansible/aws/rds_associated_with_public_subnet/test/positive_expected_result.json index 4d438cbfa35..ca4a4a99e89 100644 --- a/assets/queries/ansible/aws/rds_associated_with_public_subnet/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/rds_associated_with_public_subnet/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "RDS Associated with Public Subnet", "severity": "CRITICAL", "line": 9, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "create minimal aurora instance in default VPC and default subnet group", + "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group}}.{{community.aws.rds_instance}}.db_subnet_group_name", + "searchValue": "", + "expectedValue": "RDS should not be running in a public subnet", + "actualValue": "RDS is running in a public subnet", + "issueType": "MissingAttribute", + "similarityID": "d07c151ca753f97cf024c801a050f7c83f4e4fafa289785b8eb02326c75e9856", + "search_line": 9 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json index 75c61207d63..118b9f0f4c3 100644 --- a/assets/queries/ansible/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", - "line": 12 + "line": 12, + "fileName": "positive.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "community - Create a DB instance using the default AWS KMS encryption key", + "searchKey": "name={{community - Create a DB instance using the default AWS KMS encryption key}}.{{community.aws.rds_instance}}.publicly_accessible", + "searchValue": "", + "expectedValue": "community.aws.rds_instance.publicly_accessible should be false", + "actualValue": "community.aws.rds_instance.publicly_accessible is true", + "issueType": "IncorrectValue", + "similarityID": "fc7bb3ddd326352ff14582e4028d1e41fcab9f3e85df6ad23b0bd9790c4eb8d9", + "search_line": -1 }, { "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", - "line": 22 + "line": 22, + "fileName": "positive.yaml", + "resourceType": "community.aws.rds", + "resourceName": "community - Basic mysql provisioning example", + "searchKey": "name={{community - Basic mysql provisioning example}}.{{community.aws.rds}}.publicly_accessible", + "searchValue": "", + "expectedValue": "community.aws.rds.publicly_accessible should be false", + "actualValue": "community.aws.rds.publicly_accessible is true", + "issueType": "IncorrectValue", + "similarityID": "38c68c855f23ec35d93c28ecb8855d13264d3778ce76a64a1cf35db6aeaa675a", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/rds_using_default_port/test/positive_expected_result.json b/assets/queries/ansible/aws/rds_using_default_port/test/positive_expected_result.json index 0282b397a25..ed8752ec3fc 100644 --- a/assets/queries/ansible/aws/rds_using_default_port/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/rds_using_default_port/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "RDS Using Default Port", "severity": "LOW", "line": 10, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "create minimal aurora instance in default VPC and default subnet group", + "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group}}.{{community.aws.rds_instance}}.port", + "searchValue": "", + "expectedValue": "'port' should not be set to 3306", + "actualValue": "'port' is set to 3306", + "issueType": "IncorrectValue", + "similarityID": "30e4a31df52e58ada04dcdaa2c817a208605109d343fa50ddb7cb3a6734f7ea4", + "search_line": 10 }, { "queryName": "RDS Using Default Port", "severity": "LOW", "line": 10, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "create minimal aurora instance in default VPC and default subnet group2", + "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group2}}.{{community.aws.rds_instance}}.port", + "searchValue": "", + "expectedValue": "'port' should not be set to 5432", + "actualValue": "'port' is set to 5432", + "issueType": "IncorrectValue", + "similarityID": "48bc691b58ae2a1f576e440ccb4d8c7ca5ee6772f0c9ba8d213c2ed763b12894", + "search_line": 10 }, { "queryName": "RDS Using Default Port", "severity": "LOW", "line": 10, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "create minimal aurora instance in default VPC and default subnet group2", + "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group2}}.{{community.aws.rds_instance}}.port", + "searchValue": "", + "expectedValue": "'port' should not be set to 1521", + "actualValue": "'port' is set to 1521", + "issueType": "IncorrectValue", + "similarityID": 
"b90ca1374fb8a784e5873bbca5059c1a6f7f1458e9c1756aa104a3c7ab6f7352", + "search_line": 10 }, { "queryName": "RDS Using Default Port", "severity": "LOW", "line": 10, - "fileName": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "create minimal aurora instance in default VPC and default subnet group2", + "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group2}}.{{community.aws.rds_instance}}.port", + "searchValue": "", + "expectedValue": "'port' should not be set to 1433", + "actualValue": "'port' is set to 1433", + "issueType": "IncorrectValue", + "similarityID": "ebe75b613c4ebe9f2e372aa8c54c5f03b690a131ff431fd1e0c1b8925d5a1c23", + "search_line": 10 } ] diff --git a/assets/queries/ansible/aws/rds_with_backup_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/rds_with_backup_disabled/test/positive_expected_result.json index 61f421b9d95..012b6f84f94 100644 --- a/assets/queries/ansible/aws/rds_with_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/rds_with_backup_disabled/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "RDS With Backup Disabled", "severity": "MEDIUM", - "line": 10 + "line": 10, + "fileName": "positive.yaml", + "resourceType": "community.aws.rds_instance", + "resourceName": "create minimal aurora instance in default VPC and default subnet group", + "searchKey": "name={{create minimal aurora instance in default VPC and default subnet group}}.{{community.aws.rds_instance}}.backup_retention_period", + "searchValue": "", + "expectedValue": "rds_instance should have the property 'backup_retention_period' greater than 0", + "actualValue": "rds_instance has the property 'backup_retention_period' assigned to 0", + "issueType": "IncorrectValue", + "similarityID": "cad480246e5375671fa7239872842b9dd5a2214319e27ee1d17d59b23bcb6f8a", + "search_line": -1 } ] 
diff --git a/assets/queries/ansible/aws/redis_not_compliant/test/positive_expected_result.json b/assets/queries/ansible/aws/redis_not_compliant/test/positive_expected_result.json index b9ec5be90a3..780b50ce330 100644 --- a/assets/queries/ansible/aws/redis_not_compliant/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/redis_not_compliant/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Redis Not Compliant", "severity": "HIGH", - "line": 6 + "line": 6, + "fileName": "positive.yaml", + "resourceType": "community.aws.elasticache", + "resourceName": "Basic example", + "searchKey": "name={{Basic example}}.{{community.aws.elasticache}}.cache_engine_version", + "searchValue": "", + "expectedValue": "elasticache.cache_engine_version should be compliant with the AWS PCI DSS requirements", + "actualValue": "elasticache.cache_engine_version isn't compliant with the AWS PCI DSS requirements", + "issueType": "IncorrectValue", + "similarityID": "4f8f37af2386143649977e45d0c75f4245b541bc89487abe36545c6f2779ddb4", + "search_line": -1 } ] diff --git a/assets/queries/ansible/aws/redshift_not_encrypted/test/positive_expected_result.json b/assets/queries/ansible/aws/redshift_not_encrypted/test/positive_expected_result.json index e51ed569eba..bb6c833bd96 100644 --- a/assets/queries/ansible/aws/redshift_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/redshift_not_encrypted/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "Redshift Not Encrypted", "severity": "HIGH", - "line": 2 + "line": 2, + "fileName": "positive.yaml", + "resourceType": "community.aws.redshift", + "resourceName": "Basic cluster provisioning example", + "searchKey": "name={{Basic cluster provisioning example}}.{{community.aws.redshift}}", + "searchValue": "", + "expectedValue": "redshift.encrypted should be set to true", + "actualValue": "redshift.encrypted is undefined", + "issueType": "MissingAttribute", + "similarityID": "0f887705cd2a1898fb474002a2252f157262a24c2b11aa85c3d5d82bd5c50f53", + "search_line": -1 }, { "queryName": "Redshift Not Encrypted", "severity": "HIGH", - "line": 19 + "line": 19, + "fileName": "positive.yaml", + "resourceType": "community.aws.redshift", + "resourceName": "Basic cluster provisioning example2", + "searchKey": "name={{Basic cluster provisioning example2}}.{{community.aws.redshift}}.encrypted", + "searchValue": "", + "expectedValue": "redshift.encrypted should be set to true", + "actualValue": "redshift.encrypted is set to false", + "issueType": "IncorrectValue", + "similarityID": "4cac5bf10f1dc3f3630caed018a72ddd5bfd303b287974f5a95d9bcef295bad2", + "search_line": -1 }, { "queryName": "Redshift Not Encrypted", "severity": "HIGH", - "line": 29 + "line": 29, + "fileName": "positive.yaml", + "resourceType": "community.aws.redshift", + "resourceName": "Basic cluster provisioning example3", + "searchKey": "name={{Basic cluster provisioning example3}}.{{community.aws.redshift}}.encrypted", + "searchValue": "", + "expectedValue": "redshift.encrypted should be set to true", + "actualValue": "redshift.encrypted is set to false", + "issueType": "IncorrectValue", + "similarityID": "a63a00c55c6c6ca74d1834494cb160506a4de41dc94d02176749c324df3611a0", + "search_line": -1 } ] 
diff --git a/assets/queries/ansible/aws/redshift_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/aws/redshift_publicly_accessible/test/positive_expected_result.json index 183c583e6ea..2bb7f97faa7 100644 --- a/assets/queries/ansible/aws/redshift_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/redshift_publicly_accessible/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", - "line": 9 + "line": 9, + "fileName": "positive.yaml", + "resourceType": "community.aws.redshift", + "resourceName": "Basic cluster provisioning example04", + "searchKey": "name={{Basic cluster provisioning example04}}.{{community.aws.redshift}}.publicly_accessible", + "searchValue": "", + "expectedValue": "redshift.publicly_accessible should be set to false", + "actualValue": "redshift.publicly_accessible is true", + "issueType": "IncorrectValue", + "similarityID": "4425cea86838b14895149ffb1d0d425071fcc4feff069a786b0c394c97ab42ea", + "search_line": -1 }, { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", - "line": 17 + "line": 17, + "fileName": "positive.yaml", + "resourceType": "community.aws.redshift", + "resourceName": "Basic cluster provisioning example05", + "searchKey": "name={{Basic cluster provisioning example05}}.{{community.aws.redshift}}.publicly_accessible", + "searchValue": "", + "expectedValue": "redshift.publicly_accessible should be set to false", + "actualValue": "redshift.publicly_accessible is true", + "issueType": "IncorrectValue", + "similarityID": "053cfb0db7064f1814d4d12d862da149be63e4bf020ec6ebac39ae2e3730599d", + "search_line": -1 }, { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", - "line": 25 + "line": 25, + "fileName": "positive.yaml", + "resourceType": "redshift", + "resourceName": "Basic cluster provisioning example06", + "searchKey": "name={{Basic cluster provisioning example06}}.{{redshift}}.publicly_accessible", + "searchValue": "", + "expectedValue": "redshift.publicly_accessible should be set to false", + "actualValue": "redshift.publicly_accessible is true", + "issueType": "IncorrectValue", + "similarityID": "e94c0b695ca045d9a249aeb32f8e6d7471597dd7836599ae6a09bd928ccd51eb", + "search_line": -1 } ] 
diff --git a/assets/queries/ansible/aws/redshift_using_default_port/test/positive_expected_result.json b/assets/queries/ansible/aws/redshift_using_default_port/test/positive_expected_result.json index 8241a36870f..d73f16c9087 100644 --- a/assets/queries/ansible/aws/redshift_using_default_port/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/redshift_using_default_port/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Redshift Using Default Port", "severity": "LOW", "line": 8, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "community.aws.redshift", + "resourceName": "Redshift", + "searchKey": "name={{Redshift}}.{{community.aws.redshift}}.port", + "searchValue": "", + "expectedValue": "redshift.port should not be set to 5439", + "actualValue": "redshift.port is set to 5439", + "issueType": "IncorrectValue", + "similarityID": "c36f9816bbbe79db58b2e5726e90d90dda22995ce065322ee264a18c6dec7158", + "search_line": 8 } ] diff --git a/assets/queries/ansible/aws/remote_desktop_port_open/test/positive_expected_result.json b/assets/queries/ansible/aws/remote_desktop_port_open/test/positive_expected_result.json index 656120158f2..9cd1f5eb027 100644 --- a/assets/queries/ansible/aws/remote_desktop_port_open/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/remote_desktop_port_open/test/positive_expected_result.json 
@@ -2,36 +2,106 @@ { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 9 + "line": 9, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group1", + "searchKey": "name={{example ec2 group1}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)", + "actualValue": "ec2_group.rules opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "5dd1483bbdb3bed1f52b3d032465f7172c11f8b3674b9d503d59af40b3cd460c", + "search_line": -1 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 23 + "line": 23, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group2", + "searchKey": "name={{example ec2 group2}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)", + "actualValue": "ec2_group.rules opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "abf7a88c30fc9031f26b5f760b88de69b84dd62fd3904988f29eacb16009ba28", + "search_line": -1 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 36 + "line": 36, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group3", + "searchKey": "name={{example ec2 group3}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)", + "actualValue": "ec2_group.rules opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "ad52fabe3a5a3eb3083fb172ee82d5fbecf880953ba64953c66f1cbad76ce7e2", + "search_line": -1 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 49 + "line": 49, + "fileName": "positive.yaml", + 
"resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group4", + "searchKey": "name={{example ec2 group4}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)", + "actualValue": "ec2_group.rules opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "1fe0f46d0926314f8f09aaf632410efb88d3d717710a37911066512bd6c25da1", + "search_line": -1 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 64 + "line": 64, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group5", + "searchKey": "name={{example ec2 group5}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)", + "actualValue": "ec2_group.rules opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "6f45e6d1e8f689d8e37ce5f6da47ee8c51d229968272bf070b411fea5776ead5", + "search_line": -1 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 79 + "line": 79, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group6", + "searchKey": "name={{example ec2 group6}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)", + "actualValue": "ec2_group.rules opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "bf42198e80d07ec0ff37e0bb35e44a1f4b281f3094fedcc1950911bb29382c64", + "search_line": -1 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", - "line": 93 + "line": 93, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group7", + "searchKey": "name={{example ec2 group7}}.{{amazon.aws.ec2_group}}.rules", + 
"searchValue": "", + "expectedValue": "ec2_group.rules shouldn't open the remote desktop port (3389)", + "actualValue": "ec2_group.rules opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "1166ebe283b707285eb1bfa04f3358ec7654e9bdc00cb3666b21186373b8d971", + "search_line": -1 } ] diff --git a/assets/queries/ansible/aws/root_account_has_active_access_keys/test/positive_expected_result.json b/assets/queries/ansible/aws/root_account_has_active_access_keys/test/positive_expected_result.json index 25b4a19110d..389263fe065 100644 --- a/assets/queries/ansible/aws/root_account_has_active_access_keys/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/root_account_has_active_access_keys/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Root Account Has Active Access Keys", "severity": "HIGH", - "line": 3 + "line": 3, + "fileName": "positive.yaml", + "resourceType": "community.aws.iam", + "resourceName": "Create two new IAM users with API keys", + "searchKey": "name={{Create two new IAM users with API keys}}.{{community.aws.iam}}", + "searchValue": "", + "expectedValue": "iam should not be active for a root account", + "actualValue": "iam is active for a root account", + "issueType": "IncorrectValue", + "similarityID": "f195bea8d4e669905d8e65e98d078cc053cf19710532271c4c22ce66c2d5321b", + "search_line": -1 } ] diff --git a/assets/queries/ansible/aws/route53_record_undefined/test/positive_expected_result.json b/assets/queries/ansible/aws/route53_record_undefined/test/positive_expected_result.json index f2880c7d7f9..2f87e1bcdf2 100644 --- a/assets/queries/ansible/aws/route53_record_undefined/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/route53_record_undefined/test/positive_expected_result.json 
@@ -1,12 +1,32 @@ [ - { - "queryName": "Route53 Record Undefined", - "severity": "HIGH", - "line": 3 - }, - { - "queryName": "Route53 Record Undefined", - "severity": "HIGH", - "line": 14 - } + { + "queryName": "Route53 Record Undefined", + "severity": "HIGH", + "line": 3, + "fileName": "positive.yaml", + "resourceType": "community.aws.route53", + "resourceName": "Use a routing policy to distribute traffic02", + "searchKey": "name={{Use a routing policy to distribute traffic02}}.{{community.aws.route53}}", + "searchValue": "", + "expectedValue": "route53.value should be defined or not null", + "actualValue": "route53.value is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "8794ef6f0467dc06680cbc66848e25c0bf25731e5d7cd392ecf684a9c193be98", + "search_line": -1 + }, + { + "queryName": "Route53 Record Undefined", + "severity": "HIGH", + "line": 14, + "fileName": "positive.yaml", + "resourceType": "community.aws.route53", + "resourceName": "Use a routing policy to distribute traffic03", + "searchKey": "name={{Use a routing policy to distribute traffic03}}.{{community.aws.route53}}", + "searchValue": "", + "expectedValue": "route53.value should be defined or not null", + "actualValue": "route53.value is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "a5ef9417ad62d007644f7426e85ce7546635ce4cd9404c15c3b6c1b2c82c5f24", + "search_line": -1 + } ] diff --git a/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json index a0c9e642dd8..f724bd04d81 100644 --- a/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "S3 Bucket Access to Any Principal", "severity": "CRITICAL", "line": 4, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "amazon.aws.s3_bucket", + "resourceName": "Create a simple s3 bucket with a policy", + "searchKey": "name={{Create a simple s3 bucket with a policy}}.{{amazon.aws.s3_bucket}}.policy", + "searchValue": "", + "expectedValue": "s3_bucket.policy.Statement shouldn't make the bucket accessible to all AWS Accounts", + "actualValue": "s3_bucket.policy.Statement does make the bucket accessible to all AWS Accounts", + "issueType": "IncorrectValue", + "similarityID": "effcffb03bc23addb0b24e2d3ceeeb43a5760f03a233b966fd4446bb7c5f64d2", + "search_line": 4 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json index 18d2e29c9e0..079e16e3d3f 100644 --- a/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", - "line": 6 + "line": 6, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.aws_s3", + "resourceName": "Create an empty bucket", + "searchKey": "name={{Create an empty bucket}}.{{amazon.aws.aws_s3}}.permission", + "searchValue": "", + "expectedValue": "aws_s3 should not have read access for all user groups", + "actualValue": "aws_s3 has read access for all user groups", + "issueType": "IncorrectValue", + "similarityID": "b0823392aa5982e0503ed5c2468b7183645bebf8e0ece444fbf545f87c57bf37", + "search_line": -1 }, { "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", - "line": 11 + "line": 11, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.aws_s3", + "resourceName": "Create an empty bucket2", + "searchKey": "name={{Create an empty bucket2}}.{{amazon.aws.aws_s3}}.permission", + "searchValue": "", + "expectedValue": "aws_s3 should not have read access for all user groups", + "actualValue": "aws_s3 has read access for all user groups", + "issueType": "IncorrectValue", + "similarityID": "0696c638fdf8e40cc62500cea022c10a4817fac87036e781052590dfe0c03c09", + "search_line": -1 } ] diff --git a/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json index 87d25ea164a..1232848bb23 100644 --- a/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", - "line": 6 + "line": 6, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.aws_s3", + "resourceName": "Create an empty bucket2", + "searchKey": "name={{Create an empty bucket2}}.{{amazon.aws.aws_s3}}.permission", + "searchValue": "", + "expectedValue": "aws_s3 should not have read access for all authenticated users", + "actualValue": "aws_s3 has read access for all authenticated users", + "issueType": "IncorrectValue", + "similarityID": "83e5f0e8b88af769ac6863d71e15377858985f2f001a1ac303a35d18d99ffd01", + "search_line": -1 } ] diff --git a/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json index 06c2ef921aa..9ddc6c0e40b 100644 --- a/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "S3 Bucket Allows Delete Action From All Principals", "severity": "CRITICAL", "line": 6, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "amazon.aws.s3_bucket", + "resourceName": "Bucket", + "searchKey": "name={{Bucket}}.{{amazon.aws.s3_bucket}}.policy", + "searchValue": "", + "expectedValue": "s3_bucket[mys3bucket] should not allow Delete Action From All Principals", + "actualValue": "s3_bucket[mys3bucket] allows Delete Action From All Principals", + "issueType": "IncorrectValue", + "similarityID": "5c33ecb26eea77e83b2ebadd88b71074a5e6514bdcd7d7f8d9bd6a247b6c37cf", + "search_line": 6 } -] \ No newline at end of file +] 
diff --git a/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json index 8f1b3fbcadf..35e1acec5e8 100644 --- a/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "S3 Bucket Allows Get Action From All Principals", "severity": "HIGH", "line": 6, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "amazon.aws.s3_bucket", + "resourceName": "Bucket", + "searchKey": "name={{Bucket}}.{{amazon.aws.s3_bucket}}.policy", + "searchValue": "", + "expectedValue": "s3_bucket[mys3bucket] should not allow Get Action From All Principals", + "actualValue": "s3_bucket[mys3bucket] allows Get Action From All Principals", + "issueType": "IncorrectValue", + "similarityID": "50be132b5eca536aeb7b78c1e3f17f4622c3dd093719be1595d7d309065b63aa", + "search_line": 6 } ] diff --git a/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json index 29ade8a428f..4709f480d70 100644 --- a/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "S3 Bucket Allows List Action From All Principals", "severity": "HIGH", "line": 6, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "amazon.aws.s3_bucket", + "resourceName": "Bucket", + "searchKey": "name={{Bucket}}.{{amazon.aws.s3_bucket}}.policy", + "searchValue": "", + "expectedValue": "s3_bucket[mys3bucket] should not allow List Action From All Principals", + "actualValue": "s3_bucket[mys3bucket] allows List Action From All Principals", + "issueType": "IncorrectValue", + "similarityID": "bba3039d4bb7d8daf66b4db6efcedef6ae449b8e2b33c6d008d3ad29658feeba", + "search_line": 6 } ] diff --git a/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json index c876ed36f9f..1b90a120db5 100644 --- a/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "S3 Bucket Allows Put Action From All Principals", "severity": "CRITICAL", "line": 6, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "amazon.aws.s3_bucket", + "resourceName": "Bucket", + "searchKey": "name={{Bucket}}.{{amazon.aws.s3_bucket}}.policy", + "searchValue": "", + "expectedValue": "s3_bucket[mys3bucket] should not allow Put Action From All Principals", + "actualValue": "s3_bucket[mys3bucket] allows Put Action From All Principals", + "issueType": "IncorrectValue", + "similarityID": "60387de560eb1f3b39223c938c8f299cc9aed7cc7a01406e3b746610ee2f1036", + "search_line": 6 } -] \ No newline at end of file +] 
diff --git a/assets/queries/ansible/aws/s3_bucket_logging_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_logging_disabled/test/positive_expected_result.json index 312ed116fe5..012bd20f98d 100644 --- a/assets/queries/ansible/aws/s3_bucket_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_logging_disabled/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "S3 Bucket Logging Disabled", "severity": "MEDIUM", - "line": 6 + "line": 6, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.s3_bucket", + "resourceName": "Create S3 bucket", + "searchKey": "name={{Create S3 bucket}}.{{amazon.aws.s3_bucket}}.debug_botocore_endpoint_logs", + "searchValue": "", + "expectedValue": "s3_bucket.debug_botocore_endpoint_logs should be true", + "actualValue": "s3_bucket.debug_botocore_endpoint_logs is false", + "issueType": "IncorrectValue", + "similarityID": "3b4fc5901861fb5f49aa907fd5b9a80041efcd76d57a8d1fcf5d1e1ac900a3b5", + "search_line": -1 } ] diff --git a/assets/queries/ansible/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json index fafb06cc6bd..319fe8bb204 100644 --- a/assets/queries/ansible/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json 
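Review bot: The regenerated fixture for "S3 Bucket Logging Disabled" now pins a `searchKey` ending in `.debug_botocore_endpoint_logs` and the message `"s3_bucket.debug_botocore_endpoint_logs should be true"`, which, as far as I can tell from the amazon.aws module docs, is the client-side botocore debug-logging switch common to every amazon.aws module, not S3 server access logging. Freezing that message into the expected result means the query keeps passing CI while reporting a MEDIUM logging finding on an unrelated debug flag, and a playbook that actually configures bucket logging would presumably still be flagged. Worth confirming against the query's Rego before merging; if the query is inspecting the wrong attribute, fix the query first and regenerate this file rather than committing the fixture as-is, since the generator will happily lock in whatever the query currently emits.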
@@ -2,6 +2,16 @@ { "queryName": "S3 Bucket With All Permissions", "severity": "CRITICAL", - "line": 5 + "line": 5, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.s3_bucket", + "resourceName": "Create s3 bucket", + "searchKey": "name={{Create s3 bucket}}.{{amazon.aws.s3_bucket}}.policy", + "searchValue": "", + "expectedValue": "'policy.Statement' should not allow all actions to all principal", + "actualValue": "'policy.Statement' allows all actions to all principal", + "issueType": "IncorrectValue", + "similarityID": "f2c568c77e5c179d39f65daf7f4f5334c72a4de0be8ceeea2f8345c18e7ca065", + "search_line": 5 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/s3_bucket_with_public_access/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_with_public_access/test/positive_expected_result.json index aa8f4a2d3a9..22e00148dc2 100644 --- a/assets/queries/ansible/aws/s3_bucket_with_public_access/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_with_public_access/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "S3 Bucket With Public Access", "severity": "CRITICAL", - "line": 6 + "line": 6, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.aws_s3", + "resourceName": "Create an empty bucket", + "searchKey": "name={{Create an empty bucket}}.{{amazon.aws.aws_s3}}.permission", + "searchValue": "", + "expectedValue": "aws_s3.permission shouldn't allow public access", + "actualValue": "aws_s3.permission allows public access", + "issueType": "IncorrectValue", + "similarityID": "3080144d83c22aad16294e40ec0a37f8463a6b4397f6a3f2f497a8a0bf61db9b", + "search_line": -1 }, { "queryName": "S3 Bucket With Public Access", "severity": "CRITICAL", - "line": 11 + "line": 11, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.aws_s3", + "resourceName": "Create an empty bucket 01", + "searchKey": "name={{Create an empty bucket 01}}.{{amazon.aws.aws_s3}}.permission", + "searchValue": "", + "expectedValue": "aws_s3.permission shouldn't allow public access", + "actualValue": "aws_s3.permission allows public access", + "issueType": "IncorrectValue", + "similarityID": "c5b7271a9109beca9129a140ce2ccd0992ffc373325bbd8ca5491d55752df3ee", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json index 92201a3d8d4..d70a06beea1 100644 --- a/assets/queries/ansible/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "S3 Bucket with Unsecured CORS Rule", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "community.aws.aws_s3_cors", + "resourceName": "Create s3 bucket2", + "searchKey": "name={{Create s3 bucket2}}.{{community.aws.aws_s3_cors}}.rules", + "searchValue": "", + "expectedValue": "community.aws.aws_s3_cors[0] should not allow all methods, all headers or several origins", + "actualValue": "community.aws.aws_s3_cors[0] allows all methods, all headers or several origins", + "issueType": "IncorrectValue", + "similarityID": "309139cc812440e76d83cba2038bac4603368436261f91d3762a80e614f93a43", + "search_line": -1 }, { "queryName": "S3 Bucket with Unsecured CORS Rule", "severity": "MEDIUM", "line": 5, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "aws_s3_cors", + "resourceName": "Create s3 bucket4", + "searchKey": "name={{Create s3 bucket4}}.{{aws_s3_cors}}.rules", + "searchValue": "", + "expectedValue": "aws_s3_cors[0] should not allow all methods, all headers or several origins", + "actualValue": "aws_s3_cors[0] allows all methods, all headers or several origins", + "issueType": "IncorrectValue", + "similarityID": "04fb490019a65a9e798208988bdbd3e96ca9dad3149d9d23cd67c2bfb3b7e2a3", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/s3_bucket_without_server-side_encryption/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_without_server-side_encryption/test/positive_expected_result.json index 64fca39c902..190ddd338ca 100644 --- a/assets/queries/ansible/aws/s3_bucket_without_server-side_encryption/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_without_server-side_encryption/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "S3 Bucket Without Server-side-encryption", "severity": "HIGH", - "line": 5 + "line": 5, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.s3_bucket", + "resourceName": "Create a simple s3 bucket", + "searchKey": "name={{Create a simple s3 bucket}}.{{amazon.aws.s3_bucket}}.encryption", + "searchValue": "", + "expectedValue": "s3_bucket.encryption should not be 'none'", + "actualValue": "s3_bucket.encryption is 'none'", + "issueType": "IncorrectValue", + "similarityID": "5fa1ecb08936b60825b650eede5bd101361fecbc52027453e7af2395c964b3d1", + "search_line": -1 } ] diff --git a/assets/queries/ansible/aws/s3_bucket_without_versioning/test/positive_expected_result.json b/assets/queries/ansible/aws/s3_bucket_without_versioning/test/positive_expected_result.json index b92ee4c0630..b9cf6cb5426 100644 --- a/assets/queries/ansible/aws/s3_bucket_without_versioning/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/s3_bucket_without_versioning/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", - "line": 3 + "line": 3, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.s3_bucket", + "resourceName": "foo", + "searchKey": "name={{foo}}.{{amazon.aws.s3_bucket}}", + "searchValue": "", + "expectedValue": "s3_bucket should have versioning set to true", + "actualValue": "s3_bucket does not have versioning (defaults to false)", + "issueType": "MissingAttribute", + "similarityID": "132434ff228ac560eae414d570dde068d2b3f35d8cd506b7675f512b4acb9d33", + "search_line": -1 }, { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", - "line": 15 + "line": 15, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.s3_bucket", + "resourceName": "foo2", + "searchKey": "name={{foo2}}.{{amazon.aws.s3_bucket}}.versioning", + "searchValue": "", + "expectedValue": "s3_bucket should have versioning set to true", + "actualValue": "s3_bucket does has versioning set to false", + "issueType": "IncorrectValue", + "similarityID": "4209f444f99b4e056fd62e940e69da7896eb6d00e18506ae7c583fdb359a1489", + "search_line": -1 } ] diff --git a/assets/queries/ansible/aws/secure_ciphers_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/secure_ciphers_disabled/test/positive_expected_result.json index 0c32f95eaa3..5ed0203a2d4 100644 --- a/assets/queries/ansible/aws/secure_ciphers_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/secure_ciphers_disabled/test/positive_expected_result.json 
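Review bot: The second entry pins the query's `actualValue` as `"s3_bucket does has versioning set to false"`, so the grammatical slip in the query's message is now asserted by the test and any later fix to the wording will fail this fixture until it is regenerated. Since the generator copies messages verbatim, it is cheaper to correct the query text (`"s3_bucket has versioning set to false"`) before this regeneration lands than after.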
@@ -2,6 +2,16 @@ { "queryName": "Secure Ciphers Disabled", "severity": "MEDIUM", - "line": 14 + "line": 14, + "fileName": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "example", + "searchKey": "name={{example}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.minimum_protocol_version", + "searchValue": "", + "expectedValue": "cloudfront_distribution.viewer_certificate.minimum_protocol_version should be TLSv1.1 or TLSv1.2", + "actualValue": "cloudfront_distribution.viewer_certificate.minimum_protocol_version isn't TLSv1.1 or TLSv1.2", + "issueType": "IncorrectValue", + "similarityID": "8241f49867575f313f9a7240640d1fc317dbbb8ae465e77a1561bcd468eefe84", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/security_group_ingress_not_restricted/test/positive_expected_result.json b/assets/queries/ansible/aws/security_group_ingress_not_restricted/test/positive_expected_result.json index 6f227d16122..9e3cc148580 100644 --- a/assets/queries/ansible/aws/security_group_ingress_not_restricted/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/security_group_ingress_not_restricted/test/positive_expected_result.json 
@@ -2,31 +2,91 @@ { "queryName": "Security Group Ingress Not Restricted", "severity": "HIGH", - "line": 8 + "line": 8, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] should be restricted", + "actualValue": "ec2_group.rules[0] is not restricted", + "issueType": "IncorrectValue", + "similarityID": "b7cb8f7961ce193c9e5dd1f4b4616b687cb3ccec98cb6fb69c0051d469ee20c3", + "search_line": 8 }, { "queryName": "Security Group Ingress Not Restricted", "severity": "HIGH", - "line": 12 + "line": 12, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[1] should be restricted", + "actualValue": "ec2_group.rules[1] is not restricted", + "issueType": "IncorrectValue", + "similarityID": "04ff24f8abdca2ce644788d51f9460cf7fe79b991b193732ef77279001e3fedb", + "search_line": 12 }, { "queryName": "Security Group Ingress Not Restricted", "severity": "HIGH", - "line": 16 + "line": 16, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[2] should be restricted", + "actualValue": "ec2_group.rules[2] is not restricted", + "issueType": "IncorrectValue", + "similarityID": "8f73ed63bb1362c0a213e36979ac6e943c84b1082ecf7aed52bd65e47b29281c", + "search_line": 16 }, { "queryName": "Security Group Ingress Not Restricted", "severity": "HIGH", - "line": 27 + "line": 27, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group v2", + "searchKey": "name={{example ec2 group 
v2}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] should be restricted", + "actualValue": "ec2_group.rules[0] is not restricted", + "issueType": "IncorrectValue", + "similarityID": "6e14178c7575ac7c32fc7613d2bf2cbbd486cedf1729445f6114db79e89750db", + "search_line": 27 }, { "queryName": "Security Group Ingress Not Restricted", "severity": "HIGH", - "line": 31 + "line": 31, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group v2", + "searchKey": "name={{example ec2 group v2}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[1] should be restricted", + "actualValue": "ec2_group.rules[1] is not restricted", + "issueType": "IncorrectValue", + "similarityID": "8f9cf372ebdc601ad8893ec3d5d6c0f2ce90f7eaa7edae5f692e2477f23123bd", + "search_line": 31 }, { "queryName": "Security Group Ingress Not Restricted", "severity": "HIGH", - "line": 35 + "line": 35, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group v2", + "searchKey": "name={{example ec2 group v2}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[2] should be restricted", + "actualValue": "ec2_group.rules[2] is not restricted", + "issueType": "IncorrectValue", + "similarityID": "1ccd11b820c3d8f0f26cd6cd372a0cd7c2107ac0476ef4c49379684b6ff3bfe6", + "search_line": 35 } ] diff --git a/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json b/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json index 494b7d0ff8b..28498fc0a85 100644 --- a/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 8 + "line": 8, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] SSH' (Port:22) should not be public", + "actualValue": "ec2_group.rules[0] SSH' (Port:22) is public", + "issueType": "IncorrectValue", + "similarityID": "ca930bbad202c2d108ca0e9950f5e2f4d23f8d795a06ac3ebdaa66846e72f513", + "search_line": 8 }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 12 + "line": 12, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[1] SSH' (Port:22) should not be public", + "actualValue": "ec2_group.rules[1] SSH' (Port:22) is public", + "issueType": "IncorrectValue", + "similarityID": "4eda8c4b163f8988db0c62a020bbe5a89494c27db7b3c789088443db2d3be6a9", + "search_line": 12 }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 16 + "line": 16, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[2] SSH' (Port:22) should not be public", + "actualValue": "ec2_group.rules[2] SSH' (Port:22) is public", + "issueType": "IncorrectValue", + "similarityID": "dda508819c0e0e6c152077f0f82a7036ecf6026c588334a5712b78a865efb67b", + "search_line": 16 } ] 
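Review bot: All three entries pin an unbalanced quote in the query's messages, `"ec2_group.rules[0] SSH' (Port:22) should not be public"` and its `actualValue` counterpart, so the stray `'` emitted by the query is now locked into the expected result. Regenerating after fixing the message in the query (e.g. `ec2_group.rules[0] 'SSH' (Port:22) should not be public`) avoids committing the typo as test truth and then touching this file again.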
diff --git a/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json b/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json index 3f258837a38..9fc737fdf70 100644 --- a/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "SES Policy With Allowed IAM Actions", "severity": "HIGH", "line": 5, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "community.aws.aws_ses_identity_policy", + "resourceName": "add sending authorization policy to email identityyy", + "searchKey": "name={{add sending authorization policy to email identityyy}}.{{community.aws.aws_ses_identity_policy}}.policy", + "searchValue": "", + "expectedValue": "'policy' should not allow IAM actions to all principals", + "actualValue": "'policy' allows IAM actions to all principals", + "issueType": "IncorrectValue", + "similarityID": "06cbc11a3b5d1680be9710b954a7f0322cb4ab2b45521bd6d2e07a668150e16a", + "search_line": 5 } ] diff --git a/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json index 879a626a397..0243fe7e858 100644 --- a/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json 
@@ -1,26 +1,62 @@ [ - { - "queryName": "SNS Topic is Publicly Accessible", - "severity": "CRITICAL", - "line": 23, - "fileName": "positive1.yaml" - }, - { - "queryName": "SNS Topic is Publicly Accessible", - "severity": "CRITICAL", - "line": 52, - "fileName": "positive1.yaml" - }, - { - "queryName": "SNS Topic is Publicly Accessible", - "severity": "CRITICAL", - "line": 23, - "fileName": "positive2.yaml" - }, - { - "queryName": "SNS Topic is Publicly Accessible", - "severity": "CRITICAL", - "line": 55, - "fileName": "positive2.yaml" - } + { + "queryName": "SNS Topic is Publicly Accessible", + "severity": "CRITICAL", + "line": 23, + "fileName": "positive1.yaml", + "resourceType": "community.aws.sns_topic", + "resourceName": "Create alarm SNS topic community", + "searchKey": "name={{Create alarm SNS topic community}}.{{community.aws.sns_topic}}.policy", + "searchValue": "", + "expectedValue": "sns_topic.policy.Statement shouldn't contain '*' for an AWS Principal", + "actualValue": "sns_topic.policy.Statement contains '*' in an AWS Principal", + "issueType": "IncorrectValue", + "similarityID": "3d10faae7297cc31ee7d8a2cd2734e7dfce28bcd5788e2029232f728f44d416c", + "search_line": 23 + }, + { + "queryName": "SNS Topic is Publicly Accessible", + "severity": "CRITICAL", + "line": 52, + "fileName": "positive1.yaml", + "resourceType": "sns_topic", + "resourceName": "Create alarm SNS topic", + "searchKey": "name={{Create alarm SNS topic}}.{{sns_topic}}.policy", + "searchValue": "", + "expectedValue": "sns_topic.policy.Statement shouldn't contain '*' for an AWS Principal", + "actualValue": "sns_topic.policy.Statement contains '*' in an AWS Principal", + "issueType": "IncorrectValue", + "similarityID": "52ced2a4a23c5bcde52c07a08918efafdf704388f59f65f5ef8259f67cedfc78", + "search_line": 52 + }, + { + "queryName": "SNS Topic is Publicly Accessible", + "severity": "CRITICAL", + "line": 23, + "fileName": "positive2.yaml", + "resourceType": "community.aws.sns_topic", + 
"resourceName": "Create alarm SNS topic community", + "searchKey": "name={{Create alarm SNS topic community}}.{{community.aws.sns_topic}}.policy", + "searchValue": "", + "expectedValue": "sns_topic.policy.Statement shouldn't contain '*' for an AWS Principal", + "actualValue": "sns_topic.policy.Statement contains '*' in an AWS Principal", + "issueType": "IncorrectValue", + "similarityID": "adb109ee66a944f84b185e7451525d8a7aedaf544de83c068bf583eac48058f7", + "search_line": 23 + }, + { + "queryName": "SNS Topic is Publicly Accessible", + "severity": "CRITICAL", + "line": 55, + "fileName": "positive2.yaml", + "resourceType": "sns_topic", + "resourceName": "Create alarm SNS topic", + "searchKey": "name={{Create alarm SNS topic}}.{{sns_topic}}.policy", + "searchValue": "", + "expectedValue": "sns_topic.policy.Statement shouldn't contain '*' for an AWS Principal", + "actualValue": "sns_topic.policy.Statement contains '*' in an AWS Principal", + "issueType": "IncorrectValue", + "similarityID": "8788de6f64211f20b1270bd67f7242a7d034462059db0f0e3c623f2d4599e930", + "search_line": 55 + } ] diff --git a/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json index a3eb82d8f96..85c43c7bd42 100644 --- a/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json 
@@ -2,26 +2,76 @@ { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", - "line": 9 + "line": 9, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example using security group rule descriptions", + "searchKey": "name={{example using security group rule descriptions}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the SQL analysis services port (2383)", + "actualValue": "ec2_group.rules[0] opens the SQL analysis services port (2383)", + "issueType": "IncorrectValue", + "similarityID": "8226986ba10f07db2b20d9a6f83a494e681da4a59004b6df75fbd70354146a22", + "search_line": -1 }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", - "line": 23 + "line": 23, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example using security group rule descriptions 2", + "searchKey": "name={{example using security group rule descriptions 2}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the SQL analysis services port (2383)", + "actualValue": "ec2_group.rules[0] opens the SQL analysis services port (2383)", + "issueType": "IncorrectValue", + "similarityID": "585ab68b8be06d057324ea028efe9f892d8611383eb53b6024c2c731722a181a", + "search_line": -1 }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", - "line": 37 + "line": 37, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example using security group rule descriptions 3", + "searchKey": "name={{example using security group rule descriptions 3}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the SQL analysis services port (2383)", + "actualValue": "ec2_group.rules[0] opens the SQL 
analysis services port (2383)", + "issueType": "IncorrectValue", + "similarityID": "397f6e23e5af2688b5048b45d02e83c574789db224e19b541f6d1311325e42b6", + "search_line": -1 }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", - "line": 51 + "line": 51, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example using security group rule descriptions 4", + "searchKey": "name={{example using security group rule descriptions 4}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the SQL analysis services port (2383)", + "actualValue": "ec2_group.rules[0] opens the SQL analysis services port (2383)", + "issueType": "IncorrectValue", + "similarityID": "5325701f1cf433ebf05a31b33b419ade80e2669946bf9b83634666550fef5e53", + "search_line": -1 }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", - "line": 65 + "line": 65, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example using security group rule descriptions 5", + "searchKey": "name={{example using security group rule descriptions 5}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] shouldn't open the SQL analysis services port (2383)", + "actualValue": "ec2_group.rules[0] opens the SQL analysis services port (2383)", + "issueType": "IncorrectValue", + "similarityID": "0b074ef6d48fab8e4932fe14594e9bf6ee3b992ba91b554b0008c1151bdc0275", + "search_line": -1 } ] diff --git a/assets/queries/ansible/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json b/assets/queries/ansible/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json index c16a93df09f..9a3182e2dd2 100644 --- a/assets/queries/ansible/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json 
+++ b/assets/queries/ansible/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "SQS Policy Allows All Actions", "severity": "HIGH", "line": 10, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "community.aws.sqs_queue", + "resourceName": "Second SQS queue with policy", + "searchKey": "name={{Second SQS queue with policy}}.{{community.aws.sqs_queue}}.policy", + "searchValue": "", + "expectedValue": "sqs_queue.policy.Statement should not contain Action equal to '*'", + "actualValue": "sqs_queue.policy.Statement contains Action equal to '*'", + "issueType": "IncorrectValue", + "similarityID": "eab05d0e0ef3bde6f25fad9f30c4b5a467e091844791a3d99905ea489fcfee0a", + "search_line": 10 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/sqs_policy_with_public_access/test/positive_expected_result.json b/assets/queries/ansible/aws/sqs_policy_with_public_access/test/positive_expected_result.json index 0e7522dd585..32d4700d6e5 100644 --- a/assets/queries/ansible/aws/sqs_policy_with_public_access/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/sqs_policy_with_public_access/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "SQS Policy With Public Access", "severity": "MEDIUM", "line": 10, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "community.aws.sqs_queue", + "resourceName": "First SQS queue with policy", + "searchKey": "name={{First SQS queue with policy}}.{{community.aws.sqs_queue}}.policy", + "searchValue": "", + "expectedValue": "sqs_queue.policy.Principal should not equal to '*'", + "actualValue": "sqs_queue.policy.Principal is equal to '*'", + "issueType": "IncorrectValue", + "similarityID": "e10130270e16e4b0c6e3b6c63eada4f080f3c7b267e80c8e3391f3067e77868e", + "search_line": 10 }, { "queryName": "SQS Policy With Public Access", "severity": "MEDIUM", "line": 28, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "community.aws.sqs_queue", + "resourceName": "Second SQS queue with policy", + "searchKey": "name={{Second SQS queue with policy}}.{{community.aws.sqs_queue}}.policy", + "searchValue": "", + "expectedValue": "sqs_queue.policy.Principal should not equal to '*'", + "actualValue": "sqs_queue.policy.Principal is equal to '*'", + "issueType": "IncorrectValue", + "similarityID": "0d2d0a52bd7740b349c76594e4fb0dd2b61932e3b871c89251a011dc14be1b05", + "search_line": 28 } ] diff --git a/assets/queries/ansible/aws/sqs_queue_exposed/test/positive_expected_result.json b/assets/queries/ansible/aws/sqs_queue_exposed/test/positive_expected_result.json index f2422275416..6044bec959c 100644 --- a/assets/queries/ansible/aws/sqs_queue_exposed/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/sqs_queue_exposed/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "SQS Queue Exposed", "severity": "HIGH", "line": 10, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "community.aws.sqs_queue", + "resourceName": "example", + "searchKey": "name={{example}}.{{community.aws.sqs_queue}}.policy", + "searchValue": "", + "expectedValue": "sqs_queue.policy.Principal shouldn't get the queue publicly accessible", + "actualValue": "sqs_queue.policy.Principal does get the queue publicly accessible", + "issueType": "IncorrectValue", + "similarityID": "6806b222e964a13a5ae3cf01a512fc5bd8aaf8aa4148100bcfd518df613d81bb", + "search_line": 10 }, { "queryName": "SQS Queue Exposed", "severity": "HIGH", "line": 31, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "community.aws.sqs_queue", + "resourceName": "example with list", + "searchKey": "name={{example with list}}.{{community.aws.sqs_queue}}.policy", + "searchValue": "", + "expectedValue": "sqs_queue.policy.Principal shouldn't get the queue publicly accessible", + "actualValue": "sqs_queue.policy.Principal does get the queue publicly accessible", + "issueType": "IncorrectValue", + "similarityID": "76a626a24b5356c465b3a9f43b059d41f154bd036772ba32eddbde5babc2b41b", + "search_line": 31 } ] diff --git a/assets/queries/ansible/aws/sqs_with_sse_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/sqs_with_sse_disabled/test/positive_expected_result.json index 9508951fea5..67a2d9382cf 100644 --- a/assets/queries/ansible/aws/sqs_with_sse_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/sqs_with_sse_disabled/test/positive_expected_result.json 
@@ -2,21 +2,61 @@ { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", - "line": 2 + "line": 2, + "fileName": "positive.yaml", + "resourceType": "community.aws.sqs_queue", + "resourceName": "Create SQS queue with redrive policy", + "searchKey": "name={{Create SQS queue with redrive policy}}.{{community.aws.sqs_queue}}.kms_master_key_id", + "searchValue": "", + "expectedValue": "'kms_master_key_id' should be set", + "actualValue": "'kms_master_key_id' is undefined", + "issueType": "MissingAttribute", + "similarityID": "45264090ae81717d98bed55dcc187b4eb7e0ca2e1ce1ef1855e724c1ec873c36", + "search_line": -1 }, { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", - "line": 16 + "line": 16, + "fileName": "positive.yaml", + "resourceType": "community.aws.sqs_queue", + "resourceName": "Drop redrive policy", + "searchKey": "name={{Drop redrive policy}}.{{community.aws.sqs_queue}}.kms_master_key_id", + "searchValue": "", + "expectedValue": "'kms_master_key_id' should be set", + "actualValue": "'kms_master_key_id' is undefined", + "issueType": "MissingAttribute", + "similarityID": "bf614942d7df916d1866d442c1d705dab231806da225257275ba2f8303f945be", + "search_line": -1 }, { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", - "line": 22 + "line": 22, + "fileName": "positive.yaml", + "resourceType": "community.aws.sqs_queue", + "resourceName": "Create FIFO queue", + "searchKey": "name={{Create FIFO queue}}.{{community.aws.sqs_queue}}.kms_master_key_id", + "searchValue": "", + "expectedValue": "'kms_master_key_id' should be set", + "actualValue": "'kms_master_key_id' is undefined", + "issueType": "MissingAttribute", + "similarityID": "859ecb1a2057af1b157582cc5c3ff986690002ee1d099f5a33240cdf98638491", + "search_line": -1 }, { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", - "line": 29 + "line": 29, + "fileName": "positive.yaml", + "resourceType": "community.aws.sqs_queue", + "resourceName": "Tag queue", + "searchKey": "name={{Tag 
queue}}.{{community.aws.sqs_queue}}.kms_master_key_id", + "searchValue": "", + "expectedValue": "'kms_master_key_id' should be set", + "actualValue": "'kms_master_key_id' is undefined", + "issueType": "MissingAttribute", + "similarityID": "c5711dedc9841bf18bff772f5ff9bdd9d59203e8222c5fcfb5ee7d91052eff5b", + "search_line": -1 } ] diff --git a/assets/queries/ansible/aws/stack_notifications_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/stack_notifications_disabled/test/positive_expected_result.json index 092c000c61f..788f5ae6986 100644 --- a/assets/queries/ansible/aws/stack_notifications_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/stack_notifications_disabled/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Stack Notifications Disabled", "severity": "LOW", - "line": 2 + "line": 2, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.cloudformation", + "resourceName": "create a stack, pass in the template via an URL", + "searchKey": "name={{create a stack, pass in the template via an URL}}.{{amazon.aws.cloudformation}}", + "searchValue": "", + "expectedValue": "cloudformation.notification_arns should be set", + "actualValue": "cloudformation.notification_arns is undefined", + "issueType": "MissingAttribute", + "similarityID": "5167dd162f00d3ad855e1e7165989376c16d05a3424d24711a4600392fe418fd", + "search_line": -1 } ] diff --git a/assets/queries/ansible/aws/stack_retention_disabled/test/positive_expected_result.json b/assets/queries/ansible/aws/stack_retention_disabled/test/positive_expected_result.json index 26d12a6c987..4f5a8756599 100644 --- a/assets/queries/ansible/aws/stack_retention_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/stack_retention_disabled/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 2 + "line": 2, + "fileName": "positive.yaml", + "resourceType": "community.aws.cloudformation_stack_set", + "resourceName": "Create a stack set with instances in two accounts", + "searchKey": "name={{Create a stack set with instances in two accounts}}.{{community.aws.cloudformation_stack_set}}", + "searchValue": "", + "expectedValue": "cloudformation_stack_set.purge_stacks should be set", + "actualValue": "cloudformation_stack_set.purge_stacks is undefined", + "issueType": "MissingAttribute", + "similarityID": "0dfca63641a83836cc0a2c8b172abab80e3a786d974fc575e634ef6ab9c366ef", + "search_line": -1 }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 23 + "line": 23, + "fileName": "positive.yaml", + "resourceType": "community.aws.cloudformation_stack_set", + "resourceName": "on subsequent calls, templates are optional but parameters and tags can be altered", + "searchKey": "name={{on subsequent calls, templates are optional but parameters and tags can be altered}}.{{community.aws.cloudformation_stack_set}}.purge_stacks", + "searchValue": "", + "expectedValue": "cloudformation_stack_set.purge_stacks should be set to false", + "actualValue": "cloudformation_stack_set.purge_stacks is true", + "issueType": "IncorrectValue", + "similarityID": "f28f94f94f999df50e6904c68ce440c58b7c1f5b122226a3ec27f85ec55c433d", + "search_line": -1 } ] diff --git a/assets/queries/ansible/aws/stack_without_template/test/positive_expected_result.json b/assets/queries/ansible/aws/stack_without_template/test/positive_expected_result.json index 45c13d3d70f..3c6a3a40489 100644 --- a/assets/queries/ansible/aws/stack_without_template/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/stack_without_template/test/positive_expected_result.json 
@@ -2,21 +2,61 @@ { "queryName": "Stack Without Template", "severity": "LOW", - "line": 2 + "line": 2, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.cloudformation", + "resourceName": "create a stack, pass in the template via an URL", + "searchKey": "name={{create a stack, pass in the template via an URL}}.{{amazon.aws.cloudformation}}", + "searchValue": "", + "expectedValue": "amazon.aws.cloudformation has template, template_body or template_url set", + "actualValue": "amazon.aws.cloudformation does not have template, template_body or template_url set", + "issueType": "MissingAttribute", + "similarityID": "8d6fd643093ead4acbe42d82297b8d17045d1002d6fa0348f363afc055dbe8a3", + "search_line": -1 }, { "queryName": "Stack Without Template", "severity": "LOW", - "line": 15 + "line": 15, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.cloudformation", + "resourceName": "create a stack, pass in the template via an URL v2", + "searchKey": "name={{create a stack, pass in the template via an URL v2}}.{{amazon.aws.cloudformation}}", + "searchValue": "", + "expectedValue": "amazon.aws.cloudformation should not have more than one of the attributes template, template_body and template_url set", + "actualValue": "amazon.aws.cloudformation has more than one of the attributes template, template_body and template_url set", + "issueType": "IncorrectValue", + "similarityID": "281c2f523a3d9f1653351985e762c8c0608b73a07a9069b7b694b2ac45ed8529", + "search_line": -1 }, { "queryName": "Stack Without Template", "severity": "LOW", - "line": 30 + "line": 30, + "fileName": "positive.yaml", + "resourceType": "community.aws.cloudformation_stack_set", + "resourceName": "Create a stack set with instances in two accounts", + "searchKey": "name={{Create a stack set with instances in two accounts}}.{{community.aws.cloudformation_stack_set}}", + "searchValue": "", + "expectedValue": "community.aws.cloudformation_stack_set should not have more than one of the attributes 
template, template_body and template_url set", + "actualValue": "community.aws.cloudformation_stack_set has more than one of the attributes template, template_body and template_url set", + "issueType": "IncorrectValue", + "similarityID": "8d41e3b091381cae9cbf2bd25adc713c68e560debdc59c4a682ceed85765e123", + "search_line": -1 }, { "queryName": "Stack Without Template", "severity": "LOW", - "line": 40 + "line": 40, + "fileName": "positive.yaml", + "resourceType": "community.aws.cloudformation_stack_set", + "resourceName": "Create a stack set with instances in two accounts v2", + "searchKey": "name={{Create a stack set with instances in two accounts v2}}.{{community.aws.cloudformation_stack_set}}", + "searchValue": "", + "expectedValue": "community.aws.cloudformation_stack_set has template, template_body or template_url set", + "actualValue": "community.aws.cloudformation_stack_set does not have template, template_body or template_url set", + "issueType": "MissingAttribute", + "similarityID": "b6132b892c6073890e390b8741232be13593a72d2c3041871da51878f3f527fa", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json b/assets/queries/ansible/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json index 05f6d2f3c8f..f6c5b8d425d 100644 --- a/assets/queries/ansible/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json 
@@ -1,12 +1,32 @@ [ - { - "queryName": "Unknown Port Exposed To Internet", - "severity": "HIGH", - "line": 9 - }, - { - "queryName": "Unknown Port Exposed To Internet", - "severity": "HIGH", - "line": 13 - } + { + "queryName": "Unknown Port Exposed To Internet", + "severity": "HIGH", + "line": 9, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[0] port_range should not contain unknown ports and should not be exposed to the entire Internet", + "actualValue": "ec2_group.rules[0] port_range contains unknown ports and are exposed to the entire Internet", + "issueType": "IncorrectValue", + "similarityID": "0106d3a243444cf874c44af0deaf4e833a3e65a519ff27b983c850c6291adce2", + "search_line": 9 + }, + { + "queryName": "Unknown Port Exposed To Internet", + "severity": "HIGH", + "line": 13, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example ec2 group", + "searchKey": "name={{example ec2 group}}.{{amazon.aws.ec2_group}}.rules", + "searchValue": "", + "expectedValue": "ec2_group.rules[1] port_range should not contain unknown ports and should not be exposed to the entire Internet", + "actualValue": "ec2_group.rules[1] port_range contains unknown ports and are exposed to the entire Internet", + "issueType": "IncorrectValue", + "similarityID": "eba65952bf734db09b2d006e448c1c6c3c9fa09b1bd033b2e915c97959f2387c", + "search_line": 13 + } ] diff --git a/assets/queries/ansible/aws/unrestricted_security_group_ingress/test/positive_expected_result.json b/assets/queries/ansible/aws/unrestricted_security_group_ingress/test/positive_expected_result.json index e600c057d23..84232063465 100644 --- a/assets/queries/ansible/aws/unrestricted_security_group_ingress/test/positive_expected_result.json 
+++ b/assets/queries/ansible/aws/unrestricted_security_group_ingress/test/positive_expected_result.json 
@@ -2,21 +2,61 @@ { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", - "line": 14 + "line": 14, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example1", + "searchKey": "name={{example1}}.{{amazon.aws.ec2_group}}.rules.cidr_ip={{0.0.0.0/0}}", + "searchValue": "", + "expectedValue": "ec2_group.rules.cidr_ip should not contain the value '0.0.0.0/0'", + "actualValue": "ec2_group.rules.cidr_ip contains value '0.0.0.0/0'", + "issueType": "IncorrectValue", + "similarityID": "7b5b17d27ed8a5051e354e8f0dbd3df0f5fbb71042592dc9936b365bfb9e28d8", + "search_line": -1 }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", - "line": 28 + "line": 28, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example2", + "searchKey": "name={{example2}}.{{amazon.aws.ec2_group}}.rules.cidr_ip.{{0.0.0.0/0}}", + "searchValue": "", + "expectedValue": "ec2_group.rules.cidr_ip should not contain the value '0.0.0.0/0'", + "actualValue": "ec2_group.rules.cidr_ip contains value '0.0.0.0/0'", + "issueType": "IncorrectValue", + "similarityID": "2f6c054a1fba796fc4d50f366c35a8959d11a6e3213123e08afbf2f1fc732919", + "search_line": -1 }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", - "line": 41 + "line": 41, + "fileName": "positive.yaml", + "resourceType": "amazon.aws.ec2_group", + "resourceName": "example3", + "searchKey": "name={{example3}}.{{amazon.aws.ec2_group}}.rules.cidr_ipv6={{::/0}}", + "searchValue": "", + "expectedValue": "ec2_group.rules.cidr_ipv6 should not contain the value '::/0'", + "actualValue": "ec2_group.rules.cidr_ipv6 contains value '::/0'", + "issueType": "IncorrectValue", + "similarityID": "b680bf44b5e5108e35da7831a74364139bfd91c57f55c079ee58c5c12bdd53bb", + "search_line": -1 }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", - "line": 55 + "line": 55, + "fileName": "positive.yaml", + 
"resourceType": "amazon.aws.ec2_group", + "resourceName": "example4", + "searchKey": "name={{example4}}.{{amazon.aws.ec2_group}}.rules.cidr_ipv6.{{::/0}}", + "searchValue": "", + "expectedValue": "ec2_group.rules.cidr_ipv6 should not contain the value '::/0'", + "actualValue": "ec2_group.rules.cidr_ipv6 contains value '::/0'", + "issueType": "IncorrectValue", + "similarityID": "7f518185f32738bb9b5ba3bc51a17d355b00baa8c425ce659441537df289c14c", + "search_line": -1 } ] diff --git a/assets/queries/ansible/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json b/assets/queries/ansible/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json index 772c99ba9f8..5779deb9d99 100644 --- a/assets/queries/ansible/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json @@ -1,7 +1,17 @@ [ - { - "queryName": "User Data Contains Encoded Private Key", - "severity": "HIGH", - "line": 9 - } + { + "queryName": "User Data Contains Encoded Private Key", + "severity": "HIGH", + "line": 9, + "fileName": "positive.yaml", + "resourceType": "community.aws.ec2_lc", + "resourceName": "note that encrypted volumes are only supported in >= Ansible 2.4", + "searchKey": "name={{note that encrypted volumes are only supported in >= Ansible 2.4}}.{{community.aws.ec2_lc}}.user_data", + "searchValue": "", + "expectedValue": "ec2_lc.user_data should not contain RSA Private Key", + "actualValue": "ec2_lc.user_data contains RSA Private Key", + "issueType": "IncorrectValue", + "similarityID": "4a045d704a8fafe3e6f90fb7ab273fdbb4f7c301658063161f7c22c7889c2c79", + "search_line": -1 + } ] diff --git a/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/test/positive_expected_result.json b/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/test/positive_expected_result.json index 7a3f75db184..92d38ad633f 100644 
--- a/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/viewer_protocol_policy_allows_http/test/positive_expected_result.json @@ -2,11 +2,31 @@ { "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP", "severity": "MEDIUM", - "line": 20 + "line": 20, + "fileName": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "example1", + "searchKey": "name={{example1}}.{{community.aws.cloudfront_distribution}}.default_cache_behavior.viewer_protocol_policy", + "searchValue": "", + "expectedValue": "cloudfront_distribution.default_cache_behavior.viewer_protocol_policy should be 'https-only' or 'redirect-to-https'", + "actualValue": "cloudfront_distribution.default_cache_behavior.viewer_protocol_policy isn't 'https-only' or 'redirect-to-https'", + "issueType": "IncorrectValue", + "similarityID": "d5c0a65e6d468981b5ad7c2843393a7c9ce63db736dc43411659105c03bc96e7", + "search_line": -1 }, { "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP", "severity": "MEDIUM", - "line": 50 + "line": 50, + "fileName": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "example2", + "searchKey": "name={{example2}}.{{community.aws.cloudfront_distribution}}.cache_behaviors.viewer_protocol_policy", + "searchValue": "", + "expectedValue": "cloudfront_distribution.cache_behaviors.viewer_protocol_policy should be 'https-only' or 'redirect-to-https'", + "actualValue": "cloudfront_distribution.cache_behaviors.viewer_protocol_policy isn't 'https-only' or 'redirect-to-https'", + "issueType": "IncorrectValue", + "similarityID": "017f1c7d3aa29b5b014cca922099d95fdbbb7f7bf8ff83b429a79072ce43693e", + "search_line": -1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json b/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json index a319e98250d..b40b6e9711d 100644 --- a/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json +++ b/assets/queries/ansible/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", - "line": 6 + "line": 6, + "fileName": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "create a basic distribution with defaults, tags and default SSL certificate", + "searchKey": "name={{create a basic distribution with defaults, tags and default SSL certificate}}.{{community.aws.cloudfront_distribution}}.viewer_certificate.cloudfront_default_certificate", + "searchValue": "", + "expectedValue": "Attribute 'cloudfront_default_certificate' should be 'false' or not defined", + "actualValue": "Attribute 'cloudfront_default_certificate' is 'true'", + "issueType": "IncorrectValue", + "similarityID": "fd503757d40e9e4249d6558281de613d5cefec1f220375f972475b30465363d1", + "search_line": 6 }, { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", - "line": 15 + "line": 15, + "fileName": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "create a basic distribution with defaults, tags and misconfigured custom SSL certificate", + "searchKey": "name={{create a basic distribution with defaults, tags and misconfigured custom SSL certificate}}.{{community.aws.cloudfront_distribution}}.viewer_certificate", + "searchValue": "minimum_protocol_version", + "expectedValue": "Attribute minimum_protocol_version should be defined when one of 'acm_certificate_arn' or 'iam_certificate_id' is declared.", + "actualValue": "Attribute 'minimum_protocol_version' is not defined", + "issueType": "MissingAttribute", + "similarityID": "10553c10c6246734c3f35b0d2fe095a899867836bb609e0955f864a2d7a0976b", + "search_line": 15 }, { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", - "line": 15 + "line": 15, + "fileName": "positive.yaml", + "resourceType": "community.aws.cloudfront_distribution", + "resourceName": "create a basic distribution with defaults, tags and misconfigured 
custom SSL certificate", + "searchKey": "name={{create a basic distribution with defaults, tags and misconfigured custom SSL certificate}}.{{community.aws.cloudfront_distribution}}.viewer_certificate", + "searchValue": "ssl_support_method", + "expectedValue": "Attribute ssl_support_method should be defined when one of 'acm_certificate_arn' or 'iam_certificate_id' is declared.", + "actualValue": "Attribute 'ssl_support_method' is not defined", + "issueType": "MissingAttribute", + "similarityID": "33556a98aacc769025b337bcad67b8d14c1e3b0c2720f2ba149ad1881b57e2ba", + "search_line": 15 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json b/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json index 85e34b71da8..64d6b65fb4c 100644 --- a/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "AD Admin Not Configured For SQL Server", "severity": "MEDIUM", - "line": 3 + "line": 3, + "fileName": "positive.yaml", + "resourceType": "azure_rm_sqlserver", + "resourceName": "Create (or update) SQL Server", + "searchKey": "name={{Create (or update) SQL Server}}.{{azure_rm_sqlserver}}", + "searchValue": "", + "expectedValue": "azure_rm_sqlserver.ad_user should be defined", + "actualValue": "azure_rm_sqlserver.ad_user is undefined", + "issueType": "MissingAttribute", + "similarityID": "b090ffa57f59ae72c31108929483b70f97a7b906ca506c771672aa112a054405", + "search_line": -1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/ansible/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json b/assets/queries/ansible/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json index 8db54668eed..19ea1a1e107 100644 --- a/assets/queries/ansible/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Admin User Enabled For Container Registry", "severity": "MEDIUM", - "line": 7 + "line": 7, + "fileName": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_containerregistry", + "resourceName": "Create an azure container registry", + "searchKey": "name={{Create an azure container registry}}.{{azure.azcollection.azure_rm_containerregistry}}.admin_user_enabled", + "searchValue": "", + "expectedValue": "azure_rm_containerregistry.admin_user_enabled should be false or undefined (defaults to false)", + "actualValue": "azure_rm_containerregistry.admin_user_enabled is true", + "issueType": "IncorrectValue", + "similarityID": "e14e2f54dd7b245ef38bec907a99525e4d850fc2daab589f95e66362a1ae9537", + "search_line": -1 }, { "queryName": "Admin User Enabled For Container Registry", "severity": "MEDIUM", - "line": 17 + "line": 17, + "fileName": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_containerregistry", + "resourceName": "Create an azure container registry2", + "searchKey": "name={{Create an azure container registry2}}.{{azure.azcollection.azure_rm_containerregistry}}.admin_user_enabled", + "searchValue": "", + "expectedValue": "azure_rm_containerregistry.admin_user_enabled should be false or undefined (defaults to false)", + "actualValue": "azure_rm_containerregistry.admin_user_enabled is true", + "issueType": "IncorrectValue", + "similarityID": "1119c6cb2a7fb49ab2b9821fed53a13e5e9da49e69d6ece509af72f04382aa33", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/aks_monitoring_logging_disabled/test/positive_expected_result.json b/assets/queries/ansible/azure/aks_monitoring_logging_disabled/test/positive_expected_result.json index 222abd325a6..7c7576ad898 100644 --- a/assets/queries/ansible/azure/aks_monitoring_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/aks_monitoring_logging_disabled/test/positive_expected_result.json 
@@ -2,21 +2,61 @@ { "queryName": "AKS Monitoring Logging Disabled", "severity": "MEDIUM", - "line": 2 + "line": 2, + "fileName": "positive.yaml", + "resourceType": "azure_rm_aks", + "resourceName": "Create an AKS instance v0", + "searchKey": "name={{Create an AKS instance v0}}.{{azure_rm_aks}}", + "searchValue": "", + "expectedValue": "azure_rm_aks.addon should be set", + "actualValue": "azure_rm_aks.addon is undefined", + "issueType": "MissingAttribute", + "similarityID": "1ba88d322401f4586a081b9078df9f4a8149dcb3cd6e1d16b399ed63e461e033", + "search_line": -1 }, { "queryName": "AKS Monitoring Logging Disabled", "severity": "MEDIUM", - "line": 43 + "line": 43, + "fileName": "positive.yaml", + "resourceType": "azure_rm_aks", + "resourceName": "Create an AKS instance", + "searchKey": "name={{Create an AKS instance}}.{{azure_rm_aks}}.addon", + "searchValue": "", + "expectedValue": "azure_rm_aks.addon.monitoring should be set", + "actualValue": "azure_rm_aks.addon.monitoring is undefined", + "issueType": "MissingAttribute", + "similarityID": "010d168a5530c2b2593e18c98642cb61178674be5cbe40f96c3d6a61016bc665", + "search_line": -1 }, { "queryName": "AKS Monitoring Logging Disabled", "severity": "MEDIUM", - "line": 68 + "line": 68, + "fileName": "positive.yaml", + "resourceType": "azure_rm_aks", + "resourceName": "Create an AKS instance v3", + "searchKey": "name={{Create an AKS instance v3}}.{{azure_rm_aks}}.addon.monitoring", + "searchValue": "", + "expectedValue": "azure_rm_aks.addon.monitoring.{\"enabled\", \"log_analytics_workspace_resource_id\"} should be set", + "actualValue": "azure_rm_aks.addon.monitoring.{\"enabled\", \"log_analytics_workspace_resource_id\"} is undefined", + "issueType": "MissingAttribute", + "similarityID": "3f0bea81da363f7e994f3d201a2e25d5ade21721cbaaa793eccd5641546380ac", + "search_line": -1 }, { "queryName": "AKS Monitoring Logging Disabled", "severity": "MEDIUM", - "line": 94 + "line": 94, + "fileName": "positive.yaml", + "resourceType": 
"azure_rm_aks", + "resourceName": "Create an AKS instance v9", + "searchKey": "name={{Create an AKS instance v9}}.{{azure_rm_aks}}.addon.monitoring.enabled", + "searchValue": "", + "expectedValue": "azure_rm_aks.addon.monitoring.enabled should be set to 'yes' or 'false'", + "actualValue": "azure_rm_aks.addon.monitoring.enabled is not set to 'yes' or 'false'", + "issueType": "IncorrectValue", + "similarityID": "8b606b08a51fa4b81fa7cd32bf8010a98066f6fce671a79310e6147429988cea", + "search_line": -1 } ] diff --git a/assets/queries/ansible/azure/aks_network_policy_misconfigured/test/positive_expected_result.json b/assets/queries/ansible/azure/aks_network_policy_misconfigured/test/positive_expected_result.json index a9f6033dbaa..804194c9e1a 100644 --- a/assets/queries/ansible/azure/aks_network_policy_misconfigured/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/aks_network_policy_misconfigured/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "AKS Network Policy Misconfigured", "severity": "LOW", - "line": 10 + "line": 10, + "fileName": "positive.yaml", + "resourceType": "azure_rm_aks", + "resourceName": "Create a managed Azure Container Services (AKS) instance03", + "searchKey": "name={{Create a managed Azure Container Services (AKS) instance03}}.{{azure_rm_aks}}.network_profile.network_policy", + "searchValue": "", + "expectedValue": "Azure AKS cluster network policy should be either 'calico' or 'azure'", + "actualValue": "Azure AKS cluster network policy is istio", + "issueType": "IncorrectValue", + "similarityID": "771cbe5f57168414145266bdf3d3ac0c6173a374a94d1eb2d2e1adaff8101194", + "search_line": -1 }, { "queryName": "AKS Network Policy Misconfigured", "severity": "LOW", - "line": 24 + "line": 24, + "fileName": "positive.yaml", + "resourceType": "azure_rm_aks", + "resourceName": "Create a managed Azure Container Services (AKS) instance04", + "searchKey": "name={{Create a managed Azure Container Services (AKS) instance04}}.{{azure_rm_aks}}", + "searchValue": "", + "expectedValue": "Azure AKS cluster network profile should be defined", + "actualValue": "Azure AKS cluster network profile is undefined", + "issueType": "MissingAttribute", + "similarityID": "8d6055e2794c1f2fecf911ecee796f6b838aa865df50c74088b6831ea75d0e6d", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/aks_rbac_disabled/test/positive_expected_result.json b/assets/queries/ansible/azure/aks_rbac_disabled/test/positive_expected_result.json index 8d15a88670b..c4375f012ee 100644 --- a/assets/queries/ansible/azure/aks_rbac_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/aks_rbac_disabled/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "AKS RBAC Disabled", "severity": "MEDIUM", - "line": 21 + "line": 21, + "fileName": "positive.yaml", + "resourceType": "azure_rm_aks", + "resourceName": "Create an AKS instance", + "searchKey": "name={{Create an AKS instance}}.{{azure_rm_aks}}.enable_rbac", + "searchValue": "", + "expectedValue": "azure_rm_aks.enable_rbac should be set to 'yes' or 'true'", + "actualValue": "azure_rm_aks.enable_rbac is not set to 'yes' or 'true'", + "issueType": "IncorrectValue", + "similarityID": "1bc4ea3d4a25c1986ba194b76f91affddc1ef85524522f022a6978ca51e712da", + "search_line": -1 }, { "queryName": "AKS RBAC Disabled", "severity": "MEDIUM", - "line": 23 + "line": 23, + "fileName": "positive.yaml", + "resourceType": "azure_rm_aks", + "resourceName": "Create an AKS instance v2", + "searchKey": "name={{Create an AKS instance v2}}.{{azure_rm_aks}}", + "searchValue": "", + "expectedValue": "azure_rm_aks.enable_rbac should be defined", + "actualValue": "azure_rm_aks.enable_rbac is undefined", + "issueType": "MissingAttribute", + "similarityID": "52f670c7e4b250774c41aedbdfb46e61400ff475eb1f346e1bc8f01f131554fc", + "search_line": -1 } ] diff --git a/assets/queries/ansible/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json b/assets/queries/ansible/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json index 1129e0d6c75..bd5a1886ad3 100644 --- a/assets/queries/ansible/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json 
@@ -3,18 +3,45 @@
 "queryName": "Azure Container Registry With No Locks",
 "severity": "HIGH",
 "line": 2,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "azure_rm_containerregistry",
+ "resourceName": "Create an azure container registry",
+ "searchKey": "name={{Create an azure container registry}}.{{azure_rm_containerregistry}}",
+ "searchValue": "",
+ "expectedValue": "'azure_rm_containerregistry' should be referenced by an existing lock",
+ "actualValue": "'azure_rm_containerregistry' is not referenced by an existing lock",
+ "issueType": "IncorrectValue",
+ "similarityID": "2061ed01060d31281febed1249cfd0339049ace5d8b5599d1450d4cd0eb99de7",
+ "search_line": -1
 },
 {
 "queryName": "Azure Container Registry With No Locks",
 "severity": "HIGH",
 "line": 17,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "azure.azcollection.azure_rm_containerregistry",
+ "resourceName": "Create an azure container registry2",
+ "searchKey": "name={{Create an azure container registry2}}.{{azure.azcollection.azure_rm_containerregistry}}",
+ "searchValue": "",
+ "expectedValue": "'azure.azcollection.azure_rm_containerregistry' should be referenced by an existing lock",
+ "actualValue": "'azure.azcollection.azure_rm_containerregistry' is not referenced by an existing lock",
+ "issueType": "IncorrectValue",
+ "similarityID": "356a4b0d3e7206e74aa4c8a8f93f7acba43ebaaf794834594f828633ba34b7b8",
+ "search_line": -1
 },
 {
 "queryName": "Azure Container Registry With No Locks",
 "severity": "HIGH",
 "line": 2,
- "fileName": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "azure.azcollection.azure_rm_containerregistry",
+ "resourceName": "Create an azure container registryy1",
+ "searchKey": "name={{Create an azure container registryy1}}.{{azure.azcollection.azure_rm_containerregistry}}",
+ "searchValue": "",
+ "expectedValue": "'azure.azcollection.azure_rm_containerregistry' should be referenced by an existing lock",
+ "actualValue": "'azure.azcollection.azure_rm_containerregistry' is not referenced by an existing lock",
+ "issueType": "IncorrectValue",
+ "similarityID": "cf8a7eb56240c55ba957dc4eff8c96f3a38694f430caaa6ac74633906fcc836c",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json
index 7f2e13b5a90..1245155046b 100644
--- a/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json
+++ b/assets/queries/ansible/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Azure Instance Using Basic Authentication",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive.yaml"
+ "fileName": "positive.yaml",
+ "resourceType": "azure_rm_virtualmachine",
+ "resourceName": "testvm001",
+ "searchKey": "azure_rm_virtualmachine[testvm001].ssh_public_keys",
+ "searchValue": "",
+ "expectedValue": "'azure_rm_virtualmachine[testvm001]' should be using SSH keys for authentication",
+ "actualValue": "'azure_rm_virtualmachine[testvm001]' is using username and password for authentication",
+ "issueType": "MissingAttribute",
+ "similarityID": "5b0474f3c900f98007240187715be0761e8e61ab74bc8e9c89bd94e014d91945",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json b/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json
index 0d8570fd156..3c42838afff 100644
--- a/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json
+++ b/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "CosmosDB Account IP Range Filter Not Set",
 "severity": "CRITICAL",
- "line": 2
+ "line": 2,
+ "fileName": "positive.yaml",
+ "resourceType": "azure_rm_cosmosdbaccount",
+ "resourceName": "Create Cosmos DB Account - max",
+ "searchKey": "name={{Create Cosmos DB Account - max}}.{{azure_rm_cosmosdbaccount}}",
+ "searchValue": "",
+ "expectedValue": "'azurerm_cosmosdb_account.ip_range_filter' should be defined",
+ "actualValue": "'azurerm_cosmosdb_account.ip_range_filter' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "918bd86be1fb96055f168df9885f168a9aab63363e8b33df11c377dcd840a4dd",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/azure/cosmosdb_account_without_tags/test/positive_expected_result.json b/assets/queries/ansible/azure/cosmosdb_account_without_tags/test/positive_expected_result.json
index a1ef5db4746..a07b2fb8cda 100644
--- a/assets/queries/ansible/azure/cosmosdb_account_without_tags/test/positive_expected_result.json
+++ b/assets/queries/ansible/azure/cosmosdb_account_without_tags/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "Cosmos DB Account Without Tags",
 "severity": "LOW",
- "line": 3
+ "line": 3,
+ "fileName": "positive.yaml",
+ "resourceType": "azure_rm_cosmosdbaccount",
+ "resourceName": "Create Cosmos DB Account - min",
+ "searchKey": "name={{Create Cosmos DB Account - min}}.{{azure_rm_cosmosdbaccount}}.tags",
+ "searchValue": "",
+ "expectedValue": "azure_rm_cosmosdbaccount.tags should be defined",
+ "actualValue": "azure_rm_cosmosdbaccount.tags is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "8b7d0bf6c487df975a493308c78750e74f4e746704dbe53044343f764229f33e",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
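Review bot: The ip_range_filter expectation pins `"expectedValue": "'azurerm_cosmosdb_account.ip_range_filter' should be defined"` although the resource under test is the Ansible module `azure_rm_cosmosdbaccount`; the Terraform-style name presumably comes from the query's own message, and the generated fixture now freezes it. The same happens in the mysql_ssl_connection_disabled hunk (`does has enforce_ssl set to false`) and the postgresql_log_checkpoints_disabled hunk (`value if 'OFF'` on all six entries). If these files are compared verbatim by the test harness, as the added similarityID and message fields suggest, correcting the query text later means regenerating every affected expectation, so it is cheaper to fix the messages in the queries before committing these fixtures, e.g. `"expectedValue": "azure_rm_cosmosdbaccount.ip_range_filter should be defined"`.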
diff --git a/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json b/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json
index 0a1c0773b32..b833f01dfce 100644
--- a/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json
+++ b/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json
@@ -3,18 +3,45 @@
 "queryName": "Default Azure Storage Account Network Access Is Too Permissive",
 "severity": "HIGH",
 "line": 3,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "azure.azcollection.azure_rm_storageaccount",
+ "resourceName": "create an account",
+ "searchKey": "name={{create an account}}.{{azure.azcollection.azure_rm_storageaccount}}",
+ "searchValue": "",
+ "expectedValue": "azure_rm_storageaccount.public_network_access should be set to 'Disabled'",
+ "actualValue": "azure_rm_storageaccount.public_network_access is set to 'Enabled'",
+ "issueType": "IncorrectValue",
+ "similarityID": "c9f1787cc33c6e0e375bd20b26fcde0c8e259e053f4efb309825982800af0878",
+ "search_line": -1
 },
 {
 "queryName": "Default Azure Storage Account Network Access Is Too Permissive",
 "severity": "HIGH",
 "line": 3,
- "fileName": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "azure.azcollection.azure_rm_storageaccount",
+ "resourceName": "create an account",
+ "searchKey": "name={{create an account}}.{{azure.azcollection.azure_rm_storageaccount}}",
+ "searchValue": "",
+ "expectedValue": "azure_rm_storageaccount.public_network_access should be set to 'Disabled'",
+ "actualValue": "azure_rm_storageaccount.public_network_access is not set (default is 'Enabled')",
+ "issueType": "MissingAttribute",
+ "similarityID": "9d6f34c45fe0ff5a059770c5ed0e0353f3ae901d5582c10efd5c06902938dcc4",
+ "search_line": -1
 },
 {
 "queryName": "Default Azure Storage Account Network Access Is Too Permissive",
 "severity": "HIGH",
 "line": 3,
- "fileName": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "azure.azcollection.azure_rm_storageaccount",
+ "resourceName": "create an account",
+ "searchKey": "name={{create an account}}.{{azure.azcollection.azure_rm_storageaccount}}",
+ "searchValue": "",
+ "expectedValue": "azure_rm_storageaccountnetworkAcls.network_acls.default_action should be set to 'Deny'",
+ "actualValue": "azure_rm_storageaccountnetworkAcls.network_acls.default_action is set to 'Allow'",
+ "issueType": "IncorrectValue",
+ "similarityID": "c10c2504ec85c94eb612b04d3d4ef4dd25287f0d6bea2bda6cb9412f2239a658",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json b/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json
index 29b80de7ead..35bb71ac82d 100644
--- a/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json
+++ b/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "Firewall Rule Allows Too Many Hosts To Access Redis Cache",
 "severity": "MEDIUM",
- "line": 6
+ "line": 6,
+ "fileName": "positive.yaml",
+ "resourceType": "azure_rm_rediscachefirewallrule",
+ "resourceName": "too_many_hosts",
+ "searchKey": "name={{too_many_hosts}}.{{azure_rm_rediscachefirewallrule}}.start_ip_address",
+ "searchValue": "",
+ "expectedValue": "azure_rm_rediscachefirewallrule.start_ip_address and end_ip_address should allow up to 255 hosts",
+ "actualValue": "azure_rm_rediscachefirewallrule.start_ip_address and end_ip_address allow 65539 hosts",
+ "issueType": "IncorrectValue",
+ "similarityID": "386436cce36b9646979b30a87099fecc3d679cb717bf4de74b840751eb5e9650",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/test/positive_expected_result.json b/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/test/positive_expected_result.json
index 188baf9b196..0fdb3f89354 100644
--- a/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled/test/positive_expected_result.json
@@ -2,11 +2,31 @@
 {
 "queryName": "Key Vault Soft Delete Is Disabled",
 "severity": "MEDIUM",
- "line": 7
+ "line": 7,
+ "fileName": "positive.yaml",
+ "resourceType": "azure_rm_keyvault",
+ "resourceName": "Create instance of Key Vault",
+ "searchKey": "name={{Create instance of Key Vault}}.{{azure_rm_keyvault}}.enable_soft_delete",
+ "searchValue": "",
+ "expectedValue": "azure_rm_keyvault.enable_soft_delete should be true",
+ "actualValue": "azure_rm_keyvault.enable_soft_delete is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "8c45bb58e8ae17b225f51b8f336f2ebf0a8468fce2315f9d7cf7dd9b097fa1a9",
+ "search_line": -1
 },
 {
 "queryName": "Key Vault Soft Delete Is Disabled",
 "severity": "MEDIUM",
- "line": 18
+ "line": 18,
+ "fileName": "positive.yaml",
+ "resourceType": "azure_rm_keyvault",
+ "resourceName": "Create instance of Key Vault 02",
+ "searchKey": "name={{Create instance of Key Vault 02}}.{{azure_rm_keyvault}}",
+ "searchValue": "",
+ "expectedValue": "azure_rm_keyvault.enable_soft_delete should be defined",
+ "actualValue": "azure_rm_keyvault.enable_soft_delete is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "681967777c875e99cc1481ce9b5060d06d8c61d4ad2ac85e9a08590f57ec69a3",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/ansible/azure/log_retention_is_not_set/test/positive_expected_result.json b/assets/queries/ansible/azure/log_retention_is_not_set/test/positive_expected_result.json
index 6295e41f7be..1e272427fc3 100644
--- a/assets/queries/ansible/azure/log_retention_is_not_set/test/positive_expected_result.json
+++ b/assets/queries/ansible/azure/log_retention_is_not_set/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "Log Retention Is Not Set",
 "severity": "MEDIUM",
- "line": 7
+ "line": 7,
+ "fileName": "positive.yaml",
+ "resourceType": "azure_rm_postgresqlconfiguration",
+ "resourceName": "Update PostgreSQL Server setting",
+ "searchKey": "name={{Update PostgreSQL Server setting}}.{{azure_rm_postgresqlconfiguration}}.value",
+ "searchValue": "",
+ "expectedValue": "azure_rm_postgresqlconfiguration.value should equal to 'on'",
+ "actualValue": "azure_rm_postgresqlconfiguration.value is not equal to 'on'",
+ "issueType": "IncorrectValue",
+ "similarityID": "35896379706c15da322784b080167baa0fcebfca4f517ead8cb563748a85b8f8",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/ansible/azure/monitoring_log_profile_without_all_activities/test/positive_expected_result.json b/assets/queries/ansible/azure/monitoring_log_profile_without_all_activities/test/positive_expected_result.json
index 43927abce46..15ab58b9b3e 100644
--- a/assets/queries/ansible/azure/monitoring_log_profile_without_all_activities/test/positive_expected_result.json
+++ b/assets/queries/ansible/azure/monitoring_log_profile_without_all_activities/test/positive_expected_result.json
@@ -2,11 +2,31 @@
 {
 "queryName": "Monitoring Log Profile Without All Activities",
 "severity": "MEDIUM",
- "line": 9
+ "line": 9,
+ "fileName": "positive.yaml",
+ "resourceType": "azure_rm_monitorlogprofile",
+ "resourceName": "Create a log profile",
+ "searchKey": "name={{Create a log profile}}.{{azure_rm_monitorlogprofile}}.categories",
+ "searchValue": "",
+ "expectedValue": "azure_rm_monitorlogprofile.categories should have all categories, Write, Action and Delete",
+ "actualValue": "azure_rm_monitorlogprofile.categories does not have all categories, Write, Action and Delete",
+ "issueType": "IncorrectValue",
+ "similarityID": "6c5e34aca79b5fa89b7744de0ba734d8bc229191250d16a5d7112f9e070c019c",
+ "search_line": -1
 },
 {
 "queryName": "Monitoring Log Profile Without All Activities",
 "severity": "MEDIUM",
- "line": 21
+ "line": 21,
+ "fileName": "positive.yaml",
+ "resourceType": "azure_rm_monitorlogprofile",
+ "resourceName": "Create a log profile2",
+ "searchKey": "name={{Create a log profile2}}.{{azure_rm_monitorlogprofile}}",
+ "searchValue": "",
+ "expectedValue": "azure_rm_monitorlogprofile.categories should be defined",
+ "actualValue": "azure_rm_monitorlogprofile.categories is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "64b991d215c4488712fcddc0c04ac7bfd8b7e828ce0805bc5675d29a7b65a40f",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/ansible/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json b/assets/queries/ansible/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json
index a9e5e06cdb7..2d9d5347785 100644
--- a/assets/queries/ansible/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json
@@ -2,11 +2,31 @@
 {
 "queryName": "MySQL SSL Connection Disabled",
 "severity": "MEDIUM",
- "line": 3
+ "line": 3,
+ "fileName": "positive.yaml",
+ "resourceType": "azure.azcollection.azure_rm_mysqlserver",
+ "resourceName": "Create (or update) MySQL Server",
+ "searchKey": "name={{Create (or update) MySQL Server}}.{{azure.azcollection.azure_rm_mysqlserver}}",
+ "searchValue": "",
+ "expectedValue": "azure_rm_mysqlserver should have enforce_ssl set to true",
+ "actualValue": "azure_rm_mysqlserver does not have enforce_ssl (defaults to false)",
+ "issueType": "MissingAttribute",
+ "similarityID": "7389adb7571fb4430a54e8fede97c5aa6884a072ee7b3be16f0c798911ae152f",
+ "search_line": -1
 },
 {
 "queryName": "MySQL SSL Connection Disabled",
 "severity": "MEDIUM",
- "line": 23
+ "line": 23,
+ "fileName": "positive.yaml",
+ "resourceType": "azure.azcollection.azure_rm_mysqlserver",
+ "resourceName": "Create (or update) MySQL Server2",
+ "searchKey": "name={{Create (or update) MySQL Server2}}.{{azure.azcollection.azure_rm_mysqlserver}}.enforce_ssl",
+ "searchValue": "",
+ "expectedValue": "azure_rm_mysqlserver should have enforce_ssl set to true",
+ "actualValue": "azure_rm_mysqlserver does has enforce_ssl set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "1c43b6af94bfe3de95fb4a686d5e1fa5798ae575a7fe44e3d2bc02cb2eed8708",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json b/assets/queries/ansible/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json
index c9faef24c34..3afbf99e09e 100644
--- a/assets/queries/ansible/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json
@@ -2,31 +2,91 @@
 {
 "queryName": "PostgreSQL Log Checkpoints Disabled",
 "severity": "MEDIUM",
- "line": 7
+ "line": 7,
+ "fileName": "positive.yaml",
+ "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration",
+ "resourceName": "Update PostgreSQL Server setting",
+ "searchKey": "name={{Update PostgreSQL Server setting}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value",
+ "searchValue": "",
+ "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_checkpoints'",
+ "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "a113982e80e73b7d7c9d06722ca3b6185355970cd77e06f80822fce9da61c98b",
+ "search_line": -1
 },
 {
 "queryName": "PostgreSQL Log Checkpoints Disabled",
 "severity": "MEDIUM",
- "line": 13
+ "line": 13,
+ "fileName": "positive.yaml",
+ "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration",
+ "resourceName": "Update PostgreSQL Server setting2",
+ "searchKey": "name={{Update PostgreSQL Server setting2}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value",
+ "searchValue": "",
+ "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_checkpoints'",
+ "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "08e2f64320b09efd25c5ba4e37e402c498942aa8b95d9dfca31c18bf7f011658",
+ "search_line": -1
 },
 {
 "queryName": "PostgreSQL Log Checkpoints Disabled",
 "severity": "MEDIUM",
- "line": 19
+ "line": 19,
+ "fileName": "positive.yaml",
+ "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration",
+ "resourceName": "Update PostgreSQL Server setting3",
+ "searchKey": "name={{Update PostgreSQL Server setting3}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value",
+ "searchValue": "",
+ "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_checkpoints'",
+ "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "4b457b522e8936fce705a53ca57da0fea1b4e0e48a37f9878beeb3f567870e50",
+ "search_line": -1
 },
 {
 "queryName": "PostgreSQL Log Checkpoints Disabled",
 "severity": "MEDIUM",
- "line": 25
+ "line": 25,
+ "fileName": "positive.yaml",
+ "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration",
+ "resourceName": "Update PostgreSQL Server setting4",
+ "searchKey": "name={{Update PostgreSQL Server setting4}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value",
+ "searchValue": "",
+ "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_checkpoints'",
+ "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "9e2f4628a840f1eb892760e96ed8776652d6f774bac67142c7e44bb06b0de19a",
+ "search_line": -1
 },
 {
 "queryName": "PostgreSQL Log Checkpoints Disabled",
 "severity": "MEDIUM",
- "line": 31
+ "line": 31,
+ "fileName": "positive.yaml",
+ "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration",
+ "resourceName": "Update PostgreSQL Server setting5",
+ "searchKey": "name={{Update PostgreSQL Server setting5}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value",
+ "searchValue": "",
+ "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_checkpoints'",
+ "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "38de4e2c4b5fa3ea2f1e578790a16c22339d119e767a6ce023ac5d5fea1b7120",
+ "search_line": -1
 },
 {
 "queryName": "PostgreSQL Log Checkpoints Disabled",
 "severity": "MEDIUM",
- "line": 37
+ "line": 37,
+ "fileName": "positive.yaml",
+ "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration",
+ "resourceName": "Update PostgreSQL Server setting6",
+ "searchKey": "name={{Update PostgreSQL Server setting6}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value",
+ "searchValue": "",
+ "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_checkpoints'",
+ "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "c5f78a3bf383dab3f409d91e906aa72f39f93e23eba1a3b269e978e8230ea796",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/ansible/azure/postgresql_log_connections_not_set/test/positive_expected_result.json b/assets/queries/ansible/azure/postgresql_log_connections_not_set/test/positive_expected_result.json
index dfe5d144763..1a4adbc50a8 100644
--- a/assets/queries/ansible/azure/postgresql_log_connections_not_set/test/positive_expected_result.json
+++ b/assets/queries/ansible/azure/postgresql_log_connections_not_set/test/positive_expected_result.json
@@ -2,31 +2,91 @@
 {
 "queryName": "PostgreSQL Log Connections Not Set",
 "severity": "MEDIUM",
- "line": 7
+ "line": 7,
+ "fileName": "positive.yaml",
+ "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration",
+ "resourceName": "Update PostgreSQL Server setting",
+ "searchKey": "name={{Update PostgreSQL Server setting}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value",
+ "searchValue": "",
+ "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_connections'",
+ "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "28dfd144688f04011868c74e379f702a93af3fe09901fdac0d81dff0ccb803cf",
+ "search_line": -1
 },
 {
 "queryName": "PostgreSQL Log Connections Not Set",
 "severity": "MEDIUM",
- "line": 13
+ "line": 13,
+ "fileName": "positive.yaml",
+ "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration",
+ "resourceName": "Update PostgreSQL Server setting2",
+ "searchKey": "name={{Update PostgreSQL Server setting2}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value",
+ "searchValue": "",
+ "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_connections'",
+ "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "d769b0cb2fd974df259fa8b49e6c58f9dc67ef137f183016a0de2cecb7199e34",
+ "search_line": -1
 },
 {
 "queryName": "PostgreSQL Log Connections Not Set",
 "severity": "MEDIUM",
- "line": 19
+ "line": 19,
+ "fileName": "positive.yaml",
+ "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration",
+ "resourceName": "Update PostgreSQL Server setting3",
+ "searchKey": "name={{Update PostgreSQL Server setting3}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value",
+ "searchValue": "",
+ "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_connections'",
+ "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "dfa7b1f366ca4dc038f657eb1bef24dc30fdba637dd8bba368beb4961801621e",
+ "search_line": -1
 },
 {
 "queryName": "PostgreSQL Log Connections Not Set",
 "severity": "MEDIUM",
- "line": 25
+ "line": 25,
+ "fileName": "positive.yaml",
+ "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration",
+ "resourceName": "Update PostgreSQL Server setting4",
+ "searchKey": "name={{Update PostgreSQL Server setting4}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value",
+ "searchValue": "",
+ "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_connections'",
+ "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "c04b121a601b72ad8ab8a0fd7e849794fc67e0a48eab5e9f819600fcf780e588",
+ "search_line": -1
 },
 {
 "queryName": "PostgreSQL Log Connections Not Set",
 "severity": "MEDIUM",
- "line": 31
+ "line": 31,
+ "fileName": "positive.yaml",
+ "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration",
+ "resourceName": "Update PostgreSQL Server setting5",
+ "searchKey": "name={{Update PostgreSQL Server setting5}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value",
+ "searchValue": "",
+ "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_connections'",
+ "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "d80727fe4ec65ae8e742e0040ef6bf45d204a3d293653958ac8caf9de33a44d8",
+ "search_line": -1
 },
 {
 "queryName": "PostgreSQL Log Connections Not Set",
 "severity": "MEDIUM",
- "line": 37
+ "line": 37,
+ "fileName": "positive.yaml",
+ "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration",
+ "resourceName": "Update PostgreSQL Server setting6",
+ "searchKey": "name={{Update PostgreSQL Server setting6}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value",
+ "searchValue": "",
+ "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_connections'",
+ "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "724f9a687478799a50da61972b72944c5f3a92267525ff063c93611f902c7ba3",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json b/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json
index d3675e682a1..79a0dd2d280 100644
--- a/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json
+++ b/assets/queries/ansible/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json
@@ -2,31 +2,91 @@
 {
 "queryName": "PostgreSQL Log Disconnections Not Set",
 "severity": "MEDIUM",
- "line": 7
+ "line": 7,
+ "fileName": "positive.yaml",
+ "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration",
+ "resourceName": "Update PostgreSQL Server setting",
+ "searchKey": "name={{Update PostgreSQL Server setting}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value",
+ "searchValue": "",
+ "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_disconnections'",
+ "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "b8cf392dd25e80c349cf3089aad2523f861da65d8457b18288880a3b5bf28b20",
+ "search_line": -1
 },
 {
 "queryName": "PostgreSQL Log Disconnections Not Set",
 "severity": "MEDIUM",
- "line": 13
+ "line": 13,
+ "fileName": "positive.yaml",
+ "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration",
+ "resourceName": "Update PostgreSQL Server setting2",
+ "searchKey": "name={{Update PostgreSQL Server setting2}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value",
+ "searchValue": "",
+ "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_disconnections'",
+ "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "d596db8e109939b863cfee6e9041e67edf18cf5f4521cac34c53913f2e59e642",
+ "search_line": -1
 },
 {
 "queryName": "PostgreSQL Log Disconnections Not Set",
 "severity": "MEDIUM",
- "line": 19
+ "line": 19,
+ "fileName": "positive.yaml",
+ "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration",
+ "resourceName": "Update PostgreSQL Server setting3",
+ "searchKey": "name={{Update PostgreSQL Server setting3}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value",
+ "searchValue": "",
+ "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_disconnections'",
+ "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "118c3ef6073e799e8677f36e1cfec714a0c071c6ccfa864387e91a29ee6a40c0",
+ "search_line": -1
 },
 {
 "queryName": "PostgreSQL Log Disconnections Not Set",
 "severity": "MEDIUM",
- "line": 25
+ "line": 25,
+ "fileName": "positive.yaml",
+ "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration",
+ "resourceName": "Update PostgreSQL Server setting4",
+ "searchKey": "name={{Update PostgreSQL Server setting4}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value",
+ "searchValue": "",
+ "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_disconnections'",
+ "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "9330a737bd664a7b09f94728db93160bda41b6fe8b177e294acbfd2be9041710",
+ "search_line": -1
 },
 {
 "queryName": "PostgreSQL Log Disconnections Not Set",
 "severity": "MEDIUM",
- "line": 31
+ "line": 31,
+ "fileName": "positive.yaml",
+ "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration",
+ "resourceName": "Update PostgreSQL Server setting5",
+ "searchKey": "name={{Update PostgreSQL Server setting5}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value",
+ "searchValue": "",
+ "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_disconnections'",
+ "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "c2f2b56c8470e8f172928c08489e8f52e19d4e2bc4228d31799af68b147dc86f",
+ "search_line": -1
 },
 {
 "queryName": "PostgreSQL Log Disconnections Not Set",
 "severity": "MEDIUM",
- "line": 37
+ "line": 37,
+ "fileName": "positive.yaml",
+ "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration",
+ "resourceName": "Update PostgreSQL Server setting6",
+ "searchKey": "name={{Update PostgreSQL Server setting6}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value",
+ "searchValue": "",
+ "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'log_disconnections'",
+ "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "70f7c94066d629ddb4974e5ee28aa6bb21ec4a1d0cc58e748a6747cca73b438c",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/ansible/azure/postgresql_log_duration_not_set/test/positive_expected_result.json b/assets/queries/ansible/azure/postgresql_log_duration_not_set/test/positive_expected_result.json
index 86f29653a21..bf7d8bc48de 100644
--- a/assets/queries/ansible/azure/postgresql_log_duration_not_set/test/positive_expected_result.json
+++ b/assets/queries/ansible/azure/postgresql_log_duration_not_set/test/positive_expected_result.json
@@ -2,31 +2,91 @@ { "queryName": "PostgreSQL Log Duration Not Set", "severity": "MEDIUM", - "line": 6 + "line": 6, + "fileName": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "example1", + "searchKey": "name={{example1}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' for 'log_duration'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF' for 'log_duration'", + "issueType": "IncorrectValue", + "similarityID": "a8f2ae22d11bcec97e6c70082aff701d8682a4a7d0fe53a8812397a9df495f09", + "search_line": -1 }, { "queryName": "PostgreSQL Log Duration Not Set", "severity": "MEDIUM", - "line": 12 + "line": 12, + "fileName": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "example2", + "searchKey": "name={{example2}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' for 'log_duration'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF' for 'log_duration'", + "issueType": "IncorrectValue", + "similarityID": "9b3d3714198d7032a0133a7eeb2f4c3b74bb8e385c4a0fcbb0ef2561e6fa0f8a", + "search_line": -1 }, { "queryName": "PostgreSQL Log Duration Not Set", "severity": "MEDIUM", - "line": 18 + "line": 18, + "fileName": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "example3", + "searchKey": "name={{example3}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' for 'log_duration'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF' for 'log_duration'", + "issueType": "IncorrectValue", + "similarityID": 
"4e454e0aa471e18bd5f199753da5209f23ce06922b62d2eb5d70882311164826", + "search_line": -1 }, { "queryName": "PostgreSQL Log Duration Not Set", "severity": "MEDIUM", - "line": 24 + "line": 24, + "fileName": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "example4", + "searchKey": "name={{example4}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' for 'log_duration'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF' for 'log_duration'", + "issueType": "IncorrectValue", + "similarityID": "7dd91beafbfa5fb34dc4e0ddc32b6457ed276d067ec4280e0ddc42df1a23f989", + "search_line": -1 }, { "queryName": "PostgreSQL Log Duration Not Set", "severity": "MEDIUM", - "line": 30 + "line": 30, + "fileName": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "example5", + "searchKey": "name={{example5}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' for 'log_duration'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF' for 'log_duration'", + "issueType": "IncorrectValue", + "similarityID": "218904d179627a0d05cd6f53fea3846cbb69b1764a9d9aca71d8ce84160feb09", + "search_line": -1 }, { "queryName": "PostgreSQL Log Duration Not Set", "severity": "MEDIUM", - "line": 36 + "line": 36, + "fileName": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "example6", + "searchKey": "name={{example6}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' for 'log_duration'", + "actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF' for 'log_duration'", + "issueType": 
"IncorrectValue", + "similarityID": "ae80675d325876066e1bc4953fb17dc972c11042dbed34325d0e63bc606f39cc", + "search_line": -1 } ] diff --git a/assets/queries/ansible/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json b/assets/queries/ansible/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json index ded293c1435..99c40d85aef 100644 --- a/assets/queries/ansible/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json 
@@ -2,31 +2,91 @@ { "queryName": "PostgreSQL Server Without Connection Throttling", "severity": "MEDIUM", - "line": 7 + "line": 7, + "fileName": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting", + "searchKey": "name={{Update PostgreSQL Server setting}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'connection_throttling'", + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'", + "issueType": "IncorrectValue", + "similarityID": "e256794508f4685818cfe1d52ad827792ba8b9742fbbe8c5ffff2fb1755d9d83", + "search_line": -1 }, { "queryName": "PostgreSQL Server Without Connection Throttling", "severity": "MEDIUM", - "line": 13 + "line": 13, + "fileName": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting2", + "searchKey": "name={{Update PostgreSQL Server setting2}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'connection_throttling'", + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'", + "issueType": "IncorrectValue", + "similarityID": "b68a019e6608c48489505e5f450c9d4a5cb1674488c849ae6b089f6a2fba4655", + "search_line": -1 }, { "queryName": "PostgreSQL Server Without Connection Throttling", "severity": "MEDIUM", - "line": 19 + "line": 19, + "fileName": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting3", + "searchKey": "name={{Update PostgreSQL Server setting3}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name 
is 'connection_throttling'", + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'", + "issueType": "IncorrectValue", + "similarityID": "fd231fd1a76b56a4b18b9cbb183980a05d3804c4d51f7a297452ac8dbc4d365b", + "search_line": -1 }, { "queryName": "PostgreSQL Server Without Connection Throttling", "severity": "MEDIUM", - "line": 25 + "line": 25, + "fileName": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting4", + "searchKey": "name={{Update PostgreSQL Server setting4}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'connection_throttling'", + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'", + "issueType": "IncorrectValue", + "similarityID": "4dacfb4abd443f393864ede67906586490e742f23d40d4b2a8e864d61d0e7b3f", + "search_line": -1 }, { "queryName": "PostgreSQL Server Without Connection Throttling", "severity": "MEDIUM", - "line": 31 + "line": 31, + "fileName": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting5", + "searchKey": "name={{Update PostgreSQL Server setting5}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'connection_throttling'", + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'", + "issueType": "IncorrectValue", + "similarityID": "c339b1c018ab4f9e4e2d268a483c52485d4a6c9b5541aaf8202cf00eefd97167", + "search_line": -1 }, { "queryName": "PostgreSQL Server Without Connection Throttling", "severity": "MEDIUM", - "line": 37 + "line": 37, + "fileName": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlconfiguration", + "resourceName": "Update PostgreSQL Server setting6", + 
"searchKey": "name={{Update PostgreSQL Server setting6}}.{{azure.azcollection.azure_rm_postgresqlconfiguration}}.value", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlconfiguration.value should be 'ON' when name is 'connection_throttling'", + "actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'", + "issueType": "IncorrectValue", + "similarityID": "eeb393cb45372adc6618ce5c3b9b5e356ce594646dcff59b21c4627d95e05876", + "search_line": -1 } ] diff --git a/assets/queries/ansible/azure/public_storage_account/test/positive_expected_result.json b/assets/queries/ansible/azure/public_storage_account/test/positive_expected_result.json index 95adb340371..f0c999f0bca 100644 --- a/assets/queries/ansible/azure/public_storage_account/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/public_storage_account/test/positive_expected_result.json 
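Review bot: Every `actualValue` in this hunk pins a typo as golden output: `"actualValue": "azure_rm_postgresqlconfiguration.value if 'OFF'"` should read `"actualValue": "azure_rm_postgresqlconfiguration.value is 'OFF'"`. The text comes from the query's own result message rather than from this file, so the fix belongs in the query (outside this diff) followed by regenerating this expected result; otherwise the first correction of the message breaks this test. The neighbouring log-disconnections and log-duration fixtures already use `is 'OFF'`, so this file is the outlier.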
@@ -1,12 +1,32 @@
 [
- {
- "queryName": "Public Storage Account",
- "severity": "HIGH",
- "line": 9
- },
- {
- "queryName": "Public Storage Account",
- "severity": "HIGH",
- "line": 19
- }
+ {
+ "queryName": "Public Storage Account",
+ "severity": "HIGH",
+ "line": 9,
+ "fileName": "positive.yaml",
+ "resourceType": "azure_rm_storageaccount",
+ "resourceName": "configure firewall and virtual networks",
+ "searchKey": "name={{configure firewall and virtual networks}}.{{azure_rm_storageaccount}}.network_acls.ip_rules",
+ "searchValue": "",
+ "expectedValue": "azure_rm_storageaccount.network_acls.default_action should be set to 'Deny' and azure_rm_storageaccount.network_acls.ip_rules should not contain value '0.0.0.0/0' ",
+ "actualValue": "azure_rm_storageaccount.network_acls.default_action is 'Deny' and azure_rm_storageaccount.network_acls.ip_rules contains value '0.0.0.0/0'",
+ "issueType": "IncorrectValue",
+ "similarityID": "4e8731893d4053df5b65210110b7cda7eede54a2a2261fed5e453c13696c0f89",
+ "search_line": -1
+ },
+ {
+ "queryName": "Public Storage Account",
+ "severity": "HIGH",
+ "line": 19,
+ "fileName": "positive.yaml",
+ "resourceType": "azure_rm_storageaccount",
+ "resourceName": "configure firewall and more virtual networks",
+ "searchKey": "name={{configure firewall and more virtual networks}}.{{azure_rm_storageaccount}}.network_acls.default_action",
+ "searchValue": "",
+ "expectedValue": "azure_rm_storageaccount.network_acls.default_action should not be set",
+ "actualValue": "azure_rm_storageaccount.network_acls.default_action is 'Allow'",
+ "issueType": "IncorrectValue",
+ "similarityID": "7e8bda231815b57da5d33e829e26abfd1f3caf8739c8b4c7a71c5016fa91b1e1",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json b/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json
index 34ebe756b7d..9678e5de16d 100644
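Review bot: The first entry's `expectedValue` ends with a trailing space before the closing quote (`... should not contain value '0.0.0.0/0' "`), and that whitespace is now part of the golden string. If the comparison against this fixture is exact (presumably it is), any later tidy-up of the query message will fail this test, so it is better trimmed at the source and the file regenerated. The second entry's `expectedValue` (`default_action should not be set`) reads oddly next to an `actualValue` of `is 'Allow'`; worth confirming that message says what the query intends before it is frozen here.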
--- a/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json
+++ b/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "Redis Cache Allows Non SSL Connections",
 "severity": "MEDIUM",
- "line": 5
+ "line": 5,
+ "fileName": "positive.yaml",
+ "resourceType": "azure_rm_rediscache",
+ "resourceName": "Non SSl Allowed",
+ "searchKey": "name={{Non SSl Allowed}}.{{azure_rm_rediscache}}.enable_non_ssl_port",
+ "searchValue": "",
+ "expectedValue": "azure_rm_rediscache.enable_non_ssl_port should be set to false or undefined",
+ "actualValue": "azure_rm_rediscache.enable_non_ssl_port is true",
+ "issueType": "IncorrectValue",
+ "similarityID": "39d9ee4736ae529e0980e5ec414a6db35dfe6ec993d26fbd856d5a1d7ca8f0ad",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/ansible/azure/redis_entirely_accessible/test/positive_expected_result.json b/assets/queries/ansible/azure/redis_entirely_accessible/test/positive_expected_result.json
index f04cd803160..2426d712239 100644
--- a/assets/queries/ansible/azure/redis_entirely_accessible/test/positive_expected_result.json
+++ b/assets/queries/ansible/azure/redis_entirely_accessible/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "Redis Entirely Accessible",
 "severity": "CRITICAL",
- "line": 7
+ "line": 7,
+ "fileName": "positive.yaml",
+ "resourceType": "azure_rm_rediscachefirewallrule",
+ "resourceName": "Create a Firewall rule for Azure Cache for Redis",
+ "searchKey": "name={{Create a Firewall rule for Azure Cache for Redis}}.{{azure_rm_rediscachefirewallrule}}.start_ip_address",
+ "searchValue": "",
+ "expectedValue": "azure_rm_rediscachefirewallrule start_ip and end_ip should not equal to '0.0.0.0'",
+ "actualValue": "azure_rm_rediscachefirewallrule start_ip and end_ip are equal to '0.0.0.0'",
+ "issueType": "IncorrectValue",
+ "similarityID": "0ac01d66fb431b706730d4b61e886e574d10098b991b205300f7fbee1db660ff",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/azure/redis_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/azure/redis_publicly_accessible/test/positive_expected_result.json
index bc5829b31c7..e0b1517d72b 100644
--- a/assets/queries/ansible/azure/redis_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/ansible/azure/redis_publicly_accessible/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "Redis Publicly Accessible",
 "severity": "CRITICAL",
- "line": 7
+ "line": 7,
+ "fileName": "positive.yaml",
+ "resourceType": "azure_rm_rediscachefirewallrule",
+ "resourceName": "Create a Firewall rule for Azure Cache for Redis",
+ "searchKey": "name={{Create a Firewall rule for Azure Cache for Redis}}.{{azure_rm_rediscachefirewallrule}}.start_ip_address",
+ "searchValue": "",
+ "expectedValue": "azure_rm_rediscachefirewallrule ip range should be private",
+ "actualValue": "azure_rm_rediscachefirewallrule ip range is public",
+ "issueType": "IncorrectValue",
+ "similarityID": "36c7de9f370f4ba91a879cb01277796d1bede764ecf07005fe907bb3698658b1",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json b/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json
index ac9202cc9b3..a1e19d91869 100644
--- a/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json
+++ b/assets/queries/ansible/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Role Definition Allows Custom Role Creation",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "azure_rm_roledefinition",
+ "resourceName": "Create a role definition",
+ "searchKey": "name={{Create a role definition}}.{{azure_rm_roledefinition}}.permissions.actions",
+ "searchValue": "",
+ "expectedValue": "azure_rm_roledefinition.permissions[0].actions should not allow custom role creation",
+ "actualValue": "azure_rm_roledefinition.permissions[0].actions allows custom role creation",
+ "issueType": "IncorrectValue",
+ "similarityID": "338ea66701ace2c1ebeefb0ede9198e16e5b7f4abe0b8d5bd3fd5b2f44ce15d4",
+ "search_line": 7
 },
 {
 "queryName": "Role Definition Allows Custom Role Creation",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "azure_rm_roledefinition",
+ "resourceName": "Create a role definition2",
+ "searchKey": "name={{Create a role definition2}}.{{azure_rm_roledefinition}}.permissions.actions",
+ "searchValue": "",
+ "expectedValue": "azure_rm_roledefinition.permissions[0].actions should not allow custom role creation",
+ "actualValue": "azure_rm_roledefinition.permissions[0].actions allows custom role creation",
+ "issueType": "IncorrectValue",
+ "similarityID": "869de3f3c1ef8d8a7bd0e1fe34fa61812d8376a514456c65f86d16591ce2e714",
+ "search_line": 7
 }
 ]
diff --git a/assets/queries/ansible/azure/security_group_is_not_configured/test/positive_expected_result.json b/assets/queries/ansible/azure/security_group_is_not_configured/test/positive_expected_result.json
index d0ea6a501f6..e05963c57e7 100644
--- a/assets/queries/ansible/azure/security_group_is_not_configured/test/positive_expected_result.json
+++ b/assets/queries/ansible/azure/security_group_is_not_configured/test/positive_expected_result.json
@@ -2,26 +2,76 @@ { "queryName": "Security Group is Not Configured", "severity": "HIGH", - "line": 3 + "line": 3, + "fileName": "positive.yaml", + "resourceType": "azure_rm_subnet", + "resourceName": "Create a subnet1", + "searchKey": "name={{Create a subnet1}}.{{azure_rm_subnet}}", + "searchValue": "", + "expectedValue": "azure_rm_subnet.security_group should be defined and not null", + "actualValue": "azure_rm_subnet.security_group is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "d156eef59841d6f6792eb2a405422939edbcb21835c04da92aa2f010875b0535", + "search_line": -1 }, { "queryName": "Security Group is Not Configured", "severity": "HIGH", - "line": 9 + "line": 9, + "fileName": "positive.yaml", + "resourceType": "azure_rm_subnet", + "resourceName": "Create a subnet2", + "searchKey": "name={{Create a subnet2}}.{{azure_rm_subnet}}", + "searchValue": "", + "expectedValue": "azure_rm_subnet.security_group should be defined and not null", + "actualValue": "azure_rm_subnet.security_group is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "e214c37587100b3ba34f9ac07f818a49bcfb99c64bf1cc8916dd8a174c4480a8", + "search_line": -1 }, { "queryName": "Security Group is Not Configured", "severity": "HIGH", - "line": 16 + "line": 16, + "fileName": "positive.yaml", + "resourceType": "azure_rm_subnet", + "resourceName": "Create a subnet3", + "searchKey": "name={{Create a subnet3}}.{{azure_rm_subnet}}", + "searchValue": "", + "expectedValue": "azure_rm_subnet.security_group should be defined and not null", + "actualValue": "azure_rm_subnet.security_group is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "08cc8bf1aee3f241462cfc67ef5d887f02a50904405b87911cff7bddb29d9052", + "search_line": -1 }, { "queryName": "Security Group is Not Configured", "severity": "HIGH", - "line": 28 + "line": 28, + "fileName": "positive.yaml", + "resourceType": "azure_rm_subnet", + "resourceName": "Create a subnet4", + "searchKey": 
"name={{Create a subnet4}}.{{azure_rm_subnet}}.security_group", + "searchValue": "", + "expectedValue": "azure_rm_subnet.security_group should not be empty", + "actualValue": "azure_rm_subnet.security_group is empty", + "issueType": "IncorrectValue", + "similarityID": "20a83c7cef36f954a9f6c06993659a53b6f24833395ae83cc973bced005bd201", + "search_line": -1 }, { "queryName": "Security Group is Not Configured", "severity": "HIGH", - "line": 35 + "line": 35, + "fileName": "positive.yaml", + "resourceType": "azure_rm_subnet", + "resourceName": "Create a subnet5", + "searchKey": "name={{Create a subnet5}}.{{azure_rm_subnet}}.security_group_name", + "searchValue": "", + "expectedValue": "azure_rm_subnet.security_group_name should not be empty", + "actualValue": "azure_rm_subnet.security_group_name is empty", + "issueType": "IncorrectValue", + "similarityID": "b863ba1087425eb18dc3a37dde335528d28feaeb0840fb45d9ec8112aab8d9f6", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json index 14b473342aa..9ff170f0aa9 100644 --- a/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json 
@@ -2,221 +2,661 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 13 + "line": 13, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo1", + "searchKey": "name={{foo1}}.{{azure_rm_securitygroup}}.rules.name={{example1}}.destination_port_range", + "searchValue": "UDP,61621", + "expectedValue": "Cassandra OpsCenter (UDP:61621) should not be allowed", + "actualValue": "Cassandra OpsCenter (UDP:61621) is allowed", + "issueType": "IncorrectValue", + "similarityID": "951f65224c0863aaf5a7a873915380ce9dd6f23a6554abe1de238e2ab896d9c6", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 27 + "line": 27, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo2", + "searchKey": "name={{foo2}}.{{azure_rm_securitygroup}}.rules.name={{example2}}.destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "db9b32edf43cc26dd110e0c90f5e426dbf58dd9d92f8d4d467744d2e5ddbb837", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 27 + "line": 27, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo2", + "searchKey": "name={{foo2}}.{{azure_rm_securitygroup}}.rules.name={{example2}}.destination_port_range", + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed", + "issueType": "IncorrectValue", + "similarityID": "6026e1694cb740b43caf6406a869a13af3c90b42196977963da0a531e81c93e0", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 41 + "line": 41, + "fileName": "positive.yaml", + "resourceType": 
"azure_rm_securitygroup", + "resourceName": "foo3", + "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed", + "issueType": "IncorrectValue", + "similarityID": "5807e1365a4cd408ba584510754a5d1defcd3b2b02161a1c9390ac765f092c40", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 41 + "line": 41, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo3", + "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "38fde39aa7d033d6f653204817d60237a114815facc64b0dd7810cbe4d35648d", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 41 + "line": 41, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo3", + "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "e87061d83a536d4b373a718fea7833e95a7e1eb8c13a9a55336e49eebd3fb9fc", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 41 + "line": 41, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo3", + "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be 
allowed", + "actualValue": "FTP (UDP:21) is allowed", + "issueType": "IncorrectValue", + "similarityID": "c9c7c005ad83bd995f9b83b36c5d77d9bf8b421d723b97708eb952fa31b6ce33", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 41 + "line": 41, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo3", + "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "4f8ee11bbac1d6ebc21a8c4afddc241d30a8e621c13026525d08d66a1cc3bb26", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 41 + "line": 41, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo3", + "searchKey": "name={{foo3}}.{{azure_rm_securitygroup}}.rules.name={{example3}}.destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "7b08e1d62a3c65c7dfd40f83905df04673b62b0035b35110b9ac50da758e43e9", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 55 + "line": 55, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo4", + "searchKey": "name={{foo4}}.{{azure_rm_securitygroup}}.rules.name={{example4}}.destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "b361d2381083453163a36389f88f651a903d0c57cace374865f3ffa89b592dd6", + "search_line": -1 }, { "queryName": "Sensitive Port Is 
Exposed To Entire Network", "severity": "HIGH", - "line": 55 + "line": 55, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo4", + "searchKey": "name={{foo4}}.{{azure_rm_securitygroup}}.rules.name={{example4}}.destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "1fe71448c1a191d5f3f63f75d5f2fe1918f3a59599317e8707b3800732260fbf", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 69 + "line": 69, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo5", + "searchKey": "name={{foo5}}.{{azure_rm_securitygroup}}.rules.name={{example5}}.destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "7a429081811bbdcb50986a33e8540dbb5e0a2370aa205deb3cd438ff21a162d5", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 85 + "line": 85, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo6", + "searchKey": "name={{foo6}}.{{azure_rm_securitygroup}}.rules.name={{example6}}.destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "db3682bfcd43dd4af069b5832f0a8984237dc6e28deffc2ca95962dadad2cb3d", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 99 + "line": 99, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo7", + "searchKey": 
"name={{foo7}}.{{azure_rm_securitygroup}}.rules.name={{example7}}.destination_port_range", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "eb1265737afe469e9a587211e6a40aa55a34e8a3d8602cad5a7326080d153b4c", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 99 + "line": 99, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo7", + "searchKey": "name={{foo7}}.{{azure_rm_securitygroup}}.rules.name={{example7}}.destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "3656b47f837f203c9540f43f8ad3daf554f4848601b6ed102c53aac35c90f1b6", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 99 + "line": 99, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo7", + "searchKey": "name={{foo7}}.{{azure_rm_securitygroup}}.rules.name={{example7}}.destination_port_range", + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed", + "issueType": "IncorrectValue", + "similarityID": "11018066c4a3e4aea9ffd69a9894f8d145422a9b27f837a61dd9c10141f02aa8", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 99 + "line": 99, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo7", + "searchKey": "name={{foo7}}.{{azure_rm_securitygroup}}.rules.name={{example7}}.destination_port_range", + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed", + "issueType": 
"IncorrectValue", + "similarityID": "74ae02005cf4b1ee3bbe1bc3f8a551a49f530b049609dbdfb94a5ab601ad95bd", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 113 + "line": 113, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo8", + "searchKey": "name={{foo8}}.{{azure_rm_securitygroup}}.rules.name={{example8}}.destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "7f4268589cfb58b8e985adc419003aeb0613cef587272104a586dc3a99294707", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 130 + "line": 130, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example9}}.destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "4ae882e26890a6aa30b25d33f8b0303d1b26b76d9ccadafccd374043ebb9270d", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 130 + "line": 130, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example9}}.destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "13feb5d728609464d44a8825d7b5ce4964204be4e9e84d0c43fc59fe8e1933e4", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - 
"line": 142 + "line": 142, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed", + "actualValue": "POP3 (TCP:110) is allowed", + "issueType": "IncorrectValue", + "similarityID": "c0182dae01d5e7ef21877100c4c9ed93e4ccd74cdc7c3c4d09b103c0f85a9211", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", + "actualValue": "MSSQL Debugger (TCP:135) is allowed", + "issueType": "IncorrectValue", + "similarityID": "972d625644cb59619cfaf3aa73f5c142e5e2cbdd292dce13da68090e0fc3ece9", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed", + "issueType": "IncorrectValue", + "similarityID": "8482d99bbf1740858b5db0a04b0f7a5da9c6c963ebc053ec0566ee3d18834edd", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": 
"name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed", + "issueType": "IncorrectValue", + "similarityID": "0d3f92fb6986844d82999527bc26ebe7c12d65384ec90f92925c9ec6267f2f15", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed", + "issueType": "IncorrectValue", + "similarityID": "8460c7fbaf2078a45ffd9967cf66807521246c432efd69c306eeb9b8d04b639d", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed", + "actualValue": "FTP (TCP:20) is allowed", + "issueType": "IncorrectValue", + "similarityID": "a4a8fc2b7b25d7335a26a7d0ef64d10533a0077b2df9461bc4001ffe24402f7f", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,21", + "expectedValue": "FTP 
(TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed", + "issueType": "IncorrectValue", + "similarityID": "5d7e672afe8de45459f5e83daf9a138ceba252256ce4657e46a9604989d7fa6a", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "f04b8dba296b45304519994e1373837a5fe0f96b5bbdbb6796050f31313350ba", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "fb2f10db9ce0e1ae76f70acb76844881265c9afac04e1783413d950e8c4cad5c", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed", + "issueType": "IncorrectValue", + "similarityID": "d9417c16430ca14d0ec9f3af710dbfea0236b5edcf7fec9af21998d8773ef89a", + "search_line": -1 }, { 
"queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed", + "actualValue": "DNS (TCP:53) is allowed", + "issueType": "IncorrectValue", + "similarityID": "74cb4fd6bb3dd3cc803ce78eff54cc1fb1b6fc3793ea84f196f06febd3eb3d19", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed", + "actualValue": "HTTP (TCP:80) is allowed", + "issueType": "IncorrectValue", + "similarityID": "4a63c773c23dd16435f75dffef1d518c05ea19a732e69e03f789a7588a7840c3", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue", + "similarityID": "9361808357f8e40587438687510b7127b935294e3201c5d5a57024ee13584243", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": 
"name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,135", + "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", + "actualValue": "MSSQL Debugger (UDP:135) is allowed", + "issueType": "IncorrectValue", + "similarityID": "f53fbb5430422b42621cf2e6a9a6622d34805ed673a0bffc5893fe420ecb9c8a", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed", + "issueType": "IncorrectValue", + "similarityID": "84b41d150074a7773dfe485b153c229efd57d21efb08daf45f4e16b9ca3079f3", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed", + "issueType": "IncorrectValue", + "similarityID": "344fabab93dfdb32c776b66e49bcc4a020b2a15652c2a7e9df489de3b28fcf8f", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,139", + 
"expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed", + "issueType": "IncorrectValue", + "similarityID": "c6379b340157f25ad221fc5f9640cbaf88a0b9b4035cd3c4d9a8831c01236a2f", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,20", + "expectedValue": "FTP (UDP:20) should not be allowed", + "actualValue": "FTP (UDP:20) is allowed", + "issueType": "IncorrectValue", + "similarityID": "d850dc45320ecb99070906a96b1312064f79c8a55e7b6cae8b077be0d78a11b1", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed", + "issueType": "IncorrectValue", + "similarityID": "748e615b9b92931089442779d977f859b8434fdad7175026730ea568bfab1980", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": 
"42e51eebfa95973bc6d97f535851de5a89f8b464b49d3a9cc1ca6230f4e5a47d", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "aadbd3bccf1f4b27a23b5994a190084dd62e0c0d82429b33e1a1de7149518272", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed", + "issueType": "IncorrectValue", + "similarityID": "c32730feb725edb4b8206804919ee63ff84bed83d49380016bb0781338d2c15f", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "fileName": "positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed", + "issueType": "IncorrectValue", + "similarityID": "1fcb6787f4880dcb2b7979e1bd750e7e1151738709c6eacd3b7b4dac0abca8e8", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 142 + "line": 142, + "fileName": 
"positive.yaml", + "resourceType": "azure_rm_securitygroup", + "resourceName": "foo9", + "searchKey": "name={{foo9}}.{{azure_rm_securitygroup}}.rules.name={{example10}}.destination_port_range", + "searchValue": "UDP,80", + "expectedValue": "HTTP (UDP:80) should not be allowed", + "actualValue": "HTTP (UDP:80) is allowed", + "issueType": "IncorrectValue", + "similarityID": "328ce77e1497610fd7c929093227be42e4bd889231583a0866cb440978028394", + "search_line": -1 } ] diff --git a/assets/queries/ansible/azure/small_activity_log_retention_period/test/positive_expected_result.json b/assets/queries/ansible/azure/small_activity_log_retention_period/test/positive_expected_result.json index 5282ba8c326..575e7ec75e6 100644 --- a/assets/queries/ansible/azure/small_activity_log_retention_period/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/small_activity_log_retention_period/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "Small Activity Log Retention Period", "severity": "LOW", - "line": 13 + "line": 13, + "fileName": "positive.yaml", + "resourceType": "azure_rm_monitorlogprofile", + "resourceName": "Create a log profile", + "searchKey": "name={{Create a log profile}}.{{azure_rm_monitorlogprofile}}.retention_policy.enabled", + "searchValue": "", + "expectedValue": "azure_rm_monitorlogprofile.retention_policy.enabled should be true or yes", + "actualValue": "azure_rm_monitorlogprofile.retention_policy.enabled is false or no", + "issueType": "IncorrectValue", + "similarityID": "20ab4fb49cd51c508ade9c9fa66e7896fb773a8ee9d3064578bc25c86a10968c", + "search_line": -1 }, { "queryName": "Small Activity Log Retention Period", "severity": "LOW", - "line": 20 + "line": 20, + "fileName": "positive.yaml", + "resourceType": "azure_rm_monitorlogprofile", + "resourceName": "Create a log profile2", + "searchKey": "name={{Create a log profile2}}.{{azure_rm_monitorlogprofile}}", + "searchValue": "", + "expectedValue": "azure_rm_monitorlogprofile.retention_policy should be defined", + "actualValue": "azure_rm_monitorlogprofile.retention_policy is undefined", + "issueType": "MissingAttribute", + "similarityID": "4616d37f9f9a5f604cf00f47f91fb0a1e15704ab5f9ff8fb4de759314ccae2d1", + "search_line": -1 }, { "queryName": "Small Activity Log Retention Period", "severity": "LOW", - "line": 46 + "line": 46, + "fileName": "positive.yaml", + "resourceType": "azure_rm_monitorlogprofile", + "resourceName": "Create a log profile3", + "searchKey": "name={{Create a log profile3}}.{{azure_rm_monitorlogprofile}}.retention_policy.days", + "searchValue": "", + "expectedValue": "azure_rm_monitorlogprofile.retention_policy.days should be greater than or equal to 365 days or 0 (indefinitely)", + "actualValue": "azure_rm_monitorlogprofile.retention_policy.days is less than 365 days or different than 0 (indefinitely)", + "issueType": "IncorrectValue", + "similarityID": 
"141bb5eee1cdfc46b3f6c0f0d327acc213dc706f04087ae21c3ee8dc7145162e", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json b/assets/queries/ansible/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json index 31a8c77cc01..edc009c88cd 100644 --- a/assets/queries/ansible/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "SQLServer Ingress From Any IP", "severity": "CRITICAL", - "line": 8 + "line": 8, + "fileName": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_sqlfirewallrule", + "resourceName": "Create (or update) Firewall Rule", + "searchKey": "name={{Create (or update) Firewall Rule}}.{{azure.azcollection.azure_rm_sqlfirewallrule}}.end_ip_address", + "searchValue": "", + "expectedValue": "azure_rm_sqlfirewallrule should allow all IPs", + "actualValue": "azure_rm_sqlfirewallrule should not allow all IPs (range from start_ip_address to end_ip_address)", + "issueType": "IncorrectValue", + "similarityID": "b6b50cc9e9317e447a6ede96def6056b6bd176fbbea48ea8709550051114109d", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json b/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json index abfcd251cad..2b404607509 100644 --- a/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json 
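Review bot: In the sql_server_ingress_from_any_ip hunk the regenerated entry pins `expectedValue` and `actualValue` strings that read the wrong way round: `"expectedValue": "azure_rm_sqlfirewallrule should allow all IPs"` and `"actualValue": "azure_rm_sqlfirewallrule should not allow all IPs (range from start_ip_address to end_ip_address)"`, whereas the query (CRITICAL severity, "SQLServer Ingress From Any IP") is flagging a rule that does allow all IPs. Since this fixture appears to be generated from the query's own output, the fix belongs in the query's message templates rather than in this file, for example `"expectedValue": "azure_rm_sqlfirewallrule should not allow all IPs"` and `"actualValue": "azure_rm_sqlfirewallrule allows all IPs (range from start_ip_address to end_ip_address)"`, followed by regenerating this fixture. Leaving the inverted wording in the expected result means anyone triaging the finding is told the opposite of what the check enforces, and the test now locks that in.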
@@ -2,16 +2,46 @@ { "queryName": "SQL Server Predictable Active Directory Account Name", "severity": "LOW", - "line": 7 + "line": 7, + "fileName": "positive.yaml", + "resourceType": "azure_ad_serviceprincipal", + "resourceName": "create ad sp", + "searchKey": "name={{create ad sp}}.{{azure_ad_serviceprincipal}}.ad_user", + "searchValue": "", + "expectedValue": "azure_ad_serviceprincipal.ad_user should not be predictable", + "actualValue": "azure_ad_serviceprincipal.ad_user is predictable", + "issueType": "IncorrectValue", + "similarityID": "276bfdcbff1763bbf26e333a6b9921e2a80b1f783289c9222f8622748e66b13b", + "search_line": -1 }, { "queryName": "SQL Server Predictable Active Directory Account Name", "severity": "LOW", - "line": 13 + "line": 13, + "fileName": "positive.yaml", + "resourceType": "azure_ad_serviceprincipal", + "resourceName": "create ad sp2", + "searchKey": "name={{create ad sp2}}.{{azure_ad_serviceprincipal}}.ad_user", + "searchValue": "", + "expectedValue": "azure_ad_serviceprincipal.ad_user should be neither empty nor null", + "actualValue": "azure_ad_serviceprincipal.ad_user is empty or null", + "issueType": "IncorrectValue", + "similarityID": "b01bfc2e2dfa95ccc563c11974aefb055b48845418079db41523c32d7ac7936c", + "search_line": -1 }, { "queryName": "SQL Server Predictable Active Directory Account Name", "severity": "LOW", - "line": 19 + "line": 19, + "fileName": "positive.yaml", + "resourceType": "azure_ad_serviceprincipal", + "resourceName": "create ad sp3", + "searchKey": "name={{create ad sp3}}.{{azure_ad_serviceprincipal}}.ad_user", + "searchValue": "", + "expectedValue": "azure_ad_serviceprincipal.ad_user should be neither empty nor null", + "actualValue": "azure_ad_serviceprincipal.ad_user is empty or null", + "issueType": "IncorrectValue", + "similarityID": "c62a94aea161b9f99634aa16d58732d367c6256288fd9886b4ff50c9fb86e5a6", + "search_line": -1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/ansible/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json b/assets/queries/ansible/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json index ce8105939d3..16c94e68dbe 100644 --- a/assets/queries/ansible/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "SQL Server Predictable Admin Account Name", "severity": "LOW", - "line": 7 + "line": 7, + "fileName": "positive.yaml", + "resourceType": "azure_rm_sqlserver", + "resourceName": "Create (or update) SQL Server1", + "searchKey": "name={{Create (or update) SQL Server1}}.{{azure_rm_sqlserver}}.admin_username", + "searchValue": "", + "expectedValue": "azure_rm_sqlserver.admin_username should not be empty", + "actualValue": "azure_rm_sqlserver.admin_username is empty", + "issueType": "IncorrectValue", + "similarityID": "be44737fdbe449bbe5c1922e3693c1c6af6432af31486973e5014217fa1b9dad", + "search_line": -1 }, { "queryName": "SQL Server Predictable Admin Account Name", "severity": "LOW", - "line": 14 + "line": 14, + "fileName": "positive.yaml", + "resourceType": "azure_rm_sqlserver", + "resourceName": "Create (or update) SQL Server2", + "searchKey": "name={{Create (or update) SQL Server2}}.{{azure_rm_sqlserver}}.admin_username", + "searchValue": "", + "expectedValue": "azure_rm_sqlserver.admin_username should not be empty", + "actualValue": "azure_rm_sqlserver.admin_username is empty", + "issueType": "IncorrectValue", + "similarityID": "4d2398b9de95e2f54ee1907aca7385fd16d20c0a1e6aaad8a730561c335cfa78", + "search_line": -1 }, { "queryName": "SQL Server Predictable Admin Account Name", "severity": "LOW", - "line": 21 + "line": 21, + "fileName": "positive.yaml", + "resourceType": "azure_rm_sqlserver", + "resourceName": "Create (or update) SQL Server3", + "searchKey": "name={{Create (or update) SQL Server3}}.{{azure_rm_sqlserver}}.admin_username", + "searchValue": "", + "expectedValue": "azure_rm_sqlserver.admin_username should not be predictable", + "actualValue": "azure_rm_sqlserver.admin_username is predictable", + "issueType": "IncorrectValue", + "similarityID": "eff6cd6e474e04ed1847df5fb0ca171cb568d9a428d46ce1eec4d1c5337ae76c", + "search_line": -1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/ansible/azure/ssl_enforce_is_disabled/test/positive_expected_result.json b/assets/queries/ansible/azure/ssl_enforce_is_disabled/test/positive_expected_result.json index a0427e72698..f5ec84548c0 100644 --- a/assets/queries/ansible/azure/ssl_enforce_is_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/ssl_enforce_is_disabled/test/positive_expected_result.json @@ -2,11 +2,31 @@ { "queryName": "SSL Enforce Disabled", "severity": "MEDIUM", - "line": 2 + "line": 2, + "fileName": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlserver", + "resourceName": "Create (or update) PostgreSQL Server", + "searchKey": "name={{Create (or update) PostgreSQL Server}}.{{azure.azcollection.azure_rm_postgresqlserver}}", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlserver should have enforce_ssl set to true", + "actualValue": "azure_rm_postgresqlserver does not have enforce_ssl (defaults to false)", + "issueType": "MissingAttribute", + "similarityID": "765d7902cfc9dc200fe69741106e5b43f787ba3d4ff3f0341b2348fd36531dbc", + "search_line": -1 }, { "queryName": "SSL Enforce Disabled", "severity": "MEDIUM", - "line": 21 + "line": 21, + "fileName": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_postgresqlserver", + "resourceName": "Create (or update) PostgreSQL Server2", + "searchKey": "name={{Create (or update) PostgreSQL Server2}}.{{azure.azcollection.azure_rm_postgresqlserver}}.enforce_ssl", + "searchValue": "", + "expectedValue": "azure_rm_postgresqlserver should have enforce_ssl set to true", + "actualValue": "azure_rm_postgresqlserver does has enforce_ssl set to false", + "issueType": "IncorrectValue", + "similarityID": "14b34196be93313d104397f793f44f0756d3690ee2ee2e1df687edc689782b66", + "search_line": -1 } -] \ No newline at end of file +] 
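Review bot: The second entry of the ssl_enforce_is_disabled hunk pins a malformed message from the query, `"actualValue": "azure_rm_postgresqlserver does has enforce_ssl set to false"`, into the expected result. The wording should be corrected at its source in the query's message template, e.g. `"actualValue": "azure_rm_postgresqlserver has enforce_ssl set to false"`, and the fixture regenerated afterwards; editing only this JSON would make the test fail against the unchanged query output. The first entry's `actualValue` ("does not have enforce_ssl (defaults to false)") is fine and can serve as the model for the phrasing.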
diff --git a/assets/queries/ansible/azure/storage_account_not_forcing_https/test/positive_expected_result.json b/assets/queries/ansible/azure/storage_account_not_forcing_https/test/positive_expected_result.json index 571578e12dc..56d4b0f6907 100644 --- a/assets/queries/ansible/azure/storage_account_not_forcing_https/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/storage_account_not_forcing_https/test/positive_expected_result.json 
@@ -2,46 +2,136 @@ { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", - "line": 3 + "line": 3, + "fileName": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account", + "searchKey": "name={{create an account}}.{{azure.azcollection.azure_rm_storageaccount}}", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount.https_only should be defined", + "actualValue": "azure_rm_storageaccount.https_only is undefined (defaults to false)", + "issueType": "MissingAttribute", + "similarityID": "c8138cfb4146f5f0560300cb51daca4035ae5620b4ac1078b23363b5571e1cc9", + "search_line": -1 }, { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", - "line": 15 + "line": 15, + "fileName": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account2", + "searchKey": "name={{create an account2}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount should have https_only set to true", + "actualValue": "azure_rm_storageaccount has https_only set to false", + "issueType": "IncorrectValue", + "similarityID": "09646974e358470ea017a6af7d912c589ba4eb9e58de71e5349e71258e7c351f", + "search_line": -1 }, { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", - "line": 24 + "line": 24, + "fileName": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account3", + "searchKey": "name={{create an account3}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount should have https_only set to true", + "actualValue": "azure_rm_storageaccount has https_only set to false", + "issueType": "IncorrectValue", + "similarityID": "13f0dd5a29ab95b0c35d44b563f29642d15ba120899859ac76887685fc5fed2e", + "search_line": -1 }, { "queryName": 
"Storage Account Not Forcing HTTPS", "severity": "MEDIUM", - "line": 33 + "line": 33, + "fileName": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account4", + "searchKey": "name={{create an account4}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount should have https_only set to true", + "actualValue": "azure_rm_storageaccount has https_only set to false", + "issueType": "IncorrectValue", + "similarityID": "931a6516098bf4e7470be7243d17e24023fdc65e0e2f22a7d76f398d75a084f3", + "search_line": -1 }, { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", - "line": 42 + "line": 42, + "fileName": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account5", + "searchKey": "name={{create an account5}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount should have https_only set to true", + "actualValue": "azure_rm_storageaccount has https_only set to false", + "issueType": "IncorrectValue", + "similarityID": "9386dd45dd69a3a776d5b65a4aa9feccd39f4caf10d585e595d7733397c48d2b", + "search_line": -1 }, { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", - "line": 51 + "line": 51, + "fileName": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account6", + "searchKey": "name={{create an account6}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount should have https_only set to true", + "actualValue": "azure_rm_storageaccount has https_only set to false", + "issueType": "IncorrectValue", + "similarityID": "0ba8de8d55d73114f490df791278696336e0d50fa8306c529d0f402dd0195883", + "search_line": -1 }, { "queryName": "Storage Account Not Forcing 
HTTPS", "severity": "MEDIUM", - "line": 60 + "line": 60, + "fileName": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account7", + "searchKey": "name={{create an account7}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount should have https_only set to true", + "actualValue": "azure_rm_storageaccount has https_only set to false", + "issueType": "IncorrectValue", + "similarityID": "46a9063104f24bb8adc1b92dc317d39f00c880c98355eea4f64d6b5a96841eac", + "search_line": -1 }, { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", - "line": 69 + "line": 69, + "fileName": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account8", + "searchKey": "name={{create an account8}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount should have https_only set to true", + "actualValue": "azure_rm_storageaccount has https_only set to false", + "issueType": "IncorrectValue", + "similarityID": "fcc70c0633ebb0faedcd2d10ad7a3d4ade3a51cc06f6543e06d391aa551a6a1e", + "search_line": -1 }, { "queryName": "Storage Account Not Forcing HTTPS", "severity": "MEDIUM", - "line": 78 + "line": 78, + "fileName": "positive.yaml", + "resourceType": "azure.azcollection.azure_rm_storageaccount", + "resourceName": "create an account9", + "searchKey": "name={{create an account9}}.{{azure.azcollection.azure_rm_storageaccount}}.https_only", + "searchValue": "", + "expectedValue": "azure_rm_storageaccount should have https_only set to true", + "actualValue": "azure_rm_storageaccount has https_only set to false", + "issueType": "IncorrectValue", + "similarityID": "a967e37259950f1e08e43b8fd92de6aafb6f88319883211726182aad5934dfdc", + "search_line": -1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/ansible/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/ansible/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json index b46384e752e..3ade547c5e7 100644 --- a/assets/queries/ansible/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json +++ b/assets/queries/ansible/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json 
@@ -1,12 +1,32 @@
 [
- {
- "queryName": "Storage Account Not Using Latest TLS Encryption Version",
- "severity": "MEDIUM",
- "line": 8
- },
- {
- "queryName": "Storage Account Not Using Latest TLS Encryption Version",
- "severity": "MEDIUM",
- "line": 12
- }
+ {
+ "queryName": "Storage Account Not Using Latest TLS Encryption Version",
+ "severity": "MEDIUM",
+ "line": 8,
+ "fileName": "positive.yaml",
+ "resourceType": "azure_rm_storageaccount",
+ "resourceName": "Create an account with kind of FileStorage",
+ "searchKey": "name={{Create an account with kind of FileStorage}}.{{azure_rm_storageaccount}}.minimum_tls_version",
+ "searchValue": "",
+ "expectedValue": "azure_rm_storageaccount should be using the latest version of TLS encryption",
+ "actualValue": "azure_rm_storageaccount is using version TLS1_0 of TLS encryption",
+ "issueType": "IncorrectValue",
+ "similarityID": "45a2d0c8070300168a9b1a05e39fb0c325ce6cb08e0649ad3eb4daa4ecad5455",
+ "search_line": -1
+ },
+ {
+ "queryName": "Storage Account Not Using Latest TLS Encryption Version",
+ "severity": "MEDIUM",
+ "line": 12,
+ "fileName": "positive.yaml",
+ "resourceType": "azure_rm_storageaccount",
+ "resourceName": "Create a second account with kind of FileStorage",
+ "searchKey": "name={{Create a second account with kind of FileStorage}}.{{azure_rm_storageaccount}}",
+ "searchValue": "",
+ "expectedValue": "azure_rm_storageaccount.minimum_tls_version should be defined",
+ "actualValue": "azure_rm_storageaccount.minimum_tls_version is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "be95cc7f842a394959dcf7e17989a948e58d4d58c2d30abda705620c7530b8fa",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/ansible/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json
index b27a116746e..2787ce95397 100644
--- a/assets/queries/ansible/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/ansible/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json
@@ -2,11 +2,31 @@
 {
 "queryName": "Storage Container Is Publicly Accessible",
 "severity": "HIGH",
- "line": 9
+ "line": 9,
+ "fileName": "positive.yaml",
+ "resourceType": "azure_rm_storageblob",
+ "resourceName": "Create container foo and upload a file",
+ "searchKey": "name={{Create container foo and upload a file}}.{{azure_rm_storageblob}}.public_access",
+ "searchValue": "",
+ "expectedValue": "azure_rm_storageblob.public_access should not be set",
+ "actualValue": "azure_rm_storageblob.public_access is equal to 'blob' or 'container'",
+ "issueType": "IncorrectValue",
+ "similarityID": "1349a6e1434486c73f0184c0931c8cda22cf813353f54e073787c4131903b4a5",
+ "search_line": -1
 },
 {
 "queryName": "Storage Container Is Publicly Accessible",
 "severity": "HIGH",
- "line": 17
+ "line": 17,
+ "fileName": "positive.yaml",
+ "resourceType": "azure_rm_storageblob",
+ "resourceName": "Create container foo2 and upload a file",
+ "searchKey": "name={{Create container foo2 and upload a file}}.{{azure_rm_storageblob}}.public_access",
+ "searchValue": "",
+ "expectedValue": "azure_rm_storageblob.public_access should not be set",
+ "actualValue": "azure_rm_storageblob.public_access is equal to 'blob' or 'container'",
+ "issueType": "IncorrectValue",
+ "similarityID": "f5eaa5d1626c6dc7b966224127fa4d1198d4b5b1834df6fbcbb53bb33b4fdfbf",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json b/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json
index 3d9d3360063..5c75a1630ab 100644
--- a/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json 
@@ -2,16 +2,46 @@
 {
 "queryName": "Trusted Microsoft Services Not Enabled",
 "severity": "MEDIUM",
- "line": 7
+ "line": 7,
+ "fileName": "positive.yaml",
+ "resourceType": "azure_rm_storageaccount",
+ "resourceName": "configure firewall and virtual networks",
+ "searchKey": "name={{configure firewall and virtual networks}}.{{azure_rm_storageaccount}}.network_acls.bypass",
+ "searchValue": "",
+ "expectedValue": "azure_rm_storageaccount.network_acls.bypass should not be set or contain 'AzureServices'",
+ "actualValue": "azure_rm_storageaccount.network_acls.bypass does not contain 'AzureServices' ",
+ "issueType": "IncorrectValue",
+ "similarityID": "1db8f59dba37b47d666c9aef189200fa69f696fb4f6baf49879dea329fe53c57",
+ "search_line": -1
 },
 {
 "queryName": "Trusted Microsoft Services Not Enabled",
 "severity": "MEDIUM",
- "line": 24
+ "line": 24,
+ "fileName": "positive.yaml",
+ "resourceType": "azure_rm_storageaccount",
+ "resourceName": "configure firewall and virtual networks2",
+ "searchKey": "name={{configure firewall and virtual networks2}}.{{azure_rm_storageaccount}}.network_acls.bypass",
+ "searchValue": "",
+ "expectedValue": "azure_rm_storageaccount.network_acls.bypass should not be set or contain 'AzureServices'",
+ "actualValue": "azure_rm_storageaccount.network_acls.bypass does not contain 'AzureServices' ",
+ "issueType": "IncorrectValue",
+ "similarityID": "f58f5d67bb04599a42a94e67700463fef2b9b52835562e132feb513f588eacc1",
+ "search_line": -1
 },
 {
 "queryName": "Trusted Microsoft Services Not Enabled",
 "severity": "MEDIUM",
- "line": 40
+ "line": 40,
+ "fileName": "positive.yaml",
+ "resourceType": "azure_rm_storageaccount",
+ "resourceName": "configure firewall and virtual networks3",
+ "searchKey": "name={{configure firewall and virtual networks3}}.{{azure_rm_storageaccount}}.network_acls.bypass",
+ "searchValue": "",
+ "expectedValue": "azure_rm_storageaccount.network_acls.bypass should not be set or contain 'AzureServices'",
+ "actualValue": 
"azure_rm_storageaccount.network_acls.bypass does not contain 'AzureServices' ",
+ "issueType": "IncorrectValue",
+ "similarityID": "73916e77dd823f20ae001ff9e69c9e05146463a230c9dad9f401b85a179b1a18",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/azure/unrestricted_sql_server_acess/test/positive_expected_result.json b/assets/queries/ansible/azure/unrestricted_sql_server_acess/test/positive_expected_result.json
index 44cefe27131..d4003fb9e67 100644
--- a/assets/queries/ansible/azure/unrestricted_sql_server_acess/test/positive_expected_result.json
+++ b/assets/queries/ansible/azure/unrestricted_sql_server_acess/test/positive_expected_result.json
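Review bot: Every `actualValue` in this hunk ends with a trailing space inside the string (`does not contain 'AzureServices' "`), and the communication_over_http_in_defaults hunk further down pins an `actualValue` with a stray closing quote (`is accessed via the HTTP protocol'`). These fixtures appear to be captured scanner output, so the typos presumably originate in the queries' message templates; committing them here locks the malformed strings into the expected results and they will also surface verbatim in user-facing reports. Trimming the template in the query (`does not contain 'AzureServices'`, `is accessed via the HTTP protocol`) and regenerating would avoid pinning them.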
@@ -2,11 +2,31 @@
 {
 "queryName": "Unrestricted SQL Server Access",
 "severity": "CRITICAL",
- "line": 3
+ "line": 3,
+ "fileName": "positive.yaml",
+ "resourceType": "azure_rm_sqlfirewallrule",
+ "resourceName": "Create (or update) Firewall Rule1",
+ "searchKey": "name={{Create (or update) Firewall Rule1}}.{{azure_rm_sqlfirewallrule}}",
+ "searchValue": "",
+ "expectedValue": "The difference between the value of azure_rm_sqlfirewallrule end_ip_address and start_ip_address should be less than 256",
+ "actualValue": "The difference between the value of azure_rm_sqlfirewallrule end_ip_address and start_ip_address is greater than or equal to 256",
+ "issueType": "IncorrectValue",
+ "similarityID": "673e495ae9ae0c21d4fb81fbe7bc90e282fa0935a62faa8b447eb493c3af8a7c",
+ "search_line": -1
 },
 {
 "queryName": "Unrestricted SQL Server Access",
 "severity": "CRITICAL",
- "line": 10
+ "line": 10,
+ "fileName": "positive.yaml",
+ "resourceType": "azure_rm_sqlfirewallrule",
+ "resourceName": "Create (or update) Firewall Rule2",
+ "searchKey": "name={{Create (or update) Firewall Rule2}}.{{azure_rm_sqlfirewallrule}}",
+ "searchValue": "",
+ "expectedValue": "The difference between the value of azure_rm_sqlfirewallrule end_ip_address and start_ip_address should be less than 256",
+ "actualValue": "The difference between the value of azure_rm_sqlfirewallrule end_ip_address and start_ip_address is greater than or equal to 256",
+ "issueType": "IncorrectValue",
+ "similarityID": "fe42ba43e06db122d13b050902aebbb92e5680188c5d44f25b0f552099e024c1",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/azure/vm_not_attached_to_network/test/positive_expected_result.json b/assets/queries/ansible/azure/vm_not_attached_to_network/test/positive_expected_result.json
index 0c333d3f99e..0aa5418e4e3 100644
--- a/assets/queries/ansible/azure/vm_not_attached_to_network/test/positive_expected_result.json
+++ b/assets/queries/ansible/azure/vm_not_attached_to_network/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "VM Not Attached To Network",
 "severity": "MEDIUM",
- "line": 3
+ "line": 3,
+ "fileName": "positive.yaml",
+ "resourceType": "azure_rm_virtualmachine",
+ "resourceName": "Create a VM with a custom image",
+ "searchKey": "name={{Create a VM with a custom image}}.{{azure_rm_virtualmachine}}",
+ "searchValue": "",
+ "expectedValue": "azure_rm_virtualmachine.network_interface_names should be defined",
+ "actualValue": "azure_rm_virtualmachine.network_interface_names is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "357731ae905821bed427bb25541d1f3279a2b686b2440fbaa520c9873e7c27c3",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json b/assets/queries/ansible/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json
index 22b5f2f5a9e..532af24d3f9 100644
--- a/assets/queries/ansible/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json
+++ b/assets/queries/ansible/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "WAF Is Disabled For Azure Application Gateway",
 "severity": "MEDIUM",
- "line": 7
+ "line": 7,
+ "fileName": "positive.yaml",
+ "resourceType": "azure_rm_appgateway",
+ "resourceName": "Create instance of Application Gateway",
+ "searchKey": "name={{Create instance of Application Gateway}}.{{azure_rm_appgateway}}.sku.tier",
+ "searchValue": "",
+ "expectedValue": "azure_rm_appgateway.sku.tier should be 'waf' or 'waf_v2'",
+ "actualValue": "azure_rm_appgateway.sku.tier is standard",
+ "issueType": "IncorrectValue",
+ "similarityID": "70d933c87cca00ebfd3708e302ac711f6f840ce191b83feb5dd78cc3f93298e7",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/ansible/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json b/assets/queries/ansible/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json
index fe2ba76306d..6782873bf77 100644
--- a/assets/queries/ansible/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json
+++ b/assets/queries/ansible/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json
@@ -2,11 +2,31 @@
 {
 "queryName": "Web App Accepting Traffic Other Than HTTPS",
 "severity": "MEDIUM",
- "line": 5
+ "line": 5,
+ "fileName": "positive.yaml",
+ "resourceType": "azure_rm_webapp",
+ "resourceName": "Create a windows web app with non-exist app service plan",
+ "searchKey": "name={{Create a windows web app with non-exist app service plan}}.{{azure_rm_webapp}}.https_only",
+ "searchValue": "",
+ "expectedValue": "azure_rm_webapp.https_only should be set to true or 'yes'",
+ "actualValue": "azure_rm_webapp.https_only value is 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "308af9c6097e65af0f3278237d8875f991f1c4bbe996443ecb0c5e7e13dbf6ce",
+ "search_line": -1
 },
 {
 "queryName": "Web App Accepting Traffic Other Than HTTPS",
 "severity": "MEDIUM",
- "line": 12
+ "line": 12,
+ "fileName": "positive.yaml",
+ "resourceType": "azure_rm_webapp",
+ "resourceName": "Create another windows web app",
+ "searchKey": "name={{Create another windows web app}}.{{azure_rm_webapp}}",
+ "searchValue": "",
+ "expectedValue": "azure_rm_webapp.https_only should be defined",
+ "actualValue": "azure_rm_webapp.https_only is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "de91c297700b17b5516540b3c4561688e7d8e20d8cd8c2242c36f6b512eabfcf",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/config/allow_unsafe_lookups_enabled_in_defaults/test/positive_expected_result.json b/assets/queries/ansible/config/allow_unsafe_lookups_enabled_in_defaults/test/positive_expected_result.json
index ab2ceef570a..d152717e96b 100644
--- a/assets/queries/ansible/config/allow_unsafe_lookups_enabled_in_defaults/test/positive_expected_result.json
+++ b/assets/queries/ansible/config/allow_unsafe_lookups_enabled_in_defaults/test/positive_expected_result.json
@@ -1,7 +1,17 @@
 [
- {
- "queryName": "Allow Unsafe Lookups Enabled In Defaults",
- "severity": "HIGH",
- "line": 19
- }
+ {
+ "queryName": "Allow Unsafe Lookups Enabled In Defaults",
+ "severity": "HIGH",
+ "line": 19,
+ "fileName": "positive1.cfg",
+ "resourceType": "n/a",
+ "resourceName": "defaults",
+ "searchKey": "defaults.allow_unsafe_lookups",
+ "searchValue": "",
+ "expectedValue": "allow_unsafe_lookups should be set to 'False'",
+ "actualValue": "allow_unsafe_lookups is set to 'True'",
+ "issueType": "IncorrectValue",
+ "similarityID": "125aa7cafdebda2e4096ff53acc3fd3a4a60374d51d9d9cdc94ca6ca35564ca0",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/ansible/config/communication_over_http_in_defaults/test/positive_expected_result.json b/assets/queries/ansible/config/communication_over_http_in_defaults/test/positive_expected_result.json
index af3bb39b39d..933a1ceaff1 100644
--- a/assets/queries/ansible/config/communication_over_http_in_defaults/test/positive_expected_result.json
+++ b/assets/queries/ansible/config/communication_over_http_in_defaults/test/positive_expected_result.json
@@ -1,7 +1,17 @@
 [
- {
- "queryName": "Communication Over HTTP In Defaults",
- "severity": "MEDIUM",
- "line": 5
- }
+ {
+ "queryName": "Communication Over HTTP In Defaults",
+ "severity": "MEDIUM",
+ "line": 5,
+ "fileName": "positive1.cfg",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "[galaxy].server",
+ "searchValue": "",
+ "expectedValue": "'server' from galaxy group should be accessed via the HTTPS protocol",
+ "actualValue": "'server' from galaxy group is accessed via the HTTP protocol'",
+ "issueType": "IncorrectValue",
+ "similarityID": "10281adcd5e0413dfa9e0d9c4feb847ac71860308bc035a02dc42bec79eb749b",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/ansible/config/logging_of_sensitive_data_in_defaults/test/positive_expected_result.json b/assets/queries/ansible/config/logging_of_sensitive_data_in_defaults/test/positive_expected_result.json
index 4236128659b..c045587525c 100644
--- a/assets/queries/ansible/config/logging_of_sensitive_data_in_defaults/test/positive_expected_result.json
+++ b/assets/queries/ansible/config/logging_of_sensitive_data_in_defaults/test/positive_expected_result.json
@@ -1,14 +1,32 @@
 [
- {
- "queryName": "Logging of Sensitive Data In Defaults",
- "severity": "LOW",
- "filename": "positive1.cfg",
- "line": 1
- },
- {
- "queryName": "Logging of Sensitive Data In Defaults",
- "severity": "LOW",
- "filename": "positive2.cfg",
- "line": 39
- }
+ {
+ "queryName": "Logging of Sensitive Data In Defaults",
+ "severity": "LOW",
+ "line": 1,
+ "fileName": "positive1.cfg",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "defaults",
+ "searchValue": "",
+ "expectedValue": "no_log should be defined and set to 'true'",
+ "actualValue": "no_log is not defined",
+ "issueType": "IncorrectValue",
+ "similarityID": "9a3b799f4991c0f6068bb98a946ebc1c20609f51eeccc81ca8a4145f1aae234d",
+ "search_line": -1
+ },
+ {
+ "queryName": "Logging of Sensitive Data In Defaults",
+ "severity": "LOW",
+ "line": 39,
+ "fileName": "positive2.cfg",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "defaults.no_log",
+ "searchValue": "",
+ "expectedValue": "no_log should be set to 'true'",
+ "actualValue": "no_log is set to 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "98e2351d5249042d07f1b4368fd956041c6b156bd92544d4abd82bfce307b9f2",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/ansible/config/privilege_escalation_using_become_plugin_in_defaults/test/positive_expected_result.json b/assets/queries/ansible/config/privilege_escalation_using_become_plugin_in_defaults/test/positive_expected_result.json
index edcbda369aa..ec35ed13e08 100644
--- a/assets/queries/ansible/config/privilege_escalation_using_become_plugin_in_defaults/test/positive_expected_result.json
+++ b/assets/queries/ansible/config/privilege_escalation_using_become_plugin_in_defaults/test/positive_expected_result.json
@@ -1,14 +1,32 @@
 [
- {
- "queryName": "Privilege Escalation Using Become Plugin In Defaults",
- "severity": "MEDIUM",
- "filename": "positive1.cfg",
- "line": 10
- },
- {
- "queryName": "Privilege Escalation Using Become Plugin In Defaults",
- "severity": "MEDIUM",
- "filename": "positive2.cfg",
- "line": 12
- }
+ {
+ "queryName": "Privilege Escalation Using Become Plugin In Defaults",
+ "severity": "MEDIUM",
+ "line": 10,
+ "fileName": "positive1.cfg",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "defaults.become",
+ "searchValue": "",
+ "expectedValue": "'become' should be set to 'true'",
+ "actualValue": "'become' is set to 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "a3c6b0873769845b73faf32f71f82c1caad2212b8308227980dd13c7d80c242a",
+ "search_line": -1
+ },
+ {
+ "queryName": "Privilege Escalation Using Become Plugin In Defaults",
+ "severity": "MEDIUM",
+ "line": 12,
+ "fileName": "positive2.cfg",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "defaults.become_user",
+ "searchValue": "",
+ "expectedValue": "'become' should be defined and set to 'true'",
+ "actualValue": "'become' is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "9cb2e114c801c05ed94762d87feb078aa1d757e43494dcc49ff22704e654ee68",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/ansible/gcp/bigquery_dataset_is_public/test/positive_expected_result.json b/assets/queries/ansible/gcp/bigquery_dataset_is_public/test/positive_expected_result.json
index ccbd9315993..3f35a9ce4d9 100644
--- a/assets/queries/ansible/gcp/bigquery_dataset_is_public/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/bigquery_dataset_is_public/test/positive_expected_result.json
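Review bot: In the second entry the `searchKey` is `defaults.become_user` while `expectedValue`/`actualValue` talk about a different setting (`'become' should be defined and set to 'true'` / `'become' is not defined`), so the key and the message disagree about which attribute is being flagged. The fixture records whatever the query emits, so the inconsistency presumably lives in the query's message template and would be reported to users the same way; it is worth confirming which attribute the rule actually evaluates at that line and aligning the message with the key before regenerating, rather than pinning the mismatch here.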
@@ -1,7 +1,17 @@
 [
- {
- "queryName": "BigQuery Dataset Is Public",
- "severity": "HIGH",
- "line": 5
- }
+ {
+ "queryName": "BigQuery Dataset Is Public",
+ "severity": "HIGH",
+ "line": 5,
+ "fileName": "positive.yaml",
+ "resourceType": "google.cloud.gcp_bigquery_dataset",
+ "resourceName": "create a dataset",
+ "searchKey": "name={{create a dataset}}.{{google.cloud.gcp_bigquery_dataset}}.access",
+ "searchValue": "",
+ "expectedValue": "gcp_bigquery_dataset.access.special_group should not equal to 'allAuthenticatedUsers'",
+ "actualValue": "gcp_bigquery_dataset.access.special_group is equal to 'allAuthenticatedUsers'",
+ "issueType": "IncorrectValue",
+ "similarityID": "4a679980a9a759bd96cf8af04e06fa9953b9d906cf160712f4fbb71291c52226",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/ansible/gcp/client_certificate_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/client_certificate_disabled/test/positive_expected_result.json
index 36503065ad0..912ce5958ec 100644
--- a/assets/queries/ansible/gcp/client_certificate_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/client_certificate_disabled/test/positive_expected_result.json
@@ -2,16 +2,46 @@
 {
 "queryName": "Client Certificate Disabled",
 "severity": "HIGH",
- "line": 3
+ "line": 3,
+ "fileName": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster1",
+ "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}",
+ "searchValue": "",
+ "expectedValue": "gcp_container_cluster.master_auth should be defined",
+ "actualValue": "gcp_container_cluster.master_auth is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "7c63e39721fa4cf8b41aed030771ef65924a9f45e1bcf5289deb44e826eb6855",
+ "search_line": -1
 },
 {
 "queryName": "Client Certificate Disabled",
 "severity": "HIGH",
- "line": 18
+ "line": 18,
+ "fileName": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster2",
+ "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.master_auth",
+ "searchValue": "",
+ "expectedValue": "gcp_container_cluster.master_auth.client_certificate_config should be defined",
+ "actualValue": "gcp_container_cluster.master_auth.client_certificate_config is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "4a0c48c424879f346170e0b794fd25ca40a2a2cf1d24e8ea09121abc8e6540af",
+ "search_line": -1
 },
 {
 "queryName": "Client Certificate Disabled",
 "severity": "HIGH",
- "line": 37
+ "line": 37,
+ "fileName": "positive.yaml",
+ "resourceType": "google.cloud.gcp_container_cluster",
+ "resourceName": "create a cluster3",
+ "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.master_auth.client_certificate_config.issue_client_certificate",
+ "searchValue": "",
+ "expectedValue": "gcp_container_cluster.master_auth.password should be true",
+ "actualValue": "gcp_container_cluster.master_auth.password is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "c2292a84e6d5d27c07a9fc0faec50608ab751f70b298621f21c728fc7668905f",
+ "search_line": -1
 }
 ]
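Review bot: The third entry's `expectedValue`/`actualValue` (`gcp_container_cluster.master_auth.password should be true` / `... is false`) describe a `password` attribute, while its `searchKey` ends in `master_auth.client_certificate_config.issue_client_certificate`, so the fixture pins a message that names a different attribute from the one the key points at. Since these files look like captured scanner output, the wrong wording presumably comes from the query's message template and will be shown to users in the same form; aligning it with the key, e.g. `"expectedValue": "gcp_container_cluster.master_auth.client_certificate_config.issue_client_certificate should be true"`, and regenerating would avoid locking the mismatch into the expected result.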
diff --git a/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json b/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json
index 9379e54d288..05df5713db1 100644
--- a/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json
@@ -1,17 +1,47 @@
 [
- {
- "queryName": "Cloud DNS Without DNSSEC",
- "severity": "MEDIUM",
- "line": 3
- },
- {
- "queryName": "Cloud DNS Without DNSSEC",
- "severity": "MEDIUM",
- "line": 20
- },
- {
- "queryName": "Cloud DNS Without DNSSEC",
- "severity": "MEDIUM",
- "line": 33
- }
+ {
+ "queryName": "Cloud DNS Without DNSSEC",
+ "severity": "MEDIUM",
+ "line": 3,
+ "fileName": "positive.yaml",
+ "resourceType": "google.cloud.gcp_dns_managed_zone",
+ "resourceName": "create a managed zone",
+ "searchKey": "name={{create a managed zone}}.{{google.cloud.gcp_dns_managed_zone}}",
+ "searchValue": "",
+ "expectedValue": "gcp_dns_managed_zone.dnssec_config should be defined",
+ "actualValue": "gcp_dns_managed_zone.dnssec_config is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "cd3422112730a0623905f72579857c2d253f59a39ec1cc414aa83806fc339aad",
+ "search_line": -1
+ },
+ {
+ "queryName": "Cloud DNS Without DNSSEC",
+ "severity": "MEDIUM",
+ "line": 20,
+ "fileName": "positive.yaml",
+ "resourceType": "google.cloud.gcp_dns_managed_zone",
+ "resourceName": "create a second managed zone",
+ "searchKey": "name={{create a second managed zone}}.{{google.cloud.gcp_dns_managed_zone}}.dnssec_config",
+ "searchValue": "",
+ "expectedValue": "gcp_dns_managed_zone.dnssec_config.state should be defined",
+ "actualValue": "gcp_dns_managed_zone.dnssec_config.state is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "4f60d691d90cf9de9051f1d1c1d2f39a225b6a894a206c73972c0cd32cc4e519",
+ "search_line": -1
+ },
+ {
+ "queryName": "Cloud DNS Without DNSSEC",
+ "severity": "MEDIUM",
+ "line": 33,
+ "fileName": "positive.yaml",
+ "resourceType": "google.cloud.gcp_dns_managed_zone",
+ "resourceName": "create a third managed zone",
+ "searchKey": "name={{create a third managed zone}}.{{google.cloud.gcp_dns_managed_zone}}.dnssec_config.state",
+ "searchValue": "",
+ "expectedValue": "gcp_dns_managed_zone.dnssec_config.state should equal to 'on'",
+ 
"actualValue": "gcp_dns_managed_zone.dnssec_config.state is not equal to 'on'",
+ "issueType": "IncorrectValue",
+ "similarityID": "6214324194a3e593b9c09ce76d0bd484611a9de64eed15ecf06c98fc268391df",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/ansible/gcp/cloud_sql_instance_with_contained_database_authentication_on/test/positive_expected_result.json b/assets/queries/ansible/gcp/cloud_sql_instance_with_contained_database_authentication_on/test/positive_expected_result.json
index 0d9b8e9029c..7c07bed4a30 100644
--- a/assets/queries/ansible/gcp/cloud_sql_instance_with_contained_database_authentication_on/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/cloud_sql_instance_with_contained_database_authentication_on/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "Cloud SQL Instance With Contained Database Authentication On",
 "severity": "HIGH",
- "line": 10
+ "line": 10,
+ "fileName": "positive.yaml",
+ "resourceType": "google.cloud.gcp_sql_instance",
+ "resourceName": "sql_instance",
+ "searchKey": "name={{sql_instance}}.{{google.cloud.gcp_sql_instance}}.settings.database_flags",
+ "searchValue": "",
+ "expectedValue": "cloud_gcp_sql_instance.settings.database_flags should be correct",
+ "actualValue": "cloud_gcp_sql_instance.settings.database_flags.name is 'contained database authentication' and cloud_gcp_sql_instance.settings.database_flags.value is not 'off'",
+ "issueType": "IncorrectValue",
+ "similarityID": "cafb04c25a4a29306b68f516c01416f448439287239f3a9eb5fcdbcddd40fdd8",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/ansible/gcp/cloud_sql_instance_with_cross_db_ownership_chaining_on/test/positive_expected_result.json b/assets/queries/ansible/gcp/cloud_sql_instance_with_cross_db_ownership_chaining_on/test/positive_expected_result.json
index 195a85873d7..d4fdc1b17d2 100644
--- a/assets/queries/ansible/gcp/cloud_sql_instance_with_cross_db_ownership_chaining_on/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/cloud_sql_instance_with_cross_db_ownership_chaining_on/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "Cloud SQL Instance With Cross DB Ownership Chaining On",
 "severity": "HIGH",
- "line": 10
+ "line": 10,
+ "fileName": "positive.yaml",
+ "resourceType": "google.cloud.gcp_sql_instance",
+ "resourceName": "sql_instance",
+ "searchKey": "name={{sql_instance}}.{{google.cloud.gcp_sql_instance}}.settings.database_flags",
+ "searchValue": "",
+ "expectedValue": "{{cloud_gcp_sql_instance}}.settings.database_flags should be correct",
+ "actualValue": "{{cloud_gcp_sql_instance}}.settings.database_flags.name is 'cross db ownership chaining' and cloud_gcp_sql_instance.settings.database_flags.value is not 'off'",
+ "issueType": "IncorrectValue",
+ "similarityID": "4177127b55590660da314a352b9c89a78c054b0afe7a047761f43498dd5b29bd",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json
index e0ee2d2a9d5..d1154a4056e 100644
--- a/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json
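Review bot: `expectedValue` and `actualValue` in this hunk carry unexpanded template braces (`{{cloud_gcp_sql_instance}}.settings.database_flags should be correct`), whereas the sibling contained_database_authentication_on fixture in the previous hunk uses the plain `cloud_gcp_sql_instance.settings.database_flags ...` form; the braces appear to be an unintended leftover in the query's message rather than meaningful output, and committing them pins that artefact. Both fixtures' `should be correct` wording is also too vague to act on from a report; phrasing the expectation in terms of the flag, e.g. `"expectedValue": "cloud_gcp_sql_instance.settings.database_flags 'cross db ownership chaining' should be set to 'off'"`, would make the finding self-explanatory once regenerated.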
@@ -2,16 +2,46 @@
 {
 "queryName": "Cloud Storage Anonymous or Publicly Accessible",
 "severity": "CRITICAL",
- "line": 11
+ "line": 11,
+ "fileName": "positive.yaml",
+ "resourceType": "google.cloud.gcp_storage_bucket",
+ "resourceName": "create a bucket1",
+ "searchKey": "name={{create a bucket1}}.{{google.cloud.gcp_storage_bucket}}.default_object_acl.entity",
+ "searchValue": "",
+ "expectedValue": "gcp_storage_bucket.default_object_acl.entity should not be 'allUsers' or 'allAuthenticatedUsers'",
+ "actualValue": "gcp_storage_bucket.default_object_acl.entity is 'allUsers' or 'allAuthenticatedUsers'",
+ "issueType": "IncorrectValue",
+ "similarityID": "9f7e6f735043378cec2d8f42c15413d12a81413003b6000560957da289b77988",
+ "search_line": -1
 },
 {
 "queryName": "Cloud Storage Anonymous or Publicly Accessible",
 "severity": "CRITICAL",
- "line": 22
+ "line": 22,
+ "fileName": "positive.yaml",
+ "resourceType": "google.cloud.gcp_storage_bucket",
+ "resourceName": "create a bucket2",
+ "searchKey": "name={{create a bucket2}}.{{google.cloud.gcp_storage_bucket}}.acl.entity",
+ "searchValue": "",
+ "expectedValue": "gcp_storage_bucket.acl.entity should not be 'allUsers' or 'allAuthenticatedUsers'",
+ "actualValue": "gcp_storage_bucket.acl.entity is 'allUsers' or 'allAuthenticatedUsers'",
+ "issueType": "IncorrectValue",
+ "similarityID": "236333b5c675aa0fb8055441dcc268915b49d36949ec4f0ac19b8d42d6a4f188",
+ "search_line": -1
 },
 {
 "queryName": "Cloud Storage Anonymous or Publicly Accessible",
 "severity": "CRITICAL",
- "line": 28
+ "line": 28,
+ "fileName": "positive.yaml",
+ "resourceType": "google.cloud.gcp_storage_bucket",
+ "resourceName": "create a bucket3",
+ "searchKey": "name={{create a bucket3}}.{{google.cloud.gcp_storage_bucket}}",
+ "searchValue": "",
+ "expectedValue": "gcp_storage_bucket.default_object_acl should be defined",
+ "actualValue": "gcp_storage_bucket.default_object_acl is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": 
"5bfca4be0a579da3be3419751da202a5d7414c707f9166e298ac3e2cb07d6016",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json
index 1d61cc30951..9a8e0f62612 100644
--- a/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "Cloud Storage Bucket Logging Not Enabled",
 "severity": "MEDIUM",
- "line": 3
+ "line": 3,
+ "fileName": "positive.yaml",
+ "resourceType": "google.cloud.gcp_storage_bucket",
+ "resourceName": "create a bucket",
+ "searchKey": "name={{create a bucket}}.{{google.cloud.gcp_storage_bucket}}",
+ "searchValue": "",
+ "expectedValue": "gcp_storage_bucket.logging should be defined",
+ "actualValue": "gcp_storage_bucket.logging is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "7c64f208fcd63b95ec78d3987860ae2f7995708267a5243b3d72d80eb497bbf4",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json
index e2023f7479b..b590c74ec82 100644
--- a/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json
@@ -2,11 +2,31 @@
 {
 "queryName": "Cloud Storage Bucket Versioning Disabled",
 "severity": "MEDIUM",
- "line": 3
+ "line": 3,
+ "fileName": "positive.yaml",
+ "resourceType": "google.cloud.gcp_storage_bucket",
+ "resourceName": "create a bucket",
+ "searchKey": "name={{create a bucket}}.{{google.cloud.gcp_storage_bucket}}",
+ "searchValue": "",
+ "expectedValue": "gcp_storage_bucket.versioning should be defined",
+ "actualValue": "gcp_storage_bucket.versioning is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "2d24280b69a17a81903e10b840f444f0c21a7e4ac12c61d90c7f05d5b60e617f",
+ "search_line": -1
 },
 {
 "queryName": "Cloud Storage Bucket Versioning Disabled",
 "severity": "MEDIUM",
- "line": 17
+ "line": 17,
+ "fileName": "positive.yaml",
+ "resourceType": "google.cloud.gcp_storage_bucket",
+ "resourceName": "create a second bucket",
+ "searchKey": "name={{create a second bucket}}.{{google.cloud.gcp_storage_bucket}}.versioning.enabled",
+ "searchValue": "",
+ "expectedValue": "gcp_storage_bucket.versioning.enabled should be true",
+ "actualValue": "gcp_storage_bucket.versioning.enabled is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "78302be24155f285cee5d43964c0af5046672c3833a2974472e116bcd3dc6dd4",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/ansible/gcp/cluster_labels_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/cluster_labels_disabled/test/positive_expected_result.json
index 8c1a8dc644d..5e037db0dcd 100644
--- a/assets/queries/ansible/gcp/cluster_labels_disabled/test/positive_expected_result.json
+++ b/assets/queries/ansible/gcp/cluster_labels_disabled/test/positive_expected_result.json
@@ -2,16 +2,46 @@ { "queryName": "Cluster Labels Disabled", "severity": "LOW", - "line": 2 + "line": 2, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster1", + "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", + "searchValue": "", + "expectedValue": "google.cloud.gcp_container_cluster should be defined and not null", + "actualValue": "google.cloud.gcp_container_cluster is undefined and null", + "issueType": "MissingAttribute", + "similarityID": "2692ee7cd48c1d40c28788d1d630da34acdff38cd57d45c46548c4c1bec32f27", + "search_line": -1 }, { "queryName": "Cluster Labels Disabled", "severity": "LOW", - "line": 17 + "line": 17, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster2", + "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}", + "searchValue": "", + "expectedValue": "google.cloud.gcp_container_cluster should be defined and not null", + "actualValue": "google.cloud.gcp_container_cluster is undefined and null", + "issueType": "MissingAttribute", + "similarityID": "4287eb431ed3280c4cd4e6541f92a96f86a9b4f7ca2286138ada3ec1f2ed502f", + "search_line": -1 }, { "queryName": "Cluster Labels Disabled", "severity": "LOW", - "line": 47 + "line": 47, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster3", + "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.resource_labels", + "searchValue": "", + "expectedValue": "google.cloud.gcp_container_cluster should not be empty", + "actualValue": "google.cloud.gcp_container_cluster is empty", + "issueType": "IncorrectValue", + "similarityID": "11f47e8dcab2a937353f05f97b1ee5238d8c00b2c0104b078dd711470b3c0019", + "search_line": -1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/ansible/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json index 06b3b7a82fa..7bb2694cd82 100644 --- a/assets/queries/ansible/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json 
@@ -2,26 +2,76 @@ { "queryName": "Cluster Master Authentication Disabled", "severity": "MEDIUM", - "line": 3 + "line": 3, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster1", + "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_auth should be defined and not null", + "actualValue": "gcp_container_cluster.master_auth is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "f93754f80a2f7d564072c15511520b56ca0eef6fcdc5bdb5f3636debcef950ab", + "search_line": -1 }, { "queryName": "Cluster Master Authentication Disabled", "severity": "MEDIUM", - "line": 18 + "line": 18, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster2", + "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.master_auth", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_auth.username should be defined and not null", + "actualValue": "gcp_container_cluster.master_auth.username is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "ac16235f9c37369fe5898a35886caf521edcc17b46f4753242ed172f509a81cb", + "search_line": -1 }, { "queryName": "Cluster Master Authentication Disabled", "severity": "MEDIUM", - "line": 32 + "line": 32, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster3", + "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.master_auth", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_auth.password should be defined and not null", + "actualValue": "gcp_container_cluster.master_auth.password is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "c96a85fbb6dae2df3993ea5930ba1e239caf13196da01598460a4ae7babd8fef", + "search_line": 
-1 }, { "queryName": "Cluster Master Authentication Disabled", "severity": "MEDIUM", - "line": 46 + "line": 46, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster4", + "searchKey": "name={{create a cluster4}}.{{google.cloud.gcp_container_cluster}}.master_auth", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_auth.username should be defined and not null", + "actualValue": "gcp_container_cluster.master_auth.username is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "c857a0ebaa8be71b35a4389d8dbcf332e54823043d224f2e5939feeb17f1ea34", + "search_line": -1 }, { "queryName": "Cluster Master Authentication Disabled", "severity": "MEDIUM", - "line": 61 + "line": 61, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster5", + "searchKey": "name={{create a cluster5}}.{{google.cloud.gcp_container_cluster}}.master_auth", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_auth.password should be defined and not null", + "actualValue": "gcp_container_cluster.master_auth.password is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "616be505684f4414f8edfec5b81e8c95b5ade80b28f57d83f05482bd52d338ef", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json index 77e4bef3293..650810dfed1 100644 --- a/assets/queries/ansible/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "Compute Instance Is Publicly Accessible", "severity": "MEDIUM", - "line": 6 + "line": 6, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance", + "searchKey": "name={{create a instance}}.{{google.cloud.gcp_compute_instance}}.network_interfaces.access_configs", + "searchValue": "", + "expectedValue": "gcp_compute_instance.network_interfaces.access_configs should not be defined", + "actualValue": "gcp_compute_instance.network_interfaces.access_configs is defined", + "issueType": "IncorrectValue", + "similarityID": "82eb311ec4b36b028d90976a6e022611079748502540deccabecc4db4089eb88", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/cos_node_image_not_used/test/positive_expected_result.json b/assets/queries/ansible/gcp/cos_node_image_not_used/test/positive_expected_result.json index 7749e1bcee8..c7ad3748c0e 100644 --- a/assets/queries/ansible/gcp/cos_node_image_not_used/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/cos_node_image_not_used/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "COS Node Image Not Used", "severity": "LOW", - "line": 13 + "line": 13, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_node_pool", + "resourceName": "create a node pool", + "searchKey": "name={{create a node pool}}.{{google.cloud.gcp_container_node_pool}}.config.image_type", + "searchValue": "", + "expectedValue": "gcp_container_node_pool.config.image_type should start with 'COS'", + "actualValue": "gcp_container_node_pool.config.image_type does not start with 'COS'", + "issueType": "IncorrectValue", + "similarityID": "d8c429653cca3434294f00c1a6ea0ff9fa1f8024efebf0ad160346f53c8bd426", + "search_line": -1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/ansible/gcp/disk_encryption_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/disk_encryption_disabled/test/positive_expected_result.json index ed85273a162..81c43f0ccbe 100644 --- a/assets/queries/ansible/gcp/disk_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/disk_encryption_disabled/test/positive_expected_result.json 
@@ -3,30 +3,75 @@ "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", "line": 3, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "google.cloud.gcp_compute_disk", + "resourceName": "create a disk1", + "searchKey": "name={{create a disk1}}.{{google.cloud.gcp_compute_disk}}", + "searchValue": "", + "expectedValue": "gcp_compute_disk.disk_encryption_key should be defined and not null", + "actualValue": "gcp_compute_disk.disk_encryption_key is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "80c27a383b39455dce536f3f8c8fc9acbd5f7a11be728af74b9c53056450a9e4", + "search_line": -1 }, { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", "line": 15, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "google.cloud.gcp_compute_disk", + "resourceName": "create a disk3", + "searchKey": "name={{create a disk3}}.{{google.cloud.gcp_compute_disk}}.disk_encryption_key", + "searchValue": "", + "expectedValue": "gcp_compute_disk.disk_encryption_key.raw_key or gcp_compute_disk.disk_encryption_key.kms_key_name should be defined and not null", + "actualValue": "gcp_compute_disk.disk_encryption_key.raw_key and gcp_compute_disk.disk_encryption_key.kms_key_name are undefined or null", + "issueType": "MissingAttribute", + "similarityID": "53de80240c67f42c1b943c99a1ea6afce3a9d859bf02858e22b0c3e2129fd7d0", + "search_line": -1 }, { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", "line": 27, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "google.cloud.gcp_compute_disk", + "resourceName": "create a disk4", + "searchKey": "name={{create a disk4}}.{{google.cloud.gcp_compute_disk}}.disk_encryption_key.raw_key", + "searchValue": "", + "expectedValue": "gcp_compute_disk.disk_encryption_key.raw_key should not be empty", + "actualValue": "gcp_compute_disk.disk_encryption_key.raw_key is empty", + "issueType": "IncorrectValue", + "similarityID": 
"8510404bbe8165a0c418af93b7c9e12fbc8ca2d3c807bb1d538a36c891dbde9f", + "search_line": -1 }, { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", "line": 5, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "google.cloud.gcp_compute_disk", + "resourceName": "create a disk3", + "searchKey": "name={{create a disk3}}.{{google.cloud.gcp_compute_disk}}.disk_encryption_key", + "searchValue": "", + "expectedValue": "gcp_compute_disk.disk_encryption_key.raw_key or gcp_compute_disk.disk_encryption_key.kms_key_name should be defined and not null", + "actualValue": "gcp_compute_disk.disk_encryption_key.raw_key and gcp_compute_disk.disk_encryption_key.kms_key_name are undefined or null", + "issueType": "MissingAttribute", + "similarityID": "2851ca46fbc8e8bd648510c4650d3451b9d80385be74b57e6e309f2c021273ef", + "search_line": -1 }, { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", "line": 17, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "google.cloud.gcp_compute_disk", + "resourceName": "create a disk4", + "searchKey": "name={{create a disk4}}.{{google.cloud.gcp_compute_disk}}.disk_encryption_key.kms_key_name", + "searchValue": "", + "expectedValue": "gcp_compute_disk.disk_encryption_key.kms_key_name should not be empty", + "actualValue": "gcp_compute_disk.disk_encryption_key.kms_key_name is empty", + "issueType": "IncorrectValue", + "similarityID": "a1285b2ef2e503f986a98c7cd18e962e18dfe90f26cd46f3dbd34d41a3f5d3f6", + "search_line": -1 } ] diff --git a/assets/queries/ansible/gcp/dnssec_using_rsasha1/test/positive_expected_result.json b/assets/queries/ansible/gcp/dnssec_using_rsasha1/test/positive_expected_result.json index e0b836b45d2..22a35566f6b 100644 --- a/assets/queries/ansible/gcp/dnssec_using_rsasha1/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/dnssec_using_rsasha1/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "DNSSEC Using RSASHA1", "severity": "MEDIUM", - "line": 13 + "line": 13, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_dns_managed_zone", + "resourceName": "create a managed zone", + "searchKey": "name={{create a managed zone}}.{{google.cloud.gcp_dns_managed_zone}}.dnssec_config.defaultKeySpecs.algorithm", + "searchValue": "", + "expectedValue": "gcp_dns_managed_zone.dnssec_config.defaultKeySpecs.algorithm should not equal to 'rsasha1'", + "actualValue": "gcp_dns_managed_zone.dnssec_config.defaultKeySpecs.algorithm is equal to 'rsasha1'", + "issueType": "IncorrectValue", + "similarityID": "877d7d131881c0ce111f7aa889af9042d5ca1f8bc2fc11011ac85b28bac52c77", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/gke_basic_authentication_enabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/gke_basic_authentication_enabled/test/positive_expected_result.json index 7d0d7d53ef2..ee7fc56536a 100644 --- a/assets/queries/ansible/gcp/gke_basic_authentication_enabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/gke_basic_authentication_enabled/test/positive_expected_result.json 
@@ -2,26 +2,76 @@ { "queryName": "GKE Basic Authentication Enabled", "severity": "MEDIUM", - "line": 3 + "line": 3, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster1", + "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_auth should be defined", + "actualValue": "gcp_container_cluster.master_auth is undefined", + "issueType": "MissingAttribute", + "similarityID": "3112f4cf64ea73b9877f0128c33755de8e7d147aba954637181bbdf86fa12d85", + "search_line": -1 }, { "queryName": "GKE Basic Authentication Enabled", "severity": "MEDIUM", - "line": 18 + "line": 18, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster2", + "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.master_auth", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_auth.username should be defined", + "actualValue": "gcp_container_cluster.master_auth.username is undefined", + "issueType": "MissingAttribute", + "similarityID": "f6c42971c9bb60cc8d1a324bc1366537c81ffe481d8ab1656d8c2320b1d0c6f0", + "search_line": -1 }, { "queryName": "GKE Basic Authentication Enabled", "severity": "MEDIUM", - "line": 32 + "line": 32, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster3", + "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.master_auth", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_auth.password should be defined", + "actualValue": "gcp_container_cluster.master_auth.password is undefined", + "issueType": "MissingAttribute", + "similarityID": "dcd7d2ec81dde712f79beebccfd1cf3e23ff46a92698bdbba290560182719de9", + "search_line": -1 }, { "queryName": "GKE Basic Authentication Enabled", "severity": "MEDIUM", - 
"line": 47 + "line": 47, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster4", + "searchKey": "name={{create a cluster4}}.{{google.cloud.gcp_container_cluster}}.master_auth.username", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_auth.username should be empty", + "actualValue": "gcp_container_cluster.master_auth.username is not empty", + "issueType": "IncorrectValue", + "similarityID": "e735705794d5a6343046e0b1b5fbb3ccf9f1e8332884df7bdbebb8799b3ef466", + "search_line": -1 }, { "queryName": "GKE Basic Authentication Enabled", "severity": "MEDIUM", - "line": 63 + "line": 63, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster5", + "searchKey": "name={{create a cluster5}}.{{google.cloud.gcp_container_cluster}}.master_auth.password", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_auth.password should be empty", + "actualValue": "gcp_container_cluster.master_auth.password is not empty", + "issueType": "IncorrectValue", + "similarityID": "abb07d0eb2c833f99c7a2b024ed6841e3b5fc298c8c7d21e3045066ed6849a77", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json index 7a792dec50d..91d2debbf02 100644 --- a/assets/queries/ansible/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "GKE Legacy Authorization Enabled", "severity": "HIGH", - "line": 18 + "line": 18, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster", + "searchKey": "name={{create a cluster}}.{{google.cloud.gcp_container_cluster}}.legacy_abac.enabled", + "searchValue": "", + "expectedValue": "gcp_container_cluster.legacy_abac.enabled should be set to false", + "actualValue": "gcp_container_cluster.legacy_abac.enabled is true", + "issueType": "IncorrectValue", + "similarityID": "be4aefb1cf9069893ed34ea1a5bac9f82af4fa88f5771ec3ea54bc6d3c68c47b", + "search_line": -1 } ] diff --git a/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json index 5535f921553..0852dbb66f7 100644 --- a/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "GKE Master Authorized Networks Disabled", "severity": "MEDIUM", - "line": 10 + "line": 10, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster", + "searchKey": "name={{create a cluster}}.{{google.cloud.gcp_container_cluster}}.master_authorized_networks_config.enabled", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_authorized_networks_config.enabled should be true", + "actualValue": "gcp_container_cluster.master_authorized_networks_config.enabled is false", + "issueType": "IncorrectValue", + "similarityID": "e16e271876bf6edef92ba7d4cf5662d7a1fbbcd948e06bfa9c5d40a346d0fa95", + "search_line": -1 }, { "queryName": "GKE Master Authorized Networks Disabled", "severity": "MEDIUM", - "line": 17 + "line": 17, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a second cluster", + "searchKey": "name={{create a second cluster}}.{{google.cloud.gcp_container_cluster}}.master_authorized_networks_config", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_authorized_networks_config.enabled should be defined", + "actualValue": "gcp_container_cluster.master_authorized_networks_config.enabled is undefined", + "issueType": "MissingAttribute", + "similarityID": "f91901f3684037817ffcc1c5ceca94ef0bc4dc5bd4c041299c90298d1a249d93", + "search_line": -1 }, { "queryName": "GKE Master Authorized Networks Disabled", "severity": "MEDIUM", - "line": 22 + "line": 22, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a third cluster", + "searchKey": "name={{create a third cluster}}.{{google.cloud.gcp_container_cluster}}", + "searchValue": "", + "expectedValue": "gcp_container_cluster.master_authorized_networks_config should be defined", + "actualValue": "gcp_container_cluster.master_authorized_networks_config is undefined", + 
"issueType": "MissingAttribute", + "similarityID": "9e45f8d66d89ed80f8bace5ff4f084b2ca2fa15f7ae1be4eb4b090993b4a3919", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/gke_using_default_service_account/test/positive_expected_result.json b/assets/queries/ansible/gcp/gke_using_default_service_account/test/positive_expected_result.json index c1d0cdbb565..61043d4a682 100644 --- a/assets/queries/ansible/gcp/gke_using_default_service_account/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/gke_using_default_service_account/test/positive_expected_result.json 
@@ -1,14 +1,32 @@ [ - { - "queryName": "GKE Using Default Service Account", - "severity": "MEDIUM", - "line": 8, - "fileName": "positive1.yaml" - }, - { - "queryName": "GKE Using Default Service Account", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive2.yaml" - } + { + "queryName": "GKE Using Default Service Account", + "severity": "MEDIUM", + "line": 8, + "fileName": "positive1.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster", + "searchKey": "name={{create a cluster}}.{{google.cloud.gcp_container_cluster}}.node_config", + "searchValue": "", + "expectedValue": "'service_account' should not be default", + "actualValue": "'service_account' is missing", + "issueType": "MissingAttribute", + "similarityID": "16ddb14764a67732c6104263385f094378753e0758c8497df3792eff09357ea4", + "search_line": 8 + }, + { + "queryName": "GKE Using Default Service Account", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive2.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster", + "searchKey": "name={{create a cluster}}.{{google.cloud.gcp_container_cluster}}.node_config.service_account", + "searchValue": "", + "expectedValue": "'service_account' should not be default", + "actualValue": "'service_account' is default", + "issueType": "IncorrectValue", + "similarityID": "f8dfb894b860b87a8aa60d90ab844e7a5b793780324f4d1fba241d69c009f372", + "search_line": 11 + } ] diff --git a/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json b/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json index ed1b5a8150c..00cf4b5e12e 100644 --- a/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Google Compute Network Using Default Firewall Rule", "severity": "MEDIUM", "line": 11, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_network", + "resourceName": "create a network2", + "searchKey": "name={{create a network2}}.{{google.cloud.gcp_compute_network}}", + "searchValue": "", + "expectedValue": "'google.cloud.gcp_compute_network' should not be using a default firewall rule", + "actualValue": "'google.cloud.gcp_compute_network' is using a default firewall rule", + "issueType": "IncorrectValue", + "similarityID": "6dca771e3e1f8472ce178d5159384ff120f6d5994820bce99040e444a836c00b", + "search_line": -1 } ] diff --git a/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/test/positive_expected_result.json b/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/test/positive_expected_result.json index 35ee2790201..9b44c75ba48 100644 --- a/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Google Compute Network Using Firewall Rule that Allows Port Range", "severity": "LOW", "line": 19, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_network", + "resourceName": "create a network2", + "searchKey": "name={{create a network2}}.{{google.cloud.gcp_compute_network}}", + "searchValue": "", + "expectedValue": "'google.cloud.gcp_compute_network' should not be using a firewall rule that allows access to port range", + "actualValue": "'google.cloud.gcp_compute_network' is using a firewall rule that allows access to port range", + "issueType": "IncorrectValue", + "similarityID": "be1dc234a1ef9b2f1f5b902438f38f2edb7cb22f528d84de790672129b0cd6e2", + "search_line": -1 } ] diff --git a/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json b/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json index c07d1c5283a..3d585586bfb 100644 --- a/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Google Compute Network Using Firewall Rule that Allows All Ports", "severity": "MEDIUM", "line": 19, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_network", + "resourceName": "create a network2", + "searchKey": "name={{create a network2}}.{{google.cloud.gcp_compute_network}}", + "searchValue": "", + "expectedValue": "'google.cloud.gcp_compute_network' should not be using a firewall rule that allows access to all ports", + "actualValue": "'google.cloud.gcp_compute_network' is using a firewall rule that allows access to all ports", + "issueType": "IncorrectValue", + "similarityID": "d7cef941e9b63e3ffd8971fe5489ddf8e80573bf724aba147cb4b478e13e4ea7", + "search_line": -1 } ] diff --git a/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json b/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json index 9fab22393ec..4437119c5bd 100644 --- a/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Google Compute SSL Policy Weak Cipher In Use", "severity": "MEDIUM", - "line": 2 + "line": 2, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_ssl_policy", + "resourceName": "create a SSL policy", + "searchKey": "name={{create a SSL policy}}.{{google.cloud.gcp_compute_ssl_policy}}", + "searchValue": "", + "expectedValue": "gcp_compute_ssl_policy has min_tls_version should be set to 'TLS_1_2'", + "actualValue": "gcp_compute_ssl_policy does not have min_tls_version set to 'TLS_1_2'", + "issueType": "MissingAttribute", + "similarityID": "6e8e803cd7fb53dec4c66a60f7a4388835eae37414c5b80f58d7fb7266c1d468", + "search_line": -1 }, { "queryName": "Google Compute SSL Policy Weak Cipher In Use", "severity": "MEDIUM", - "line": 16 + "line": 16, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_ssl_policy", + "resourceName": "create a SSL policy2", + "searchKey": "name={{create a SSL policy2}}.{{google.cloud.gcp_compute_ssl_policy}}.min_tls_version", + "searchValue": "", + "expectedValue": "gcp_compute_ssl_policy.min_tls_version has min_tls_version should be set to 'TLS_1_2'", + "actualValue": "gcp_compute_ssl_policy.min_tls_version does not have min_tls_version set to 'TLS_1_2'", + "issueType": "IncorrectValue", + "similarityID": "32018d1993aea2e4af57dd210bd463255aabfdcc47d68d3710ededa0bb1c014f", + "search_line": -1 } ] diff --git a/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json index 4b088e2c82c..c744d0b3c5a 100644 --- a/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Google Compute Subnetwork with Private Google Access Disabled", "severity": "LOW", "line": 2, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "google.cloud.gcp_compute_subnetwork", + "resourceName": "create a subnetwork", + "searchKey": "name={{create a subnetwork}}.{{google.cloud.gcp_compute_subnetwork}}", + "searchValue": "", + "expectedValue": "google.cloud.gcp_compute_subnetwork.private_ip_google_access should be defined and not null", + "actualValue": "google.cloud.gcp_compute_subnetwork.private_ip_google_access is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "e611819b143859e85e19fca64ef4bb39efd4a97d15b67536eafc40599a887b62", + "search_line": 2 }, { "queryName": "Google Compute Subnetwork with Private Google Access Disabled", "severity": "LOW", "line": 10, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "google.cloud.gcp_compute_subnetwork", + "resourceName": "create a subnetwork2", + "searchKey": "name={{create a subnetwork2}}.{{google.cloud.gcp_compute_subnetwork}}.private_ip_google_access", + "searchValue": "", + "expectedValue": "google.cloud.gcp_compute_subnetwork.private_ip_google_access should be set to yes", + "actualValue": "google.cloud.gcp_compute_subnetwork.private_ip_google_access is set to no", + "issueType": "IncorrectValue", + "similarityID": "d496812533764729f31ea851fe0e1ce603b9416545c4855b2745d0d71db803eb", + "search_line": 10 } ] diff --git a/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json index 6be1d2d4a37..842a546ecfb 100644 --- a/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json 
+++ b/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "Google Container Node Pool Auto Repair Disabled", "severity": "MEDIUM", - "line": 13 + "line": 13, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_node_pool", + "resourceName": "create a node pool", + "searchKey": "name={{create a node pool}}.{{google.cloud.gcp_container_node_pool}}.management.auto_repair", + "searchValue": "", + "expectedValue": "gcp_container_node_pool.management.auto_repair should be set to true", + "actualValue": "gcp_container_node_poolmanagement.auto_repair is set to false", + "issueType": "IncorrectValue", + "similarityID": "0060f8fd8173476f1772a0599773f1d82f84844ff038b625fd6c79b8bb9a0258", + "search_line": -1 }, { "queryName": "Google Container Node Pool Auto Repair Disabled", "severity": "MEDIUM", - "line": 26 + "line": 26, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_node_pool", + "resourceName": "create a node pool2", + "searchKey": "name={{create a node pool2}}.{{google.cloud.gcp_container_node_pool}}.management.auto_repair", + "searchValue": "", + "expectedValue": "gcp_container_node_pool.management.auto_repair should be set to true", + "actualValue": "gcp_container_node_poolmanagement.auto_repair is set to false", + "issueType": "IncorrectValue", + "similarityID": "f4d0a3e4f08e8175d4ac6af87af2a22f0ec0ea4908a95f9eeeea74b01a03e1c0", + "search_line": -1 }, { "queryName": "Google Container Node Pool Auto Repair Disabled", "severity": "MEDIUM", - "line": 29 + "line": 29, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_node_pool", + "resourceName": "create a node pool3", + "searchKey": "name={{create a node pool3}}.{{google.cloud.gcp_container_node_pool}}", + "searchValue": "", + "expectedValue": "gcp_container_node_pool.management should be defined", + "actualValue": "gcp_container_node_pool.management is undefined", + "issueType": "MissingAttribute", + "similarityID": 
"73ed1e3f1925d2a5d703dfc408c1a7fad4192a2bc60b38c837d935b082e039eb", + "search_line": -1 } ] diff --git a/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json b/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json index 64749f941ee..42446e0f80a 100644 --- a/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json @@ -2,11 +2,31 @@ { "queryName": "High Google KMS Crypto Key Rotation Period", "severity": "MEDIUM", - "line": 18 + "line": 18, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_kms_crypto_key", + "resourceName": "create a crypto key", + "searchKey": "name={{create a crypto key}}.{{google.cloud.gcp_kms_crypto_key}}.rotation_period", + "searchValue": "", + "expectedValue": "gcp_kms_crypto_key.rotation_period should be less or equal to 7776000", + "actualValue": "gcp_kms_crypto_key.rotation_period exceeds 7776000", + "issueType": "IncorrectValue", + "similarityID": "047cbb968614e3e41fb0c92a341b0814f186e1584da8124218effa7dd5b7e5d8", + "search_line": -1 }, { "queryName": "High Google KMS Crypto Key Rotation Period", "severity": "MEDIUM", - "line": 23 + "line": 23, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_kms_crypto_key", + "resourceName": "create a crypto key2", + "searchKey": "name={{create a crypto key2}}.{{google.cloud.gcp_kms_crypto_key}}", + "searchValue": "", + "expectedValue": "gcp_kms_crypto_key.rotation_period should be defined with a value less or equal to 7776000", + "actualValue": "gcp_kms_crypto_key.rotation_period is undefined", + "issueType": "MissingAttribute", + "similarityID": "b6a36cc2d3e30805250ac8689464e0a62a13a3565f295fb9f189e13e72426e9c", + "search_line": -1 } ] 
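Review bot: The first two entries of this hunk pin a typo in the query's output: `"actualValue": "gcp_container_node_poolmanagement.auto_repair is set to false"` is missing the dot before `management`, while the matching `expectedValue` on the line above reads `gcp_container_node_pool.management.auto_repair`. Since the fixture is a verbatim capture of what the scanner emitted, committing it as the expected result freezes the malformed message and any later fix to the query's Rego output will turn into a test failure. The cleaner path is to correct the message in the query first and regenerate this file so the entry reads `"actualValue": "gcp_container_node_pool.management.auto_repair is set to false"`. If these files are indeed produced by the generator script rather than hand-edited, a short check there that `expectedValue` and `actualValue` share the same resource prefix would have surfaced this before commit.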
diff --git a/assets/queries/ansible/gcp/ip_aliasing_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/ip_aliasing_disabled/test/positive_expected_result.json index 515f5894a3c..c1c135112c4 100644 --- a/assets/queries/ansible/gcp/ip_aliasing_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/ip_aliasing_disabled/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "IP Aliasing Disabled", "severity": "MEDIUM", - "line": 2 + "line": 2, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster1", + "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", + "searchValue": "", + "expectedValue": "gcp_container_cluster.ip_allocation_policy should be defined", + "actualValue": "gcp_container_cluster.ip_allocation_policy is undefined", + "issueType": "MissingAttribute", + "similarityID": "9bcfbdc8ad683d19304f3a748608a7633d9a1478601dfc232a0dfb24462d7b7b", + "search_line": -1 }, { "queryName": "IP Aliasing Disabled", "severity": "MEDIUM", - "line": 31 + "line": 31, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster2", + "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.ip_allocation_policy", + "searchValue": "", + "expectedValue": "gcp_container_cluster.ip_allocation_policy.use_ip_aliases should be set to true", + "actualValue": "gcp_container_cluster.ip_allocation_policy.use_ip_aliases is undefined", + "issueType": "MissingAttribute", + "similarityID": "72efaebd492118ef2950c875ae9571ce9e1ffd70e566a670cb10d9b11d9b80a2", + "search_line": -1 }, { "queryName": "IP Aliasing Disabled", "severity": "MEDIUM", - "line": 50 + "line": 50, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster3", + "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.ip_allocation_policy.use_ip_aliases", + "searchValue": "", + "expectedValue": "gcp_container_cluster.ip_allocation_policy.use_ip_aliases should be true", + "actualValue": "gcp_container_cluster.ip_allocation_policy.use_ip_aliases is false", + "issueType": "IncorrectValue", + "similarityID": "4fc82a54c62d7fd5f8303bb019222ed5e7d96e656b9b07a420cc8a67430dcd92", + "search_line": -1 } -] \ 
No newline at end of file +] diff --git a/assets/queries/ansible/gcp/ip_forwarding_enabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/ip_forwarding_enabled/test/positive_expected_result.json index fd23b343a69..bcdd72aa980 100644 --- a/assets/queries/ansible/gcp/ip_forwarding_enabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/ip_forwarding_enabled/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "IP Forwarding Enabled", "severity": "MEDIUM", - "line": 22 + "line": 22, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance", + "searchKey": "name={{create a instance}}.{{google.cloud.gcp_compute_instance}}.can_ip_forward", + "searchValue": "", + "expectedValue": "gcp_compute_instance.can_ip_forward should be set to false", + "actualValue": "gcp_compute_instance.can_ip_forward is true", + "issueType": "IncorrectValue", + "similarityID": "21eca875e7a7e787b1e7d96f46214c77af02d11abc97158dee484ec040da3f7c", + "search_line": -1 } ] diff --git a/assets/queries/ansible/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json b/assets/queries/ansible/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json index ca7bdf90551..0e1085f433b 100644 --- a/assets/queries/ansible/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "MySQL Instance With Local Infile On", "severity": "HIGH", - "line": 10 + "line": 10, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "sql_instance", + "searchKey": "name={{sql_instance}}.{{google.cloud.gcp_sql_instance}}.settings.database_flags", + "searchValue": "", + "expectedValue": "cloud_gcp_sql_instance.settings.database_flags should be correct", + "actualValue": "cloud_gcp_sql_instance.settings.database_flags.name is 'local_infile' and cloud_gcp_sql_instance.settings.database_flags.value is not 'off'", + "issueType": "IncorrectValue", + "similarityID": "21af406666a8c35abf9b07ab12f1226dd1ba172a32bc5321cf5b99ce90ea4b09", + "search_line": -1 } ] diff --git a/assets/queries/ansible/gcp/network_policy_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/network_policy_disabled/test/positive_expected_result.json index 422a04267dc..f0c7c8fe5c7 100644 --- a/assets/queries/ansible/gcp/network_policy_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/network_policy_disabled/test/positive_expected_result.json 
@@ -2,26 +2,76 @@ { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 3 + "line": 3, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster1", + "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", + "searchValue": "network_policy", + "expectedValue": "gcp_container_cluster.network_policy should be defined", + "actualValue": "gcp_container_cluster.network_policy is undefined", + "issueType": "MissingAttribute", + "similarityID": "85d07fd370097ad3375610b116050404b95a6e395802ca2684aeb28814cec125", + "search_line": 3 }, { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 21 + "line": 21, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster2", + "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}", + "searchValue": "addons_config", + "expectedValue": "gcp_container_cluster.addons_config should be defined", + "actualValue": "gcp_container_cluster.addons_config is undefined", + "issueType": "MissingAttribute", + "similarityID": "fef916f7a45863e3ffe3f1d1890f6e95d62e9a00c6481854da2889ea2636e89f", + "search_line": 21 }, { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 54 + "line": 54, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster3", + "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.addons_config", + "searchValue": "", + "expectedValue": "gcp_container_cluster.addons_config.network_policy_config should be defined", + "actualValue": "gcp_container_cluster.addons_config.network_policy_config is undefined", + "issueType": "MissingAttribute", + "similarityID": "e8e6960e17727c2913a1aa1b213cf129ed82449db6a8b5171019f442602eb730", + "search_line": 54 }, { "queryName": "Network Policy Disabled", "severity": "MEDIUM", 
- "line": 73 + "line": 73, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster4", + "searchKey": "name={{create a cluster4}}.{{google.cloud.gcp_container_cluster}}.network_policy.enabled", + "searchValue": "", + "expectedValue": "gcp_container_cluster.network_policy.enabled should be true", + "actualValue": "gcp_container_cluster.network_policy.enabled is false", + "issueType": "IncorrectValue", + "similarityID": "795f15265877ddd1981f22f63a763a36eb4783d2310314adf5dd0a6aeabd35ae", + "search_line": 73 }, { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 96 + "line": 96, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster5", + "searchKey": "name={{create a cluster5}}.{{google.cloud.gcp_container_cluster}}.addons_config.network_policy_config.disabled", + "searchValue": "", + "expectedValue": "gcp_container_cluster.addons_config.network_policy_config.disabled should be set to false", + "actualValue": "gcp_container_cluster.addons_config.network_policy_config.disabled is true", + "issueType": "IncorrectValue", + "similarityID": "9f34ca1a91892fd79b7fcc672bf344ea0af89d0b400532ddf75944b40ae0d159", + "search_line": 96 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json index 1e8d4e0b4e8..cb00046b4a3 100644 --- a/assets/queries/ansible/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "Node Auto Upgrade Disabled", "severity": "MEDIUM", - "line": 3 + "line": 3, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_node_pool", + "resourceName": "create a node pool", + "searchKey": "name={{create a node pool}}.{{google.cloud.gcp_container_node_pool}}", + "searchValue": "", + "expectedValue": "gcp_container_node_pool.management should be defined", + "actualValue": "gcp_container_node_pool.management is undefined", + "issueType": "MissingAttribute", + "similarityID": "30b164e770fd544547d8d21a28e3a0e995e142a59a5124a279c22e520756edd6", + "search_line": -1 }, { "queryName": "Node Auto Upgrade Disabled", "severity": "MEDIUM", - "line": 22 + "line": 22, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_node_pool", + "resourceName": "create a second node pool", + "searchKey": "name={{create a second node pool}}.{{google.cloud.gcp_container_node_pool}}.management", + "searchValue": "", + "expectedValue": "gcp_container_node_pool.management.auto_upgrade should be defined", + "actualValue": "gcp_container_node_pool.management.auto_upgrade is undefined", + "issueType": "MissingAttribute", + "similarityID": "a934dc6142332c81a1f9e1957d7c33fe2d73bffb936f2c05c803ba53962819b6", + "search_line": -1 }, { "queryName": "Node Auto Upgrade Disabled", "severity": "MEDIUM", - "line": 36 + "line": 36, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_node_pool", + "resourceName": "create a third node pool", + "searchKey": "name={{create a third node pool}}.{{google.cloud.gcp_container_node_pool}}.management.auto_upgrade", + "searchValue": "", + "expectedValue": "gcp_container_node_pool.management.auto_upgrade should be true", + "actualValue": "gcp_container_node_pool.management.auto_upgrade is false", + "issueType": "IncorrectValue", + "similarityID": "76139c31160692548ca5b1a29edf1813a23bb59623f28d32dc710b74e12f5236", + "search_line": -1 } -] \ No newline at end of 
file +] diff --git a/assets/queries/ansible/gcp/oslogin_is_disabled_for_vm_instance/test/positive_expected_result.json b/assets/queries/ansible/gcp/oslogin_is_disabled_for_vm_instance/test/positive_expected_result.json index 489e34a7d20..b02d6f9b5b0 100644 --- a/assets/queries/ansible/gcp/oslogin_is_disabled_for_vm_instance/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/oslogin_is_disabled_for_vm_instance/test/positive_expected_result.json @@ -1,7 +1,17 @@ [ - { - "queryName": "OSLogin Is Disabled In VM Instance", - "severity": "MEDIUM", - "line": 4 - } + { + "queryName": "OSLogin Is Disabled In VM Instance", + "severity": "MEDIUM", + "line": 4, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "oslogin-disabled", + "searchKey": "name={{oslogin-disabled}}.{{google.cloud.gcp_compute_instance}}.metadata.enable-oslogin", + "searchValue": "", + "expectedValue": "gcp_compute_instance.metadata.enable-oslogin should be true", + "actualValue": "gcp_compute_instance.metadata.enable-oslogin is false", + "issueType": "IncorrectValue", + "similarityID": "a998f2616219301e8f28207a45463e80fcb4793c6a3f0a3f0f6dd410085d7129", + "search_line": -1 + } ] diff --git a/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/test/positive_expected_result.json b/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/test/positive_expected_result.json index f8fa12d454b..a2a90faffe1 100644 --- a/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on/test/positive_expected_result.json 
@@ -1,12 +1,32 @@ [ - { - "queryName": "PostgreSQL log_checkpoints Flag Not Set To ON", - "severity": "MEDIUM", - "line": 5 - }, - { - "queryName": "PostgreSQL log_checkpoints Flag Not Set To ON", - "severity": "MEDIUM", - "line": 16 - } + { + "queryName": "PostgreSQL log_checkpoints Flag Not Set To ON", + "severity": "MEDIUM", + "line": 5, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "create instance", + "searchKey": "name={{create instance}}.{{google.cloud.gcp_sql_instance}}.settings.databaseFlags", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.databaseFlags should have 'log_checkpoints' flag set to 'on'", + "actualValue": "gcp_sql_instance.settings.databaseFlags has 'log_checkpoints' flag set to 'off'", + "issueType": "IncorrectValue", + "similarityID": "ed50766e47e2af6e1ec23de0cdf27883a49eeee47451729e065267b7ec4c7d6b", + "search_line": -1 + }, + { + "queryName": "PostgreSQL log_checkpoints Flag Not Set To ON", + "severity": "MEDIUM", + "line": 16, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "create another instance", + "searchKey": "name={{create another instance}}.{{google.cloud.gcp_sql_instance}}", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.databaseFlags should be defined", + "actualValue": "gcp_sql_instance.settings.databaseFlags is not defined", + "issueType": "MissingAttribute", + "similarityID": "109d678b962f49c12cd3c4e4781050f9549cb8f5c436dd53b384d2efc0438654", + "search_line": -1 + } ] diff --git a/assets/queries/ansible/gcp/postgresql_log_connections_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/postgresql_log_connections_disabled/test/positive_expected_result.json index 6cd81a17bd4..5b53b94d951 100644 --- a/assets/queries/ansible/gcp/postgresql_log_connections_disabled/test/positive_expected_result.json 
+++ b/assets/queries/ansible/gcp/postgresql_log_connections_disabled/test/positive_expected_result.json @@ -2,11 +2,31 @@ { "queryName": "PostgreSQL Log Connections Disabled", "severity": "MEDIUM", - "line": 5 + "line": 5, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "create instance", + "searchKey": "name={{create instance}}.{{google.cloud.gcp_sql_instance}}.settings.databaseFlags", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.databaseFlags should have 'log_connections' flag set to 'on'", + "actualValue": "gcp_sql_instance.settings.databaseFlags has 'log_connections' flag set to 'off'", + "issueType": "IncorrectValue", + "similarityID": "62caa46c25304d1acf0469f6b40117515a6fc89a162c1827f558b1a600475544", + "search_line": -1 }, { "queryName": "PostgreSQL Log Connections Disabled", "severity": "MEDIUM", - "line": 16 + "line": 16, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "create another instance", + "searchKey": "name={{create another instance}}.{{google.cloud.gcp_sql_instance}}", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.databaseFlags should be defined", + "actualValue": "gcp_sql_instance.settings.databaseFlags is not defined", + "issueType": "MissingAttribute", + "similarityID": "9dd7f620cba4d637c5a9eb1bfcf4c5072141f68950d18a89a9f85946500ebe84", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/postgresql_logging_of_temporary_files_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/postgresql_logging_of_temporary_files_disabled/test/positive_expected_result.json index 176293e62bf..7556724bc49 100644 --- a/assets/queries/ansible/gcp/postgresql_logging_of_temporary_files_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/postgresql_logging_of_temporary_files_disabled/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "PostgreSQL Logging Of Temporary Files Disabled", "severity": "LOW", - "line": 10 + "line": 10, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "sql_instance", + "searchKey": "name={{sql_instance}}.{{google.cloud.gcp_sql_instance}}.settings.database_flags", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.database_flags should set the log_temp_files to 0", + "actualValue": "gcp_sql_instance.settings.database_flags doesn't set the log_temp_files to 0", + "issueType": "IncorrectValue", + "similarityID": "0100e53f5d3994a5c3129041dc4b10738453e8940506ac834a394fc54ed3592e", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/postgresql_misconfigured_log_messages_flag/test/positive_expected_result.json b/assets/queries/ansible/gcp/postgresql_misconfigured_log_messages_flag/test/positive_expected_result.json index 58a65f3141f..c3c48944091 100644 --- a/assets/queries/ansible/gcp/postgresql_misconfigured_log_messages_flag/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/postgresql_misconfigured_log_messages_flag/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "PostgreSQL Misconfigured Log Messages Flag", "severity": "LOW", - "line": 11 + "line": 11, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "sql_instance", + "searchKey": "name={{sql_instance}}.{{google.cloud.gcp_sql_instance}}.settings.database_flags.log_min_messages", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.database_flags should set 'log_min_messages' to a valid value", + "actualValue": "gcp_sql_instance.settings.database_flags doesn't set 'log_min_messages' to a valid value", + "issueType": "IncorrectValue", + "similarityID": "53eca9efb79d6a1ded0d77c99c2dd876f4e16f115ff7a25ba401649c67709511", + "search_line": -1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/ansible/gcp/postgresql_misconfigured_logging_duration_flag/test/positive_expected_result.json b/assets/queries/ansible/gcp/postgresql_misconfigured_logging_duration_flag/test/positive_expected_result.json index 2032e1d2680..259bce5b852 100644 --- a/assets/queries/ansible/gcp/postgresql_misconfigured_logging_duration_flag/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/postgresql_misconfigured_logging_duration_flag/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "PostgreSQL Misconfigured Logging Duration Flag", "severity": "LOW", - "line": 10 + "line": 10, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "sql_instance", + "searchKey": "name={{sql_instance}}.{{google.cloud.gcp_sql_instance}}.settings.database_flags", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.database_flags should set the log_min_duration_statement to -1", + "actualValue": "gcp_sql_instance.settings.database_flags doesn't set the log_min_duration_statement to -1", + "issueType": "IncorrectValue", + "similarityID": "29e0202459140c0f0859ce4899924c4820561b61dadd43e1f462410267f64c3a", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/private_cluster_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/private_cluster_disabled/test/positive_expected_result.json index 689ed5ffc81..82789b8397d 100644 --- a/assets/queries/ansible/gcp/private_cluster_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/private_cluster_disabled/test/positive_expected_result.json 
@@ -2,26 +2,76 @@ { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 2 + "line": 2, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster1", + "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", + "searchValue": "", + "expectedValue": "gcp_container_cluster.private_cluster_config should be defined", + "actualValue": "gcp_container_cluster.private_cluster_config is undefined", + "issueType": "MissingAttribute", + "similarityID": "7d02b7f4dd32a0231d2ed1d6649b6f16240dc9e68ce6013f466c25b9f36a4283", + "search_line": -1 }, { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 31 + "line": 31, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster2", + "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.private_cluster_config", + "searchValue": "", + "expectedValue": "gcp_container_cluster.private_cluster_config.enable_private_nodes should be defined", + "actualValue": "gcp_container_cluster.private_cluster_config.enable_private_nodes is undefined", + "issueType": "MissingAttribute", + "similarityID": "efbd55674b4d2359fdf6a32ba6bb3e294db411f21aef874d0e70255b5067a0be", + "search_line": -1 }, { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 48 + "line": 48, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster3", + "searchKey": "name={{create a cluster3}}.{{google.cloud.gcp_container_cluster}}.private_cluster_config", + "searchValue": "", + "expectedValue": "gcp_container_cluster.private_cluster_config.enable_private_endpoint should be defined", + "actualValue": "gcp_container_cluster.private_cluster_config.enable_private_endpoint is undefined", + "issueType": "MissingAttribute", + "similarityID": 
"a705c0e79ce4ad7b19e498ccb4e2ae9b28423309006ab80ec9b573ae8ca58370", + "search_line": -1 }, { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 66 + "line": 66, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster4", + "searchKey": "name={{create a cluster4}}.{{google.cloud.gcp_container_cluster}}.private_cluster_config.enable_private_endpoint", + "searchValue": "", + "expectedValue": "gcp_container_cluster.private_cluster_config.enable_private_endpoint should be true", + "actualValue": "gcp_container_cluster.private_cluster_config.enable_private_endpoint is false", + "issueType": "IncorrectValue", + "similarityID": "cfdb3b13834e9c66ba210794e81ea386383d5cf0071473a8c7acbeb2deed16da", + "search_line": -1 }, { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 85 + "line": 85, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster5", + "searchKey": "name={{create a cluster5}}.{{google.cloud.gcp_container_cluster}}.private_cluster_config.enable_private_nodes", + "searchValue": "", + "expectedValue": "gcp_container_cluster.private_cluster_config.enable_private_nodes should be true", + "actualValue": "gcp_container_cluster.private_cluster_config.enable_private_nodes is false", + "issueType": "IncorrectValue", + "similarityID": "5f7100f8d9271cbaae52288f575bd2572829891a1b919a7a752c600302856818", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json b/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json index 13ca90f5f99..3ae32302126 100644 --- a/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json 
+++ b/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json 
@@ -1,17 +1,47 @@ [ - { - "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", - "severity": "MEDIUM", - "line": 4 - }, - { - "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", - "severity": "MEDIUM", - "line": 9 - }, - { - "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", - "severity": "MEDIUM", - "line": 15 - } + { + "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", + "severity": "MEDIUM", + "line": 4, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "ssh_keys_unblocked", + "searchKey": "name={{ssh_keys_unblocked}}.{{google.cloud.gcp_compute_instance}}.metadata.block-project-ssh-keys", + "searchValue": "", + "expectedValue": "gcp_compute_instance.metadata.block-project-ssh-keys should be true", + "actualValue": "gcp_compute_instance.metadata.block-project-ssh-keys is false", + "issueType": "IncorrectValue", + "similarityID": "522028039ece31e652ed60f40db4e7f4a975d7c5d5f5355dca173892f0c0f4aa", + "search_line": -1 + }, + { + "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", + "severity": "MEDIUM", + "line": 9, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "ssh_keys_missing", + "searchKey": "name={{ssh_keys_missing}}.{{google.cloud.gcp_compute_instance}}.metadata", + "searchValue": "", + "expectedValue": "gcp_compute_instance.metadata.block-project-ssh-keys should be set to true", + "actualValue": "gcp_compute_instance.metadata.block-project-ssh-keys is undefined", + "issueType": "MissingAttribute", + "similarityID": "7caf13daeee207a2858a7335073d97a546ca7b3fd3b96b74453f315d01a37f60", + "search_line": -1 + }, + { + "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", + "severity": "MEDIUM", + "line": 15, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "no_metadata", + "searchKey": 
"name={{no_metadata}}.{{google.cloud.gcp_compute_instance}}", + "searchValue": "", + "expectedValue": "gcp_compute_instance.metadata should be set", + "actualValue": "gcp_compute_instance.metadata is undefined", + "issueType": "MissingAttribute", + "similarityID": "a49caab94bd8192a564cecc1d7bc177616bf1e339e7e15b318fe7c7938ff6558", + "search_line": -1 + } ] diff --git a/assets/queries/ansible/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json b/assets/queries/ansible/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json index 54fdcecba5f..a140035eb74 100644 --- a/assets/queries/ansible/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "RDP Access Is Not Restricted", "severity": "HIGH", - "line": 8 + "line": 8, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_firewall", + "resourceName": "rdp_in_range", + "searchKey": "name={{rdp_in_range}}.{{google.cloud.gcp_compute_firewall}}.allowed.ip_protocol=tcp.ports", + "searchValue": "", + "expectedValue": "gcp_compute_firewall.allowed.ip_protocol=tcp.ports shouldn't contain RDP port (3389) with unrestricted ingress traffic", + "actualValue": "gcp_compute_firewall.allowed.ip_protocol=tcp.ports contain RDP port (3389) with unrestricted ingress traffic", + "issueType": "IncorrectValue", + "similarityID": "6553780f25947ff777226dbf02d441b5a48a0307d2b1ee719159ea41b594f256", + "search_line": -1 }, { "queryName": "RDP Access Is Not Restricted", "severity": "HIGH", - "line": 29 + "line": 29, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_firewall", + "resourceName": "rdp_in_port", + "searchKey": "name={{rdp_in_port}}.{{google.cloud.gcp_compute_firewall}}.allowed.ip_protocol=tcp.ports", + "searchValue": "", + "expectedValue": "gcp_compute_firewall.allowed.ip_protocol=tcp.ports shouldn't contain RDP port (3389) with unrestricted ingress traffic", + "actualValue": "gcp_compute_firewall.allowed.ip_protocol=tcp.ports contain RDP port (3389) with unrestricted ingress traffic", + "issueType": "IncorrectValue", + "similarityID": "a6c88547a338bca54e9b37eb0e12db21a28244b676f6bc683f9699b8b532835e", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/test/positive_expected_result.json b/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/test/positive_expected_result.json index b24c967c2c6..02db8ef749f 100644 --- a/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/test/positive_expected_result.json 
+++ b/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances/test/positive_expected_result.json @@ -1,7 +1,17 @@ [ - { - "queryName": "Serial Ports Are Enabled For VM Instances", - "severity": "MEDIUM", - "line": 4 - } + { + "queryName": "Serial Ports Are Enabled For VM Instances", + "severity": "MEDIUM", + "line": 4, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "serial_enabled", + "searchKey": "name={{serial_enabled}}.{{google.cloud.gcp_compute_instance}}.metadata.serial-port-enable", + "searchValue": "", + "expectedValue": "gcp_compute_instance.metadata.serial-port-enable should be undefined or set to false", + "actualValue": "gcp_compute_instance.metadata.serial-port-enable is set to true", + "issueType": "IncorrectValue", + "similarityID": "52a89585fa1ab03041b3f601372bee322e2bb98439e1ad4faeb42de876bb370a", + "search_line": -1 + } ] diff --git a/assets/queries/ansible/gcp/shielded_vm_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/shielded_vm_disabled/test/positive_expected_result.json index eca3f4bb68b..4cf3eb7fbd9 100644 --- a/assets/queries/ansible/gcp/shielded_vm_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/shielded_vm_disabled/test/positive_expected_result.json 
@@ -2,36 +2,106 @@ { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 3 + "line": 3, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance1", + "searchKey": "name={{create a instance1}}.{{google.cloud.gcp_compute_instance}}", + "searchValue": "", + "expectedValue": "gcp_compute_instance.shielded_instance_config should be defined", + "actualValue": "gcp_compute_instance.shielded_instance_config is undefined", + "issueType": "MissingAttribute", + "similarityID": "117f866351f681e8f8cc900d8b5729ffe10eaa13cee9dcb7b4057485c8f5240c", + "search_line": -1 }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 42 + "line": 42, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance2", + "searchKey": "name={{create a instance2}}.{{google.cloud.gcp_compute_instance}}.shielded_instance_config", + "searchValue": "", + "expectedValue": "gcp_compute_instance.shielded_instance_config.enable_integrity_monitoring should be defined", + "actualValue": "gcp_compute_instance.shielded_instance_config.enable_integrity_monitoring is undefined", + "issueType": "MissingAttribute", + "similarityID": "8c227524812e46e846d974eb320c7840fdcfe6fce8ed4bd761b545f2318e0297", + "search_line": -1 }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 65 + "line": 65, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance3", + "searchKey": "name={{create a instance3}}.{{google.cloud.gcp_compute_instance}}.shielded_instance_config", + "searchValue": "", + "expectedValue": "gcp_compute_instance.shielded_instance_config.enable_secure_boot should be defined", + "actualValue": "gcp_compute_instance.shielded_instance_config.enable_secure_boot is undefined", + "issueType": "MissingAttribute", + "similarityID": 
"b417b9624639d35cbca54c122fbbfeb690c3f61f2318042df14cbe1279b92782", + "search_line": -1 }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 88 + "line": 88, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance4", + "searchKey": "name={{create a instance4}}.{{google.cloud.gcp_compute_instance}}.shielded_instance_config", + "searchValue": "", + "expectedValue": "gcp_compute_instance.shielded_instance_config.enable_vtpm should be defined", + "actualValue": "gcp_compute_instance.shielded_instance_config.enable_vtpm is undefined", + "issueType": "MissingAttribute", + "similarityID": "5d6e12917123f85a34467bb7a996f7acfbf3a8b3af0cca5d367cf015cbf1fc4b", + "search_line": -1 }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 112 + "line": 112, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance5", + "searchKey": "name={{create a instance5}}.{{google.cloud.gcp_compute_instance}}.shielded_instance_config.enable_integrity_monitoring", + "searchValue": "", + "expectedValue": "gcp_compute_instance.shielded_instance_config.enable_integrity_monitoring should be true", + "actualValue": "gcp_compute_instance.shielded_instance_config.enable_integrity_monitoring is false", + "issueType": "IncorrectValue", + "similarityID": "e2355129e81321b10d88710ce6f351474fa69e76cd3c23f80ea38cfa5320e5c2", + "search_line": -1 }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 137 + "line": 137, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance6", + "searchKey": "name={{create a instance6}}.{{google.cloud.gcp_compute_instance}}.shielded_instance_config.enable_secure_boot", + "searchValue": "", + "expectedValue": "gcp_compute_instance.shielded_instance_config.enable_secure_boot should be true", + "actualValue": 
"gcp_compute_instance.shielded_instance_config.enable_secure_boot is false", + "issueType": "IncorrectValue", + "similarityID": "35cc1f104fac7cad30a0edbfc632b3940d0aab62c883e6c6886639bd77d6bcad", + "search_line": -1 }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 162 + "line": 162, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance7", + "searchKey": "name={{create a instance7}}.{{google.cloud.gcp_compute_instance}}.shielded_instance_config.enable_vtpm", + "searchValue": "", + "expectedValue": "gcp_compute_instance.shielded_instance_config.enable_vtpm should be true", + "actualValue": "gcp_compute_instance.shielded_instance_config.enable_vtpm is false", + "issueType": "IncorrectValue", + "similarityID": "ade394d15452df876283ac3133f95744dd126010b81735ee4286f5d265f24cd2", + "search_line": -1 } ] diff --git a/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json index 4beca497fd1..8a66df8a528 100644 --- a/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json 
@@ -2,21 +2,61 @@ { "queryName": "SQL DB Instance Backup Disabled", "severity": "MEDIUM", - "line": 3 + "line": 3, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "create a instance", + "searchKey": "name={{create a instance}}.{{google.cloud.gcp_sql_instance}}", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings should be defined", + "actualValue": "gcp_sql_instance.settings is undefined", + "issueType": "MissingAttribute", + "similarityID": "66f80a32ff25d73d161c3a39f88cbb69e84561e160a980ed1ee3be49cea12dc3", + "search_line": -1 }, { "queryName": "SQL DB Instance Backup Disabled", "severity": "MEDIUM", - "line": 13 + "line": 13, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "create a second instance", + "searchKey": "name={{create a second instance}}.{{google.cloud.gcp_sql_instance}}.settings", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.backup_configuration should be defined", + "actualValue": "gcp_sql_instance.settings.backup_configuration is undefined", + "issueType": "MissingAttribute", + "similarityID": "313ff23604269195f538736354bff96ab8c79fda8fe04b90c96ae63e61cc14e2", + "search_line": -1 }, { "queryName": "SQL DB Instance Backup Disabled", "severity": "MEDIUM", - "line": 24 + "line": 24, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "create a third instance", + "searchKey": "name={{create a third instance}}.{{google.cloud.gcp_sql_instance}}.settings.backup_configuration", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.backup_configuration.enabled should be defined", + "actualValue": "gcp_sql_instance.settings.backup_configuration.enabled is undefined", + "issueType": "MissingAttribute", + "similarityID": "d92b75c617591c3c86b4386bd2a1a1459c3b60ee65ad5bfee5947e24c7766276", + "search_line": -1 }, { "queryName": "SQL DB Instance Backup Disabled", 
"severity": "MEDIUM", - "line": 38 + "line": 38, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "create a forth instance", + "searchKey": "name={{create a forth instance}}.{{google.cloud.gcp_sql_instance}}.settings.backup_configuration.enabled", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.backup_configuration.require_ssl should be true", + "actualValue": "gcp_sql_instance.settings.backup_configuration.require_ssl is false", + "issueType": "IncorrectValue", + "similarityID": "d966e439bc52ef01af16d271231fbca8d0d637fbd61d46d6c73b2921d31e9adb", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/ansible/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json index 895e3ab0522..d49b2a8620d 100644 --- a/assets/queries/ansible/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json 
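Review bot: The fourth entry of sql_db_instance_backup_disabled/test/positive_expected_result.json asserts `"expectedValue": "gcp_sql_instance.settings.backup_configuration.require_ssl should be true"` and `"actualValue": "gcp_sql_instance.settings.backup_configuration.require_ssl is false"`, although its searchKey points at `settings.backup_configuration.enabled` and the query is about backups, not SSL. The wording matches the sql_db_instance_with_ssl_disabled fixture later in this diff, so it looks like a message copied between the two queries, and regenerating the fixture now freezes the misleading text into the regression suite. The correction belongs in the query's result message rather than in this file; I would expect `gcp_sql_instance.settings.backup_configuration.enabled should be true` / `is false`, followed by regenerating this fixture.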
@@ -2,16 +2,46 @@ { "queryName": "SQL DB Instance Publicly Accessible", "severity": "CRITICAL", - "line": 12 + "line": 12, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "sql_instance", + "searchKey": "name={{sql_instance}}.{{google.cloud.gcp_sql_instance}}.settings.ip_configuration.authorized_networks.name={{google dns server}}.value", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.ip_configuration.authorized_networks.name={{google dns server}}.value address should be trusted", + "actualValue": "gcp_sql_instance.settings.ip_configuration.authorized_networks.name={{google dns server}}.value address is not restricted: '0.0.0.0'", + "issueType": "IncorrectValue", + "similarityID": "55e0c3a317d9259387f57951e485aaff9f51bb10321139af30246028e73dd972", + "search_line": -1 }, { "queryName": "SQL DB Instance Publicly Accessible", "severity": "CRITICAL", - "line": 24 + "line": 24, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "sql_instance2", + "searchKey": "name={{sql_instance2}}.{{google.cloud.gcp_sql_instance}}.settings.ip_configuration.ipv4_enabled", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.ip_configuration.ipv4_enabled should be disabled when there are no authorized networks", + "actualValue": "gcp_sql_instance.settings.ip_configuration.ipv4_enabled is enabled when there are no authorized networks", + "issueType": "IncorrectValue", + "similarityID": "1f96778e0644e21e91e673282a0d5c7580b333429ca242b3dc49f554c8a2875e", + "search_line": -1 }, { "queryName": "SQL DB Instance Publicly Accessible", "severity": "CRITICAL", - "line": 34 + "line": 34, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "sql_instance3", + "searchKey": "name={{sql_instance3}}.{{google.cloud.gcp_sql_instance}}.settings", + "searchValue": "", + "expectedValue": 
"gcp_sql_instance.settings.ip_configuration should be defined and allow only trusted networks", + "actualValue": "gcp_sql_instance.settings.ip_configuration is undefined", + "issueType": "MissingAttribute", + "similarityID": "952b453a67327000d906f3fecec4c006d3b636bc32f24fe2b0fb014557084f09", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json index f57970923b9..dbe7dd2eb29 100644 --- a/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json 
@@ -2,21 +2,61 @@ { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", - "line": 3 + "line": 3, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "create a instance", + "searchKey": "name={{create a instance}}.{{google.cloud.gcp_sql_instance}}", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings should be defined", + "actualValue": "gcp_sql_instance.settings is undefined", + "issueType": "MissingAttribute", + "similarityID": "0440320c0c34a64935f85a283e6e2ad2850ed51c79248bc5496cf06e8a3dcaf3", + "search_line": -1 }, { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", - "line": 13 + "line": 13, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "create a second instance", + "searchKey": "name={{create a second instance}}.{{google.cloud.gcp_sql_instance}}.settings", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.ip_configuration should be defined", + "actualValue": "gcp_sql_instance.settings.ip_configuration is undefined", + "issueType": "MissingAttribute", + "similarityID": "6503420339b4bed2ccf6a81d9e18d96a7e186e26c3ad534ac3a19aa4467afaa4", + "search_line": -1 }, { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", - "line": 24 + "line": 24, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "create a third instance", + "searchKey": "name={{create a third instance}}.{{google.cloud.gcp_sql_instance}}.settings.ip_configuration", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.ip_configuration.require_ssl should be defined", + "actualValue": "gcp_sql_instance.settings.ip_configuration.require_ssl is undefined", + "issueType": "MissingAttribute", + "similarityID": "2cf30fb532fd1e06a7a47cd85957f3f088127593742fb5b3137297f40baa89eb", + "search_line": -1 }, { "queryName": "SQL DB Instance With SSL Disabled", "severity": 
"HIGH", - "line": 39 + "line": 39, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_sql_instance", + "resourceName": "create a forth instance", + "searchKey": "name={{create a forth instance}}.{{google.cloud.gcp_sql_instance}}.settings.ip_configuration.require_ssl", + "searchValue": "", + "expectedValue": "gcp_sql_instance.settings.ip_configuration.require_ssl should be true", + "actualValue": "gcp_sql_instance.settings.ip_configuration.require_ssl is false", + "issueType": "IncorrectValue", + "similarityID": "284fa53a0316efb3f27bbcb6c087597c0324a2a488c43a6b72d3f68e1f51a4c5", + "search_line": -1 } ] diff --git a/assets/queries/ansible/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json b/assets/queries/ansible/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json index 87ae2e25edb..b1a7e9b44ca 100644 --- a/assets/queries/ansible/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "SSH Access Is Not Restricted", "severity": "MEDIUM", - "line": 6 + "line": 6, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_firewall", + "resourceName": "ssh_unrestricted", + "searchKey": "name={{ssh_unrestricted}}.{{google.cloud.gcp_compute_firewall}}.allowed.ip_protocol=tcp.ports", + "searchValue": "", + "expectedValue": "gcp_compute_firewall.allowed.ip_protocol=tcp.ports shouldn't contain SSH port (22) with unrestricted ingress traffic", + "actualValue": "gcp_compute_firewall.allowed.ip_protocol=tcp.ports contain SSH port (22) with unrestricted ingress traffic", + "issueType": "IncorrectValue", + "similarityID": "758a56bce1cf963f4fb8cb6f03fc8f047ec2682b3b3dd261e26ed62e2c86c861", + "search_line": -1 } ] 
diff --git a/assets/queries/ansible/gcp/stackdriver_logging_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/stackdriver_logging_disabled/test/positive_expected_result.json index 73738c59a3a..a08908fc970 100644 --- a/assets/queries/ansible/gcp/stackdriver_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/stackdriver_logging_disabled/test/positive_expected_result.json @@ -2,11 +2,31 @@ { "queryName": "Stackdriver Logging Disabled", "severity": "MEDIUM", - "line": 3 + "line": 3, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster1", + "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", + "searchValue": "", + "expectedValue": "gcp_container_cluster.logging_service should be defined", + "actualValue": "gcp_container_cluster.logging_service is undefined", + "issueType": "MissingAttribute", + "similarityID": "2c0788f623c2137282510b63f7f0a843f1d482320d3d6ca9175852979d16d260", + "search_line": -1 }, { "queryName": "Stackdriver Logging Disabled", "severity": "MEDIUM", - "line": 32 + "line": 32, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster2", + "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.logging_service", + "searchValue": "", + "expectedValue": "gcp_container_cluster.logging_service should not be 'none'", + "actualValue": "gcp_container_cluster.logging_service is 'none'", + "issueType": "IncorrectValue", + "similarityID": "088eae579cc0d77b482e34bb469814e2717131fef21022ac5493987ec3cd1000", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json b/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json index 325445d9111..47fe1ed087e 100644 
--- a/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json @@ -2,11 +2,31 @@ { "queryName": "Stackdriver Monitoring Disabled", "severity": "MEDIUM", - "line": 3 + "line": 3, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster1", + "searchKey": "name={{create a cluster1}}.{{google.cloud.gcp_container_cluster}}", + "searchValue": "", + "expectedValue": "gcp_container_cluster.monitoring_service should be defined", + "actualValue": "gcp_container_cluster.monitoring_service is undefined", + "issueType": "MissingAttribute", + "similarityID": "501a24ac1ec7c6bad4b6ae88d801594b5a88cdfc2a07d53e6413f304b64ce3bd", + "search_line": -1 }, { "queryName": "Stackdriver Monitoring Disabled", "severity": "MEDIUM", - "line": 32 + "line": 32, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_container_cluster", + "resourceName": "create a cluster2", + "searchKey": "name={{create a cluster2}}.{{google.cloud.gcp_container_cluster}}.monitoring_service", + "searchValue": "", + "expectedValue": "gcp_container_cluster.monitoring_service should not be 'none'", + "actualValue": "gcp_container_cluster.monitoring_service is 'none'", + "issueType": "IncorrectValue", + "similarityID": "183c31a1643024abf58818920372a4140878e8df3f5ee1171a2de16ce287d2c0", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/gcp/using_default_service_account/test/positive_expected_result.json b/assets/queries/ansible/gcp/using_default_service_account/test/positive_expected_result.json index 8c434d44683..b3f752e4cde 100644 --- a/assets/queries/ansible/gcp/using_default_service_account/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/using_default_service_account/test/positive_expected_result.json 
@@ -1,22 +1,62 @@ [ - { - "queryName": "Using Default Service Account", - "severity": "MEDIUM", - "line": 3 - }, - { - "queryName": "Using Default Service Account", - "severity": "MEDIUM", - "line": 57 - }, - { - "queryName": "Using Default Service Account", - "severity": "MEDIUM", - "line": 86 - }, - { - "queryName": "Using Default Service Account", - "severity": "MEDIUM", - "line": 115 - } + { + "queryName": "Using Default Service Account", + "severity": "MEDIUM", + "line": 3, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance1", + "searchKey": "name={{create a instance1}}.{{google.cloud.gcp_compute_instance}}", + "searchValue": "", + "expectedValue": "gcp_compute_instance.service_account_email should be defined", + "actualValue": "gcp_compute_instance.service_account_email is undefined", + "issueType": "MissingAttribute", + "similarityID": "c4a95efda7565da58d03e5738b29bd29f5efdcf1b2cb083cd13b235481ae6057", + "search_line": -1 + }, + { + "queryName": "Using Default Service Account", + "severity": "MEDIUM", + "line": 57, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance2", + "searchKey": "name={{create a instance2}}.{{google.cloud.gcp_compute_instance}}.service_account_email", + "searchValue": "", + "expectedValue": "gcp_compute_instance.service_account_email should not be empty", + "actualValue": "gcp_compute_instance.service_account_email is empty", + "issueType": "IncorrectValue", + "similarityID": "924b0ae7e150caa6a09d4429a693febd143fb20ac36ebfc4e652408d7a8200f4", + "search_line": -1 + }, + { + "queryName": "Using Default Service Account", + "severity": "MEDIUM", + "line": 86, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance3", + "searchKey": "name={{create a instance3}}.{{google.cloud.gcp_compute_instance}}.service_account_email", + 
"searchValue": "", + "expectedValue": "gcp_compute_instance.service_account_email should be an email", + "actualValue": "gcp_compute_instance.service_account_email is not an email", + "issueType": "IncorrectValue", + "similarityID": "a46b5e48d7bc178f3c4271005e405856a630a6004ba92559d72e6afd040b419e", + "search_line": -1 + }, + { + "queryName": "Using Default Service Account", + "severity": "MEDIUM", + "line": 115, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance4", + "searchKey": "name={{create a instance4}}.{{google.cloud.gcp_compute_instance}}.service_account_email", + "searchValue": "", + "expectedValue": "gcp_compute_instance.service_account_email should not be a default Google Compute Engine service account", + "actualValue": "gcp_compute_instance.service_account_email is a default Google Compute Engine service account", + "issueType": "IncorrectValue", + "similarityID": "bb1839bcef70b1da342d0fde04dc28662ebaa8a165aeaddc1d37ce1df852efaa", + "search_line": -1 + } ] diff --git a/assets/queries/ansible/gcp/vm_with_full_cloud_access/test/positive_expected_result.json b/assets/queries/ansible/gcp/vm_with_full_cloud_access/test/positive_expected_result.json index ace8a7b988f..40ce909102a 100644 --- a/assets/queries/ansible/gcp/vm_with_full_cloud_access/test/positive_expected_result.json +++ b/assets/queries/ansible/gcp/vm_with_full_cloud_access/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "VM With Full Cloud Access", "severity": "MEDIUM", - "line": 7 + "line": 7, + "fileName": "positive.yaml", + "resourceType": "google.cloud.gcp_compute_instance", + "resourceName": "create a instance", + "searchKey": "name={{create a instance}}.{{google.cloud.gcp_compute_instance}}.service_accounts", + "searchValue": "", + "expectedValue": "gcp_compute_instance.service_accounts.scopes should not contain 'cloud-platform'", + "actualValue": "gcp_compute_instance.service_accounts.scopes contains 'cloud-platform'", + "issueType": "IncorrectValue", + "similarityID": "a22aea8747cf76a885ee832d89ab46a692ba24feb6efa8501265bc0de9cebf49", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/ansible/general/communication_over_http/test/positive_expected_result.json b/assets/queries/ansible/general/communication_over_http/test/positive_expected_result.json index 82b40927d37..696bb51c730 100644 --- a/assets/queries/ansible/general/communication_over_http/test/positive_expected_result.json +++ b/assets/queries/ansible/general/communication_over_http/test/positive_expected_result.json @@ -1,8 +1,17 @@ [ - { - "queryName": "Communication Over HTTP", - "severity": "MEDIUM", - "line": 6, - "filename": "positive1.yaml" - } -] \ No newline at end of file + { + "queryName": "Communication Over HTTP", + "severity": "MEDIUM", + "line": 6, + "fileName": "positive1.yaml", + "resourceType": "ansible.builtin.uri", + "resourceName": "Verificar o status do site", + "searchKey": "name={{Verificar o status do site}}.{{ansible.builtin.uri}}.url", + "searchValue": "", + "expectedValue": "ansible.builtin.uri.url should be accessed via the HTTPS protocol", + "actualValue": "ansible.builtin.uri.url is accessed via the HTTP protocol'", + "issueType": "IncorrectValue", + "similarityID": "d34e875c990392aa46227141581e84e8c98ac53752024edbd29d622e81752998", + "search_line": -1 + } +] 
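Review bot: The communication_over_http fixture freezes a stray trailing quote in `"actualValue": "ansible.builtin.uri.url is accessed via the HTTP protocol'"`. The generator presumably records the scanner's output verbatim, so the typo originates in the query's result message; fixing it there and regenerating should yield `"actualValue": "ansible.builtin.uri.url is accessed via the HTTP protocol"`. It is worth catching now, because once the message is corrected this expected-result file will fail the test until it is regenerated again.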
diff --git a/assets/queries/ansible/general/insecure_relative_path_resolution/test/positive_expected_result.json b/assets/queries/ansible/general/insecure_relative_path_resolution/test/positive_expected_result.json index d18625872a6..88a96f9e756 100644 --- a/assets/queries/ansible/general/insecure_relative_path_resolution/test/positive_expected_result.json +++ b/assets/queries/ansible/general/insecure_relative_path_resolution/test/positive_expected_result.json @@ -1,14 +1,32 @@ [ - { - "queryName": "Insecure Relative Path Resolution", - "severity": "LOW", - "line": 7, - "fileName": "positive1.yaml" - }, - { - "queryName": "Insecure Relative Path Resolution", - "severity": "LOW", - "line": 12, - "fileName": "positive1.yaml" - } + { + "queryName": "Insecure Relative Path Resolution", + "severity": "LOW", + "line": 7, + "fileName": "positive1.yaml", + "resourceType": "ansible.builtin.template", + "resourceName": "One", + "searchKey": "name={{One}}.{{ansible.builtin.template}}.src", + "searchValue": "", + "expectedValue": "ansible.builtin.template.src should not be a relative path", + "actualValue": "ansible.builtin.template.src is a relative path", + "issueType": "IncorrectValue", + "similarityID": "3d5473a5d0506edf9757368555b71a22a8dfc40023e5fe04a989bb37085161f6", + "search_line": -1 + }, + { + "queryName": "Insecure Relative Path Resolution", + "severity": "LOW", + "line": 12, + "fileName": "positive1.yaml", + "resourceType": "ansible.builtin.copy", + "resourceName": "Two", + "searchKey": "name={{Two}}.{{ansible.builtin.copy}}.src", + "searchValue": "", + "expectedValue": "ansible.builtin.copy.src should not be a relative path", + "actualValue": "ansible.builtin.copy.src is a relative path", + "issueType": "IncorrectValue", + "similarityID": "e90879bf8499dec2fec635ba0f3b5e9854acaae35524781cf5013bbd9c79608f", + "search_line": -1 + } ] 
diff --git a/assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json b/assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json index fd7f628c92d..9ed788927da 100644 --- a/assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json +++ b/assets/queries/ansible/general/logging_of_sensitive_data/test/positive_expected_result.json @@ -1,14 +1,32 @@ [ - { - "queryName": "Logging of Sensitive Data", - "severity": "LOW", - "line": 14, - "fileName": "positive1.yaml" - }, - { - "queryName": "Logging of Sensitive Data", - "severity": "LOW", - "line": 5, - "fileName": "positive2.yaml" - } -] \ No newline at end of file + { + "queryName": "Logging of Sensitive Data", + "severity": "LOW", + "line": 14, + "fileName": "positive1.yaml", + "resourceType": "ansible.builtin.user", + "resourceName": "bar", + "searchKey": "name={{bar}}.no_log", + "searchValue": "", + "expectedValue": "'no_log' should be set to 'true' in order to not expose sensitive data", + "actualValue": "'no_log' is set to false", + "issueType": "IncorrectValue", + "similarityID": "51abf6927b57dd467ce04fff36df4577f071bdb5572bf65966905cbe1d019ee9", + "search_line": -1 + }, + { + "queryName": "Logging of Sensitive Data", + "severity": "LOW", + "line": 5, + "fileName": "positive2.yaml", + "resourceType": "ansible.builtin.user", + "resourceName": "bar", + "searchKey": "name={{bar}}", + "searchValue": "", + "expectedValue": "'no_log' should be defined and set to 'true' in order to not expose sensitive data", + "actualValue": "'no_log' is not defined", + "issueType": "MissingAttribute", + "similarityID": "183e56f80bb1f3b365bae74af357068bfebdcc00742d0c3628afc93c0b1b2f3e", + "search_line": -1 + } +] 
diff --git a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json index 9f87ac0816f..f099fcd6ee6 100644 --- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json +++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json 
@@ -1,38 +1,92 @@ [ - { - "queryName": "Privilege Escalation Using Become Plugin", - "severity": "MEDIUM", - "line": 4, - "fileName": "positive1.yaml" - }, - { - "queryName": "Privilege Escalation Using Become Plugin", - "severity": "MEDIUM", - "line": 15, - "fileName": "positive1.yaml" - }, - { - "queryName": "Privilege Escalation Using Become Plugin", - "severity": "MEDIUM", - "line": 31, - "fileName": "positive1.yaml" - }, - { - "queryName": "Privilege Escalation Using Become Plugin", - "severity": "MEDIUM", - "line": 44, - "fileName": "positive1.yaml" - }, - { - "queryName": "Privilege Escalation Using Become Plugin", - "severity": "MEDIUM", - "line": 53, - "fileName": "positive1.yaml" - }, - { - "queryName": "Privilege Escalation Using Become Plugin", - "severity": "MEDIUM", - "line": 61, - "fileName": "positive1.yaml" - } -] \ No newline at end of file + { + "queryName": "Privilege Escalation Using Become Plugin", + "severity": "MEDIUM", + "line": 4, + "fileName": "positive1.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "become_user={{bar}}", + "searchValue": "", + "expectedValue": "'become' should be defined and set to 'true' in order to perform an action with bar", + "actualValue": "'become' is not defined", + "issueType": "MissingAttribute", + "similarityID": "8cf6517f331237327c182aae7c355313225bae5e7d3bd6705e1864c771156115", + "search_line": -1 + }, + { + "queryName": "Privilege Escalation Using Become Plugin", + "severity": "MEDIUM", + "line": 15, + "fileName": "positive1.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "become", + "searchValue": "", + "expectedValue": "'become' should be defined and set to 'true' in order to perform an action with root", + "actualValue": "'become' is set to 'false'", + "issueType": "MissingAttribute", + "similarityID": "0a89b1b82f1f702ca00522bec4b494513a58bac39787351704f83f00acc7e6fa", + "search_line": -1 + }, + { + "queryName": "Privilege Escalation Using Become Plugin", 
+ "severity": "MEDIUM", + "line": 31, + "fileName": "positive1.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "name={{Sample become_user}}.become_user={{foo}}", + "searchValue": "", + "expectedValue": "'become' should be defined and set to 'true' in order to perform an action with foo", + "actualValue": "'become' is not defined", + "issueType": "MissingAttribute", + "similarityID": "69e448b190e043a33bb14eb9fb31323c5f82dc9264235f39adbc36753aee5886", + "search_line": -1 + }, + { + "queryName": "Privilege Escalation Using Become Plugin", + "severity": "MEDIUM", + "line": 44, + "fileName": "positive1.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "name={{Sample become_user}}.become_user={{postgres}}.become", + "searchValue": "", + "expectedValue": "'become' should be to 'true' in order to perform an action with postgres", + "actualValue": "'become' is set to 'false'", + "issueType": "MissingAttribute", + "similarityID": "d531cd6e59488524c28027c2f998ffb6bf4f83c6c0680609072a9d887994e8f0", + "search_line": -1 + }, + { + "queryName": "Privilege Escalation Using Become Plugin", + "severity": "MEDIUM", + "line": 53, + "fileName": "positive1.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "name={{become_user with become task as false}}.become_user={{mongodb}}.become", + "searchValue": "", + "expectedValue": "'become' should be to 'true' in order to perform an action with mongodb", + "actualValue": "'become' is set to 'false'", + "issueType": "MissingAttribute", + "similarityID": "7db61dcf575267907570fe3c5748155a06a6924937b9236d39cf5f6f49329003", + "search_line": -1 + }, + { + "queryName": "Privilege Escalation Using Become Plugin", + "severity": "MEDIUM", + "line": 61, + "fileName": "positive1.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "name={{become_user without become}}.become_user={{mysql}}", + "searchValue": "", + "expectedValue": "'become' should be defined and set to 
'true' in order to perform an action with mysql",
+ "actualValue": "'become' is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "46c739ccd4c4b667e0a337a4172e37e60357ebff19f3bc729f7450d5d16d565a",
+ "search_line": -1
+ }
+]
diff --git a/assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json b/assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json
index 96a4bfa8502..7b3f296df47 100644
--- a/assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json
+++ b/assets/queries/ansible/general/risky_file_permissions/test/positive_expected_result.json
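Review bot: The entries for lines 15, 44 and 53 report `"actualValue": "'become' is set to 'false'"` yet carry `"issueType": "MissingAttribute"`, while every other entry in this file uses `MissingAttribute` only where `'become' is not defined`; a present-but-wrong value is an `IncorrectValue` by the convention the other fixtures on this page follow (e.g. the `no_log` entries). The expectedValue text for lines 44 and 53 also reads `'become' should be to 'true'`, missing "set", where the sibling entries say `should be defined and set to 'true'`. Because these fixtures are generated from the query's output, committing them as-is freezes both inconsistencies into the test baseline; the wording and issueType presumably originate in the query itself, which is not part of this diff, so the correction belongs there with the fixture regenerated afterwards.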
@@ -1,62 +1,152 @@ [ - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 5 - }, - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 13 - }, - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 17 - }, - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 25 - }, - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 29 - }, - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 38 - }, - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 46 - }, - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 55 - }, - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 64 - }, - { - "queryName": "Risky File Permissions", - "severity": "INFO", - "file": "positive1.yaml", - "line": 74 - } -] \ No newline at end of file + { + "queryName": "Risky File Permissions", + "severity": "INFO", + "line": 5, + "fileName": "positive1.yaml", + "resourceType": "ansible.builtin.file", + "resourceName": "not preserve value", + "searchKey": "name={{not preserve value}}.{{ansible.builtin.file}}", + "searchValue": "", + "expectedValue": "ansible.builtin.file does not allow setting 'preserve' value for 'mode' key", + "actualValue": "'Mode' key of ansible.builtin.file is set to 'preserve'", + "issueType": "IncorrectValue", + "similarityID": "18e99cb407b717b7779b3753aef16eb12a1edae67e77db8e988bd874142fb328", + "search_line": -1 + }, + { + "queryName": "Risky File Permissions", + "severity": "INFO", + "line": 13, + "fileName": "positive1.yaml", + "resourceType": "file", + "resourceName": "Permissions missing", + "searchKey": "name={{Permissions 
missing}}.{{file}}", + "searchValue": "", + "expectedValue": "All the permissions set in file about creating files/directories", + "actualValue": "There are some permissions missing in file and might create directory/file", + "issueType": "MissingAttribute", + "similarityID": "149f78dfd01604a8989acb49e66b89b09b2f27a41ae35e12db925574d8d57e51", + "search_line": -1 + }, + { + "queryName": "Risky File Permissions", + "severity": "INFO", + "line": 17, + "fileName": "positive1.yaml", + "resourceType": "ansible.builtin.file", + "resourceName": "Permissions missing 2x", + "searchKey": "name={{Permissions missing 2x}}.{{ansible.builtin.file}}", + "searchValue": "", + "expectedValue": "All the permissions set in ansible.builtin.file about creating files/directories", + "actualValue": "There are some permissions missing in ansible.builtin.file and might create directory/file", + "issueType": "MissingAttribute", + "similarityID": "f3459cfcb08ee2113ef28d56914b731c6115f1474bb121dd9676904369ab66f4", + "search_line": -1 + }, + { + "queryName": "Risky File Permissions", + "severity": "INFO", + "line": 25, + "fileName": "positive1.yaml", + "resourceType": "file", + "resourceName": "Permissions missing 3x", + "searchKey": "name={{Permissions missing 3x}}.{{file}}", + "searchValue": "", + "expectedValue": "All the permissions set in file about creating files/directories", + "actualValue": "There are some permissions missing in file and might create directory/file", + "issueType": "MissingAttribute", + "similarityID": "68552148e6cf06969987dce0851b9e2573fc61b50996ee0669e640b924f8a5fc", + "search_line": -1 + }, + { + "queryName": "Risky File Permissions", + "severity": "INFO", + "line": 29, + "fileName": "positive1.yaml", + "resourceType": "false", + "resourceName": "create is true", + "searchKey": "name={{create is true}}.{{ansible.builtin.lineinfile}}", + "searchValue": "", + "expectedValue": "ansible.builtin.lineinfile 'create' key should set to 'false' or 'mode' key should be 
defined", + "actualValue": "ansible.builtin.lineinfile 'create' key is set to 'true' and 'mode' key is not defined", + "issueType": "IncorrectValue", + "similarityID": "fd6d04586a81306d06aafb93834e236e72c1ae183b833a91ae3b5dabb7020fb1", + "search_line": -1 + }, + { + "queryName": "Risky File Permissions", + "severity": "INFO", + "line": 38, + "fileName": "positive1.yaml", + "resourceType": "get_url", + "resourceName": "Permissions missing 4x", + "searchKey": "name={{Permissions missing 4x}}.{{get_url}}", + "searchValue": "", + "expectedValue": "All the permissions set in get_url about creating files/directories", + "actualValue": "There are some permissions missing in get_url and might create directory/file", + "issueType": "MissingAttribute", + "similarityID": "98ae6191a96df387225fcad92b2883ef07e3beea3e98eec46da5db13cd916d71", + "search_line": -1 + }, + { + "queryName": "Risky File Permissions", + "severity": "INFO", + "line": 46, + "fileName": "positive1.yaml", + "resourceType": "false", + "resourceName": "create is true 2x", + "searchKey": "name={{create is true 2x}}.{{ansible.builtin.lineinfile}}", + "searchValue": "", + "expectedValue": "ansible.builtin.lineinfile 'create' key should set to 'false' or 'mode' key should be defined", + "actualValue": "ansible.builtin.lineinfile 'create' key is set to 'true' and 'mode' key is not defined", + "issueType": "IncorrectValue", + "similarityID": "1b3eb77b24465f79531be6c2b536eed078772e7329d0f44de23fe3ff984a60d9", + "search_line": -1 + }, + { + "queryName": "Risky File Permissions", + "severity": "INFO", + "line": 55, + "fileName": "positive1.yaml", + "resourceType": "replace", + "resourceName": "not preserve mode 2x", + "searchKey": "name={{not preserve mode 2x}}.{{replace}}", + "searchValue": "", + "expectedValue": "replace does not allow setting 'preserve' value for 'mode' key", + "actualValue": "'Mode' key of replace is set to 'preserve'", + "issueType": "IncorrectValue", + "similarityID": 
"5dde56e9ca961afde974f86538ff9440ebf46f2bcfc5ee361eb6a5f45952d546",
+ "search_line": -1
+ },
+ {
+ "queryName": "Risky File Permissions",
+ "severity": "INFO",
+ "line": 64,
+ "fileName": "positive1.yaml",
+ "resourceType": "file",
+ "resourceName": "Not Permissions",
+ "searchKey": "name={{Not Permissions}}.{{file}}",
+ "searchValue": "",
+ "expectedValue": "All the permissions set in file about creating files/directories",
+ "actualValue": "There are some permissions missing in file and might create directory/file",
+ "issueType": "MissingAttribute",
+ "similarityID": "be22834f2b136802426e8f85e51d033eb29393276559167be3807ba2f76a75fd",
+ "search_line": -1
+ },
+ {
+ "queryName": "Risky File Permissions",
+ "severity": "INFO",
+ "line": 74,
+ "fileName": "positive1.yaml",
+ "resourceType": "ansible.builtin.lineinfile",
+ "resourceName": "create_false",
+ "searchKey": "name={{create_false}}.{{ansible.builtin.lineinfile}}",
+ "searchValue": "",
+ "expectedValue": "ansible.builtin.lineinfile does not allow setting 'preserve' value for 'mode' key",
+ "actualValue": "'Mode' key of ansible.builtin.lineinfile is set to 'preserve'",
+ "issueType": "IncorrectValue",
+ "similarityID": "e65af750078cd24b73232df02228412116c8e065cd15b43cd2c13a82613ef601",
+ "search_line": -1
+ }
+]
diff --git a/assets/queries/ansible/general/unpinned_package_version/test/positive_expected_result.json b/assets/queries/ansible/general/unpinned_package_version/test/positive_expected_result.json
index f67cb49ccc2..08764894340 100644
--- a/assets/queries/ansible/general/unpinned_package_version/test/positive_expected_result.json
+++ b/assets/queries/ansible/general/unpinned_package_version/test/positive_expected_result.json
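Review bot: The two `ansible.builtin.lineinfile` entries at lines 29 and 46 carry `"resourceType": "false"`, although their searchKey names `{{ansible.builtin.lineinfile}}` and the line-74 entry for the same module reports `"resourceType": "ansible.builtin.lineinfile"`. A boolean literal in a field that holds a module name everywhere else in this file looks like the query emitting a task attribute value in place of the module name, and accepting it here bakes that into the expected baseline. The query is outside this diff, so the resourceType construction should be checked there and this fixture regenerated; if `false` is genuinely intended for those two tasks, a one-line comment in the query explaining why would save the next reader the same question.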
@@ -1,158 +1,392 @@ [ - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 8 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 13 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 18 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 23 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 29 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 34 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 40 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 44 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 50 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 55 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 60 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 65 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 74 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 79 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 84 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 89 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": 
"positive1.yaml", - "line": 94 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 101 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 106 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 111 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 116 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 121 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 130 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 136 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 144 - }, - { - "queryName": "Unpinned Package Version", - "severity": "LOW", - "filename": "positive1.yaml", - "line": 149 - } -] \ No newline at end of file + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 8, + "fileName": "positive1.yaml", + "resourceType": "ansible.builtin.yum", + "resourceName": "Install Ansible", + "searchKey": "name={{Install Ansible}}.{{ansible.builtin.yum}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue", + "similarityID": "398a72350c4c9e20c69215a2cd6b0ba007089abbf073048e68e1bd328fc692f8", + "search_line": -1 + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 13, + "fileName": "positive1.yaml", + "resourceType": "ansible.builtin.pip", + "resourceName": "Install Ansible-lint", + "searchKey": "name={{Install 
Ansible-lint}}.{{ansible.builtin.pip}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue", + "similarityID": "2dd7bd4e71c767a28422ec798e0386f3351a6fea2b6c4dab5287f03fd152f778", + "search_line": -1 + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 18, + "fileName": "positive1.yaml", + "resourceType": "ansible.builtin.package", + "resourceName": "Install some-package", + "searchKey": "name={{Install some-package}}.{{ansible.builtin.package}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue", + "similarityID": "ca816352d5535d7929e96b41bb71f6370b42248a267c98d58550950ea082db08", + "search_line": -1 + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 23, + "fileName": "positive1.yaml", + "resourceType": "ansible.builtin.yum", + "resourceName": "Install Ansible with update_only to false", + "searchKey": "name={{Install Ansible with update_only to false}}.{{ansible.builtin.yum}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue", + "similarityID": "f5b629065d31eb4b07537948af789a652c188c7bef2c3e627171a78d7fe12b5b", + "search_line": -1 + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 29, + "fileName": "positive1.yaml", + "resourceType": "community.general.zypper", + "resourceName": "Install nmap", + "searchKey": "name={{Install nmap}}.{{community.general.zypper}}.state", + "searchValue": 
"", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue", + "similarityID": "3f21300d53ad5246301f459e5555fbb5012f03f559678c66c79eba370b45f2eb", + "search_line": -1 + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 34, + "fileName": "positive1.yaml", + "resourceType": "community.general.apk", + "resourceName": "Install package without using cache", + "searchKey": "name={{Install package without using cache}}.{{community.general.apk}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue", + "similarityID": "d292b65b2e727722cbf482ebec4b9792b1a67822aeb999d6ee2d6c383ca5cbd8", + "search_line": -1 + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 40, + "fileName": "positive1.yaml", + "resourceType": "ansible.builtin.apt", + "resourceName": "Install apache httpd", + "searchKey": "name={{Install apache httpd}}.{{ansible.builtin.apt}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue", + "similarityID": "e4a4bfa9d3e7e673b8482d510259289f734bb73ef7611e0e5e2533de06d48dd1", + "search_line": -1 + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 44, + "fileName": "positive1.yaml", + "resourceType": "community.general.bundler", + "resourceName": "Update Gemfile in another directory", + "searchKey": "name={{Update Gemfile in another directory}}.{{community.general.bundler}}.state", + "searchValue": "", + "expectedValue": "State's 
task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue", + "similarityID": "f3fac5e7f94046e8116fceb1e5b04a6a0b8869f30708b134e5189a35a2663c35", + "search_line": -1 + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 50, + "fileName": "positive1.yaml", + "resourceType": "ansible.builtin.dnf", + "resourceName": "Install a modularity appstream with defined profile", + "searchKey": "name={{Install a modularity appstream with defined profile}}.{{ansible.builtin.dnf}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue", + "similarityID": "10bc5931a411d0f1fcc59b1db4399f431996656d7a47beef59dbc708671bb185", + "search_line": -1 + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 55, + "fileName": "positive1.yaml", + "resourceType": "community.general.gem", + "resourceName": "Install rake", + "searchKey": "name={{Install rake}}.{{community.general.gem}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue", + "similarityID": "869c431ba7a39d293706d71d910b1ce2201ad9e110c6acc8d21e13304f8ce42b", + "search_line": -1 + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 60, + "fileName": "positive1.yaml", + "resourceType": "community.general.homebrew", + "resourceName": "Install formula foo with 'brew' from cask", + "searchKey": "name={{Install formula foo with 'brew' from cask}}.{{community.general.homebrew}}.state", + "searchValue": "", + "expectedValue": "State's 
task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue", + "similarityID": "f63ed7b1a212d3fdb4de72f721796a9fd7db1767d5428ed60173ad8365bd25d6", + "search_line": -1 + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 65, + "fileName": "positive1.yaml", + "resourceType": "community.general.jenkins_plugin", + "resourceName": "Install Green Balls plugin", + "searchKey": "name={{Install Green Balls plugin}}.{{community.general.jenkins_plugin}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue", + "similarityID": "3232f067a4ce9b78ec37261b2655fa3993fac48253ccc7cb019a91657809a8af", + "search_line": -1 + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 74, + "fileName": "positive1.yaml", + "resourceType": "community.general.npm", + "resourceName": "Install packages based on package.json", + "searchKey": "name={{Install packages based on package.json}}.{{community.general.npm}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue", + "similarityID": "f733a876b5e03b504c670249fc142e1b897266d8752d2156a199a887a5457a54", + "search_line": -1 + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 79, + "fileName": "positive1.yaml", + "resourceType": "community.general.openbsd_pkg", + "resourceName": "Install nmap", + "searchKey": "name={{Install nmap}}.{{community.general.openbsd_pkg}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a 
package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue", + "similarityID": "b2c93da6605e291da119f975677d3bf15e70b9024020997ddbb4def819bb4e2c", + "search_line": -1 + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 84, + "fileName": "positive1.yaml", + "resourceType": "ansible.builtin.package", + "resourceName": "Install ntpdate", + "searchKey": "name={{Install ntpdate}}.{{ansible.builtin.package}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue", + "similarityID": "1beba7a4507052a4e295153c64bd71ee072b0184afad50c0e68a8e780a1c5b83", + "search_line": -1 + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 89, + "fileName": "positive1.yaml", + "resourceType": "community.general.pacman", + "resourceName": "Install package bar from file", + "searchKey": "name={{Install package bar from file}}.{{community.general.pacman}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue", + "similarityID": "9dab96677214a0a55d0a264e71dbf560c5ac309701380d3de28b05548097d3dc", + "search_line": -1 + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 94, + "fileName": "positive1.yaml", + "resourceType": "community.general.pkg5", + "resourceName": "Install finger daemon", + "searchKey": "name={{Install finger daemon}}.{{community.general.pkg5}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' 
to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue", + "similarityID": "d0751c4b22349b3f9529fb4c7290724b58aa4f2c38f5586988a3249c5f66f57d", + "search_line": -1 + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 101, + "fileName": "positive1.yaml", + "resourceType": "community.general.pkgutil", + "resourceName": "Install several packages", + "searchKey": "name={{Install several packages}}.{{community.general.pkgutil}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue", + "similarityID": "6f0c29b9ea7d2ecd4d5fafe989263c75dbaf24e4f15b83d4228990e9ed92aa77", + "search_line": -1 + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 106, + "fileName": "positive1.yaml", + "resourceType": "community.general.portage", + "resourceName": "Install package foo", + "searchKey": "name={{Install package foo}}.{{community.general.portage}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue", + "similarityID": "004082d4b35b874cf054669e831c0590859d1e403498a41d286b5a51d37b9d96", + "search_line": -1 + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 111, + "fileName": "positive1.yaml", + "resourceType": "community.general.slackpkg", + "resourceName": "Make sure that it is the most updated package", + "searchKey": "name={{Make sure that it is the most updated package}}.{{community.general.slackpkg}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", 
+ "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue", + "similarityID": "b558abeb17e8dea7f3222ce34a9278f05fd94494d3b7ebc658c01c5e24eb4959", + "search_line": -1 + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 116, + "fileName": "positive1.yaml", + "resourceType": "community.general.sorcery", + "resourceName": "Make sure spell foo is installed", + "searchKey": "name={{Make sure spell foo is installed}}.{{community.general.sorcery}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue", + "similarityID": "a972c788a46674cdd2949b210c1b913ae040ce46e7cf31ba666ab3b6fe3593bd", + "search_line": -1 + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 121, + "fileName": "positive1.yaml", + "resourceType": "community.general.swdepot", + "resourceName": "Install package unzip", + "searchKey": "name={{Install package unzip}}.{{community.general.swdepot}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue", + "similarityID": "03ab92ea1a1703a7abe9669220346b0f39f9c94232386f781952d97199791e32", + "search_line": -1 + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 130, + "fileName": "positive1.yaml", + "resourceType": "win_chocolatey", + "resourceName": "Install multiple packages", + "searchKey": "name={{Install multiple packages}}.{{win_chocolatey}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + 
"issueType": "IncorrectValue", + "similarityID": "16edf6b8fb6333c9dd488f900dabfa5c1e1f1e22a8c679c53efdd8602233cc63", + "search_line": -1 + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 136, + "fileName": "positive1.yaml", + "resourceType": "community.general.yarn", + "resourceName": "Install \"imagemin\" node.js package globally.", + "searchKey": "name={{Install \"imagemin\" node.js package globally.}}.{{community.general.yarn}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue", + "similarityID": "5225982a27f10e7eb134e42cf1871ae38c37092219e62b56c9ffa4469140bd2a", + "search_line": -1 + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 144, + "fileName": "positive1.yaml", + "resourceType": "ansible.builtin.yum", + "resourceName": "Install a list of packages (suitable replacement for 2.11 loop deprecation warning)", + "searchKey": "name={{Install a list of packages (suitable replacement for 2.11 loop deprecation warning)}}.{{ansible.builtin.yum}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'", + "actualValue": "State's task is set to 'latest'", + "issueType": "IncorrectValue", + "similarityID": "04bd3a1a2d2f32aea9570e3acc32992d1f902b40c5362802f0063ef43ceec2c0", + "search_line": -1 + }, + { + "queryName": "Unpinned Package Version", + "severity": "LOW", + "line": 149, + "fileName": "positive1.yaml", + "resourceType": "community.general.zypper", + "resourceName": "Install local rpm file", + "searchKey": "name={{Install local rpm file}}.{{community.general.zypper}}.state", + "searchValue": "", + "expectedValue": "State's task when installing a package should not be defined as 'latest' or 
should have set 'update_only' to 'true'",
+ "actualValue": "State's task is set to 'latest'",
+ "issueType": "IncorrectValue",
+ "similarityID": "98fb3068e631f3b712452f86a6403fda4d6f8f4ab3b901fc3401712f519f1139",
+ "search_line": -1
+ }
+]
diff --git a/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/test/positive_expected_result.json b/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/test/positive_expected_result.json
index 1f10687fd09..00d4171866b 100644
--- a/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/test/positive_expected_result.json
+++ b/assets/queries/ansible/hosts/ansible_tower_exposed_to_internet/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Ansible Tower Exposed To Internet",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.ini"
+ "fileName": "positive1.ini",
+ "resourceType": "n/a",
+ "resourceName": "children",
+ "searchKey": "[tower]",
+ "searchValue": "",
+ "expectedValue": "Ansible Tower IP should be private",
+ "actualValue": "Ansible Tower IP is public",
+ "issueType": "IncorrectValue",
+ "similarityID": "09a6bd1d189279ce9ff103ae52cea28de90d2ab066e3e33484e1b8b21f44334d",
+ "search_line": -1
 },
 {
 "queryName": "Ansible Tower Exposed To Internet",
 "severity": "MEDIUM",
 "line": 24,
- "fileName": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "n/a",
+ "resourceName": "children",
+ "searchKey": "all.children.tower.hosts",
+ "searchValue": "",
+ "expectedValue": "Ansible Tower IP should be private",
+ "actualValue": "Ansible Tower IP is public",
+ "issueType": "IncorrectValue",
+ "similarityID": "3106839ed34aaf7e2c38d7958c702834bc83552b4d046600cce67014339327d7",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/azureResourceManager/account_admins_not_notified_by_email/test/positive_expected_result.json b/assets/queries/azureResourceManager/account_admins_not_notified_by_email/test/positive_expected_result.json
index 8c4c5e42123..c199ec65f6f 100644
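Review bot: Both entries of the ansible_tower_exposed_to_internet hunk report `"resourceName": "children"`, but for `positive1.ini` the searchKey is the INI group header `[tower]`, where no `children` key exists; the value matches the YAML inventory path `all.children.tower.hosts` of the second entry rather than anything in the INI file. This presumably reflects how the query derives resourceName for both inventory formats, which is not visible in this diff; if so the INI case should probably name the group (`tower`) and the fixture be regenerated, otherwise a short comment in the query stating why `children` is the expected resourceName for INI inventories would help the next reader.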
--- a/assets/queries/azureResourceManager/account_admins_not_notified_by_email/test/positive_expected_result.json
+++ b/assets/queries/azureResourceManager/account_admins_not_notified_by_email/test/positive_expected_result.json
@@ -2,49 +2,121 @@ { "queryName": "Account Admins Not Notified By Email", "severity": "INFO", - "line": 14, - "filename": "positive1.json" + "line": 4, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/server/default", + "searchKey": "resources.name={{sample/server/default}}.properties.emailAccountAdmins", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins property value should be set to true", + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins property value is set to false", + "issueType": "IncorrectValue", + "similarityID": "39fe844602d43c18c8161b84fb6428ce7f992cec4f783555db6775b7fd4a42a6", + "search_line": 4 }, { "queryName": "Account Admins Not Notified By Email", "severity": "INFO", - "line": 13, - "filename": "positive2.json" + "line": 14, + "fileName": "positive1.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/server/default", + "searchKey": "resources.name={{sample/server/default}}.properties.emailAccountAdmins", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins property value should be set to true", + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins property value is set to false", + "issueType": "IncorrectValue", + "similarityID": "0afa60ae587b17830eeb4fe2efe3e9b2b6f9ec28706e39a085654b445b6f3061", + "search_line": 14 }, { "queryName": "Account Admins Not Notified By Email", "severity": "INFO", - "line": 16, - "filename": "positive3.json" + "line": 3, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/server/default", + "searchKey": "resources.name={{sample/server/default}}.properties", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins should be set to true", + 
"actualValue": "securityAlertPolicies.properties.emailAccountAdmins is missing", + "issueType": "MissingAttribute", + "similarityID": "bd1659c4126e49fd9a9df30c30b53c75b89ae40364c268a958404b59992cd8a1", + "search_line": 3 }, { "queryName": "Account Admins Not Notified By Email", "severity": "INFO", - "line": 15, - "filename": "positive4.json" + "line": 13, + "fileName": "positive2.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/server/default", + "searchKey": "resources.name={{sample/server/default}}.properties", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins should be set to true", + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins is missing", + "issueType": "MissingAttribute", + "similarityID": "4cefefdcd85bda34c612d7cf07c4415e3022646e989057500dc0710908d0facb", + "search_line": 13 }, { "queryName": "Account Admins Not Notified By Email", "severity": "INFO", "line": 4, - "filename": "positive1.bicep" - }, + "fileName": "positive3.bicep", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/server/default", + "searchKey": "resources.name={{sample/server/default}}.properties.emailAccountAdmins", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins property value should be set to true", + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins property value is set to false", + "issueType": "IncorrectValue", + "similarityID": "e9099d5da0417a58ee2eaba4279cdbe9338a08b8a3d07a36fd14a390e8978472", + "search_line": 4 + }, { "queryName": "Account Admins Not Notified By Email", "severity": "INFO", - "line": 3, - "filename": "positive2.bicep" + "line": 16, + "fileName": "positive3.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/server/default", + "searchKey": 
"properties.template.resources.name={{sample/server/default}}.properties.emailAccountAdmins", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins property value should be set to true", + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins property value is set to false", + "issueType": "IncorrectValue", + "similarityID": "1800c2e7feeb1a9e1e6c0254e30b3f9c83371e2137b3cbc1ac97299ba767da76", + "search_line": 16 }, { "queryName": "Account Admins Not Notified By Email", "severity": "INFO", - "line": 4, - "filename": "positive3.bicep" + "line": 3, + "fileName": "positive4.bicep", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/server/default", + "searchKey": "resources.name={{sample/server/default}}.properties", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins should be set to true", + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins is missing", + "issueType": "MissingAttribute", + "similarityID": "3989dad3e7c9d54bb191c025c94f08600067cc25be6b520d7bbb061fd000361b", + "search_line": 3 }, { "queryName": "Account Admins Not Notified By Email", "severity": "INFO", - "line": 3, - "filename": "positive4.bicep" + "line": 15, + "fileName": "positive4.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/server/default", + "searchKey": "properties.template.resources.name={{sample/server/default}}.properties", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAccountAdmins should be set to true", + "actualValue": "securityAlertPolicies.properties.emailAccountAdmins is missing", + "issueType": "MissingAttribute", + "similarityID": "fc0889f01880f19b717781e8f14f8b06aeff4faec44562a968a0f1b999d2e624", + "search_line": 15 } ] 
diff --git a/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/test/positive_expected_result.json b/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/test/positive_expected_result.json index 31a9ddc78c3..3e7563e5095 100644 --- a/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured/test/positive_expected_result.json 
@@ -2,49 +2,121 @@ { "queryName": "AKS Cluster Network Policy Not Configured", "severity": "MEDIUM", - "line": 6, - "filename": "positive1.json" + "line": 2, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", + "actualValue": "'networkProfile.networkPolicy' is undefined", + "issueType": "MissingAttribute", + "similarityID": "d44e89f34fc17b5863f0a4aa738f94be9e59dc7d65a5227d77549370fc3e8ae2", + "search_line": 2 }, { "queryName": "AKS Cluster Network Policy Not Configured", "severity": "MEDIUM", - "line": 37, - "filename": "positive2.json" + "line": 6, + "fileName": "positive1.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", + "actualValue": "'networkProfile.networkPolicy' is undefined", + "issueType": "MissingAttribute", + "similarityID": "0201f31af223c848187fd47de847d7a8cccb8e60522f7aa471f153a530df7235", + "search_line": 6 }, { "queryName": "AKS Cluster Network Policy Not Configured", "severity": "MEDIUM", - "line": 8, - "filename": "positive3.json" + "line": 31, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.networkProfile.networkPolicy", + "searchValue": "", + "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", + "actualValue": "'networkProfile.networkPolicy' is empty", + "issueType": "IncorrectValue", + "similarityID": "e2186562c64317aaa15eac8cfb61749037132a68fa9b47a8fb50c5381301dc0d", + "search_line": 31 }, { "queryName": "AKS Cluster Network Policy Not Configured", 
"severity": "MEDIUM", - "line": 39, - "filename": "positive4.json" + "line": 37, + "fileName": "positive2.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.networkProfile.networkPolicy", + "searchValue": "", + "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", + "actualValue": "'networkProfile.networkPolicy' is empty", + "issueType": "IncorrectValue", + "similarityID": "40f8f77709cc877143138ae48c95ecd0a61b7ea919fb620eee6d393c47834c30", + "search_line": 37 }, { "queryName": "AKS Cluster Network Policy Not Configured", "severity": "MEDIUM", "line": 2, - "filename": "positive1.bicep" + "fileName": "positive3.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", + "actualValue": "'networkProfile.networkPolicy' is undefined", + "issueType": "MissingAttribute", + "similarityID": "979d5ae8dea27ad67cdb5e1583887c13b65f61cf90e8e700db5ddd971d6c896a", + "search_line": 2 }, { "queryName": "AKS Cluster Network Policy Not Configured", "severity": "MEDIUM", - "line": 31, - "filename": "positive2.bicep" + "line": 8, + "fileName": "positive3.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", + "actualValue": "'networkProfile.networkPolicy' is undefined", + "issueType": "MissingAttribute", + "similarityID": "edace701973cd8d35d42453016fe316f86c9dd3a15d8e99ff364a2afd0bd8c70", + "search_line": 8 }, { "queryName": "AKS Cluster Network Policy Not Configured", "severity": "MEDIUM", - "line": 2, - "filename": "positive3.bicep" + 
"line": 31, + "fileName": "positive4.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.networkProfile.networkPolicy", + "searchValue": "", + "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", + "actualValue": "'networkProfile.networkPolicy' is empty", + "issueType": "IncorrectValue", + "similarityID": "d75e83783da12507ea7d52d3cd7b235e3847f7ace12ee1ac0f0731b1ba26de33", + "search_line": 31 }, { "queryName": "AKS Cluster Network Policy Not Configured", "severity": "MEDIUM", - "line": 31, - "filename": "positive4.bicep" + "line": 39, + "fileName": "positive4.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1.properties.networkProfile.networkPolicy", + "searchValue": "", + "expectedValue": "'networkProfile.networkPolicy' should be defined and not empty", + "actualValue": "'networkProfile.networkPolicy' is empty", + "issueType": "IncorrectValue", + "similarityID": "b834759326b4ee9f2abc1ed3b4984bc9877c4b9703be1832fb7363ac6ad9f4a4", + "search_line": 39 } ] diff --git a/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/test/positive_expected_result.json index 70cdf5c8a8f..8a855425c69 100644 --- a/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/aks_cluster_rbac_disabled/test/positive_expected_result.json 
@@ -2,49 +2,121 @@ { "queryName": "AKS Cluster RBAC Disabled", "severity": "HIGH", - "line": 14, - "fileName": "positive1.json" + "line": 4, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name={{aksCluster1}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property defined", + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' property defined", + "issueType": "MissingAttribute", + "similarityID": "b6c0b73f2eb067e60e1b60965c2f9d7f096b7c567ec1b54a66b11cc8fc0b7975", + "search_line": 4 }, { "queryName": "AKS Cluster RBAC Disabled", "severity": "HIGH", - "line": 36, - "fileName": "positive2.json" + "line": 14, + "fileName": "positive1.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name={{aksCluster1}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property defined", + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' property defined", + "issueType": "MissingAttribute", + "similarityID": "bb6c3fd7456b40cdff8f835002a9f06b73cfb59427eea73fa5f5629b21c3df36", + "search_line": 14 }, { "queryName": "AKS Cluster RBAC Disabled", "severity": "HIGH", - "line": 16, - "fileName": "positive3.json" + "line": 26, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name={{aksCluster1}}.properties.enableRBAC", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property value set to true", + "actualValue": 
"resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' set to true%!(EXTRA string=property value)", + "issueType": "IncorrectValue", + "similarityID": "9a3c4592651fcaeb4a8eed93d4680e26a9eb5b0254e499f7f49306a1bbcc2148", + "search_line": 26 }, { "queryName": "AKS Cluster RBAC Disabled", "severity": "HIGH", - "line": 38, - "fileName": "positive4.json" + "line": 36, + "fileName": "positive2.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name={{aksCluster1}}.properties.enableRBAC", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property value set to true", + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' set to true%!(EXTRA string=property value)", + "issueType": "IncorrectValue", + "similarityID": "f289822f20c5e16e47ec9c70f58e86a2bb20e711a05dda898fb4522a7f20caf1", + "search_line": 36 }, { "queryName": "AKS Cluster RBAC Disabled", "severity": "HIGH", "line": 4, - "fileName": "positive1.bicep" + "fileName": "positive3.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name={{aksCluster1}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property defined", + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' property defined", + "issueType": "MissingAttribute", + "similarityID": "a9b5363ae76d68918ac8599470318a69c56da621572ad9c3576d0772f373625d", + "search_line": 4 }, { "queryName": "AKS Cluster RBAC Disabled", "severity": "HIGH", - "line": 26, - "fileName": "positive2.bicep" + "line": 16, + "fileName": "positive3.json", + "resourceType": "Microsoft.ContainerService/managedClusters", 
+ "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name={{aksCluster1}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property defined", + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' property defined", + "issueType": "MissingAttribute", + "similarityID": "cf55e2223c115015a5b77f263ff49df0389656c4cc3944d231ff2ed4e9c40ec7", + "search_line": 16 }, { "queryName": "AKS Cluster RBAC Disabled", "severity": "HIGH", - "line": 4, - "fileName": "positive3.bicep" + "line": 26, + "fileName": "positive4.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name={{aksCluster1}}.properties.enableRBAC", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property value set to true", + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' set to true%!(EXTRA string=property value)", + "issueType": "IncorrectValue", + "similarityID": "0c3fdaa7b77ee0fb8515893e1acd013bd855f693c0ad715c6d611f3c98e4253c", + "search_line": 26 }, { "queryName": "AKS Cluster RBAC Disabled", "severity": "HIGH", - "line": 26, - "fileName": "positive4.bicep" + "line": 38, + "fileName": "positive4.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name={{aksCluster1}}.properties.enableRBAC", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.ContainerService/managedClusters' should have the 'enableRBAC' property value set to true", + "actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' set to true%!(EXTRA string=property value)", + "issueType": 
"IncorrectValue", + "similarityID": "73233c64bbee0e70126dcd46b3f2d49356902f3635a83f4588f3820f86fe65b2", + "search_line": 38 } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/aks_dashboard_enabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/aks_dashboard_enabled/test/positive_expected_result.json index 2a226e8456a..992ee626337 100644 --- a/assets/queries/azureResourceManager/aks_dashboard_enabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/aks_dashboard_enabled/test/positive_expected_result.json 
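Review bot: The `actualValue` strings for positive2.bicep, positive2.json, positive4.bicep and positive4.json in this hunk carry the Go formatting artifact `%!(EXTRA string=property value)`, which indicates the query's message template receives one more argument than its format verbs consume, and this regenerated fixture now locks that broken text in as the expected result. Since the file is produced by the generator script rather than edited by hand, the message should be repaired at its source (presumably the sprintf-style template in the aks_cluster_rbac_disabled query) and the fixture regenerated, so that the entry reads something like `"actualValue": "resource with type 'Microsoft.ContainerService/managedClusters' doesn't have 'enableRBAC' property value set to true"` (the exact intended wording is a guess and should be taken from the query). Committing the artifact means the next correction of that message will fail this test and the failure will be noise rather than a regression signal. The aks_with_authorized_ip_ranges_disabled hunk further down shows the same verbatim baking of query wording (`should be a defined as an array`), but its end lies outside this view.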
@@ -2,25 +2,61 @@ { "queryName": "AKS Dashboard Is Enabled", "severity": "LOW", - "line": 14, - "filename": "positive1.json" + "line": 8, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.addonProfiles.kubeDashboard.enabled", + "searchValue": "", + "expectedValue": "'addonProfiles.kubeDashboard.enabled' should be defined and false", + "actualValue": "'addonProfiles.kubeDashboard.enabled' property value is false", + "issueType": "IncorrectValue", + "similarityID": "9a69fa1621ac02a403f1738c05119db657a3e4dea68f0a965fa0f790140feeb8", + "search_line": 8 }, { "queryName": "AKS Dashboard Is Enabled", "severity": "LOW", - "line": 16, - "filename": "positive2.json" + "line": 14, + "fileName": "positive1.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.addonProfiles.kubeDashboard.enabled", + "searchValue": "", + "expectedValue": "'addonProfiles.kubeDashboard.enabled' should be defined and false", + "actualValue": "'addonProfiles.kubeDashboard.enabled' property value is false", + "issueType": "IncorrectValue", + "similarityID": "b49a8c02b3df8a091743209aca0d8afd4176eeea2928ca73f6845c915ed08338", + "search_line": 14 }, { "queryName": "AKS Dashboard Is Enabled", "severity": "LOW", "line": 8, - "filename": "positive1.bicep" + "fileName": "positive2.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.addonProfiles.kubeDashboard.enabled", + "searchValue": "", + "expectedValue": "'addonProfiles.kubeDashboard.enabled' should be defined and false", + "actualValue": "'addonProfiles.kubeDashboard.enabled' property value is false", + "issueType": "IncorrectValue", + "similarityID": 
"737a67133139236a3e5223e1784f0266e12478345400262b710fe6e0992dad34", + "search_line": 8 }, { "queryName": "AKS Dashboard Is Enabled", "severity": "LOW", - "line": 8, - "filename": "positive2.bicep" + "line": 16, + "fileName": "positive2.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1.properties.addonProfiles.kubeDashboard.enabled", + "searchValue": "", + "expectedValue": "'addonProfiles.kubeDashboard.enabled' should be defined and false", + "actualValue": "'addonProfiles.kubeDashboard.enabled' property value is false", + "issueType": "IncorrectValue", + "similarityID": "d8aa9b754c205cd0eea952cc3867ef3fca0b7456544ba9b670bfeeb9347383ec", + "search_line": 16 } ] diff --git a/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/test/positive_expected_result.json index 1f589057ff2..c5a57622eae 100644 --- a/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled/test/positive_expected_result.json 
@@ -2,49 +2,121 @@ { "queryName": "AKS Logging To Azure Monitoring Is Disabled", "severity": "MEDIUM", - "line": 14, - "filename": "positive1.json" + "line": 8, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.addonProfiles.omsagent.enabled", + "searchValue": "", + "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", + "actualValue": "'addonProfiles.omsagent.enabled' property value is set to false", + "issueType": "IncorrectValue", + "similarityID": "1c03325fd27f0f977e7dd9c3612ce8b496d8d4abcdcf9603b79b798cbde3269b", + "search_line": 8 }, { "queryName": "AKS Logging To Azure Monitoring Is Disabled", "severity": "MEDIUM", - "line": 6, - "filename": "positive2.json" + "line": 14, + "fileName": "positive1.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.addonProfiles.omsagent.enabled", + "searchValue": "", + "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", + "actualValue": "'addonProfiles.omsagent.enabled' property value is set to false", + "issueType": "IncorrectValue", + "similarityID": "f08e7d28df91af26b7b4c53e8526fa1d79981896f4f539129b20794ec1a3f0cd", + "search_line": 14 }, { "queryName": "AKS Logging To Azure Monitoring Is Disabled", "severity": "MEDIUM", - "line": 16, - "filename": "positive3.json" + "line": 2, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", + "actualValue": "'addonProfiles.omsagent.enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": 
"46493acfaa39f3f9a402580b5aade3f14f186dcd9f052954e864eaa0ceac3b51", + "search_line": 2 }, { "queryName": "AKS Logging To Azure Monitoring Is Disabled", "severity": "MEDIUM", - "line": 8, - "filename": "positive4.json" + "line": 6, + "fileName": "positive2.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", + "actualValue": "'addonProfiles.omsagent.enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "5ad3370134bb008c47dd2d4c657ec1f135f4e3996abcbd03369f71d02249aff6", + "search_line": 6 }, { "queryName": "AKS Logging To Azure Monitoring Is Disabled", "severity": "MEDIUM", "line": 8, - "filename": "positive1.bicep" + "fileName": "positive3.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.addonProfiles.omsagent.enabled", + "searchValue": "", + "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", + "actualValue": "'addonProfiles.omsagent.enabled' property value is set to false", + "issueType": "IncorrectValue", + "similarityID": "bee460b4f1a3c02e4a1bc0772ec9a287b4d35c72ec274a41a52a9d1cb30babb3", + "search_line": 8 }, { "queryName": "AKS Logging To Azure Monitoring Is Disabled", "severity": "MEDIUM", - "line": 2, - "filename": "positive2.bicep" + "line": 16, + "fileName": "positive3.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1.properties.addonProfiles.omsagent.enabled", + "searchValue": "", + "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", + "actualValue": "'addonProfiles.omsagent.enabled' property value is set to false", + "issueType": "IncorrectValue", + 
"similarityID": "c3d9d32d55caf81cf2e655ad2ebde7b31a52bf657019bdff3853367243cbab35", + "search_line": 16 }, { "queryName": "AKS Logging To Azure Monitoring Is Disabled", "severity": "MEDIUM", - "line": 8, - "filename": "positive3.bicep" + "line": 2, + "fileName": "positive4.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", + "actualValue": "'addonProfiles.omsagent.enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "370d0d2919e27e744a99f84360e361a50df1d888d864210882b9e67c0ebe348c", + "search_line": 2 }, { "queryName": "AKS Logging To Azure Monitoring Is Disabled", "severity": "MEDIUM", - "line": 2, - "filename": "positive4.bicep" + "line": 8, + "fileName": "positive4.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'addonProfiles.omsagent.enabled' should be defined and false", + "actualValue": "'addonProfiles.omsagent.enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "d88a91531f643d8835877f968981324509af27d332c6bd6d4c5b070b53768f8e", + "search_line": 8 } ] diff --git a/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/test/positive_expected_result.json index 5c44f1fdc75..dd12e89f5dd 100644 --- a/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled/test/positive_expected_result.json 
@@ -2,121 +2,301 @@ { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 8, - "filename": "positive1.json" + "line": 1, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.apiVersion", + "searchValue": "", + "expectedValue": "'apiVersion' should be '2019-02-01' or newer", + "actualValue": "'apiVersion' is 2017-08-31", + "issueType": "IncorrectValue", + "similarityID": "91221a5e9ab0278fe46dfcab1560112f860b48b033ce23e8575547bc8e29d370", + "search_line": 1 }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 6, - "filename": "positive2.json" + "line": 8, + "fileName": "positive1.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.apiVersion", + "searchValue": "", + "expectedValue": "'apiVersion' should be '2019-02-01' or newer", + "actualValue": "'apiVersion' is 2017-08-31", + "issueType": "IncorrectValue", + "similarityID": "966ff918a906758f9fb25d181c6c7912f30ecd8840700abc869d2d299135a79c", + "search_line": 8 }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 36, - "filename": "positive3.json" + "line": 2, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", + "actualValue": "'apiServerAuthorizedIPRanges' is undefined", + "issueType": "MissingAttribute", + "similarityID": "98373447cb9eda056a0182f560fb1101d803a571a6f496fd9b30518ff49b32da", + "search_line": 2 }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", "line": 6, - "filename": "positive4.json" + "fileName": "positive2.json", + "resourceType": 
"Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", + "actualValue": "'apiServerAuthorizedIPRanges' is undefined", + "issueType": "MissingAttribute", + "similarityID": "832ec139f342d4927703d89b4b8e7afdea337c5283f08485b382232acca2ce0f", + "search_line": 6 }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 37, - "filename": "positive5.json" + "line": 30, + "fileName": "positive3.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.apiServerAuthorizedIPRanges", + "searchValue": "", + "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", + "actualValue": "'apiServerAuthorizedIPRanges' is empty", + "issueType": "IncorrectValue", + "similarityID": "584732ddd0df028746a96638414871fe0c77e68a0aaff8d4cd468b546bae348f", + "search_line": 30 }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 10, - "filename": "positive6.json" + "line": 36, + "fileName": "positive3.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.apiServerAuthorizedIPRanges", + "searchValue": "", + "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", + "actualValue": "'apiServerAuthorizedIPRanges' is empty", + "issueType": "IncorrectValue", + "similarityID": "f1a701d58d2ceda40a06e2a661f1bb7f17d7c46f4ab0028c1040ce412cc02d75", + "search_line": 36 }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 8, - "filename": "positive7.json" + "line": 2, + "fileName": "positive4.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": 
"aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is undefined", + "issueType": "MissingAttribute", + "similarityID": "670b23869fcb222f031e2f7d34e3c9efbe733e9b71d3d466d31336f8071f5e3a", + "search_line": 2 }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 38, - "filename": "positive8.json" + "line": 6, + "fileName": "positive4.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is undefined", + "issueType": "MissingAttribute", + "similarityID": "fadf8243b21b6412d9572b37c8d35e12c1bb88fa608b54d2c335c87c1b7ff8f6", + "search_line": 6 }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 8, - "filename": "positive9.json" + "line": 31, + "fileName": "positive5.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.apiServerAccessProfile.authorizedIPRanges", + "searchValue": "", + "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is empty", + "issueType": "IncorrectValue", + "similarityID": "5d0b11884fbf25dbd29cfe0d5fe7449510d1fc00a50268106328c2d4a5edbbcf", + "search_line": -1 }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 39, - "filename": "positive10.json" + "line": 37, + "fileName": "positive5.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": 
"aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.apiServerAccessProfile.authorizedIPRanges", + "searchValue": "", + "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is empty", + "issueType": "IncorrectValue", + "similarityID": "c8158de5f267448677b6e1119832b3596de20fe907500399f1de57fc820da436", + "search_line": -1 }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", "line": 1, - "filename": "positive1.bicep" + "fileName": "positive6.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.apiVersion", + "searchValue": "", + "expectedValue": "'apiVersion' should be '2019-02-01' or newer", + "actualValue": "'apiVersion' is 2017-08-31", + "issueType": "IncorrectValue", + "similarityID": "1fa7e33709a51edf122104b946361fbbdc7433c73cceaca0dd7e78566077c4c8", + "search_line": 1 }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 2, - "filename": "positive2.bicep" + "line": 10, + "fileName": "positive6.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1.apiVersion", + "searchValue": "", + "expectedValue": "'apiVersion' should be '2019-02-01' or newer", + "actualValue": "'apiVersion' is 2017-08-31", + "issueType": "IncorrectValue", + "similarityID": "9ee775eab3de328c8982724415e6c4b53e14682143bbd2353d347b304da2ff02", + "search_line": 10 }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 30, - "filename": "positive3.bicep" + "line": 2, + "fileName": "positive7.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": 
"'apiServerAuthorizedIPRanges' should be a defined as an array", + "actualValue": "'apiServerAuthorizedIPRanges' is undefined", + "issueType": "MissingAttribute", + "similarityID": "5d67433322602dbad76ea2193dd5ef7f23dca93869e47ba0d57df1e5acc293ed", + "search_line": 2 }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 2, - "filename": "positive4.bicep" + "line": 8, + "fileName": "positive7.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", + "actualValue": "'apiServerAuthorizedIPRanges' is undefined", + "issueType": "MissingAttribute", + "similarityID": "629a169f5c25eca1634e1f3e54def19cb5022e7aba2be25b1866af2ed5f03a70", + "search_line": 8 }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 31, - "filename": "positive5.bicep" + "line": 30, + "fileName": "positive8.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.apiServerAuthorizedIPRanges", + "searchValue": "", + "expectedValue": "'apiServerAuthorizedIPRanges' should be a defined as an array", + "actualValue": "'apiServerAuthorizedIPRanges' is empty", + "issueType": "IncorrectValue", + "similarityID": "76c12e642be6795631bc15d4c0de77eb3fac46dfd5c1c27bdec520b0613cff93", + "search_line": 30 }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 1, - "filename": "positive6.bicep" + "line": 38, + "fileName": "positive8.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1.properties.apiServerAuthorizedIPRanges", + "searchValue": "", + "expectedValue": 
"'apiServerAuthorizedIPRanges' should be a defined as an array", + "actualValue": "'apiServerAuthorizedIPRanges' is empty", + "issueType": "IncorrectValue", + "similarityID": "64312849e093144a92420ea3d8e2ae5c2eecffb5912a873a88a6c96cf8f06fc9", + "search_line": 38 }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", "line": 2, - "filename": "positive7.bicep" + "fileName": "positive9.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is undefined", + "issueType": "MissingAttribute", + "similarityID": "5436e1134ec8994421be56502e183786e5c4d6cc7e91a139ea0a857a7801bc4b", + "search_line": 2 }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 30, - "filename": "positive8.bicep" + "line": 8, + "fileName": "positive9.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1", + "searchValue": "", + "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is undefined", + "issueType": "MissingAttribute", + "similarityID": "aaa6ff3e2cfd59fa1aea16b12c86f28ea16e5adc89861facbf20da60e2a4e21e", + "search_line": 8 }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 2, - "filename": "positive9.bicep" + "line": 31, + "fileName": "positive10.bicep", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "resources.name=aksCluster1.properties.apiServerAccessProfile.authorizedIPRanges", + "searchValue": "", + "expectedValue": 
"'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is empty", + "issueType": "IncorrectValue", + "similarityID": "b9a69167c28c8ed141b8c8d9d5d521c3f1685e325310c1046cd8f38b1279e90d", + "search_line": -1 }, { "queryName": "AKS With Authorized IP Ranges Disabled", "severity": "LOW", - "line": 31, - "filename": "positive10.bicep" + "line": 39, + "fileName": "positive10.json", + "resourceType": "Microsoft.ContainerService/managedClusters", + "resourceName": "aksCluster1", + "searchKey": "properties.template.resources.name=aksCluster1.properties.apiServerAccessProfile.authorizedIPRanges", + "searchValue": "", + "expectedValue": "'apiServerAccessProfile.authorizedIPRanges' should be defined as an array", + "actualValue": "'apiServerAccessProfile.authorizedIPRanges' is empty", + "issueType": "IncorrectValue", + "similarityID": "e92292f79c40003c798668f56bfada84e91888f0d46f19f5f7e28012622e8f26", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/app_service_authentication_not_set/test/positive_expected_result.json b/assets/queries/azureResourceManager/app_service_authentication_not_set/test/positive_expected_result.json index d3571dede33..ac5d6000357 100644 --- a/assets/queries/azureResourceManager/app_service_authentication_not_set/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/app_service_authentication_not_set/test/positive_expected_result.json 
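Review bot: Four of the regenerated entries in this hunk — positive5.bicep (line 31), positive5.json (line 37), positive10.bicep (line 31) and positive10.json (line 39) — carry `"search_line": -1` while every other entry's search_line matches its line, and all four are the IncorrectValue/"is empty" cases for the authorizedIPRanges property. A -1 here presumably means the scanner could not resolve the searchKey to a source line for an empty array, so committing it as the expected result pins that lookup failure as correct behaviour rather than flagging it. It would be worth confirming whether -1 is the intended output for empty-array properties (and, if so, documenting that in the query's metadata or the generator) or whether the searchKey for these cases needs adjusting before the fixture is regenerated. No other hunk in this diff shows the same mismatch.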
@@ -2,97 +2,241 @@ { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 37, - "fileName": "positive1.json" + "line": 33, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "resources.name=webApp1.resources.name=authsettings.properties.enabled", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' property value is false on authsettings properties", + "issueType": "IncorrectValue", + "similarityID": "1532513588663cf871515eab85e34a96d3479ad0abe5b71ca55366ee34fa5a0f", + "search_line": 33 }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 33, - "fileName": "positive2.json" + "line": 37, + "fileName": "positive1.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "resources.name=webApp1.resources.name=authsettings.properties.enabled", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' property value is false on authsettings properties", + "issueType": "IncorrectValue", + "similarityID": "94425953062829dc7e0d43c593580a3488570b2bec326c5296aaaf467c3e6d2b", + "search_line": 37 }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 44, - "fileName": "positive3.json" + "line": 31, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "resources.name=webApp1.resources.name=authsettings", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "dfee59742cabe9e5e4a97191b7ec522704645f85dd70674d4bb533faedf3a8e8", + "search_line": 31 }, { "queryName": "App 
Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 40, - "fileName": "positive4.json" + "line": 33, + "fileName": "positive2.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "resources.name=webApp1.resources.name=authsettings", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "5cea04df89e407c29b5fd69b1796939cac2aa49e8ffc80698c9aa921e300e132", + "search_line": 33 }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 39, - "fileName": "positive5.json" + "line": 33, + "fileName": "positive3.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "resources.name=webApp1.resources.name=authsettings.properties.enabled", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' property value is false on authsettings properties", + "issueType": "IncorrectValue", + "similarityID": "bc4437ceccd9262f6b96f7092a62ae5ec9acdc33db2fce1a09aed67c18a696c3", + "search_line": 33 }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 35, - "fileName": "positive6.json" + "line": 44, + "fileName": "positive3.json", + "resourceType": "Microsoft.Web/sites/config", + "resourceName": "webApp1/authsettings", + "searchKey": "resources.name=webApp1/authsettings.properties.enabled", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' property value is false on authsettings properties", + "issueType": "IncorrectValue", + "similarityID": "a9d7d7da26e0f708f9cd5d3583ea12528802690882cc5314fd4d9d3293196458", + "search_line": 44 }, { "queryName": "App Service Authentication Is Not Set", 
"severity": "MEDIUM", - "line": 46, - "fileName": "positive7.json" + "line": 31, + "fileName": "positive4.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "resources.name=webApp1.resources.name=authsettings", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "0337e0fc7659d2ad175044d3a31443bd4cd8556ef496e6bb1649dca2c8daead1", + "search_line": 31 }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 42, - "fileName": "positive8.json" + "line": 40, + "fileName": "positive4.json", + "resourceType": "Microsoft.Web/sites/config", + "resourceName": "webApp1/authsettings", + "searchKey": "resources.name=webApp1/authsettings", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "7e1a38db19142e5b7e34eb9e67acf5ffaa5134ce819ccec756a55c5836b03c2b", + "search_line": 40 }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", "line": 33, - "fileName": "positive1.bicep" + "fileName": "positive5.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "resources.name=webApp1.resources.name=authsettings.properties.enabled", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' property value is false on authsettings properties", + "issueType": "IncorrectValue", + "similarityID": "d8b29e005fda3f40cdfa78856ac6c8e3873b82865356aaf9477a2612f2ae5544", + "search_line": 33 }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 31, - "fileName": "positive2.bicep" + "line": 39, + "fileName": 
"positive5.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "properties.template.resources.name=webApp1.resources.name=authsettings.properties.enabled", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' property value is false on authsettings properties", + "issueType": "IncorrectValue", + "similarityID": "67f504918f32854124d282e87a399b31838aa7baf4d3a7f05aa1edf1ffff1dd7", + "search_line": 39 }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 33, - "fileName": "positive3.bicep" + "line": 31, + "fileName": "positive6.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "resources.name=webApp1.resources.name=authsettings", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "6cc22dfe25e56ca6349f63bc6628d9171f0c4b9faa7ea6296d18b6b3c8435001", + "search_line": 31 }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 31, - "fileName": "positive4.bicep" + "line": 35, + "fileName": "positive6.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "properties.template.resources.name=webApp1.resources.name=authsettings", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "e01e35b9b3796fa3e4a51532b410b94dbe8ff59b38038a221cd164fed927d754", + "search_line": 35 }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", "line": 33, - "fileName": "positive5.bicep" + "fileName": "positive7.bicep", + "resourceType": "Microsoft.Web/sites", + 
"resourceName": "webApp1", + "searchKey": "resources.name=webApp1.resources.name=authsettings.properties.enabled", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' property value is false on authsettings properties", + "issueType": "IncorrectValue", + "similarityID": "f6a05cc1d1aa1238de4bcaf5f9e3e2a29ef45bbc5d5fef4c9c8a2968f5bccc2e", + "search_line": 33 }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 31, - "fileName": "positive6.bicep" + "line": 46, + "fileName": "positive7.json", + "resourceType": "Microsoft.Web/sites/config", + "resourceName": "webApp1/authsettings", + "searchKey": "properties.template.resources.name=webApp1/authsettings.properties.enabled", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' property value is false on authsettings properties", + "issueType": "IncorrectValue", + "similarityID": "2c6fc7ba607fa5f1abd6072a6fda81b113a4331996fd77b73a83e3362b54d01f", + "search_line": 46 }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 33, - "fileName": "positive7.bicep" + "line": 31, + "fileName": "positive8.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webApp1", + "searchKey": "resources.name=webApp1.resources.name=authsettings", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "09c8d6be55d3d088e94e00bdef3c0cc1f1df8a73769af873f909bc48b28db3ce", + "search_line": 31 }, { "queryName": "App Service Authentication Is Not Set", "severity": "MEDIUM", - "line": 31, - "fileName": "positive8.bicep" + "line": 42, + "fileName": "positive8.json", + "resourceType": "Microsoft.Web/sites/config", + 
"resourceName": "webApp1/authsettings", + "searchKey": "properties.template.resources.name=webApp1/authsettings", + "searchValue": "", + "expectedValue": "resource authsettings should have 'properties.enabled' property set to true", + "actualValue": "'enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "6d38975ff73fd6ccbee468c524dd6b50e6393f32b6d2da635b4470c591eafe9a", + "search_line": 42 } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/test/positive_expected_result.json b/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/test/positive_expected_result.json index 9b56de65a46..1b13edf1c74 100644 --- a/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/azure_instance_using_basic_authentication/test/positive_expected_result.json 
@@ -2,49 +2,121 @@ { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", - "line": 53, - "filename": "positive1.json" + "line": 27, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.Compute/virtualMachines", + "resourceName": "[variables('vmName')]", + "searchKey": "resources.name=[variables('vmName')].properties.osProfile.linuxConfiguration.disablePasswordAuthentication", + "searchValue": "", + "expectedValue": "'disablePasswordAuthentication' should be set to true", + "actualValue": "'disablePasswordAuthentication' property value is set to false", + "issueType": "IncorrectValue", + "similarityID": "a29f3bb24b67e1c9d7f541bb5b939dd5340273507878d71d5e3be577b073ebcc", + "search_line": 27 }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", - "line": 40, - "filename": "positive2.json" + "line": 53, + "fileName": "positive1.json", + "resourceType": "Microsoft.Compute/virtualMachines", + "resourceName": "[variables('vmName')]", + "searchKey": "resources.name=[variables('vmName')].properties.osProfile.linuxConfiguration.disablePasswordAuthentication", + "searchValue": "", + "expectedValue": "'disablePasswordAuthentication' should be set to true", + "actualValue": "'disablePasswordAuthentication' property value is set to false", + "issueType": "IncorrectValue", + "similarityID": "4a0fc5016482e71fd3c0e3db6945078c6929c6815bce5d47c7607a78e1937b3e", + "search_line": 53 }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", - "line": 55, - "filename": "positive3.json" + "line": 17, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.Compute/virtualMachines", + "resourceName": "[variables('vmName')]", + "searchKey": "resources.name=[variables('vmName')]", + "searchValue": "", + "expectedValue": "'disablePasswordAuthentication' should be set to true", + "actualValue": "'linuxConfiguration.disablePasswordAuthentication' is not defined", + "issueType": 
"MissingAttribute", + "similarityID": "c31ac66241a38459b67bbebee6fdfd12b7c3d9d326cefe1636bed57f81737f60", + "search_line": 17 }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", - "line": 42, - "filename": "positive4.json" + "line": 40, + "fileName": "positive2.json", + "resourceType": "Microsoft.Compute/virtualMachines", + "resourceName": "[variables('vmName')]", + "searchKey": "resources.name=[variables('vmName')]", + "searchValue": "", + "expectedValue": "'disablePasswordAuthentication' should be set to true", + "actualValue": "'linuxConfiguration.disablePasswordAuthentication' is not defined", + "issueType": "MissingAttribute", + "similarityID": "c49bc0c03f3ff399bc9e5b4d79085362e5579156a2e2ade7cc748908881becfa", + "search_line": 40 }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", "line": 27, - "filename": "positive1.bicep" + "fileName": "positive3.bicep", + "resourceType": "Microsoft.Compute/virtualMachines", + "resourceName": "[variables('vmName')]", + "searchKey": "resources.name=[variables('vmName')].properties.osProfile.linuxConfiguration.disablePasswordAuthentication", + "searchValue": "", + "expectedValue": "'disablePasswordAuthentication' should be set to true", + "actualValue": "'disablePasswordAuthentication' property value is set to false", + "issueType": "IncorrectValue", + "similarityID": "fbd37c5e8f857019e44e5a8c92a225392ab8c44544362fd4299c6a7e0409d7e9", + "search_line": 27 }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", - "line": 17, - "filename": "positive2.bicep" + "line": 55, + "fileName": "positive3.json", + "resourceType": "Microsoft.Compute/virtualMachines", + "resourceName": "[variables('vmName')]", + "searchKey": "properties.template.resources.name=[variables('vmName')].properties.osProfile.linuxConfiguration.disablePasswordAuthentication", + "searchValue": "", + "expectedValue": "'disablePasswordAuthentication' should be set to true", 
+ "actualValue": "'disablePasswordAuthentication' property value is set to false", + "issueType": "IncorrectValue", + "similarityID": "e9d773a0d17906fe313dfe47ae9ed7e83dcd3ac0711cc28cdaba57e6959a2afb", + "search_line": 55 }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", - "line": 27, - "filename": "positive3.bicep" + "line": 17, + "fileName": "positive4.bicep", + "resourceType": "Microsoft.Compute/virtualMachines", + "resourceName": "[variables('vmName')]", + "searchKey": "resources.name=[variables('vmName')]", + "searchValue": "", + "expectedValue": "'disablePasswordAuthentication' should be set to true", + "actualValue": "'linuxConfiguration.disablePasswordAuthentication' is not defined", + "issueType": "MissingAttribute", + "similarityID": "ff1c6946f0044d9aee55caab5c8908b67d78036e1b05e108ada32b43e295798a", + "search_line": 17 }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", - "line": 17, - "filename": "positive4.bicep" + "line": 42, + "fileName": "positive4.json", + "resourceType": "Microsoft.Compute/virtualMachines", + "resourceName": "[variables('vmName')]", + "searchKey": "properties.template.resources.name=[variables('vmName')]", + "searchValue": "", + "expectedValue": "'disablePasswordAuthentication' should be set to true", + "actualValue": "'linuxConfiguration.disablePasswordAuthentication' is not defined", + "issueType": "MissingAttribute", + "similarityID": "cfe857608c881b9987cac33f3fd23ba306af00ebb3c827836e5cb6352c4e10f0", + "search_line": 42 } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/test/positive_expected_result.json b/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/test/positive_expected_result.json index f69a151c8c5..07d4ba1e16c 100644 --- a/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/test/positive_expected_result.json 
+++ b/assets/queries/azureResourceManager/azure_managed_disk_without_encryption/test/positive_expected_result.json 
@@ -2,49 +2,121 @@ { "queryName": "Azure Managed Disk Without Encryption", "severity": "HIGH", - "line": 30, - "filename": "positive1.json" + "line": 18, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.Compute/disks", + "resourceName": "['${variables('vmName')}-disk1']", + "searchKey": "resources.name=['${variables('vmName')}-disk1'].properties.encryptionSettingsCollection.enabled", + "searchValue": "", + "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true", + "actualValue": "'encryptionSettingsCollection.enabled' property value is set to false", + "issueType": "IncorrectValue", + "similarityID": "f7e8f8f8f785ce4fa6edc8285dbfff867fd40ff069cb2d3f47d740b716869016", + "search_line": 18 }, { "queryName": "Azure Managed Disk Without Encryption", "severity": "HIGH", - "line": 19, - "filename": "positive2.json" + "line": 30, + "fileName": "positive1.json", + "resourceType": "Microsoft.Compute/disks", + "resourceName": "[concat(variables('vmName'),'-disk1')]", + "searchKey": "resources.name=[concat(variables('vmName'),'-disk1')].properties.encryptionSettingsCollection.enabled", + "searchValue": "", + "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true", + "actualValue": "'encryptionSettingsCollection.enabled' property value is set to false", + "issueType": "IncorrectValue", + "similarityID": "ee6922678caefeb182370eeaa23846211acc162c719a59ab12fcabd0d2810ca1", + "search_line": 30 }, { "queryName": "Azure Managed Disk Without Encryption", "severity": "HIGH", - "line": 32, - "filename": "positive3.json" + "line": 7, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.Compute/disks", + "resourceName": "['${variables('vmName')}-disk1']", + "searchKey": "resources.name=['${variables('vmName')}-disk1']", + "searchValue": "", + "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true", + "actualValue": "'encryptionSettingsCollection.enabled' is undefined", + "issueType": 
"MissingAttribute", + "similarityID": "153f42c6991dfb918a9e2737092446f77a0c0ec98c7bf9f1ce74db9fed74beaa", + "search_line": 7 }, { "queryName": "Azure Managed Disk Without Encryption", "severity": "HIGH", - "line": 21, - "filename": "positive4.json" + "line": 19, + "fileName": "positive2.json", + "resourceType": "Microsoft.Compute/disks", + "resourceName": "[concat(variables('vmName'),'-disk1')]", + "searchKey": "resources.name=[concat(variables('vmName'),'-disk1')]", + "searchValue": "", + "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true", + "actualValue": "'encryptionSettingsCollection.enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "9cab4ea9145e71a348bc794ec58319b5b8fbf85a9cf37e0c65b65011719cf093", + "search_line": 19 }, { "queryName": "Azure Managed Disk Without Encryption", "severity": "HIGH", "line": 18, - "filename": "positive1.bicep" + "fileName": "positive3.bicep", + "resourceType": "Microsoft.Compute/disks", + "resourceName": "['${variables('vmName')}-disk1']", + "searchKey": "resources.name=['${variables('vmName')}-disk1'].properties.encryptionSettingsCollection.enabled", + "searchValue": "", + "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true", + "actualValue": "'encryptionSettingsCollection.enabled' property value is set to false", + "issueType": "IncorrectValue", + "similarityID": "a0f1985c1a95a6159f5078d5dfc4f27fca980a5bbcbc361745aac8c18f01e3d5", + "search_line": 18 }, { "queryName": "Azure Managed Disk Without Encryption", "severity": "HIGH", - "line": 7, - "filename": "positive2.bicep" + "line": 32, + "fileName": "positive3.json", + "resourceType": "Microsoft.Compute/disks", + "resourceName": "[concat(variables('vmName'),'-disk1')]", + "searchKey": "properties.template.resources.name=[concat(variables('vmName'),'-disk1')].properties.encryptionSettingsCollection.enabled", + "searchValue": "", + "expectedValue": "'encryptionSettingsCollection.enabled' should be set 
to true", + "actualValue": "'encryptionSettingsCollection.enabled' property value is set to false", + "issueType": "IncorrectValue", + "similarityID": "c7346068e73b8717e02bca00a381f598f7f315149cb31c3752138289fc0fd596", + "search_line": 32 }, { "queryName": "Azure Managed Disk Without Encryption", "severity": "HIGH", - "line": 18, - "filename": "positive3.bicep" + "line": 7, + "fileName": "positive4.bicep", + "resourceType": "Microsoft.Compute/disks", + "resourceName": "['${variables('vmName')}-disk1']", + "searchKey": "resources.name=['${variables('vmName')}-disk1']", + "searchValue": "", + "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true", + "actualValue": "'encryptionSettingsCollection.enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "fe5e5756950fb78805afca482070afa82ceca3efd6531c9d62dde7300a8b0111", + "search_line": 7 }, { "queryName": "Azure Managed Disk Without Encryption", "severity": "HIGH", - "line": 7, - "filename": "positive4.bicep" + "line": 21, + "fileName": "positive4.json", + "resourceType": "Microsoft.Compute/disks", + "resourceName": "[concat(variables('vmName'),'-disk1')]", + "searchKey": "properties.template.resources.name=[concat(variables('vmName'),'-disk1')]", + "searchValue": "", + "expectedValue": "'encryptionSettingsCollection.enabled' should be set to true", + "actualValue": "'encryptionSettingsCollection.enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "2a4e919d1bbd596b7b4a623eaac813ef1d2216faf2443aba61014b0b8be48583", + "search_line": 21 } ] diff --git a/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json b/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json index 51ce6bdf54a..a5fd63bc750 100644 
--- a/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json 
@@ -2,37 +2,91 @@ { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", "severity": "HIGH", - "line": 13, - "fileName": "positive1.json" + "line": 12, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "positive1", + "searchKey": "resources.name=positive1.properties.networkAcls.defaultAction", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess should be set to false, and/or networkAcls.defaultAction should be set to deny", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' networkAcls.defaultAction is set to 'Allow')", + "issueType": "IncorrectValue", + "similarityID": "9488978958dc094409df1980058fa3812af476702cc1fe193de163f8d72b5087", + "search_line": 12 }, { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", "severity": "HIGH", - "line": 11, - "fileName": "positive2.json" + "line": 13, + "fileName": "positive1.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "positive1", + "searchKey": "resources.name=positive1.properties.networkAcls.defaultAction", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess should be set to false, and/or networkAcls.defaultAction should be set to deny", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' networkAcls.defaultAction is set to 'Allow')", + "issueType": "IncorrectValue", + "similarityID": "e5766f69e475357c3e78d5404d341b3b8bedd926b8ea1b1d19cf8edc0bdb88bd", + "search_line": 13 }, { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", "severity": "HIGH", - "line": 12, - "fileName": "positive3.json" + "line": 10, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "positive2", + "searchKey": 
"resources.name=positive2.properties.publicNetworkAccess", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess should be set to false, and/or networkAcls.defaultAction should be set to deny", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess is not set (default is 'Enabled')", + "issueType": "MissingAttribute", + "similarityID": "fb758be0bbaf6c97b0592ac56a9c3dda71abb969eb232b9050bbe5e5f3436102", + "search_line": 10 }, { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", "severity": "HIGH", - "line": 12, - "fileName": "positive1.bicep" + "line": 11, + "fileName": "positive2.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "positive2", + "searchKey": "resources.name=positive2.properties.publicNetworkAccess", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess should be set to false, and/or networkAcls.defaultAction should be set to deny", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess is not set (default is 'Enabled')", + "issueType": "MissingAttribute", + "similarityID": "8073bf8fc2d77a3e2ff468dd1f62df9554c2789d537fd17b0e8ee070d58ab28b", + "search_line": 11 }, { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", "severity": "HIGH", - "line": 10, - "fileName": "positive2.bicep" + "line": 11, + "fileName": "positive3.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "positive3", + "searchKey": "resources.name=positive3.properties.publicNetworkAccess", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess should be set to false, and/or networkAcls.defaultAction should be set to deny", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess is 
set to 'Enabled')", + "issueType": "IncorrectValue", + "similarityID": "f6d4a6a7e4cb7b015f47dd8061a6fdf3de567403a6faa48930d7f8f175902b37", + "search_line": 11 }, { "queryName": "Default Azure Storage Account Network Access Is Too Permissive", "severity": "HIGH", - "line": 11, - "fileName": "positive3.bicep" + "line": 12, + "fileName": "positive3.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "positive3", + "searchKey": "resources.name=positive3.properties.publicNetworkAccess", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess should be set to false, and/or networkAcls.defaultAction should be set to deny", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' publicNetworkAccess is set to 'Enabled')", + "issueType": "IncorrectValue", + "similarityID": "501b82fe6a0c8480668df4162da9c3c506df47b9664ec6b2cb685e6a9780d7e2", + "search_line": 12 } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/email_notifications_set_off/test/positive_expected_result.json b/assets/queries/azureResourceManager/email_notifications_set_off/test/positive_expected_result.json index 205542f4c46..f61ac1f1d32 100644 --- a/assets/queries/azureResourceManager/email_notifications_set_off/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/email_notifications_set_off/test/positive_expected_result.json 
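Review bot: The regenerated `actualValue` strings in this hunk carry an unbalanced closing parenthesis — `"... networkAcls.defaultAction is set to 'Allow')"` for the positive1 entries and `"... publicNetworkAccess is set to 'Enabled')"` for the positive3 entries — so the fixture now pins a malformed message instead of catching it (the positive2 entries, `is not set (default is 'Enabled')`, are balanced). These strings are copied from the query's own output, so the stray `)` should be dropped in the query's actualValue message and this file regenerated with the same script; as committed, fixing the message later will break this test until the fixture is refreshed.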
@@ -2,145 +2,361 @@ { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 17, - "filename": "positive1.json" + "line": 7, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.alertNotifications.state", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'Off'", + "issueType": "IncorrectValue", + "similarityID": "28963b635795e68c5ea83c6730882eeb3de84d31a53bf9f70314733b4d0ef8d8", + "search_line": 7 }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 13, - "filename": "positive2.json" + "line": 17, + "fileName": "positive1.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.alertNotifications.state", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'Off'", + "issueType": "IncorrectValue", + "similarityID": "ebd6389a94e71b3b1f204075478c15671971ee1e869aac36706bb2a86c96a0da", + "search_line": 17 }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 16, - "filename": "positive3.json" + "line": 3, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 
'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications' property defined", + "issueType": "MissingAttribute", + "similarityID": "727ee7bdd8b79bac9409c978a1fce1244b2995b441e0b83a8c26f8c771fc25e1", + "search_line": 3 }, { "queryName": "Email Notifications Disabled", "severity": "INFO", "line": 13, - "filename": "positive4.json" + "fileName": "positive2.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications' property defined", + "issueType": "MissingAttribute", + "similarityID": "bed0cb6f47b768f18ae714b166f9c5e1c4407eb1b768edad82389fd60b2d03c9", + "search_line": 13 }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 21, - "filename": "positive5.json" + "line": 6, + "fileName": "positive3.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.alertNotifications", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications.state' property defined", + "issueType": "MissingAttribute", + "similarityID": "3a0e0e2db2282b11fd5d7a6d26d79a78768dc441de3d32bf9458a7dce5ee045f", + "search_line": 6 }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 20, - "filename": "positive6.json" + 
"line": 16, + "fileName": "positive3.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.alertNotifications", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications.state' property defined", + "issueType": "MissingAttribute", + "similarityID": "abdeca89993618b81d9a03e3661d2652483666f80e9cd29a6022b09898908f08", + "search_line": 16 }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 19, - "filename": "positive7.json" + "line": 3, + "fileName": "positive4.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole' property defined", + "issueType": "MissingAttribute", + "similarityID": "31d2284c1176943e9f04db38b1d21aad226aa71550183055db86843dd4276eab", + "search_line": 3 }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 15, - "filename": "positive8.json" + "line": 13, + "fileName": "positive4.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 
'notificationsByRole' property defined", + "issueType": "MissingAttribute", + "similarityID": "5dff7238743316ae55fcf64a89ddfb1885c880c51e71db57e089d860f21ecf99", + "search_line": 13 }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 18, - "filename": "positive9.json" + "line": 11, + "fileName": "positive5.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.notificationsByRole.state", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'Off'", + "issueType": "IncorrectValue", + "similarityID": "261c3e23a7bbbcf1866d044dc6bd23f7f478d2fd0f35fe2d3b05081bdb45cbd8", + "search_line": 11 }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 15, - "filename": "positive10.json" + "line": 21, + "fileName": "positive5.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.notificationsByRole.state", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'Off'", + "issueType": "IncorrectValue", + "similarityID": "7b1523b55da11c5fa64a514c132479e12f8d293d511f47dcb916bc881a9fd0ec", + "search_line": 21 }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 23, - "filename": "positive11.json" + "line": 10, + "fileName": "positive6.bicep", + "resourceType": 
"Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.notificationsByRole", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole.state' property defined", + "issueType": "MissingAttribute", + "similarityID": "53ad28f3f859f488e45404cd28fd5bd679f9535da0c77b60dd8de5aac564934b", + "search_line": 10 }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 22, - "filename": "positive12.json" + "line": 20, + "fileName": "positive6.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.notificationsByRole", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole.state' property defined", + "issueType": "MissingAttribute", + "similarityID": "897b06a99add0dc24a5b7f754e06a0a73f9153f901c42efacc67246dcca4c8de", + "search_line": 20 }, { "queryName": "Email Notifications Disabled", "severity": "INFO", "line": 7, - "filename": "positive1.bicep" + "fileName": "positive7.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.alertNotifications.state", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' 
property set to 'Off'", + "issueType": "IncorrectValue", + "similarityID": "290cbbcb37b2f51f89c6f4c2be28878790428f425b1900ed81b9ae24c94f69b1", + "search_line": 7 }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 3, - "filename": "positive2.bicep" + "line": 19, + "fileName": "positive7.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "properties.template.resources.name={{security contact}}.properties.alertNotifications.state", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'Off'", + "issueType": "IncorrectValue", + "similarityID": "c42095427a7f2fd7dc11b4df982d8f808eacaa652dcd6b6c9c143c78d27d4eaa", + "search_line": 19 }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 6, - "filename": "positive3.bicep" + "line": 3, + "fileName": "positive8.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications' property defined", + "issueType": "MissingAttribute", + "similarityID": "2ab66b1096c17ad576ae155a91c47055869a2fefbceda7fb6c73c3f573539e77", + "search_line": 3 }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 3, - "filename": "positive4.bicep" + "line": 15, + "fileName": "positive8.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": 
"properties.template.resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications' property defined", + "issueType": "MissingAttribute", + "similarityID": "0803df56399bd7faf640e8a7208062b7f8356d2820629f1954af24935c9c0dff", + "search_line": 15 }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 11, - "filename": "positive5.bicep" + "line": 6, + "fileName": "positive9.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.alertNotifications", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications.state' property defined", + "issueType": "MissingAttribute", + "similarityID": "e241065019d2d0f61d87f3c8332d85de9e4c457adc4e73c97be151146de58b54", + "search_line": 6 }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 10, - "filename": "positive6.bicep" + "line": 18, + "fileName": "positive9.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "properties.template.resources.name={{security contact}}.properties.alertNotifications", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'alertNotifications.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'alertNotifications.state' property defined", + "issueType": "MissingAttribute", + "similarityID": 
"68f26f7e28528779e2e6b6e5398910ed6d9937a5347855c2ad98de80f0daafdb", + "search_line": 18 }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 7, - "filename": "positive7.bicep" + "line": 3, + "fileName": "positive10.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole' property defined", + "issueType": "MissingAttribute", + "similarityID": "465e7da6bf2ef01d4afe4e41568864367d708f76bbe7a8f0736ab2879763d892", + "search_line": 3 }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 3, - "filename": "positive8.bicep" + "line": 15, + "fileName": "positive10.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "properties.template.resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole' property defined", + "issueType": "MissingAttribute", + "similarityID": "5ee3076afa617e411d73d49fe9fa1d74fb0081efab10bcbaeea075cef032bc85", + "search_line": 15 }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 6, - "filename": "positive9.bicep" + "line": 11, + "fileName": "positive11.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.notificationsByRole.state", + "searchValue": "", + 
"expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'Off'", + "issueType": "IncorrectValue", + "similarityID": "d60c880f8bb056822c0a16d363cabf5bd2fdd35466230c8893bf42accbc57bff", + "search_line": 11 }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 3, - "filename": "positive10.bicep" + "line": 23, + "fileName": "positive11.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "properties.template.resources.name={{security contact}}.properties.notificationsByRole.state", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' property value should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'Off'", + "issueType": "IncorrectValue", + "similarityID": "335f294c8bd5f646d3e317fb73a3a2f86596e81326fb3a8c2de3e5339b621a30", + "search_line": 23 }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 11, - "filename": "positive11.bicep" + "line": 10, + "fileName": "positive12.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties.notificationsByRole", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole.state' property defined", + "issueType": "MissingAttribute", + "similarityID": 
"6bd3c78f28b637576911ba8c848b91a077ef586878111ac4487cd6a59afd20a3", + "search_line": 10 }, { "queryName": "Email Notifications Disabled", "severity": "INFO", - "line": 10, - "filename": "positive12.bicep" + "line": 22, + "fileName": "positive12.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "properties.template.resources.name={{security contact}}.properties.notificationsByRole", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'notificationsByRole.state' property set to 'On'", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'notificationsByRole.state' property defined", + "issueType": "MissingAttribute", + "similarityID": "b282155589330e55274801868c8bcb8aa9926f8f4e57d0f4cdebbfb31a9d160f", + "search_line": 22 } ] diff --git a/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/test/positive_expected_result.json b/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/test/positive_expected_result.json index 66a1cf66b62..faebb0414d4 100644 --- a/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value/test/positive_expected_result.json 
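Review bot: The `actualValue` entries of this hunk state that the resource `should have 'alertNotifications.state' property set to 'Off'` (and likewise `'notificationsByRole.state'`), which reads as a recommendation to turn notifications off rather than a description of the observed value; `expectedValue` already carries the "should" phrasing. Since these strings are taken verbatim from the query's output, the wording belongs in the query's actualValue message — something like `'alertNotifications.state' property is set to 'Off'` — with this fixture regenerated afterwards. The two `expectedValue` variants in this file (`property value should have ...` for IncorrectValue versus `should have ...` for MissingAttribute) are also inconsistent and would be worth aligning at the same time.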
@@ -2,25 +2,61 @@ { "queryName": "Hardcoded SecureString Parameter Default Value", "severity": "HIGH", - "line": 7, - "fileName": "positive1.json" + "line": 2, + "fileName": "positive1.bicep", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "parameters.adminPassword.defaultValue", + "searchValue": "", + "expectedValue": "parameters.adminPassword.defaultValue should not be hardcoded", + "actualValue": "parameters.adminPassword.defaultValue is hardcoded", + "issueType": "IncorrectValue", + "similarityID": "bbc12e6c80acee61b11a8285d7453e75b98bc88decbe1ac762ca52a3b6a4ae2b", + "search_line": 2 }, { "queryName": "Hardcoded SecureString Parameter Default Value", "severity": "HIGH", - "line": 9, - "fileName": "positive2.json" + "line": 7, + "fileName": "positive1.json", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "parameters.adminPassword.defaultValue", + "searchValue": "", + "expectedValue": "parameters.adminPassword.defaultValue should not be hardcoded", + "actualValue": "parameters.adminPassword.defaultValue is hardcoded", + "issueType": "IncorrectValue", + "similarityID": "d1bb35bd189780b050e27802a4e1538a8f365d5845ddf89a0f394ffca3be9983", + "search_line": 7 }, { "queryName": "Hardcoded SecureString Parameter Default Value", "severity": "HIGH", "line": 2, - "fileName": "positive1.bicep" + "fileName": "positive2.bicep", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "parameters.adminPassword.defaultValue", + "searchValue": "", + "expectedValue": "parameters.adminPassword.defaultValue should not be hardcoded", + "actualValue": "parameters.adminPassword.defaultValue is hardcoded", + "issueType": "IncorrectValue", + "similarityID": "46f7057c25ea017d8866fd8fa06734e38c179f79501fc6c12a8de419d90fda9a", + "search_line": 2 }, { "queryName": "Hardcoded SecureString Parameter Default Value", "severity": "HIGH", - "line": 2, - "fileName": "positive2.bicep" + "line": 9, + "fileName": "positive2.json", + "resourceType": "n/a", + 
"resourceName": "n/a", + "searchKey": "parameters.adminPassword.defaultValue", + "searchValue": "", + "expectedValue": "parameters.adminPassword.defaultValue should not be hardcoded", + "actualValue": "parameters.adminPassword.defaultValue is hardcoded", + "issueType": "IncorrectValue", + "similarityID": "432b70dad64b9b8515133bb887a53c24cbb9f266e016755df60b8b67606f0410", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/key_vault_not_recoverable/test/positive_expected_result.json b/assets/queries/azureResourceManager/key_vault_not_recoverable/test/positive_expected_result.json index aedb11e80d1..5bfda8b15d5 100644 --- a/assets/queries/azureResourceManager/key_vault_not_recoverable/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/key_vault_not_recoverable/test/positive_expected_result.json 
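Review bot: The last entry of this hunk, for positive2.json, records `"search_line": -1` while its three sibling entries resolve `search_line` to the same value as `line` (2, 7 and 2), and -1 is the value the scanner emits when it cannot locate the `searchKey` in the file. If positive2.json declares the parameter inside a nested template, the key `parameters.adminPassword.defaultValue` would presumably need the `properties.template.` prefix that the nested-template entries in the other fixtures on this page carry; otherwise this looks like a line-resolution regression that the regenerated oracle now locks in. Worth checking against positive2.json before accepting the fixture, because once -1 is the expected value the suite keeps passing for as long as the scanner keeps failing to resolve it.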
@@ -2,73 +2,181 @@ { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 15, - "fileName": "positive1.json" + "line": 5, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "keyVaultInstance", + "searchKey": "resources.name={{keyVaultInstance}}.properties", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enablePurgeProtection' property defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined", + "issueType": "MissingAttribute", + "similarityID": "168f5e6700cf482e823e445f2bcdfb482530df4ce4c31cfa48d110a06c41126c", + "search_line": 5 }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 39, - "fileName": "positive2.json" + "line": 15, + "fileName": "positive1.json", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "keyVaultInstance", + "searchKey": "resources.name={{keyVaultInstance}}.properties", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enablePurgeProtection' property defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined", + "issueType": "MissingAttribute", + "similarityID": "f1e86fc42c0d3c0c45a98d143bc7e95382e8628d5f28cf0d2fcf6df73d0e7eda", + "search_line": 15 }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 17, - "fileName": "positive3.json" + "line": 27, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "keyVaultInstance", + "searchKey": "resources.name={{keyVaultInstance}}.properties.enablePurgeProtection", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' property value should have 'enablePurgeProtection' property set to true", + 
"actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property set to true", + "issueType": "IncorrectValue", + "similarityID": "8d2cd9a6193c7266124705e15d5c6b498117cbd006711611679cf37a1adbbdc4", + "search_line": 27 }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 41, - "fileName": "positive4.json" + "line": 39, + "fileName": "positive2.json", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "keyVaultInstance", + "searchKey": "resources.name={{keyVaultInstance}}.properties.enablePurgeProtection", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' property value should have 'enablePurgeProtection' property set to true", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property set to true", + "issueType": "IncorrectValue", + "similarityID": "9cb3b90e6288441c8636d431d90daee059117b9afde1767fd1c465857f85f523", + "search_line": 39 }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 23, - "fileName": "positive5.json" + "line": 5, + "fileName": "positive3.bicep", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "keyVaultInstance", + "searchKey": "resources.name={{keyVaultInstance}}.properties", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enablePurgeProtection' property defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined", + "issueType": "MissingAttribute", + "similarityID": "70897e285affc5c3fb0dbc05ce68a0240b4869943e5be844fb66a40a384b7204", + "search_line": 5 }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 23, - "fileName": "positive5.json" + "line": 17, + "fileName": "positive3.json", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": 
"keyVaultInstance", + "searchKey": "properties.template.resources.name={{keyVaultInstance}}.properties", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enablePurgeProtection' property defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined", + "issueType": "MissingAttribute", + "similarityID": "002aa53fea7b3e74d0d20062f7cb73fa7e56a8074bc88a7635c7f06a8285c362", + "search_line": 17 }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 5, - "fileName": "positive1.bicep" + "line": 27, + "fileName": "positive4.bicep", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "keyVaultInstance", + "searchKey": "resources.name={{keyVaultInstance}}.properties.enablePurgeProtection", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' property value should have 'enablePurgeProtection' property set to true", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property set to true", + "issueType": "IncorrectValue", + "similarityID": "81169949953956d8603f35a7f254efaf35894484362be0ee3b9141c3869f2f52", + "search_line": 27 }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 27, - "fileName": "positive2.bicep" + "line": 41, + "fileName": "positive4.json", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "keyVaultInstance", + "searchKey": "properties.template.resources.name={{keyVaultInstance}}.properties.enablePurgeProtection", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' property value should have 'enablePurgeProtection' property set to true", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property set to true", + "issueType": 
"IncorrectValue", + "similarityID": "633a2044444602acfc2cff5be0888248685144a9205c758fe12f352fe1dd5249", + "search_line": 41 }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 5, - "fileName": "positive3.bicep" + "line": 18, + "fileName": "positive5.bicep", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "[parameters('vaults_pgs_bot_prod_name')]", + "searchKey": "resources.name={{[parameters('vaults_pgs_bot_prod_name')]}}.properties", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enablePurgeProtection' property defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined", + "issueType": "MissingAttribute", + "similarityID": "b661e0f9ed75734d365f57ebe05194a7f2cae77da9483cc3d1ed98aa2f4c1166", + "search_line": 18 }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 27, - "fileName": "positive4.bicep" + "line": 18, + "fileName": "positive5.bicep", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "[parameters('vaults_pgs_bot_prod_name')]", + "searchKey": "resources.name={{[parameters('vaults_pgs_bot_prod_name')]}}.properties", + "searchValue": "enableSoftDelete", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enableSoftDelete' property defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enableSoftDelete' property defined", + "issueType": "MissingAttribute", + "similarityID": "fa80d4b81e7f930c7c6fe17b803b487fb53b5c2f9e137047f0ccc471f7611e23", + "search_line": 18 }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 18, - "fileName": "positive5.bicep" + "line": 23, + "fileName": "positive5.json", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "[parameters('vaults_pgs_bot_prod_name')]", + "searchKey": 
"resources.name={{[parameters('vaults_pgs_bot_prod_name')]}}.properties", + "searchValue": "enablePurgeProtection", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enablePurgeProtection' property defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enablePurgeProtection' property defined", + "issueType": "MissingAttribute", + "similarityID": "70dabc384bc14500a6006986d12615dd4a761aad881344abde1dc4b5e4a7367f", + "search_line": 23 }, { "queryName": "Key Vault Not Recoverable", "severity": "HIGH", - "line": 18, - "fileName": "positive5.bicep" + "line": 23, + "fileName": "positive5.json", + "resourceType": "Microsoft.KeyVault/vaults", + "resourceName": "[parameters('vaults_pgs_bot_prod_name')]", + "searchKey": "resources.name={{[parameters('vaults_pgs_bot_prod_name')]}}.properties", + "searchValue": "enableSoftDelete", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults' should have 'enableSoftDelete' property defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults' doesn't have 'enableSoftDelete' property defined", + "issueType": "MissingAttribute", + "similarityID": "293577fc417a717a95262e7be279f3753ff9ca5cc3f8ccef2feeafbf3271e78e", + "search_line": 23 } ] diff --git a/assets/queries/azureResourceManager/log_profile_incorrect_category/test/positive_expected_result.json b/assets/queries/azureResourceManager/log_profile_incorrect_category/test/positive_expected_result.json index 5493d0ff29d..1639712cb3f 100644 --- a/assets/queries/azureResourceManager/log_profile_incorrect_category/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/log_profile_incorrect_category/test/positive_expected_result.json 
@@ -2,25 +2,61 @@ { "queryName": "Log Profile Incorrect Category", "severity": "LOW", - "line": 22, - "fileName": "positive1.json" + "line": 9, + "fileName": "positive1.bicep", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name={{string}}.properties.categories", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have categories[%!d(string=property value)] %!s(int=0) set to 'Write', 'Delete' or 'Action'", + "actualValue": "resource with type 'microsoft.insights/logprofiles' has categories[0] set to 'Writ'", + "issueType": "IncorrectValue", + "similarityID": "e2f2a1a040a11a1392c7090eb833861026cd75540da1368b5c1eb7809b55f023", + "search_line": 9 }, { "queryName": "Log Profile Incorrect Category", "severity": "LOW", - "line": 24, - "fileName": "positive2.json" + "line": 22, + "fileName": "positive1.json", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name={{string}}.properties.categories", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have categories[%!d(string=property value)] %!s(int=0) set to 'Write', 'Delete' or 'Action'", + "actualValue": "resource with type 'microsoft.insights/logprofiles' has categories[0] set to 'Writ'", + "issueType": "IncorrectValue", + "similarityID": "8acbb22b9d09d505c8df1c3937af395afe4ddcc74d6f030d8bddc7f79e477c35", + "search_line": 22 }, { "queryName": "Log Profile Incorrect Category", "severity": "LOW", "line": 9, - "fileName": "positive1.bicep" + "fileName": "positive2.bicep", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name={{string}}.properties.categories", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have categories[%!d(string=property value)] %!s(int=0) set to 'Write', 'Delete' or 'Action'", + 
"actualValue": "resource with type 'microsoft.insights/logprofiles' has categories[0] set to 'Writ'", + "issueType": "IncorrectValue", + "similarityID": "0530f71e9c880de432fd51ee1981e4f62aa60c79bee5f64bde2d12ca620ddc47", + "search_line": 9 }, { "queryName": "Log Profile Incorrect Category", "severity": "LOW", - "line": 9, - "fileName": "positive2.bicep" + "line": 24, + "fileName": "positive2.json", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "properties.template.resources.name={{string}}.properties.categories", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have categories[%!d(string=property value)] %!s(int=0) set to 'Write', 'Delete' or 'Action'", + "actualValue": "resource with type 'microsoft.insights/logprofiles' has categories[0] set to 'Writ'", + "issueType": "IncorrectValue", + "similarityID": "2a2cf71148aa3849928e5b9482fc8df7231fdce3a4744e0465fc8048e12185fd", + "search_line": 24 } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/test/positive_expected_result.json index a2a485c0bac..bf14a666001 100644 --- a/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled/test/positive_expected_result.json 
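Review bot: Every `expectedValue` in this hunk contains `categories[%!d(string=property value)] %!s(int=0)`, which is Go's fmt output for a verb/argument mismatch: a string reached a `%d` verb and an int reached a `%s` verb. The intended text is presumably `categories[0] property value should be set to 'Write', 'Delete' or 'Action'`, so the sprintf arguments in the query under assets/queries/azureResourceManager/log_profile_incorrect_category/ appear to be swapped relative to their verbs. Committing the regenerated fixture as-is makes the test suite assert the garbled message; the formatting should be fixed in the query and this file regenerated afterwards rather than accepted here.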
@@ -2,49 +2,121 @@ { "queryName": "MySQL Server SSL Enforcement Disabled", "severity": "MEDIUM", - "line": 16, - "fileName": "positive1.json" + "line": 6, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.DBforMySQL/servers", + "resourceName": "server", + "searchKey": "resources.name={{server}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property defined", + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' property defined", + "issueType": "MissingAttribute", + "similarityID": "d4436e9abf9843f8c585618a58f1c6f9146881ed8eb4d8cd017428617ec240cd", + "search_line": 6 }, { "queryName": "MySQL Server SSL Enforcement Disabled", "severity": "MEDIUM", - "line": 18, - "fileName": "positive2.json" + "line": 16, + "fileName": "positive1.json", + "resourceType": "Microsoft.DBforMySQL/servers", + "resourceName": "server", + "searchKey": "resources.name={{server}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property defined", + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' property defined", + "issueType": "MissingAttribute", + "similarityID": "433e90b8e7f3074f002654b24bbdfea3cad893454a4fcbb2b8b043883197f1f1", + "search_line": 16 }, { "queryName": "MySQL Server SSL Enforcement Disabled", "severity": "MEDIUM", - "line": 18, - "fileName": "positive3.json" + "line": 8, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.DBforMySQL/servers", + "resourceName": "server", + "searchKey": "resources.name={{server}}.properties.sslEnforcement", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property value set to 'Enabled'", + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 
'sslEnforcement' set to 'Enabled'", + "issueType": "IncorrectValue", + "similarityID": "5e6189de91b7f0cb668654c9117df1b5cb4e221309769ac8067e5c9d3ed9e7a7", + "search_line": 8 }, { "queryName": "MySQL Server SSL Enforcement Disabled", "severity": "MEDIUM", - "line": 20, - "fileName": "positive4.json" + "line": 18, + "fileName": "positive2.json", + "resourceType": "Microsoft.DBforMySQL/servers", + "resourceName": "server", + "searchKey": "resources.name={{server}}.properties.sslEnforcement", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property value set to 'Enabled'", + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' set to 'Enabled'", + "issueType": "IncorrectValue", + "similarityID": "5562e9601c72db91696bdfa510a62609de41c01d4cf6f155e3c02bd79652f14e", + "search_line": 18 }, { "queryName": "MySQL Server SSL Enforcement Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.bicep" + "fileName": "positive3.bicep", + "resourceType": "Microsoft.DBforMySQL/servers", + "resourceName": "server", + "searchKey": "resources.name={{server}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property defined", + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' property defined", + "issueType": "MissingAttribute", + "similarityID": "6816dabe401dfae21512ca327a250948964ecede20008cf28bc08844e27e689d", + "search_line": 6 }, { "queryName": "MySQL Server SSL Enforcement Disabled", "severity": "MEDIUM", - "line": 8, - "fileName": "positive2.bicep" + "line": 18, + "fileName": "positive3.json", + "resourceType": "Microsoft.DBforMySQL/servers", + "resourceName": "server", + "searchKey": "properties.template.resources.name={{server}}.properties", + "searchValue": "", + "expectedValue": "resource with type 
'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property defined", + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' property defined", + "issueType": "MissingAttribute", + "similarityID": "13c028d5ef61191ff885eddaf14af92c870bd163c75b339f6524996fe9945314", + "search_line": 18 }, { "queryName": "MySQL Server SSL Enforcement Disabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive3.bicep" + "line": 8, + "fileName": "positive4.bicep", + "resourceType": "Microsoft.DBforMySQL/servers", + "resourceName": "server", + "searchKey": "resources.name={{server}}.properties.sslEnforcement", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property value set to 'Enabled'", + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' set to 'Enabled'", + "issueType": "IncorrectValue", + "similarityID": "2adf93f22b039c6e6e255e4fe0fb7975832ca88cb84deb5ad689d758c6d127af", + "search_line": 8 }, { "queryName": "MySQL Server SSL Enforcement Disabled", "severity": "MEDIUM", - "line": 8, - "fileName": "positive4.bicep" + "line": 20, + "fileName": "positive4.json", + "resourceType": "Microsoft.DBforMySQL/servers", + "resourceName": "server", + "searchKey": "properties.template.resources.name={{server}}.properties.sslEnforcement", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforMySQL/servers' should have the 'sslEnforcement' property value set to 'Enabled'", + "actualValue": "resource with type 'Microsoft.DBforMySQL/servers' doesn't have 'sslEnforcement' set to 'Enabled'", + "issueType": "IncorrectValue", + "similarityID": "631e4554bdba4d328437cf502ecff88803f6c6f6398370c80c025acc773a89fb", + "search_line": 20 } -] \ No newline at end of file +] 
diff --git a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/test/positive_expected_result.json b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/test/positive_expected_result.json index 81f2c0350d3..dd07692f0b5 100644 --- a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp/test/positive_expected_result.json 
@@ -2,73 +2,181 @@ { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 19, - "fileName": "positive1.json" + "line": 9, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.Network/networkSecurityGroups", + "resourceName": "security group", + "searchKey": "resources.name={{security group}}.properties.securityRules", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' should restrict access to RDP", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to RDP", + "issueType": "IncorrectValue", + "similarityID": "1d1f331194f52943236e5e60b6584c44da2620628cd5624303fab52321e0ca89", + "search_line": 9 }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 13, - "fileName": "positive2.json" + "line": 19, + "fileName": "positive1.json", + "resourceType": "Microsoft.Network/networkSecurityGroups", + "resourceName": "security group", + "searchKey": "resources.name={{security group}}.properties.securityRules", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' should restrict access to RDP", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to RDP", + "issueType": "IncorrectValue", + "similarityID": "91f385187aebeeb7eb61eed62d635a5850723114037efd77996ed80c87ea2d16", + "search_line": 19 }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 20, - "fileName": "positive3.json" + "line": 3, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.Network/networkSecurityGroups/securityRules", + "resourceName": "sample/securitygroup", + "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 
'Microsoft.Network/networkSecurityGroups/securityRules' should restrict access to RDP", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to RDP", + "issueType": "IncorrectValue", + "similarityID": "5448472899e546fbc78f1e22995ef2f07f1f47faf0f9b056c06aa2bece30724e", + "search_line": 3 }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 21, - "fileName": "positive4.json" + "line": 13, + "fileName": "positive2.json", + "resourceType": "Microsoft.Network/networkSecurityGroups/securityRules", + "resourceName": "sample/securitygroup", + "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' should restrict access to RDP", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to RDP", + "issueType": "IncorrectValue", + "similarityID": "88f6b4f2a7c965cda227711647c8ce41f512373da0d1b7a7a4393617d6f84b9d", + "search_line": 13 }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 15, - "fileName": "positive5.json" + "line": 10, + "fileName": "positive3.bicep", + "resourceType": "securityRules", + "resourceName": "sr", + "searchKey": "resources.type={{securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'securityRules' should restrict access to RDP", + "actualValue": "resource with type 'securityRules' does not restrict access to RDP", + "issueType": "IncorrectValue", + "similarityID": "aff52525e1bbc8e25b969a911a908a6617d4b278af51da975bb35917d4320837", + "search_line": 10 }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 22, - "fileName": "positive6.json" + "line": 20, + "fileName": 
"positive3.json", + "resourceType": "securityRules", + "resourceName": "sr", + "searchKey": "resources.type={{securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'securityRules' should restrict access to RDP", + "actualValue": "resource with type 'securityRules' does not restrict access to RDP", + "issueType": "IncorrectValue", + "similarityID": "22365a85a29266bd9ca0b262189e315984c15897451e206a43046ebd7870e113", + "search_line": 20 }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", "line": 9, - "fileName": "positive1.bicep" + "fileName": "positive4.bicep", + "resourceType": "Microsoft.Network/networkSecurityGroups", + "resourceName": "security group", + "searchKey": "resources.name={{security group}}.properties.securityRules", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' should restrict access to RDP", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to RDP", + "issueType": "IncorrectValue", + "similarityID": "5159c2b256b40939964f714967e556a814f7fba7d012dae4822937029f0345a5", + "search_line": 9 }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 3, - "fileName": "positive2.bicep" + "line": 21, + "fileName": "positive4.json", + "resourceType": "Microsoft.Network/networkSecurityGroups", + "resourceName": "security group", + "searchKey": "properties.template.resources.name={{security group}}.properties.securityRules", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' should restrict access to RDP", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to RDP", + "issueType": "IncorrectValue", + "similarityID": "d0c2bf3dc244f4980fd39f677eeb25e59d89028f198103e3173db15c09c14067", + "search_line": 21 }, { "queryName": "Network 
Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 10, - "fileName": "positive3.bicep" + "line": 3, + "fileName": "positive5.bicep", + "resourceType": "Microsoft.Network/networkSecurityGroups/securityRules", + "resourceName": "sample/securitygroup", + "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' should restrict access to RDP", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to RDP", + "issueType": "IncorrectValue", + "similarityID": "66c1543243e287e99c6889345ad153b4199fe745be18b7e24c3b2f46ca8ef5e6", + "search_line": 3 }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 9, - "fileName": "positive4.bicep" + "line": 15, + "fileName": "positive5.json", + "resourceType": "Microsoft.Network/networkSecurityGroups/securityRules", + "resourceName": "sample/securitygroup", + "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' should restrict access to RDP", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to RDP", + "issueType": "IncorrectValue", + "similarityID": "fe06efbac25917395186e74795b295e84841a5a81a7d1f6a9aa69cb4a64e2100", + "search_line": 15 }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 3, - "fileName": "positive5.bicep" + "line": 10, + "fileName": "positive6.bicep", + "resourceType": "securityRules", + "resourceName": "sr", + "searchKey": "resources.type={{securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'securityRules' 
should restrict access to RDP", + "actualValue": "resource with type 'securityRules' does not restrict access to RDP", + "issueType": "IncorrectValue", + "similarityID": "1c288902e8bea769b212bd43f5e68ab778f10a0cdd2b73420c0b343bf602200a", + "search_line": 10 }, { "queryName": "Network Security Group With Unrestricted Access To RDP", "severity": "HIGH", - "line": 10, - "fileName": "positive6.bicep" + "line": 22, + "fileName": "positive6.json", + "resourceType": "securityRules", + "resourceName": "sr", + "searchKey": "resources.type={{securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'securityRules' should restrict access to RDP", + "actualValue": "resource with type 'securityRules' does not restrict access to RDP", + "issueType": "IncorrectValue", + "similarityID": "5f36aa9d2b115ce5f5be2f007a585c1ec042bda2b13975a14d1de3b707ca970a", + "search_line": 22 } ] diff --git a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json index f4b05c4f8ac..bfdc007b9c3 100644 --- a/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json 
@@ -2,79 +2,196 @@ { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 19, - "fileName": "positive1.json" + "line": 9, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.Network/networkSecurityGroups", + "resourceName": "security group", + "searchKey": "resources.name={{security group}}.properties.securityRules", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' restricts access to SSH", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to SSH", + "issueType": "IncorrectValue", + "similarityID": "6599ffac54afd7084137d06cef8401e1766f25e746fdc6e520a107795b5404c8", + "search_line": 9 }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 13, - "fileName": "positive2.json" + "line": 19, + "fileName": "positive1.json", + "resourceType": "Microsoft.Network/networkSecurityGroups", + "resourceName": "security group", + "searchKey": "resources.name={{security group}}.properties.securityRules", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' restricts access to SSH", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to SSH", + "issueType": "IncorrectValue", + "similarityID": "fb50e9c36cb0632b5ad75f05ff70fadbe6da1e3cf219eca8513ad34c51eb5c50", + "search_line": 19 }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 20, - "fileName": "positive3.json" + "line": 3, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.Network/networkSecurityGroups/securityRules", + "resourceName": "sample/securitygroup", + "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 
'Microsoft.Network/networkSecurityGroups/securityRules' restricts access to SSH", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to SSH", + "issueType": "IncorrectValue", + "similarityID": "0118efb3baa21f4dba4cf754567cd76e31642aa7ba4c10215444a4f82308dea6", + "search_line": 3 }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 21, - "fileName": "positive4.json" + "line": 13, + "fileName": "positive2.json", + "resourceType": "Microsoft.Network/networkSecurityGroups/securityRules", + "resourceName": "sample/securitygroup", + "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' restricts access to SSH", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to SSH", + "issueType": "IncorrectValue", + "similarityID": "fbece59fb53f3eabe161b2ed2ad921b1c060ceb309eabb2424a02a30db429f6a", + "search_line": 13 }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 15, - "fileName": "positive5.json" + "line": 10, + "fileName": "positive3.bicep", + "resourceType": "securityRules", + "resourceName": "sr", + "searchKey": "resources.type={{securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'securityRules' restricts access to SSH", + "actualValue": "resource with type 'securityRules' does not restrict access to SSH", + "issueType": "IncorrectValue", + "similarityID": "894f1af95a7173648c1d470ae0ae72663cc704101be9daeae384a873d564205c", + "search_line": 10 }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 22, - "fileName": "positive6.json" + "line": 20, + "fileName": "positive3.json", + 
"resourceType": "securityRules", + "resourceName": "sr", + "searchKey": "resources.type={{securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'securityRules' restricts access to SSH", + "actualValue": "resource with type 'securityRules' does not restrict access to SSH", + "issueType": "IncorrectValue", + "similarityID": "9631ff1bdbe165202a39ef272700697f45c1183d1071a5f71d9294fd9205d897", + "search_line": 20 }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 22, - "fileName": "positive7.json" + "line": 9, + "fileName": "positive4.bicep", + "resourceType": "Microsoft.Network/networkSecurityGroups", + "resourceName": "security group", + "searchKey": "resources.name={{security group}}.properties.securityRules", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' restricts access to SSH", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to SSH", + "issueType": "IncorrectValue", + "similarityID": "c217e7d4ef56dc6c40f4aa25a32fa60a875c14ab92b18011999e121020779b93", + "search_line": 9 }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 9, - "fileName": "positive1.bicep" + "line": 21, + "fileName": "positive4.json", + "resourceType": "Microsoft.Network/networkSecurityGroups", + "resourceName": "security group", + "searchKey": "properties.template.resources.name={{security group}}.properties.securityRules", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups' restricts access to SSH", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups' does not restrict access to SSH", + "issueType": "IncorrectValue", + "similarityID": "b3ada20157e787743c201261e41b0a7c5f44c845ed238840d5e5e7fd7d1b1802", + "search_line": 21 }, { "queryName": "Network Security Group With 
Unrestricted Access To SSH", "severity": "MEDIUM", "line": 3, - "fileName": "positive2.bicep" + "fileName": "positive5.bicep", + "resourceType": "Microsoft.Network/networkSecurityGroups/securityRules", + "resourceName": "sample/securitygroup", + "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' restricts access to SSH", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to SSH", + "issueType": "IncorrectValue", + "similarityID": "1d1efceb5d4e7bad649558fc1e6c17878cd4a17acf240007b56d0a2eea828db9", + "search_line": 3 }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 10, - "fileName": "positive3.bicep" + "line": 15, + "fileName": "positive5.json", + "resourceType": "Microsoft.Network/networkSecurityGroups/securityRules", + "resourceName": "sample/securitygroup", + "searchKey": "resources.type={{Microsoft.Network/networkSecurityGroups/securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' restricts access to SSH", + "actualValue": "resource with type 'Microsoft.Network/networkSecurityGroups/securityRules' does not restrict access to SSH", + "issueType": "IncorrectValue", + "similarityID": "55f2c6bf93e05450dd0c1a6dba2f2c199e3b98ceb298f1c6bda2c2458b6808ba", + "search_line": 15 }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 9, - "fileName": "positive4.bicep" + "line": 10, + "fileName": "positive6.bicep", + "resourceType": "securityRules", + "resourceName": "sr", + "searchKey": "resources.type={{securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'securityRules' restricts access to SSH", + "actualValue": 
"resource with type 'securityRules' does not restrict access to SSH", + "issueType": "IncorrectValue", + "similarityID": "a3d9a3b04755b84c6f61e7a72e8475d039cde6844841fa5e4fceca500a254cb0", + "search_line": 10 }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 3, - "fileName": "positive5.bicep" + "line": 22, + "fileName": "positive6.json", + "resourceType": "securityRules", + "resourceName": "sr", + "searchKey": "resources.type={{securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'securityRules' restricts access to SSH", + "actualValue": "resource with type 'securityRules' does not restrict access to SSH", + "issueType": "IncorrectValue", + "similarityID": "4fcf24426c4c7fa5fee759ea80e442f4740ac42137aded6997c92f79953d5715", + "search_line": 22 }, { "queryName": "Network Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", - "line": 10, - "fileName": "positive6.bicep" + "line": 22, + "fileName": "positive7.json", + "resourceType": "securityRules", + "resourceName": "sr", + "searchKey": "resources.type={{securityRules}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'securityRules' restricts access to SSH", + "actualValue": "resource with type 'securityRules' does not restrict access to SSH", + "issueType": "IncorrectValue", + "similarityID": "fbb3950ada678f91872f4d7379e970d4244594d1f0c4aa8648f8169b828837a3", + "search_line": 22 } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/test/positive_expected_result.json b/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/test/positive_expected_result.json index 05b67ec86dd..798afd36ec8 100644 --- a/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/test/positive_expected_result.json 
+++ b/assets/queries/azureResourceManager/phone_number_not_set_security_contacts/test/positive_expected_result.json 
@@ -2,25 +2,61 @@ { "queryName": "Phone Number Not Set For Security Contacts", "severity": "LOW", - "line": 13, - "fileName": "positive1.json" + "line": 3, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'phone' property defined", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'phone' property defined", + "issueType": "MissingAttribute", + "similarityID": "08dd22f9116c4f591a3dc1129910ddf045dd603953854fb6ae6dd58f87d6f131", + "search_line": 3 }, { "queryName": "Phone Number Not Set For Security Contacts", "severity": "LOW", - "line": 15, - "fileName": "positive2.json" + "line": 13, + "fileName": "positive1.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'phone' property defined", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'phone' property defined", + "issueType": "MissingAttribute", + "similarityID": "13c2167e0e256476fa939953dff21a8b906a9a69dc64bde84bc99285e7f9739a", + "search_line": 13 }, { "queryName": "Phone Number Not Set For Security Contacts", "severity": "LOW", "line": 3, - "fileName": "positive1.bicep" + "fileName": "positive2.bicep", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'phone' property defined", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' 
doesn't have 'phone' property defined", + "issueType": "MissingAttribute", + "similarityID": "b4d59baee0194232430d33ca0e442f6666e4ffc442b4f20b7b18b1cbeb7798aa", + "search_line": 3 }, { "queryName": "Phone Number Not Set For Security Contacts", "severity": "LOW", - "line": 3, - "fileName": "positive2.bicep" + "line": 15, + "fileName": "positive2.json", + "resourceType": "Microsoft.Security/securityContacts", + "resourceName": "security contact", + "searchKey": "properties.template.resources.name={{security contact}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'phone' property defined", + "actualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'phone' property defined", + "issueType": "MissingAttribute", + "similarityID": "cea6e08e93a921a2306291d5972e6217aaaec6b9bff067427e290330b18932e7", + "search_line": 15 } ] diff --git a/assets/queries/azureResourceManager/postgresql_database_server_connection_throttling_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/postgresql_database_server_connection_throttling_disabled/test/positive_expected_result.json index b6417cef88c..636977c1973 100644 --- a/assets/queries/azureResourceManager/postgresql_database_server_connection_throttling_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/postgresql_database_server_connection_throttling_disabled/test/positive_expected_result.json 
@@ -2,73 +2,181 @@ { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 45, - "fileName": "positive1.json" + "line": 36, + "fileName": "positive1.bicep", + "resourceType": "configurations", + "resourceName": "connection_throttling", + "searchKey": "resources.resources.name=connection_throttling.properties.value", + "searchValue": "", + "expectedValue": "resource 'property value' should have an 'auditingsettings' servers1 resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "IncorrectValue", + "similarityID": "f33b94c1fe968cf50608b01cc06e28a2562ce5b32768601b3e4b5295ffb78fdc", + "search_line": 36 }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 9, - "fileName": "positive2.json" + "line": 45, + "fileName": "positive1.json", + "resourceType": "configurations", + "resourceName": "connection_throttling", + "searchKey": "resources.resources.name=connection_throttling.properties.value", + "searchValue": "", + "expectedValue": "resource 'property value' should have an 'auditingsettings' servers1 resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "IncorrectValue", + "similarityID": "682c84181c9fc1c66866c45f96bf5cea3f7a5f827fb8ecac7131d192d026d4ef", + "search_line": 45 }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 9, - "fileName": "positive3.json" + "line": 2, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "servers1", + "searchKey": "resources.name=servers1", + "searchValue": "", + "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": 
"MissingAttribute", + "similarityID": "47ecf57f2f817bc2ddcbb2994bc1c38c100cee6fb5742ae90ee7593613d834a2", + "search_line": 2 }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 47, - "fileName": "positive4.json" + "line": 9, + "fileName": "positive2.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "servers1", + "searchKey": "resources.name=servers1", + "searchValue": "", + "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "MissingAttribute", + "similarityID": "d6c5ba1adce5cab077fc3c0c779df4fe484a435427d67071a163e7e1c38d5f04", + "search_line": 9 }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 11, - "fileName": "positive5.json" + "line": 2, + "fileName": "positive3.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "servers1", + "searchKey": "resources.name=servers1", + "searchValue": "", + "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "MissingAttribute", + "similarityID": "173a14247858671851fc14072d3a246f59100d9d0e57509c2c31f9d6f3582c28", + "search_line": 2 }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 11, - "fileName": "positive6.json" + "line": 9, + "fileName": "positive3.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "servers1", + "searchKey": "resources.name=servers1", + "searchValue": "", + "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": 
"MissingAttribute", + "similarityID": "575cdc9cf5bdb96d53a83b986df710146d6c471f9e84fc9a88958bbeb96ea7e0", + "search_line": 9 }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", "line": 36, - "fileName": "positive1.bicep" + "fileName": "positive4.bicep", + "resourceType": "configurations", + "resourceName": "connection_throttling", + "searchKey": "resources.resources.name=connection_throttling.properties.value", + "searchValue": "", + "expectedValue": "resource 'property value' should have an 'auditingsettings' servers1 resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "IncorrectValue", + "similarityID": "aadac90f6b0448b7a0a68df5469576c63ed9a868507ecc233408a762c10756e5", + "search_line": 36 }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 2, - "fileName": "positive2.bicep" + "line": 47, + "fileName": "positive4.json", + "resourceType": "configurations", + "resourceName": "connection_throttling", + "searchKey": "properties.template.resources.resources.name=connection_throttling.properties.value", + "searchValue": "", + "expectedValue": "resource 'property value' should have an 'auditingsettings' servers1 resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "IncorrectValue", + "similarityID": "2128c18e25a82ee1be80f164182a752cb5cd4c5655098476b1dc383ab8391dc2", + "search_line": 47 }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", "line": 2, - "fileName": "positive3.bicep" + "fileName": "positive5.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "servers1", + "searchKey": "resources.name=servers1", + "searchValue": "", + "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", + "actualValue": 
"resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "MissingAttribute", + "similarityID": "4bf07d28ed6782109256eaa2f3f65a8b9f7378604a068c71fa09cf5ce09b502a", + "search_line": 2 }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 36, - "fileName": "positive4.bicep" + "line": 11, + "fileName": "positive5.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "servers1", + "searchKey": "properties.template.resources.name=servers1", + "searchValue": "", + "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "MissingAttribute", + "similarityID": "a79431485e39295c3afd9ed3895b4e7e944ff22370d93215730212efbbc0963c", + "search_line": 11 }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", "line": 2, - "fileName": "positive5.bicep" + "fileName": "positive6.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "servers1", + "searchKey": "resources.name=servers1", + "searchValue": "", + "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "MissingAttribute", + "similarityID": "d53b192015fccecdac1dd666581a3a1339778ee5468e68e93bfb47e9d320abe5", + "search_line": 2 }, { "queryName": "PostgreSQL Database Server Connection Throttling Disabled", "severity": "MEDIUM", - "line": 2, - "fileName": "positive6.bicep" + "line": 11, + "fileName": "positive6.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "servers1", + "searchKey": "properties.template.resources.name=servers1", + "searchValue": "", + "expectedValue": "resource 'servers1' should have an 'auditingsettings' resource 
enabled", + "actualValue": "resource 'servers1' doesn't have an 'auditingsettings' resource enabled", + "issueType": "MissingAttribute", + "similarityID": "44a9a48084aaeab024640de9b9c98f919e54d54077cf1aea984d5ba958508450", + "search_line": 11 } ] diff --git a/assets/queries/azureResourceManager/postgresql_server_log_checkpoint_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/postgresql_server_log_checkpoint_disabled/test/positive_expected_result.json index 1cc3d9d0314..a86342171c7 100644 --- a/assets/queries/azureResourceManager/postgresql_server_log_checkpoint_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/postgresql_server_log_checkpoint_disabled/test/positive_expected_result.json 
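Review bot: The message strings this fixture now freezes for the connection-throttling check describe a different control: every entry's `expectedValue`/`actualValue` says `resource 'servers1' should have an 'auditingsettings' resource enabled`, and the `configurations` entries even read `resource 'property value' should have an 'auditingsettings' servers1 resource enabled`, which looks like text carried over from an auditing query rather than a statement about `connection_throttling` being `on`. Because positive_expected_result.json is regression data, merging it as-is turns the wrong wording into a passing expectation and hides the underlying query defect. The strings are produced by the query's Rego, which is not in this diff, so the fix belongs there (something like `resource 'servers1' should have 'connection_throttling' configuration set to 'on'` / `resource 'servers1' has 'connection_throttling' set to 'off'`), with this fixture regenerated afterwards rather than hand-edited.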
@@ -2,97 +2,241 @@ { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 43, - "fileName": "positive1.json" + "line": 40, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer1", + "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_checkpoints", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' 'log_checkpoints' is not defined", + "issueType": "MissingAttribute", + "similarityID": "15dc5a867b0abea4f3152cd852c223df38aa6972c4421f81c60454d51adbf502", + "search_line": -1 }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 45, - "fileName": "positive2.json" + "line": 43, + "fileName": "positive1.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer1", + "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_checkpoints", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' 'log_checkpoints' is not defined", + "issueType": "MissingAttribute", + "similarityID": "31162bae648338f74d06f38ca9205b39f5c5d1e6cff2aefc0b25f02cadc372cd", + "search_line": -1 }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 44, - "fileName": "positive3.json" + "line": 33, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer2", + "searchKey": 
"resources.name={{MyDBServer2}}.resources.name=log_checkpoints.properties.value", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' property value set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_checkpoints' set to 'off'", + "issueType": "IncorrectValue", + "similarityID": "fbcd8117deaa88446a816f878e6c5b2a8008195846d45e016d7974f3854c5ccc", + "search_line": -1 }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 43, - "fileName": "positive4.json" + "line": 45, + "fileName": "positive2.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer2", + "searchKey": "resources.name={{MyDBServer2}}.resources.name=log_checkpoints.properties.value", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' property value set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_checkpoints' set to 'off'", + "issueType": "IncorrectValue", + "similarityID": "8c16bfddcfed420d751c1db734f40ae4233d291923abe0f5f8d06642dcca2bc7", + "search_line": -1 }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 45, - "fileName": "positive5.json" + "line": 32, + "fileName": "positive3.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_checkpoints", + "searchKey": "resources.name={{MyDBServer/log_checkpoints}}.properties.value", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property value set to 'on'", + "actualValue": "resource with type 
'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_checkpoints' property set to 'off'", + "issueType": "IncorrectValue", + "similarityID": "9c7de78fe65d64964a742676d8cb1e9655cf097a7d8d75383e5fb38c65bdd869", + "search_line": 32 }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 47, - "fileName": "positive6.json" + "line": 44, + "fileName": "positive3.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_checkpoints", + "searchKey": "resources.name={{MyDBServer/log_checkpoints}}.properties.value", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property value set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_checkpoints' property set to 'off'", + "issueType": "IncorrectValue", + "similarityID": "f19a688279c6be7cccefaa3fe41b817065f455ecda038c9b6125bc30533d3746", + "search_line": 44 }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 46, - "fileName": "positive7.json" + "line": 31, + "fileName": "positive4.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_checkpoints", + "searchKey": "resources.name={{MyDBServer/log_checkpoints}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property set to 'off'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' 'log_checkpoints' is not defined", + "issueType": "MissingAttribute", + "similarityID": "420e9f7af228d4890d74ced4fda1b1fe916bb0728323c5569f929df2ef4b2b09", + "search_line": 31 }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 45, 
- "fileName": "positive8.json" + "line": 43, + "fileName": "positive4.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_checkpoints", + "searchKey": "resources.name={{MyDBServer/log_checkpoints}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property set to 'off'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' 'log_checkpoints' is not defined", + "issueType": "MissingAttribute", + "similarityID": "18fb1a6c10f4135b56b90d04dc781cc57d0c2a8dca6e72e8bd816d5708d048a7", + "search_line": 43 }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", "line": 40, - "fileName": "positive1.bicep" + "fileName": "positive5.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer1", + "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_checkpoints", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' 'log_checkpoints' is not defined", + "issueType": "MissingAttribute", + "similarityID": "fc6c2f633f255e601aa70eba75fe2a595fc7621b77128797221aeff0bf084236", + "search_line": -1 }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 33, - "fileName": "positive2.bicep" + "line": 45, + "fileName": "positive5.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer1", + "searchKey": "properties.template.resources.name={{MyDBServer1}}.resources.name=log_checkpoints", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 
'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' 'log_checkpoints' is not defined", + "issueType": "MissingAttribute", + "similarityID": "a2bb46869b01bc4d9a6c1a1b92dd6e2cb058cc6a5ad82cf40d5bee5777c848be", + "search_line": -1 }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 32, - "fileName": "positive3.bicep" + "line": 33, + "fileName": "positive6.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer2", + "searchKey": "resources.name={{MyDBServer2}}.resources.name=log_checkpoints.properties.value", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' property value set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_checkpoints' set to 'off'", + "issueType": "IncorrectValue", + "similarityID": "ac1c3f8b943ec5ce6cc0d57491dc442f0d626f478777601fcd046564e0dc17fe", + "search_line": -1 }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 31, - "fileName": "positive4.bicep" + "line": 47, + "fileName": "positive6.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer2", + "searchKey": "properties.template.resources.name={{MyDBServer2}}.resources.name=log_checkpoints.properties.value", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_checkpoints' property value set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_checkpoints' set to 'off'", + "issueType": "IncorrectValue", + "similarityID": 
"3f95f5dde0b38bb29229c646f59c07ade390857662c6fab9e3359e8eedfdf060", + "search_line": -1 }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 40, - "fileName": "positive5.bicep" + "line": 32, + "fileName": "positive7.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_checkpoints", + "searchKey": "resources.name={{MyDBServer/log_checkpoints}}.properties.value", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property value set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_checkpoints' property set to 'off'", + "issueType": "IncorrectValue", + "similarityID": "a657fd1437b8a540c33e92c36612b638604e1eec20759d020e03c0597e65dfe0", + "search_line": 32 }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 33, - "fileName": "positive6.bicep" + "line": 46, + "fileName": "positive7.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_checkpoints", + "searchKey": "properties.template.resources.name={{MyDBServer/log_checkpoints}}.properties.value", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property value set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_checkpoints' property set to 'off'", + "issueType": "IncorrectValue", + "similarityID": "a1a943e6b3b7e44e5e53d4a433758cce28f034dbb18bb33b557e66a851556bae", + "search_line": 46 }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 32, - "fileName": "positive7.bicep" + "line": 31, + "fileName": "positive8.bicep", + "resourceType": 
"Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_checkpoints", + "searchKey": "resources.name={{MyDBServer/log_checkpoints}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property set to 'off'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' 'log_checkpoints' is not defined", + "issueType": "MissingAttribute", + "similarityID": "dae41948526f9fa502f569ecb22dff4a0fb70e94391ecc240a14eb35abf9cacc", + "search_line": 31 }, { "queryName": "PostgreSQL Database Server Log Checkpoints Disabled", "severity": "MEDIUM", - "line": 31, - "fileName": "positive8.bicep" + "line": 45, + "fileName": "positive8.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_checkpoints", + "searchKey": "properties.template.resources.name={{MyDBServer/log_checkpoints}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_checkpoints' property set to 'off'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' 'log_checkpoints' is not defined", + "issueType": "MissingAttribute", + "similarityID": "27035bf0e77cfc87bfeac1f25bc9b46f0b43d0aa0e38cc16b9f9a725cea2b6db", + "search_line": 45 } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/postgresql_server_log_connections_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/postgresql_server_log_connections_disabled/test/positive_expected_result.json index 20ea5616ff9..acf765d45c9 100644 --- a/assets/queries/azureResourceManager/postgresql_server_log_connections_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/postgresql_server_log_connections_disabled/test/positive_expected_result.json 
@@ -2,97 +2,241 @@ { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 40, - "fileName": "positive1.json" + "line": 31, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer1", + "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_connections", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' value undefined", + "issueType": "MissingAttribute", + "similarityID": "38042a0dcb6b558bafab21224a886eda23435dc26b08e939d0fc32a6ad3e002f", + "search_line": -1 }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 45, - "fileName": "positive2.json" + "line": 40, + "fileName": "positive1.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer1", + "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_connections", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' value undefined", + "issueType": "MissingAttribute", + "similarityID": "2aca6a9e533e4b1461b46facfe061d91874fdd4def6b52b99e59f9fcd3040e39", + "search_line": -1 }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 44, - "fileName": "positive3.json" + "line": 33, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer2", + "searchKey": 
"resources.name={{MyDBServer2}}.resources.name=log_connections.properties.value", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' property value set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' set to 'off'", + "issueType": "IncorrectValue", + "similarityID": "f3e516726ed0c1037ebf654ed386531e00c05d09f23665aa70bc8d9674ff0b9b", + "search_line": -1 }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 43, - "fileName": "positive4.json" + "line": 45, + "fileName": "positive2.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer2", + "searchKey": "resources.name={{MyDBServer2}}.resources.name=log_connections.properties.value", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' property value set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' set to 'off'", + "issueType": "IncorrectValue", + "similarityID": "d4535e1d333690a413c7665335774a0b8f22b1d373276a6101f57ed8701bfbc4", + "search_line": -1 }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 42, - "fileName": "positive5.json" + "line": 32, + "fileName": "positive3.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_connections", + "searchKey": "resources.name={{MyDBServer/log_connections}}.properties.value", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property value set to 'on'", + "actualValue": "resource with type 
'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' property set to 'on'", + "issueType": "IncorrectValue", + "similarityID": "c942c4dba2be3af47a59aed80ef9f9d78e9e862b22bea40e0239b43c399e771d", + "search_line": 32 }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 47, - "fileName": "positive6.json" + "line": 44, + "fileName": "positive3.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_connections", + "searchKey": "resources.name={{MyDBServer/log_connections}}.properties.value", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property value set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' property set to 'on'", + "issueType": "IncorrectValue", + "similarityID": "5c61fafb936e57e6116debf9814cdd7814096ffd0fc887e5991abd0f2c2984e1", + "search_line": 44 }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 46, - "fileName": "positive7.json" + "line": 31, + "fileName": "positive4.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_connections", + "searchKey": "resources.name={{MyDBServer/log_connections}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' value undefined", + "issueType": "MissingAttribute", + "similarityID": "8388b0fb1fb455931a8c27bd3b1edcf37cb4a1f697a8b904682f902f57a29a48", + "search_line": 31 }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - 
"line": 45, - "fileName": "positive8.json" + "line": 43, + "fileName": "positive4.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_connections", + "searchKey": "resources.name={{MyDBServer/log_connections}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' value undefined", + "issueType": "MissingAttribute", + "similarityID": "2c42cb8d901a75efcb2f7ee0d6674f998cf8967488f37ea15d773246260b91a4", + "search_line": 43 }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", "line": 31, - "fileName": "positive1.bicep" + "fileName": "positive5.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer1", + "searchKey": "resources.name={{MyDBServer1}}.resources.name=log_connections", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' value undefined", + "issueType": "MissingAttribute", + "similarityID": "2979ba7fcfc031b5087ffcd2faa3e08e2bbb99c2fe7a2b27a3d85fc0b670a97d", + "search_line": -1 }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 33, - "fileName": "positive2.bicep" + "line": 42, + "fileName": "positive5.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer1", + "searchKey": "properties.template.resources.name={{MyDBServer1}}.resources.name=log_connections", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 
'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' value undefined", + "issueType": "MissingAttribute", + "similarityID": "1e03f1977ca0764f532dbf2a6652085727ffc002054c2582459048fc7079fcd3", + "search_line": -1 }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 32, - "fileName": "positive3.bicep" + "line": 33, + "fileName": "positive6.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer2", + "searchKey": "resources.name={{MyDBServer2}}.resources.name=log_connections.properties.value", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' property value set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' set to 'off'", + "issueType": "IncorrectValue", + "similarityID": "6e9df547b87aa88a2c854dc0efbbe7ff467fef9ab49521a3fd96d1fe53f2aa92", + "search_line": -1 }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 31, - "fileName": "positive4.bicep" + "line": 47, + "fileName": "positive6.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer2", + "searchKey": "properties.template.resources.name={{MyDBServer2}}.resources.name=log_connections.properties.value", + "searchValue": "", + "expectedValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' should have 'log_connections' property value set to 'on'", + "actualValue": "child resource with 'configurations' of resource type 'Microsoft.DBforPostgreSQL/servers' has 'log_connections' set to 'off'", + "issueType": "IncorrectValue", + "similarityID": 
"8d7ef052ad1612380aeb14c9863a6795efa3fbeb432569d09a31387299ba58a7", + "search_line": -1 }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 31, - "fileName": "positive5.bicep" + "line": 32, + "fileName": "positive7.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_connections", + "searchKey": "resources.name={{MyDBServer/log_connections}}.properties.value", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property value set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' property set to 'on'", + "issueType": "IncorrectValue", + "similarityID": "32555302e734b8011daabebacfaa32e14bdd79b15da7d2582af5d82c786a8a0a", + "search_line": 32 }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 33, - "fileName": "positive6.bicep" + "line": 46, + "fileName": "positive7.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_connections", + "searchKey": "properties.template.resources.name={{MyDBServer/log_connections}}.properties.value", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property value set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' property set to 'on'", + "issueType": "IncorrectValue", + "similarityID": "aca14855741e143fd23f540f6c32ee576c5bbe23405e9127d10ad200198e98fd", + "search_line": 46 }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 32, - "fileName": "positive7.bicep" + "line": 31, + "fileName": "positive8.bicep", + "resourceType": 
"Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_connections", + "searchKey": "resources.name={{MyDBServer/log_connections}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' value undefined", + "issueType": "MissingAttribute", + "similarityID": "310c0cd70bc2bfec4932d99986f1bae72994e70f32ebb695980b4cd2a8f9c2cf", + "search_line": 31 }, { "queryName": "PostgreSQL Database Server Log Connections Disabled", "severity": "MEDIUM", - "line": 31, - "fileName": "positive8.bicep" + "line": 45, + "fileName": "positive8.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers/configurations", + "resourceName": "MyDBServer/log_connections", + "searchKey": "properties.template.resources.name={{MyDBServer/log_connections}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' should have 'log_connections' property set to 'on'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' value undefined", + "issueType": "MissingAttribute", + "similarityID": "8314b967c583a4380884181082f6318438987471a9de802bb11fe32c200d0570", + "search_line": 45 } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/postgresql_server_ssl_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/postgresql_server_ssl_disabled/test/positive_expected_result.json index 55b0b39ad44..0e8b181fcb9 100644 --- a/assets/queries/azureResourceManager/postgresql_server_ssl_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/postgresql_server_ssl_disabled/test/positive_expected_result.json 
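Review bot: The MissingAttribute entries for positive4.bicep, positive4.json, positive8.bicep and positive8.json pin an actualValue that reads as a double negative — `"actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' doesn't have 'log_connections' value undefined"` — next to an expectedValue of "should have 'log_connections' property set to 'on'". The parent-resource entries in the same hunk use "has 'log_connections' value undefined", which is the readable form, so the wording presumably comes from the query's configurations branch rather than from this fixture; committing the regenerated snapshot as-is freezes it, and a later wording fix in the query will need this file regenerated again. I would align the configurations-branch message with the sibling one, e.g. `"actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers/configurations' has 'log_connections' value undefined"`, in the query source and regenerate, rather than hand-editing the snapshot.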
@@ -2,49 +2,121 @@ { "queryName": "PostgreSQL Database Server SSL Disabled", "severity": "MEDIUM", - "line": 14, - "fileName": "positive1.json" + "line": 13, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer", + "searchKey": "resources.name={{MyDBServer}}.properties.sslEnforcement", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property value set to 'Enabled'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property set to 'Enabled'", + "issueType": "IncorrectValue", + "similarityID": "b0d8f32c228c0d607b7eb0adfe4926b9fbbc24fd8c877f3d6e439f28b9e0748f", + "search_line": 13 }, { "queryName": "PostgreSQL Database Server SSL Disabled", "severity": "MEDIUM", - "line": 13, - "fileName": "positive2.json" + "line": 14, + "fileName": "positive1.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer", + "searchKey": "resources.name={{MyDBServer}}.properties.sslEnforcement", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property value set to 'Enabled'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property set to 'Enabled'", + "issueType": "IncorrectValue", + "similarityID": "9ec4b20273cc899ba2ff63cdb77e3143297b522ae6ea029c156b01486c0a502b", + "search_line": 14 }, { "queryName": "PostgreSQL Database Server SSL Disabled", "severity": "MEDIUM", - "line": 16, - "fileName": "positive3.json" + "line": 12, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer", + "searchKey": "resources.name={{MyDBServer}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property 
defined", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property defined", + "issueType": "MissingAttribute", + "similarityID": "49854b3766b8bd54645d4ceddf776151d9b8d34dc9bbca6dc78749fa3d7803b0", + "search_line": 12 }, { "queryName": "PostgreSQL Database Server SSL Disabled", "severity": "MEDIUM", - "line": 15, - "fileName": "positive4.json" + "line": 13, + "fileName": "positive2.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer", + "searchKey": "resources.name={{MyDBServer}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property defined", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property defined", + "issueType": "MissingAttribute", + "similarityID": "b5b6d8db8f633fb53b954f0e7ddf011cd2ce251986764f1a2da41a9e2813db29", + "search_line": 13 }, { "queryName": "PostgreSQL Database Server SSL Disabled", "severity": "MEDIUM", "line": 13, - "fileName": "positive1.bicep" + "fileName": "positive3.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer", + "searchKey": "resources.name={{MyDBServer}}.properties.sslEnforcement", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property value set to 'Enabled'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property set to 'Enabled'", + "issueType": "IncorrectValue", + "similarityID": "749fe65fb9581691b75e857495150693380b6896488d44e74ccc0bae768405a1", + "search_line": 13 }, { "queryName": "PostgreSQL Database Server SSL Disabled", "severity": "MEDIUM", - "line": 12, - "fileName": "positive2.bicep" + "line": 16, + "fileName": "positive3.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": 
"MyDBServer", + "searchKey": "properties.template.resources.name={{MyDBServer}}.properties.sslEnforcement", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property value set to 'Enabled'", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property set to 'Enabled'", + "issueType": "IncorrectValue", + "similarityID": "085be0949d08c43023de9eacf3feb60e8c6103ab0774295d8dc42fe1fbf2d25a", + "search_line": 16 }, { "queryName": "PostgreSQL Database Server SSL Disabled", "severity": "MEDIUM", - "line": 13, - "fileName": "positive3.bicep" + "line": 12, + "fileName": "positive4.bicep", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer", + "searchKey": "resources.name={{MyDBServer}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property defined", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property defined", + "issueType": "MissingAttribute", + "similarityID": "875d765bdb837c41049c4abd608d6cdef61b18ae8f7a3eecd7ce7ea3a2245118", + "search_line": 12 }, { "queryName": "PostgreSQL Database Server SSL Disabled", "severity": "MEDIUM", - "line": 12, - "fileName": "positive4.bicep" + "line": 15, + "fileName": "positive4.json", + "resourceType": "Microsoft.DBforPostgreSQL/servers", + "resourceName": "MyDBServer", + "searchKey": "properties.template.resources.name={{MyDBServer}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' should have 'sslEnforcement' property defined", + "actualValue": "resource with type 'Microsoft.DBforPostgreSQL/servers' doesn't have 'sslEnforcement' property defined", + "issueType": "MissingAttribute", + "similarityID": "03fd4a2ec5c30905be0377d02d1e7c36e14288e8b7603efcab1c2bb092193a86", + 
"search_line": 15 } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/test/positive_expected_result.json b/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/test/positive_expected_result.json index 494dc192beb..3eb69f0006c 100644 --- a/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation/test/positive_expected_result.json 
@@ -2,49 +2,121 @@ { "queryName": "Role Definitions Allow Custom Subscription Role Creation", "severity": "HIGH", - "line": 18, - "fileName": "positive1.json" + "line": 8, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.Authorization/roleDefinitions", + "resourceName": "roleDef", + "searchKey": "resources.name={{roleDef}}.properties.permissions.actions", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')", + "issueType": "IncorrectValue", + "similarityID": "b63de8441570a5cea79c21c5587cf76a31d4f8a07ae5085f572c3db0c8d56837", + "search_line": 8 }, { "queryName": "Role Definitions Allow Custom Subscription Role Creation", "severity": "HIGH", "line": 18, - "fileName": "positive2.json" + "fileName": "positive1.json", + "resourceType": "Microsoft.Authorization/roleDefinitions", + "resourceName": "roleDef", + "searchKey": "resources.name={{roleDef}}.properties.permissions.actions", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')", + "issueType": "IncorrectValue", + "similarityID": "95ec719da8fc576c636d323fb130dcdfe5e69414ce007522d2f9c42c804ed4c6", + "search_line": 18 }, { "queryName": "Role Definitions Allow Custom Subscription Role Creation", "severity": "HIGH", - "line": 20, - "fileName": "positive3.json" + "line": 8, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.Authorization/roleDefinitions", + "resourceName": "roleDef", + "searchKey": "resources.name={{roleDef}}.properties.permissions.actions", + 
"searchValue": "", + "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')", + "issueType": "IncorrectValue", + "similarityID": "df567476b37974f8d267e40ee5b7db5f3d62a59660a21de3da91c9b63c6bbcc9", + "search_line": 8 }, { "queryName": "Role Definitions Allow Custom Subscription Role Creation", "severity": "HIGH", - "line": 20, - "fileName": "positive4.json" + "line": 18, + "fileName": "positive2.json", + "resourceType": "Microsoft.Authorization/roleDefinitions", + "resourceName": "roleDef", + "searchKey": "resources.name={{roleDef}}.properties.permissions.actions", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')", + "issueType": "IncorrectValue", + "similarityID": "a9804caa15de1a25dc045bfba76ae3f908673d0cb2317596595eda7d4c49f5ac", + "search_line": 18 }, { "queryName": "Role Definitions Allow Custom Subscription Role Creation", "severity": "HIGH", "line": 8, - "fileName": "positive1.bicep" + "fileName": "positive3.bicep", + "resourceType": "Microsoft.Authorization/roleDefinitions", + "resourceName": "roleDef", + "searchKey": "resources.name={{roleDef}}.properties.permissions.actions", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')", + "issueType": "IncorrectValue", + "similarityID": 
"44391cad6609d171eefc37d7d7e3c7eeb0c9d7fb7029e0a714cec955161f4feb", + "search_line": 8 }, { "queryName": "Role Definitions Allow Custom Subscription Role Creation", "severity": "HIGH", - "line": 8, - "fileName": "positive2.bicep" + "line": 20, + "fileName": "positive3.json", + "resourceType": "Microsoft.Authorization/roleDefinitions", + "resourceName": "roleDef", + "searchKey": "properties.template.resources.name={{roleDef}}.properties.permissions.actions", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')", + "issueType": "IncorrectValue", + "similarityID": "451690f901b2ba323252c2915725da8932f14065840a5ad96661549f3e833b19", + "search_line": 20 }, { "queryName": "Role Definitions Allow Custom Subscription Role Creation", "severity": "HIGH", "line": 8, - "fileName": "positive3.bicep" + "fileName": "positive4.bicep", + "resourceType": "Microsoft.Authorization/roleDefinitions", + "resourceName": "roleDef", + "searchKey": "resources.name={{roleDef}}.properties.permissions.actions", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')", + "issueType": "IncorrectValue", + "similarityID": "52f2e96f14bbeb668b0a0e489e8310690d07840b210a1ae9319a4e6c4d924df3", + "search_line": 8 }, { "queryName": "Role Definitions Allow Custom Subscription Role Creation", "severity": "HIGH", - "line": 8, - "fileName": "positive4.bicep" + "line": 20, + "fileName": "positive4.json", + "resourceType": "Microsoft.Authorization/roleDefinitions", + "resourceName": 
"roleDef", + "searchKey": "properties.template.resources.name={{roleDef}}.properties.permissions.actions", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Authorization/roleDefinitions' should not allow custom role creation", + "actualValue": "resource with type 'Microsoft.Authorization/roleDefinitions' allows custom role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')", + "issueType": "IncorrectValue", + "similarityID": "a1af0dd782c3e891d8c24e234b63fee73bf0b0d819f91393e074536d7a72de98", + "search_line": 20 } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/secret_without_expiration_date/test/positive_expected_result.json b/assets/queries/azureResourceManager/secret_without_expiration_date/test/positive_expected_result.json index 07b856517d0..1561a32b8f0 100644 --- a/assets/queries/azureResourceManager/secret_without_expiration_date/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/secret_without_expiration_date/test/positive_expected_result.json 
@@ -2,49 +2,121 @@ { "queryName": "Secret Without Expiration Date", "severity": "MEDIUM", - "line": 49, - "filename": "positive1.json" + "line": 33, + "fileName": "positive1.bicep", + "resourceType": "secrets", + "resourceName": "secretid1", + "searchKey": "resources.resources.name={{secretid1}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes' property defined", + "issueType": "MissingAttribute", + "similarityID": "af9ad3b9b0374880b4e14c642eba2d8d33e79df4ed3472ffa5984ad21bbc884b", + "search_line": 33 }, { "queryName": "Secret Without Expiration Date", "severity": "MEDIUM", - "line": 54, - "filename": "positive2.json" + "line": 49, + "fileName": "positive1.json", + "resourceType": "Microsoft.KeyVault/vaults/secrets", + "resourceName": "keyVault1/secretid1", + "searchKey": "resources.name={{keyVault1/secretid1}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes' property defined", + "issueType": "MissingAttribute", + "similarityID": "c73fa85a9bd0b43ee3f36435720254f9b71ef5d296693292070aba8e7b948203", + "search_line": 49 }, { "queryName": "Secret Without Expiration Date", "severity": "MEDIUM", - "line": 51, - "filename": "positive3.json" + "line": 35, + "fileName": "positive2.bicep", + "resourceType": "secrets", + "resourceName": "keyVaultSecret1", + "searchKey": "resources.resources.name={{keyVaultSecret1}}.properties.attributes", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't 
have 'attributes.exp' property defined", + "issueType": "MissingAttribute", + "similarityID": "c14ceb7d48f90f39e1b4a5d8277a1afc77385ca3ca725cd8ff2345d834628458", + "search_line": 35 }, { "queryName": "Secret Without Expiration Date", "severity": "MEDIUM", - "line": 56, - "filename": "positive4.json" + "line": 54, + "fileName": "positive2.json", + "resourceType": "secrets", + "resourceName": "keyVaultSecret1", + "searchKey": "resources.resources.name={{keyVaultSecret1}}.properties.attributes", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes.exp' property defined", + "issueType": "MissingAttribute", + "similarityID": "e965d44fe254273506dcbc881c0170186c6751ecb7656e616715d4c397e7fd61", + "search_line": 54 }, { "queryName": "Secret Without Expiration Date", "severity": "MEDIUM", "line": 33, - "filename": "positive1.bicep" + "fileName": "positive3.bicep", + "resourceType": "secrets", + "resourceName": "secretid1", + "searchKey": "resources.resources.name={{secretid1}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes' property defined", + "issueType": "MissingAttribute", + "similarityID": "6f9ddb8ba784a9ceaab90e5be996125a65cfa198a9d251fc7854f77bb2b85668", + "search_line": 33 }, { "queryName": "Secret Without Expiration Date", "severity": "MEDIUM", - "line": 35, - "filename": "positive2.bicep" + "line": 51, + "fileName": "positive3.json", + "resourceType": "Microsoft.KeyVault/vaults/secrets", + "resourceName": "keyVault1/secretid1", + "searchKey": "properties.template.resources.name={{keyVault1/secretid1}}.properties", + "searchValue": "", + "expectedValue": "resource with 
type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes' property defined", + "issueType": "MissingAttribute", + "similarityID": "0fcb56937f51b0317249e70298f3cc5eb0425b08cad719001522014bd1f0ba21", + "search_line": 51 }, { "queryName": "Secret Without Expiration Date", "severity": "MEDIUM", - "line": 33, - "filename": "positive3.bicep" + "line": 35, + "fileName": "positive4.bicep", + "resourceType": "secrets", + "resourceName": "keyVaultSecret1", + "searchKey": "resources.resources.name={{keyVaultSecret1}}.properties.attributes", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes.exp' property defined", + "issueType": "MissingAttribute", + "similarityID": "590066a7bfd78959941e72ca0fa352b8993371f54c6a2f715574029e96036e27", + "search_line": 35 }, { "queryName": "Secret Without Expiration Date", "severity": "MEDIUM", - "line": 35, - "filename": "positive4.bicep" + "line": 56, + "fileName": "positive4.json", + "resourceType": "secrets", + "resourceName": "keyVaultSecret1", + "searchKey": "properties.template.resources.resources.name={{keyVaultSecret1}}.properties.attributes", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined", + "actualValue": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes.exp' property defined", + "issueType": "MissingAttribute", + "similarityID": "da627c601dd38ad1eb93cf8ade97e1d471057ec4f2720f82b0968b6d686326a3", + "search_line": 56 } -] \ No newline at end of file +] 
diff --git a/assets/queries/azureResourceManager/sql_alert_policy_without_emails/test/positive_expected_result.json b/assets/queries/azureResourceManager/sql_alert_policy_without_emails/test/positive_expected_result.json index 203f8fff574..dda287eb89a 100644 --- a/assets/queries/azureResourceManager/sql_alert_policy_without_emails/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/sql_alert_policy_without_emails/test/positive_expected_result.json 
@@ -2,73 +2,181 @@ { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 46, - "filename": "positive1.json" + "line": 31, + "fileName": "positive1.bicep", + "resourceType": "securityAlertPolicies", + "resourceName": "securityPolicy1", + "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses is not defined", + "issueType": "MissingAttribute", + "similarityID": "561c20d7922fb8ad1ab175dc1d933a7f35ac5b28829b8f4e00d897febb4e44ac", + "search_line": 31 }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 48, - "filename": "positive2.json" + "line": 46, + "fileName": "positive1.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sqlServer1/sqlDatabase1/securityPolicy1", + "searchKey": "resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses is not defined", + "issueType": "MissingAttribute", + "similarityID": "848f61512491720f9909484f20176e2633407933a4c3c8a9c8c2780e31cb9cd4", + "search_line": 46 }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 48, - "filename": "positive3.json" + "line": 33, + "fileName": "positive2.bicep", + "resourceType": "securityAlertPolicies", + "resourceName": "securityPolicy1", + "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties.emailAddresses", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't 
contain emails", + "issueType": "IncorrectValue", + "similarityID": "b5298c1240bba75e1b131ddfaf669d42788fb862617dc96f38633b7a3e876a52", + "search_line": 33 }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", "line": 48, - "filename": "positive4.json" + "fileName": "positive2.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sqlServer1/sqlDatabase1/securityPolicy1", + "searchKey": "resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties.emailAddresses", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails", + "issueType": "IncorrectValue", + "similarityID": "56d17a1e5c739d1c453a47502c154bd0f08f706776ed64c3d14fe31d4624b6ec", + "search_line": 48 }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 50, - "filename": "positive5.json" + "line": 33, + "fileName": "positive3.bicep", + "resourceType": "securityAlertPolicies", + "resourceName": "securityPolicy1", + "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties.emailAddresses", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails", + "issueType": "IncorrectValue", + "similarityID": "afaa1cdf571a176b33191e177aa14b8f73dcc66febcb5933338de9645cf8806c", + "search_line": 33 }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 50, - "filename": "positive6.json" + "line": 48, + "fileName": "positive3.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sqlServer1/sqlDatabase1/securityPolicy1", + "searchKey": 
"resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties.emailAddresses", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails", + "issueType": "IncorrectValue", + "similarityID": "567433e5e1d35645eff72a4c4f29f7ec09f86c55eecab67c21bff1bc6305ba9b", + "search_line": 48 }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", "line": 31, - "filename": "positive1.bicep" + "fileName": "positive4.bicep", + "resourceType": "securityAlertPolicies", + "resourceName": "securityPolicy1", + "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses is not defined", + "issueType": "MissingAttribute", + "similarityID": "7c829ede658e27eba33c2039ee80fb39b841f2572348831a4f22e2464e796018", + "search_line": 31 }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 33, - "filename": "positive2.bicep" + "line": 48, + "fileName": "positive4.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sqlServer1/sqlDatabase1/securityPolicy1", + "searchKey": "properties.template.resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses is not defined", + "issueType": "MissingAttribute", + "similarityID": "594a2edc285a2bea2c484505495bd2c7743b2bf6a34bf06ac83de05f270875bc", + "search_line": 48 }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", "line": 33, - "filename": 
"positive3.bicep" + "fileName": "positive5.bicep", + "resourceType": "securityAlertPolicies", + "resourceName": "securityPolicy1", + "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties.emailAddresses", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails", + "issueType": "IncorrectValue", + "similarityID": "0d0cf9ee2b625b1c17cfb9c1ed9d8f5916907963662dac7650a4fc5344c4e234", + "search_line": 33 }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 31, - "filename": "positive4.bicep" + "line": 50, + "fileName": "positive5.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sqlServer1/sqlDatabase1/securityPolicy1", + "searchKey": "properties.template.resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties.emailAddresses", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails", + "issueType": "IncorrectValue", + "similarityID": "3ca39f812711461e28cb7bca65825d21f9b7f0dddc2985d08985e4113f5c71d9", + "search_line": 50 }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", "line": 33, - "filename": "positive5.bicep" + "fileName": "positive6.bicep", + "resourceType": "securityAlertPolicies", + "resourceName": "securityPolicy1", + "searchKey": "resources.resources.resources.name={{securityPolicy1}}.properties.emailAddresses", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails", + "issueType": "IncorrectValue", + "similarityID": 
"582022e3dda97c757e595c44d51aa76871c6a5d8efbc316f47ccb714c925ec22", + "search_line": 33 }, { "queryName": "SQL Alert Policy Without Emails", "severity": "INFO", - "line": 33, - "filename": "positive6.bicep" + "line": 50, + "fileName": "positive6.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sqlServer1/sqlDatabase1/securityPolicy1", + "searchKey": "properties.template.resources.resources.name={{sqlServer1/sqlDatabase1/securityPolicy1}}.properties.emailAddresses", + "searchValue": "", + "expectedValue": "securityAlertPolicies.properties.emailAddresses should be defined and contain emails", + "actualValue": "securityAlertPolicies.properties.emailAddresses doesn't contain emails", + "issueType": "IncorrectValue", + "similarityID": "da2c7516d8f68728e02e6f31d18cdef65df1c894ce9482d3e19b1b2e0439059f", + "search_line": 50 } ] diff --git a/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/test/positive_expected_result.json b/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/test/positive_expected_result.json index 0b8fdaabb48..388d38578c5 100644 --- a/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips/test/positive_expected_result.json 
@@ -2,49 +2,121 @@ { "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", - "line": 31, - "filename": "positive1.json" + "line": 18, + "fileName": "positive1.bicep", + "resourceType": "firewallRules", + "resourceName": "AllowAllWindowsAzureIps", + "searchKey": "resources.resources.name={{AllowAllWindowsAzureIps}}.properties.endIpAddress", + "searchValue": "", + "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0'", + "issueType": "IncorrectValue", + "similarityID": "b074d5f2bdf6109bcdcde37514d575ee3b094b69af284d7d12b3a8fbe0b4024e", + "search_line": 18 }, { "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", - "line": 14, - "filename": "positive2.json" + "line": 31, + "fileName": "positive1.json", + "resourceType": "firewallRules", + "resourceName": "AllowAllWindowsAzureIps", + "searchKey": "resources.resources.name={{AllowAllWindowsAzureIps}}.properties.endIpAddress", + "searchValue": "", + "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0'", + "issueType": "IncorrectValue", + "similarityID": "50d1fb0f3f707d019d99e67f0ea4cbea984839c7051ef74cf164409b226cb0e8", + "search_line": 31 }, { "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", - "line": 33, - "filename": "positive3.json" + "line": 4, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.Sql/servers/firewallRules", + "resourceName": "sample/firewall", + "searchKey": "resources.name={{sample/firewall}}.properties.endIpAddress", + "searchValue": "", + "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0/0'", + "issueType": 
"IncorrectValue", + "similarityID": "4fefce02b2eccb78d59aea5569dc2fcb6e93de47535b80e367d44aeef87b5b85", + "search_line": 4 }, { "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", - "line": 16, - "filename": "positive4.json" + "line": 14, + "fileName": "positive2.json", + "resourceType": "Microsoft.Sql/servers/firewallRules", + "resourceName": "sample/firewall", + "searchKey": "resources.name={{sample/firewall}}.properties.endIpAddress", + "searchValue": "", + "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0/0'", + "issueType": "IncorrectValue", + "similarityID": "03b098e836a42140b5456234a5ad3a0a8d2dc0d9762ee6c051cec55ac0e8b958", + "search_line": 14 }, { "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", "line": 18, - "filename": "positive1.bicep" + "fileName": "positive3.bicep", + "resourceType": "firewallRules", + "resourceName": "AllowAllWindowsAzureIps", + "searchKey": "resources.resources.name={{AllowAllWindowsAzureIps}}.properties.endIpAddress", + "searchValue": "", + "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0'", + "issueType": "IncorrectValue", + "similarityID": "b79ddb48bb6e44d13a9fe57721679f3a04af6242b3a945e840334fbc2dbae7a8", + "search_line": 18 }, { "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", - "line": 4, - "filename": "positive2.bicep" + "line": 33, + "fileName": "positive3.json", + "resourceType": "firewallRules", + "resourceName": "AllowAllWindowsAzureIps", + "searchKey": "properties.template.resources.resources.name={{AllowAllWindowsAzureIps}}.properties.endIpAddress", + "searchValue": "", + "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is 
'0.0.0.0'", + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0'", + "issueType": "IncorrectValue", + "similarityID": "8fa3ff9d4f2e5eec009900ed1a24976183841d3fd97b986f2c4443bda06f98bb", + "search_line": 33 }, { "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", - "line": 18, - "filename": "positive3.bicep" + "line": 4, + "fileName": "positive4.bicep", + "resourceType": "Microsoft.Sql/servers/firewallRules", + "resourceName": "sample/firewall", + "searchKey": "resources.name={{sample/firewall}}.properties.endIpAddress", + "searchValue": "", + "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0/0'", + "issueType": "IncorrectValue", + "similarityID": "2e1a2e2462c798fa8da75cd407a0f5d7f5aff3fe0380ea91590bb1aab08eb733", + "search_line": 4 }, { "queryName": "SQL Database Server Firewall Allows All IPS", "severity": "CRITICAL", - "line": 4, - "filename": "positive4.bicep" + "line": 16, + "fileName": "positive4.json", + "resourceType": "Microsoft.Sql/servers/firewallRules", + "resourceName": "sample/firewall", + "searchKey": "properties.template.resources.name={{sample/firewall}}.properties.endIpAddress", + "searchValue": "", + "expectedValue": "endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0'", + "actualValue": "endIpAddress is '255.255.255.255' and startIpAddress is '0.0.0.0/0'", + "issueType": "IncorrectValue", + "similarityID": "032bacf2e2a32bd7605667bb7ea32116cc0659cafcee376fdad916cd7a8d8ba1", + "search_line": 16 } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/test/positive_expected_result.json index 40352de71bc..6300a05a3ab 100644 
--- a/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled/test/positive_expected_result.json 
@@ -2,97 +2,241 @@ { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 14, - "filename": "positive1.json" + "line": 4, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/databases/default", + "searchKey": "resources.name={{sample/databases/default}}.properties.disabledAlerts", + "searchValue": "", + "expectedValue": "'resources.name=sample/databases/default.disabledAlerts' should be empty", + "actualValue": "'resources.name=sample/databases/default.disabledAlerts' is not empty", + "issueType": "IncorrectValue", + "similarityID": "54e04ec95ce1fe648924b0e5f702bc02811c4ef449595059514755ede5648837", + "search_line": 4 }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 16, - "filename": "positive2.json" + "line": 14, + "fileName": "positive1.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/databases/default", + "searchKey": "resources.name={{sample/databases/default}}.properties.disabledAlerts", + "searchValue": "", + "expectedValue": "'resources.name=sample/databases/default.disabledAlerts' should be empty", + "actualValue": "'resources.name=sample/databases/default.disabledAlerts' is not empty", + "issueType": "IncorrectValue", + "similarityID": "4b32770ad7421a92e4680592f1412b68daf2550fd09fb29d64980f9e0f94b0f9", + "search_line": 14 }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 17, - "filename": "positive3.json" + "line": 4, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/databases/default", + "searchKey": "resources.name={{sample/databases/default}}.properties.disabledAlerts", + "searchValue": "", + "expectedValue": "'resources.name=sample/databases/default.disabledAlerts' should be empty", + "actualValue": 
"'resources.name=sample/databases/default.disabledAlerts' is not empty", + "issueType": "IncorrectValue", + "similarityID": "6d94cb40b93bd0e4a6adc691e7f882ca9a191967060648f522f4bcc387e76c70", + "search_line": 4 }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 19, - "filename": "positive4.json" + "line": 16, + "fileName": "positive2.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/databases/default", + "searchKey": "properties.template.resources.name={{sample/databases/default}}.properties.disabledAlerts", + "searchValue": "", + "expectedValue": "'properties.template.resources.name=sample/databases/default.disabledAlerts' should be empty", + "actualValue": "'properties.template.resources.name=sample/databases/default.disabledAlerts' is not empty", + "issueType": "IncorrectValue", + "similarityID": "1288aa6de25029e60cc0892687e80f3b89f1d0b0467b7e1855c17e34ba07265f", + "search_line": 16 }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 12, - "filename": "positive5.json" + "line": 7, + "fileName": "positive3.bicep", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/databases/default", + "searchKey": "resources.name={{sample/databases/default}}.properties", + "searchValue": "", + "expectedValue": "'resources.name=sample/databases/default.state' should be enabled", + "actualValue": "'resources.name=sample/databases/default.state' is not enabled", + "issueType": "IncorrectValue", + "similarityID": "5465a156d79cef593bdab732a1891165756121d754165fd883d251fbea879787", + "search_line": 7 }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", "line": 17, - "filename": "positive6.json" + "fileName": "positive3.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/databases/default", + "searchKey": 
"resources.name={{sample/databases/default}}.properties", + "searchValue": "", + "expectedValue": "'resources.name=sample/databases/default.state' should be enabled", + "actualValue": "'resources.name=sample/databases/default.state' is not enabled", + "issueType": "IncorrectValue", + "similarityID": "edbcf10b4dae857af82aadc5b156215578b84b75fc1deac275e0465422c6750a", + "search_line": 17 }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 23, - "filename": "positive7.json" + "line": 7, + "fileName": "positive4.bicep", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/databases/default", + "searchKey": "resources.name={{sample/databases/default}}.properties", + "searchValue": "", + "expectedValue": "'resources.name=sample/databases/default.state' should be enabled", + "actualValue": "'resources.name=sample/databases/default.state' is not enabled", + "issueType": "IncorrectValue", + "similarityID": "4a41d42092f31bd28360fbfa4408ea96454384f3c057e194faed49dabfbf13e9", + "search_line": 7 }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 13, - "filename": "positive8.json" + "line": 19, + "fileName": "positive4.json", + "resourceType": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "resourceName": "sample/databases/default", + "searchKey": "properties.template.resources.name={{sample/databases/default}}.properties", + "searchValue": "", + "expectedValue": "'properties.template.resources.name=sample/databases/default.state' should be enabled", + "actualValue": "'properties.template.resources.name=sample/databases/default.state' is not enabled", + "issueType": "IncorrectValue", + "similarityID": "4198ecc654728d49364d2ff52875c2ceefe043d86fb059752643df19e95a137c", + "search_line": 19 }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 4, - "filename": "positive1.bicep" + "line": 1, + 
"fileName": "positive5.bicep", + "resourceType": "Microsoft.Sql/servers/databases", + "resourceName": "sample/default", + "searchKey": "resources.name={{sample/default}}", + "searchValue": "", + "expectedValue": "Security alert policy should be defined and enabled", + "actualValue": "Security alert policy is undefined", + "issueType": "MissingAttribute", + "similarityID": "74568bdf4de2428b46aca71f0a1e529cdb15541a6b873be599ca7b52af5fc507", + "search_line": 1 }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 4, - "filename": "positive2.bicep" + "line": 12, + "fileName": "positive5.json", + "resourceType": "Microsoft.Sql/servers/databases", + "resourceName": "sample/default", + "searchKey": "properties.template.resources.name={{sample/default}}", + "searchValue": "", + "expectedValue": "Security alert policy should be defined and enabled", + "actualValue": "Security alert policy is undefined", + "issueType": "MissingAttribute", + "similarityID": "619456e76bc21793f9bf6d0d53859f47923dab31a361de49c9481e95a0f7373a", + "search_line": 12 }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive3.bicep" + "line": 4, + "fileName": "positive6.bicep", + "resourceType": "Microsoft.Sql/servers/securityAlertPolicies", + "resourceName": "sampleServer/default", + "searchKey": "resources.name={{sampleServer/default}}.properties.disabledAlerts", + "searchValue": "", + "expectedValue": "'resources.name=sampleServer/default.disabledAlerts' should be empty", + "actualValue": "'resources.name=sampleServer/default.disabledAlerts' is not empty", + "issueType": "IncorrectValue", + "similarityID": "afd2fe2d7f35a7dec52943afbcaf97cff58a3e596e19aa1cff16728cd44b7983", + "search_line": 4 }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 7, - "filename": "positive4.bicep" + "line": 17, + "fileName": "positive6.json", + "resourceType": 
"Microsoft.Sql/servers/securityAlertPolicies", + "resourceName": "sampleServer/default", + "searchKey": "resources.name={{sampleServer/default}}.properties.disabledAlerts", + "searchValue": "", + "expectedValue": "'resources.name=sampleServer/default.disabledAlerts' should be empty", + "actualValue": "'resources.name=sampleServer/default.disabledAlerts' is not empty", + "issueType": "IncorrectValue", + "similarityID": "c26d10c8de541249c80914cd8770f52e3da71bbe72710b267c3909fb2fd05864", + "search_line": 17 }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive5.bicep" + "line": 8, + "fileName": "positive7.bicep", + "resourceType": "Microsoft.Sql/servers/securityAlertPolicies", + "resourceName": "sampleServer/default", + "searchKey": "resources.name={{sampleServer/default}}.properties", + "searchValue": "", + "expectedValue": "'resources.name=sampleServer/default.state' should be enabled", + "actualValue": "'resources.name=sampleServer/default.state' is not enabled", + "issueType": "IncorrectValue", + "similarityID": "99f7ed2441cd3701dd554d4787654e161a66c5d73c6854354792c5e4fed1d727", + "search_line": 8 }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 4, - "filename": "positive6.bicep" + "line": 23, + "fileName": "positive7.json", + "resourceType": "Microsoft.Sql/servers/securityAlertPolicies", + "resourceName": "sampleServer/default", + "searchKey": "resources.name={{sampleServer/default}}.properties", + "searchValue": "", + "expectedValue": "'resources.name=sampleServer/default.state' should be enabled", + "actualValue": "'resources.name=sampleServer/default.state' is not enabled", + "issueType": "IncorrectValue", + "similarityID": "7e3364e5282c3cf290ad640032a81e57670114e985cab5d3b86b2f6ef03dab8d", + "search_line": 23 }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 8, - "filename": "positive7.bicep" + "line": 1, 
+ "fileName": "positive8.bicep", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sample", + "searchKey": "resources.name={{sample}}", + "searchValue": "", + "expectedValue": "Security alert policy should be defined and enabled", + "actualValue": "Security alert policy is undefined", + "issueType": "MissingAttribute", + "similarityID": "164e5c7b38e21f1801e0b8652290734d89b1fb4f9cdf953ce3305649e6229b4e", + "search_line": 1 }, { "queryName": "SQL Server Database With Alerts Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive8.bicep" + "line": 13, + "fileName": "positive8.json", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sample", + "searchKey": "resources.name={{sample}}", + "searchValue": "", + "expectedValue": "Security alert policy should be defined and enabled", + "actualValue": "Security alert policy is undefined", + "issueType": "MissingAttribute", + "similarityID": "458cbcd98b8dbcefd07c6244a8f0eca4afbaed64574414b46682f5f3e313bf7d", + "search_line": 13 } ] diff --git a/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/test/positive_expected_result.json b/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/test/positive_expected_result.json index a3671a1324c..695f2ee1cbf 100644 --- a/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days/test/positive_expected_result.json 
@@ -2,85 +2,211 @@ { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 48, - "filename": "positive1.json" + "line": 36, + "fileName": "positive1.bicep", + "resourceType": "auditingSettings", + "resourceName": "default", + "searchKey": "resources.resources.resources.name={{default}}.properties.retentionDays", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' property value should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' property value is 50", + "issueType": "IncorrectValue", + "similarityID": "8ea400e6f03e1a11253a01f1615cd1b9ffaf1fb3451bf9712de4935d377d7907", + "search_line": 36 }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 43, - "filename": "positive2.json" + "line": 48, + "fileName": "positive1.json", + "resourceType": "Microsoft.Sql/servers/databases/auditingSettings", + "resourceName": "sqlServer1/sqlDatabase1/default", + "searchKey": "resources.resources.resources.name={{sqlServer1/sqlDatabase1/default}}.properties.retentionDays", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' property value should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' property value is 50", + "issueType": "IncorrectValue", + "similarityID": "9c94ecd590740530174ba1dbafd25b445591a5b2a77d5c47bf82b840091b93e6", + "search_line": 48 }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 50, - "filename": "positive3.json" + "line": 31, + "fileName": "positive2.bicep", + "resourceType": "auditingSettings", + "resourceName": "default", + "searchKey": "resources.resources.resources.name={{default}}.properties", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", + "actualValue": 
"'auditingSettings.properties.retentionDays' is missing", + "issueType": "MissingAttribute", + "similarityID": "4a434638dcf571ab6f2cad1e916808f4f6d14997f80d3d3c303f24588966d951", + "search_line": 31 }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 45, - "filename": "positive4.json" + "line": 43, + "fileName": "positive2.json", + "resourceType": "Microsoft.Sql/servers/databases/auditingSettings", + "resourceName": "sqlServer1/sqlDatabase1/default", + "searchKey": "resources.resources.resources.name={{sqlServer1/sqlDatabase1/default}}.properties", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' is missing", + "issueType": "MissingAttribute", + "similarityID": "19dc4df2747b091543e0fa759c67a8ce83fb68687997ba336ece5a64557aecd1", + "search_line": 43 }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 32, - "filename": "positive5.json" + "line": 36, + "fileName": "positive3.bicep", + "resourceType": "auditingSettings", + "resourceName": "default", + "searchKey": "resources.resources.resources.name={{default}}.properties.retentionDays", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' property value should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' property value is 50", + "issueType": "IncorrectValue", + "similarityID": "fd68e4d1b388ceea012f3374f259ad2af799c7d59dc407e8649e2c723ecc4fd6", + "search_line": 36 }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 29, - "filename": "positive6.json" + "line": 50, + "fileName": "positive3.json", + "resourceType": "Microsoft.Sql/servers/databases/auditingSettings", + "resourceName": "sqlServer1/sqlDatabase1/default", + "searchKey": 
"properties.template.resources.resources.resources.name={{sqlServer1/sqlDatabase1/default}}.properties.retentionDays", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' property value should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' property value is 50", + "issueType": "IncorrectValue", + "similarityID": "ca5489608bb33cf8e6f27ecdc879d0df20eb379e47cea6e8093b028adcf694c1", + "search_line": 50 }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 40, - "filename": "positive7.json" + "line": 31, + "fileName": "positive4.bicep", + "resourceType": "auditingSettings", + "resourceName": "default", + "searchKey": "resources.resources.resources.name={{default}}.properties", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' is missing", + "issueType": "MissingAttribute", + "similarityID": "2a81a1901bdde262d32e752ad09110b4fde86db4a0c9ca8e0a0177ecf337f7e6", + "search_line": 31 }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 36, - "filename": "positive1.bicep" + "line": 45, + "fileName": "positive4.json", + "resourceType": "Microsoft.Sql/servers/databases/auditingSettings", + "resourceName": "sqlServer1/sqlDatabase1/default", + "searchKey": "properties.template.resources.resources.resources.name={{sqlServer1/sqlDatabase1/default}}.properties", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' is missing", + "issueType": "MissingAttribute", + "similarityID": "19f666614335da1819de836811e6113f4682d3800bb0236f02e3c4493a85308a", + "search_line": 45 }, { "queryName": "SQL Server Database With Unrecommended Retention Days", 
"severity": "LOW", - "line": 31, - "filename": "positive2.bicep" + "line": 19, + "fileName": "positive5.bicep", + "resourceType": "auditingSettings", + "resourceName": "default", + "searchKey": "resources.resources.name={{default}}.properties.retentionDays", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' property value should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' property value is 89", + "issueType": "IncorrectValue", + "similarityID": "0d84576cd92377b382b14d1bebfe3901c90e0e7bf644836bdb0994478063046e", + "search_line": 19 }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 36, - "filename": "positive3.bicep" + "line": 32, + "fileName": "positive5.json", + "resourceType": "Microsoft.Sql/servers/auditingSettings", + "resourceName": "sqlServer1/default", + "searchKey": "resources.name={{sqlServer1/default}}.properties.retentionDays", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' property value should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' property value is 89", + "issueType": "IncorrectValue", + "similarityID": "ea1de91bc25c5991a49285f4c8fa1908c01b63c61b0f57b5bf267c25a1f2f893", + "search_line": 32 }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 31, - "filename": "positive4.bicep" + "line": 16, + "fileName": "positive6.bicep", + "resourceType": "auditingSettings", + "resourceName": "default", + "searchKey": "resources.resources.name={{default}}.properties", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' is missing", + "issueType": "MissingAttribute", + "similarityID": "cf9516df58d1dd4798841ab7deff184e76d71d1511e57d108826bfc5253955b4", + 
"search_line": 16 }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 19, - "filename": "positive5.bicep" + "line": 29, + "fileName": "positive6.json", + "resourceType": "Microsoft.Sql/servers/auditingSettings", + "resourceName": "[format('{0}/{1}', 'sqlServer1', 'default')]", + "searchKey": "resources.name={{[format('{0}/{1}', 'sqlServer1', 'default')]}}.properties", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' is missing", + "issueType": "MissingAttribute", + "similarityID": "291c7dc68854b4a22ea10bd3a8d16ed9122bdeeb1c7a39b97e7908c8bb22e820", + "search_line": 29 }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 16, - "filename": "positive6.bicep" + "line": 31, + "fileName": "positive7.bicep", + "resourceType": "auditingSettings", + "resourceName": "default", + "searchKey": "resources.resources.resources.name={{default}}.properties", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", + "actualValue": "'auditingSettings.properties.retentionDays' is missing", + "issueType": "MissingAttribute", + "similarityID": "afb40c23d8166ccc2e2241a310bccab24af38da8acd3c7604b1d439a8c5515e5", + "search_line": 31 }, { "queryName": "SQL Server Database With Unrecommended Retention Days", "severity": "LOW", - "line": 31, - "filename": "positive7.bicep" + "line": 40, + "fileName": "positive7.json", + "resourceType": "Microsoft.Sql/servers/databases/auditingSettings", + "resourceName": "sqlServer1/sqlDatabase1/default", + "searchKey": "resources.resources.resources.name={{sqlServer1/sqlDatabase1/default}}.properties", + "searchValue": "", + "expectedValue": "'auditingSettings.properties.retentionDays' should be defined and above 90 days", + "actualValue": 
"'auditingSettings.properties.retentionDays' is missing", + "issueType": "MissingAttribute", + "similarityID": "94c7cb91dcbe86b0af013f7065823f45741ac1b5f1af7c6cdb7dd01e22ac2b30", + "search_line": 40 } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/sql_server_database_without_auditing/test/positive_expected_result.json b/assets/queries/azureResourceManager/sql_server_database_without_auditing/test/positive_expected_result.json index 3c2defc7892..d0e27b01479 100644 --- a/assets/queries/azureResourceManager/sql_server_database_without_auditing/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/sql_server_database_without_auditing/test/positive_expected_result.json 
@@ -3,90 +3,225 @@ "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 2, - "filename": "positive1.bicep" + "fileName": "positive1.bicep", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sqlServer1", + "searchKey": "resources.name=sqlServer1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", + "issueType": "MissingAttribute", + "similarityID": "7353b5ec108528740ee4af94dde95969bdf4c7385ecc737ee80d03422fcc744b", + "search_line": 2 }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 8, - "filename": "positive1.bicep" + "fileName": "positive1.bicep", + "resourceType": "databases", + "resourceName": "sqlDatabase1", + "searchKey": "resources.resources.name=sqlDatabase1", + "searchValue": "", + "expectedValue": "resource 'sqlDatabase1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlDatabase1' is missing an enabled 'auditingsettings' resource", + "issueType": "MissingAttribute", + "similarityID": "83fc09e8805477d3a6ef61883e6642e7924c7a47e5bb15791d7b13fdf24c994a", + "search_line": 8 }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 2, - "filename": "positive2.bicep" + "fileName": "positive2.bicep", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sqlServer1", + "searchKey": "resources.name=sqlServer1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", + "issueType": "IncorrectValue", + "similarityID": "e5fc1fb93bb989e7c509065fe547e3d916b890503d9ac66211801088696fcb25", + "search_line": 2 }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 16, - "filename": 
"positive2.bicep" + "fileName": "positive2.bicep", + "resourceType": "databases", + "resourceName": "sqlDatabase1", + "searchKey": "resources.resources.name=sqlDatabase1", + "searchValue": "", + "expectedValue": "resource 'sqlDatabase1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlDatabase1' is missing an enabled 'auditingsettings' resource", + "issueType": "IncorrectValue", + "similarityID": "d42ef8272c311d3e29f16d64c49468e6f700d576058d6f0ec75da0e860f06274", + "search_line": 16 }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 2, - "filename": "positive3.bicep" + "fileName": "positive3.bicep", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sqlServer1", + "searchKey": "resources.name=sqlServer1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", + "issueType": "IncorrectValue", + "similarityID": "bab23d87b72f9d16c2b77a0405bf07238e7ed002a04403d753764327cb3f17b4", + "search_line": 2 }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 8, - "filename": "positive4.json" + "fileName": "positive4.json", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sqlServer1", + "searchKey": "resources.name=sqlServer1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", + "issueType": "MissingAttribute", + "similarityID": "eb36f1a8467c89e48d319a6d1a9d851196b1974003c0d7065ae617f1c15d7069", + "search_line": 8 }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 15, - "filename": "positive4.json" + "fileName": "positive4.json", + "resourceType": "Microsoft.Sql/servers/databases", + "resourceName": 
"sqlServer1/sqlDatabase1", + "searchKey": "resources.name=sqlServer1/sqlDatabase1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1/sqlDatabase1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1/sqlDatabase1' is missing an enabled 'auditingsettings' resource", + "issueType": "MissingAttribute", + "similarityID": "9f4e965b34efc91f60081ea43b9a0f575f928e717e00d02214792b3c39585c74", + "search_line": 15 }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 8, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sqlServer1", + "searchKey": "resources.name=sqlServer1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", + "issueType": "MissingAttribute", + "similarityID": "910fad63586c1800e389c332c4359fef3439654e1547f9b661381b19b2eca7eb", + "search_line": 8 }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 15, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "databases", + "resourceName": "sqlDatabase1", + "searchKey": "resources.resources.name=sqlDatabase1", + "searchValue": "", + "expectedValue": "resource 'sqlDatabase1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlDatabase1' is missing an enabled 'auditingsettings' resource", + "issueType": "MissingAttribute", + "similarityID": "276dfe664ea48b844419e9ff9974f40c9df7a93bf00fad2601e14a334675bd8e", + "search_line": 15 }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 8, - "filename": "positive6.json" + "fileName": "positive6.json", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sqlServer1", + "searchKey": "resources.name=sqlServer1", + "searchValue": 
"", + "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", + "issueType": "IncorrectValue", + "similarityID": "c81737010d7a9cb4a61c335dd184cff46be758af93d02fba8e561007c7261e41", + "search_line": 8 }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 23, - "filename": "positive6.json" + "fileName": "positive6.json", + "resourceType": "Microsoft.Sql/servers/databases", + "resourceName": "sqlServer1/sqlDatabase1", + "searchKey": "resources.name=sqlServer1/sqlDatabase1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1/sqlDatabase1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1/sqlDatabase1' is missing an enabled 'auditingsettings' resource", + "issueType": "IncorrectValue", + "similarityID": "3d494a81a5b5d724aa365357f5b8331822b3641b786f20954c48150aedb5e42d", + "search_line": 23 }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 8, - "filename": "positive7.json" + "fileName": "positive7.json", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sqlServer1", + "searchKey": "resources.name=sqlServer1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", + "issueType": "IncorrectValue", + "similarityID": "34506b15a7ac8d003ac27221a82b42a3b3e6e6022f97887a7c36fd05d11e0436", + "search_line": 8 }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 23, - "filename": "positive7.json" + "fileName": "positive7.json", + "resourceType": "databases", + "resourceName": "sqlDatabase1", + "searchKey": "resources.resources.name=sqlDatabase1", + "searchValue": "", + "expectedValue": "resource 'sqlDatabase1' should have an enabled 
'auditingsettings' resource", + "actualValue": "resource 'sqlDatabase1' is missing an enabled 'auditingsettings' resource", + "issueType": "IncorrectValue", + "similarityID": "aacc1789cb000e06295bcf7c702f25f4a005c305ad6104cefb52cb4597f82b62", + "search_line": 23 }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 8, - "filename": "positive8.json" + "fileName": "positive8.json", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sqlServer1", + "searchKey": "resources.name=sqlServer1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", + "issueType": "IncorrectValue", + "similarityID": "dd498c42ad03d3f215262695622a5a73cb4193243373a205566ae6a042991678", + "search_line": 8 }, { "queryName": "SQL Server Database Without Auditing", "severity": "MEDIUM", "line": 8, - "filename": "positive9.json" + "fileName": "positive9.json", + "resourceType": "Microsoft.Sql/servers", + "resourceName": "sqlServer1", + "searchKey": "resources.name=sqlServer1", + "searchValue": "", + "expectedValue": "resource 'sqlServer1' should have an enabled 'auditingsettings' resource", + "actualValue": "resource 'sqlServer1' is missing an enabled 'auditingsettings' resource", + "issueType": "IncorrectValue", + "similarityID": "6efc939e22996581b08d2e6198b1743e2388faf63c7c5881fe4f9547495a8b9d", + "search_line": 8 } ] diff --git a/assets/queries/azureResourceManager/standard_price_not_selected/test/positive_expected_result.json b/assets/queries/azureResourceManager/standard_price_not_selected/test/positive_expected_result.json index d934e5404b5..43b5c371aad 100644 --- a/assets/queries/azureResourceManager/standard_price_not_selected/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/standard_price_not_selected/test/positive_expected_result.json 
@@ -2,37 +2,91 @@ { "queryName": "Standard Price Is Not Selected", "severity": "LOW", - "line": 27, - "filename": "positive1.json" + "line": 18, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.Security/pricings", + "resourceName": "Princing", + "searchKey": "resources.name=Princing.properties.pricingTier", + "searchValue": "", + "expectedValue": "'pricingTier' should be set to standard", + "actualValue": "'pricingTier' property value is set to Free", + "issueType": "IncorrectValue", + "similarityID": "35cbcce6cc962e01bede9e46beea22c00faaed40ec666368dd70da5d5262f92d", + "search_line": 18 }, { "queryName": "Standard Price Is Not Selected", "severity": "LOW", - "line": 29, - "filename": "positive2.json" + "line": 27, + "fileName": "positive1.json", + "resourceType": "Microsoft.Security/pricings", + "resourceName": "Princing", + "searchKey": "resources.name=Princing.properties.pricingTier", + "searchValue": "", + "expectedValue": "'pricingTier' should be set to standard", + "actualValue": "'pricingTier' property value is set to Free", + "issueType": "IncorrectValue", + "similarityID": "88c04e18403265fc1b54ffd401ccf912cf0e8da44b3b9f1e6b268671dea3e967", + "search_line": 27 }, { "queryName": "Standard Price Is Not Selected", "severity": "LOW", - "line": 23, - "filename": "positive3.json" + "line": 18, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.Security/pricings", + "resourceName": "Princing", + "searchKey": "resources.name=Princing.properties.pricingTier", + "searchValue": "", + "expectedValue": "'pricingTier' should be set to standard", + "actualValue": "'pricingTier' property value is set to Free", + "issueType": "IncorrectValue", + "similarityID": "4930bb73094fc199d9623c63fe8b712683d0ff8e18bd560b5df08e58f3fba0fe", + "search_line": 18 }, { "queryName": "Standard Price Is Not Selected", "severity": "LOW", - "line": 18, - "filename": "positive1.bicep" + "line": 29, + "fileName": "positive2.json", + "resourceType": 
"Microsoft.Security/pricings", + "resourceName": "Princing", + "searchKey": "properties.template.resources.name=Princing.properties.pricingTier", + "searchValue": "", + "expectedValue": "'pricingTier' should be set to standard", + "actualValue": "'pricingTier' property value is set to Free", + "issueType": "IncorrectValue", + "similarityID": "d81b68f0f08b1d86a5c013a77eb135499c12f543672eb6c8173831836d001841", + "search_line": 29 }, { "queryName": "Standard Price Is Not Selected", "severity": "LOW", - "line": 18, - "filename": "positive2.bicep" + "line": 10, + "fileName": "positive3.bicep", + "resourceType": "Microsoft.Security/pricings", + "resourceName": "VirtualMachines", + "searchKey": "resources.name=VirtualMachines.properties.pricingTier", + "searchValue": "", + "expectedValue": "'pricingTier' should be set to standard", + "actualValue": "'pricingTier' parameter default value is set to Free", + "issueType": "IncorrectValue", + "similarityID": "19a512d37e8eabbe7555231569180b8c7d67c942d154d14090acce1a055f9467", + "search_line": 10 }, { "queryName": "Standard Price Is Not Selected", "severity": "LOW", - "line": 10, - "filename": "positive3.bicep" + "line": 23, + "fileName": "positive3.json", + "resourceType": "Microsoft.Security/pricings", + "resourceName": "VirtualMachines", + "searchKey": "resources.name=VirtualMachines.properties.pricingTier", + "searchValue": "", + "expectedValue": "'pricingTier' should be set to standard", + "actualValue": "'pricingTier' parameter default value is set to Free", + "issueType": "IncorrectValue", + "similarityID": "cdda7be84e8d73d555bebe41ced11e0ee25158aa8b88814153fc623291b6e83f", + "search_line": 23 } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/storage_account_allows_network_default_access/test/positive_expected_result.json b/assets/queries/azureResourceManager/storage_account_allows_network_default_access/test/positive_expected_result.json index efe274a3d47..859d534cc12 100644 
--- a/assets/queries/azureResourceManager/storage_account_allows_network_default_access/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/storage_account_allows_network_default_access/test/positive_expected_result.json 
@@ -2,73 +2,181 @@ { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", - "line": 41, - "fileName": "positive1.json" + "line": 19, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "[variables('storageAccountName')]", + "searchKey": "resources.name=[variables('storageAccountName')].properties.networkAcls.defaultAction", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'properties.networkAcls.defaultAction' set to 'Deny'", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' has the 'properties.networkAcls.defaultAction' set to 'Allow'", + "issueType": "IncorrectValue", + "similarityID": "f33806146ab15fbe38516977a24693f1fa1e46f22542aea19e1ea13709abfc1f", + "search_line": 19 }, { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", - "line": 18, - "fileName": "positive2.json" + "line": 41, + "fileName": "positive1.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "[variables('storageAccountName')]", + "searchKey": "resources.name=[variables('storageAccountName')].properties.networkAcls.defaultAction", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'properties.networkAcls.defaultAction' set to 'Deny'", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' has the 'properties.networkAcls.defaultAction' set to 'Allow'", + "issueType": "IncorrectValue", + "similarityID": "07e6f7478ec906bed971a90508bbc161178932318525c0e5563fc99342260238", + "search_line": 41 }, { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", - "line": 8, - "fileName": "positive3.json" + "line": 12, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive2", + 
"searchKey": "resources.name=storageaccount1Positive2.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'properties.networkAcls.defaultAction' defined", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'properties.networkAcls.defaultAction' defined", + "issueType": "MissingAttribute", + "similarityID": "4863139fa310c3fd6645d967a90196c0a04ddede3b173eb3a16664d1940f2523", + "search_line": 12 }, { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", - "line": 43, - "fileName": "positive4.json" + "line": 18, + "fileName": "positive2.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive2", + "searchKey": "resources.name=storageaccount1Positive2.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'properties.networkAcls.defaultAction' defined", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'properties.networkAcls.defaultAction' defined", + "issueType": "MissingAttribute", + "similarityID": "2c30938fd4273cff9c90c76b7cd6b1607295934fb291725e910e040a69b9c046", + "search_line": 18 }, { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", - "line": 20, - "fileName": "positive5.json" + "line": 1, + "fileName": "positive3.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive3", + "searchKey": "resources.name=storageaccount1Positive3.apiVersion=2016-12-01", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion should be newer than 2017 and enable setting networkAcls", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion is older than 2017 and doesn't enable setting networkAcls", + "issueType": "IncorrectValue", + 
"similarityID": "be4cf2937163526b0801ad56b04502a129bb72b2ae80bccb46d75785b98bbfeb", + "search_line": 1 }, { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", - "line": 10, - "fileName": "positive6.json" + "line": 8, + "fileName": "positive3.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive3", + "searchKey": "resources.name=storageaccount1Positive3.apiVersion=2016-12-01", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion should be newer than 2017 and enable setting networkAcls", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion is older than 2017 and doesn't enable setting networkAcls", + "issueType": "IncorrectValue", + "similarityID": "8af0ce4ee97f94cc6e188433ca4479a91fadc477f3339fd07c2922e1d0cc2966", + "search_line": 8 }, { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", "line": 19, - "fileName": "positive1.bicep" + "fileName": "positive4.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "[variables('storageAccountName')]", + "searchKey": "resources.name=[variables('storageAccountName')].properties.networkAcls.defaultAction", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'properties.networkAcls.defaultAction' set to 'Deny'", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' has the 'properties.networkAcls.defaultAction' set to 'Allow'", + "issueType": "IncorrectValue", + "similarityID": "7bd4185f48864ced6ccbd83a3d907c30816fa677d16889c823a58fa2c522003f", + "search_line": 19 }, { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", - "line": 12, - "fileName": "positive2.bicep" + "line": 43, + "fileName": "positive4.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": 
"[variables('storageAccountName')]", + "searchKey": "properties.template.resources.name=[variables('storageAccountName')].properties.networkAcls.defaultAction", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'properties.networkAcls.defaultAction' set to 'Deny'", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' has the 'properties.networkAcls.defaultAction' set to 'Allow'", + "issueType": "IncorrectValue", + "similarityID": "665699adc3fbce468e02edc60c89b6e241d78e3dfcb0008586de996dcfd2c6fe", + "search_line": 43 }, { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", - "line": 1, - "fileName": "positive3.bicep" + "line": 12, + "fileName": "positive5.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive2", + "searchKey": "resources.name=storageaccount1Positive2.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'properties.networkAcls.defaultAction' defined", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'properties.networkAcls.defaultAction' defined", + "issueType": "MissingAttribute", + "similarityID": "7e940af577b23c01ee4cc3952283ff24993ca8b42dff390b4462432aac1eb4b6", + "search_line": 12 }, { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", - "line": 19, - "fileName": "positive4.bicep" + "line": 20, + "fileName": "positive5.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive2", + "searchKey": "properties.template.resources.name=storageaccount1Positive2.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'properties.networkAcls.defaultAction' defined", + "actualValue": "resource with type 
'Microsoft.Storage/storageAccounts' doesn't have 'properties.networkAcls.defaultAction' defined", + "issueType": "MissingAttribute", + "similarityID": "cc1ebe959e773e1d7d87386f7f8581a5d3366845fc20795f0624758cceb9d727", + "search_line": 20 }, { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", - "line": 12, - "fileName": "positive5.bicep" + "line": 1, + "fileName": "positive6.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive3", + "searchKey": "resources.name=storageaccount1Positive3.apiVersion=2016-12-01", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion should be newer than 2017 and enable setting networkAcls", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion is older than 2017 and doesn't enable setting networkAcls", + "issueType": "IncorrectValue", + "similarityID": "331fa07adce78ddbbaf9a2e7ab5f8cb0d0341057cb5db178bd98fff0285ceefb", + "search_line": 1 }, { "queryName": "Storage Account Allows Default Network Access", "severity": "LOW", - "line": 1, - "fileName": "positive6.bicep" + "line": 10, + "fileName": "positive6.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive3", + "searchKey": "properties.template.resources.name=storageaccount1Positive3.apiVersion=2016-12-01", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion should be newer than 2017 and enable setting networkAcls", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' apiVersion is older than 2017 and doesn't enable setting networkAcls", + "issueType": "IncorrectValue", + "similarityID": "febc01557f4a85e69a6962a28d80d1c27aaee3bd3d4485fdd88fbe36c3517ed0", + "search_line": 10 } ] 
diff --git a/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/test/positive_expected_result.json b/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/test/positive_expected_result.json index a7fe7354ff6..e95c5269fb0 100644 --- a/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer/test/positive_expected_result.json 
@@ -2,73 +2,181 @@ { "queryName": "Storage Account Allows Unsecure Transfer", "severity": "MEDIUM", - "line": 19, - "fileName": "positive1.json" + "line": 13, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1", + "searchKey": "resources.name=storageaccount1.properties.supportsHttpsTrafficOnly", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'supportsHttpsTrafficOnly' property set to true", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' set to true", + "issueType": "IncorrectValue", + "similarityID": "f3dda35c62bbefd41d8664f2c6f0fc81b087851a737414d7d64361d9d67d79c0", + "search_line": 13 }, { "queryName": "Storage Account Allows Unsecure Transfer", "severity": "MEDIUM", - "line": 6, - "fileName": "positive2.json" + "line": 19, + "fileName": "positive1.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1", + "searchKey": "resources.name=storageaccount1.properties.supportsHttpsTrafficOnly", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'supportsHttpsTrafficOnly' property set to true", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' set to true", + "issueType": "IncorrectValue", + "similarityID": "5dba7530fd6ee29fd1d720d6ca3b41ee79704d5d74c5d6bd41517c547ea6e330", + "search_line": 19 }, { "queryName": "Storage Account Allows Unsecure Transfer", "severity": "MEDIUM", - "line": 18, - "fileName": "positive3.json" + "line": 2, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive2", + "searchKey": "resources.name={{storageaccount1Positive2}}", + "searchValue": "", + "expectedValue": "resource with 
type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined", + "issueType": "MissingAttribute", + "similarityID": "d4f03f5f98f413b0ca91cc77614eb05ffad0494d32db8c81f846b8f33a8813f4", + "search_line": 2 }, { "queryName": "Storage Account Allows Unsecure Transfer", "severity": "MEDIUM", - "line": 21, - "fileName": "positive4.json" + "line": 6, + "fileName": "positive2.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive2", + "searchKey": "resources.name={{storageaccount1Positive2}}", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined", + "issueType": "MissingAttribute", + "similarityID": "a37e14b9307d0621e934d5efa0862a74ea40e9c768972700c9a796ea060c15e6", + "search_line": 6 }, { "queryName": "Storage Account Allows Unsecure Transfer", "severity": "MEDIUM", - "line": 8, - "fileName": "positive5.json" + "line": 12, + "fileName": "positive3.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive3", + "searchKey": "resources.name={{storageaccount1Positive3}}properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined", + "issueType": "MissingAttribute", + "similarityID": "3664a4681067fe46105b5082e3918eec45103a3ed1bac6adf496ec3d7e998749", + "search_line": 12 }, { "queryName": "Storage Account Allows Unsecure Transfer", "severity": 
"MEDIUM", - "line": 20, - "fileName": "positive6.json" + "line": 18, + "fileName": "positive3.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive3", + "searchKey": "resources.name={{storageaccount1Positive3}}properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined", + "issueType": "MissingAttribute", + "similarityID": "2e8dc5d69c9002b3e9ca1d664b6b91db7d79ea9c56fef250f7422b784c66a2b0", + "search_line": 18 }, { "queryName": "Storage Account Allows Unsecure Transfer", "severity": "MEDIUM", "line": 13, - "fileName": "positive1.bicep" + "fileName": "positive4.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1", + "searchKey": "resources.name=storageaccount1.properties.supportsHttpsTrafficOnly", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 'supportsHttpsTrafficOnly' property set to true", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' set to true", + "issueType": "IncorrectValue", + "similarityID": "bb6512ad7e8f4e07234de7b17fe981978bd06d2d0e97dcf55788c021171d92ce", + "search_line": 13 }, { "queryName": "Storage Account Allows Unsecure Transfer", "severity": "MEDIUM", - "line": 2, - "fileName": "positive2.bicep" + "line": 21, + "fileName": "positive4.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1", + "searchKey": "properties.template.resources.name=storageaccount1.properties.supportsHttpsTrafficOnly", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' property value should have the 
'supportsHttpsTrafficOnly' property set to true", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' set to true", + "issueType": "IncorrectValue", + "similarityID": "d7008cc1679b2ac61da4c32e57a7aef5cf369c7f732d7606f7dfe5ccbdab90e4", + "search_line": 21 }, { "queryName": "Storage Account Allows Unsecure Transfer", "severity": "MEDIUM", - "line": 12, - "fileName": "positive3.bicep" + "line": 2, + "fileName": "positive5.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive2", + "searchKey": "resources.name={{storageaccount1Positive2}}", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined", + "issueType": "MissingAttribute", + "similarityID": "e119ca02afc7ab7974728492d9bbacce002a423b3cabb6aee7810f330b6bba68", + "search_line": 2 }, { "queryName": "Storage Account Allows Unsecure Transfer", "severity": "MEDIUM", - "line": 13, - "fileName": "positive4.bicep" + "line": 8, + "fileName": "positive5.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive2", + "searchKey": "resources.name={{storageaccount1Positive2}}", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined", + "issueType": "MissingAttribute", + "similarityID": "68e2964cb6084dbf3397d73fac75af777768adedfb70635f52f4ca402b0cd193", + "search_line": 8 }, { "queryName": "Storage Account Allows Unsecure Transfer", "severity": "MEDIUM", - "line": 2, - "fileName": "positive5.bicep" + "line": 12, + 
"fileName": "positive6.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive3", + "searchKey": "resources.name={{storageaccount1Positive3}}properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined", + "issueType": "MissingAttribute", + "similarityID": "e413db80ce2af3a25b9137661c7275b0129623a2fc0d9b814914ba66d2a99123", + "search_line": 12 }, { "queryName": "Storage Account Allows Unsecure Transfer", "severity": "MEDIUM", - "line": 12, - "fileName": "positive6.bicep" + "line": 20, + "fileName": "positive6.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storageaccount1Positive3", + "searchKey": "resources.name={{storageaccount1Positive3}}properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have the 'supportsHttpsTrafficOnly' property defined", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'supportsHttpsTrafficOnly' property defined", + "issueType": "MissingAttribute", + "similarityID": "4856f23e07ec075d9a5fda205eacbb9a0eb27ed882220c8102b02185d9f7a3a9", + "search_line": 20 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/test/positive_expected_result.json b/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/test/positive_expected_result.json
index 8958f4d9404..9033321e7f3 100644
--- a/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/test/positive_expected_result.json
+++ b/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/test/positive_expected_result.json
@@ -2,61 +2,151 @@ { "queryName": "Storage Blob Service Container With Public Access", "severity": "HIGH", - "line": 15, - "fileName": "positive1.json" + "line": 5, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/blobServices/containers", + "resourceName": "blob/container/example", + "searchKey": "resources.name=blob/container/example.properties.publicAccess", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' has 'publicAccess' property set to 'Container'", + "issueType": "IncorrectValue", + "similarityID": "b23dbac8cc3f0e0e68eba3e82ed66b6eda5846faa34402098d300c6e647765ba", + "search_line": 5 }, { "queryName": "Storage Blob Service Container With Public Access", "severity": "HIGH", - "line": 107, - "fileName": "positive2.json" + "line": 15, + "fileName": "positive1.json", + "resourceType": "Microsoft.Storage/storageAccounts/blobServices/containers", + "resourceName": "blob/container/example", + "searchKey": "resources.name=blob/container/example.properties.publicAccess", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' has 'publicAccess' property set to 'Container'", + "issueType": "IncorrectValue", + "similarityID": "b6839b2f561df9e8a1d22f4197197ba345a57858edbb9e1ccb947dd67c2f1bcb", + "search_line": 15 }, { "queryName": "Storage Blob Service Container With Public Access", "severity": "HIGH", - "line": 50, - "fileName": "positive3.json" + "line": 87, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + 
"resourceName": "[parameters('storageAccountName')]", + "searchKey": "resources.name=[parameters('storageAccountName')].resources.name=default.resources.name=container.properties.publicAccess", + "searchValue": "", + "expectedValue": "resource with type 'containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", + "actualValue": "resource with type 'containers' has 'publicAccess' property set to 'Blob'", + "issueType": "IncorrectValue", + "similarityID": "3dea5d98daccf135469fa57117974c1b5dc867e5b351a04172f48dc413592f11", + "search_line": 87 }, { "queryName": "Storage Blob Service Container With Public Access", "severity": "HIGH", - "line": 17, - "fileName": "positive4.json" + "line": 107, + "fileName": "positive2.json", + "resourceType": "Microsoft.Storage/storageAccounts/blobServices", + "resourceName": "[concat(parameters('storageAccountName'), '/default')]", + "searchKey": "resources.name=[concat(parameters('storageAccountName'), '/default')].resources.name=container.properties.publicAccess", + "searchValue": "", + "expectedValue": "resource with type 'containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", + "actualValue": "resource with type 'containers' has 'publicAccess' property set to 'Blob'", + "issueType": "IncorrectValue", + "similarityID": "3b176dcc96b068f6f4fb1c46a0f1311c36eacb263e29756340926497f4cb2c39", + "search_line": -1 }, { "queryName": "Storage Blob Service Container With Public Access", "severity": "HIGH", - "line": 109, - "fileName": "positive5.json" + "line": 29, + "fileName": "positive3.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/blobServices/containers", + "resourceName": "['${parameters('storageAccountName')}/default/${parameters('containerName')}']", + "searchKey": "resources.name=['${parameters('storageAccountName')}/default/${parameters('containerName')}'].properties.publicAccess", + "searchValue": "", + "expectedValue": "resource with type 
'Microsoft.Storage/storageAccounts/blobServices/containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' has 'publicAccess' property set to 'Blob'", + "issueType": "IncorrectValue", + "similarityID": "a48ecb12399931d2fa67f822de423421d579240e35eb1fa8e629b6c68f489637", + "search_line": 29 }, { "queryName": "Storage Blob Service Container With Public Access", "severity": "HIGH", - "line": 52, - "fileName": "positive6.json" + "line": 50, + "fileName": "positive3.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "[parameters('storageAccountName')]", + "searchKey": "resources.name=[parameters('storageAccountName')].resources.name=[concat('default/', parameters('containerName'))].properties.publicAccess", + "searchValue": "", + "expectedValue": "resource with type 'blobServices/containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", + "actualValue": "resource with type 'blobServices/containers' has 'publicAccess' property set to 'Blob'", + "issueType": "IncorrectValue", + "similarityID": "ed1cfde22942c6c15f0578fed949804f8b89c935a615934c65bbd467dd2dc723", + "search_line": -1 }, { "queryName": "Storage Blob Service Container With Public Access", "severity": "HIGH", - "line": 96, - "fileName": "positive7.json" + "line": 17, + "fileName": "positive4.json", + "resourceType": "Microsoft.Storage/storageAccounts/blobServices/containers", + "resourceName": "blob/container/example", + "searchKey": "properties.template.resources.name=blob/container/example.properties.publicAccess", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts/blobServices/containers' has 'publicAccess' property 
set to 'Container'", + "issueType": "IncorrectValue", + "similarityID": "f33cf44c1d0a4c50b9d74463c94d89d229cbd5c4592fbd112234417d86ba08df", + "search_line": 17 }, { "queryName": "Storage Blob Service Container With Public Access", "severity": "HIGH", - "line": 5, - "fileName": "positive1.bicep" + "line": 109, + "fileName": "positive5.json", + "resourceType": "Microsoft.Storage/storageAccounts/blobServices", + "resourceName": "[concat(parameters('storageAccountName'), '/default')]", + "searchKey": "properties.template.resources.name=[concat(parameters('storageAccountName'), '/default')].resources.name=container.properties.publicAccess", + "searchValue": "", + "expectedValue": "resource with type 'containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", + "actualValue": "resource with type 'containers' has 'publicAccess' property set to 'Blob'", + "issueType": "IncorrectValue", + "similarityID": "319646323d7b2aa4fe1ad4d66ddf15cb2dcf72763bc242f88fd0aba909a03cf3", + "search_line": -1 }, { "queryName": "Storage Blob Service Container With Public Access", "severity": "HIGH", - "line": 87, - "fileName": "positive2.bicep" + "line": 52, + "fileName": "positive6.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "[parameters('storageAccountName')]", + "searchKey": "properties.template.resources.name=[parameters('storageAccountName')].resources.name=[concat('default/', parameters('containerName'))].properties.publicAccess", + "searchValue": "", + "expectedValue": "resource with type 'blobServices/containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", + "actualValue": "resource with type 'blobServices/containers' has 'publicAccess' property set to 'Blob'", + "issueType": "IncorrectValue", + "similarityID": "d52f9fc187a2d2fc8a72c5e0a4167ea7843d9685ff8c58ccf2410fffc156d520", + "search_line": -1 }, { "queryName": "Storage Blob Service Container With Public Access", "severity": "HIGH", - 
"line": 29, - "fileName": "positive3.bicep" + "line": 96, + "fileName": "positive7.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "[parameters('storageAccountName')]", + "searchKey": "resources.name=[parameters('storageAccountName')].resources.name=[concat(parameters('storageAccountName'), '/default')].resources.name=container.properties.publicAccess", + "searchValue": "", + "expectedValue": "resource with type 'containers' shouldn't have 'publicAccess' property value set to 'Container' or 'Blob'", + "actualValue": "resource with type 'containers' has 'publicAccess' property set to 'Blob'", + "issueType": "IncorrectValue", + "similarityID": "955c170c421bf7ca21c42f1e1800cef7dc26942755828173e87dc3a756c32d4b", + "search_line": 96 } ]
diff --git a/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json
index a38a9ae1865..6f7811a9cc5 100644
--- a/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json
+++ b/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled/test/positive_expected_result.json
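Review bot: Four of the regenerated entries in this hunk (positive2.json, positive3.json, positive5.json and positive6.json) pin `"search_line": -1` even though their `line` field resolves to a concrete number (107, 50, 109, 52), and all four are the cases where the container is nested under a parent `resources` block rather than declared as a top-level resource. If -1 is the sentinel for an unresolved location, committing it as the expected value turns a line-resolution gap in the ARM nested-resource path into a passing test instead of a visible failure, and any later fix to the resolver will then break these fixtures. The same pattern appears in the storage-logging hunk that follows (the three positive3.json entries at line 67). It would be worth having whatever regenerates these files warn on, or refuse to emit, a negative `search_line`, so a reviewer sees the gap at generation time rather than in the fixture diff.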
@@ -2,223 +2,556 @@ { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 80, - "fileName": "positive1.json" + "line": 7, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method", + "issueType": "IncorrectValue", + "similarityID": "a054cd9456a96b5dc828153d1003d11eccf21a14160376620a8c52fba0147fdb", + "search_line": 7 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 84, - "fileName": "positive1.json" + "line": 11, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Write' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Write' method", + "issueType": "IncorrectValue", + "similarityID": "3d50645c5016b4c07c48333ffdb0f77a58a3c5566e13fd5dc99fd16173339d84", + "search_line": 11 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 88, - "fileName": "positive1.json" + "line": 15, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + 
"resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Delete' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Delete' method", + "issueType": "IncorrectValue", + "similarityID": "6409004be87aac36d8c6cae1be35ae360b48a4dd88662036b7186dc356e4ed44", + "search_line": 15 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 77, - "fileName": "positive2.json" + "line": 80, + "fileName": "positive1.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method", + "issueType": "IncorrectValue", + "similarityID": "3ae1a4e078ec9853bd5a113bda40ed2e3dd38f0bcd6c48c5ffea32073971bebc", + "search_line": 80 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 77, - "fileName": "positive2.json" + "line": 84, + "fileName": "positive1.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": 
"resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Write' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Write' method", + "issueType": "IncorrectValue", + "similarityID": "361822f09f0b6e359dbbc7a9febe8a41651b86bf85743872ce9057e337ac94f6", + "search_line": 84 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 80, - "fileName": "positive2.json" + "line": 88, + "fileName": "positive1.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Delete' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Delete' method", + "issueType": "IncorrectValue", + "similarityID": "5f1ffafbcf6772af7dd4db8a00fffa374d34375b39b04beffb82549c22d98409", + "search_line": 88 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 67, - "fileName": "positive3.json" + "line": 4, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", + "searchValue": 
"StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method", + "issueType": "MissingAttribute", + "similarityID": "cf184803601b3b4923be1530206e0bc6dbf99fb6433f8179056c9ae8aaa2d8bc", + "search_line": 4 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 67, - "fileName": "positive3.json" + "line": 4, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method", + "issueType": "MissingAttribute", + "similarityID": "802e51c742200c7907629e4517530b57e0081570854e353757dc5ada3aceba70", + "search_line": 4 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 67, - "fileName": "positive3.json" + "line": 4, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method", + "issueType": "MissingAttribute", + "similarityID": 
"817d9ea1e3199b239a619d61ab62c1680f7bc21d0e3080658219550a5895e39a", + "search_line": 4 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 82, - "fileName": "positive4.json" + "line": 77, + "fileName": "positive2.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method", + "issueType": "MissingAttribute", + "similarityID": "c1f676ad16cbcd507bf67ae06a93da3b9b00f8918cea28d019692e520ad5be52", + "search_line": 77 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 86, - "fileName": "positive4.json" + "line": 77, + "fileName": "positive2.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method", + "issueType": "MissingAttribute", + "similarityID": 
"366429601c58df278f4d92b261a5a2f927aefc3ad235f25e69ed2855024e1dc9", + "search_line": 77 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 90, - "fileName": "positive4.json" + "line": 80, + "fileName": "positive2.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method", + "issueType": "IncorrectValue", + "similarityID": "502467ad1a72be9c59e1b3d16a5d0125129f5f488ac157357ff966549024d499", + "search_line": 80 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 79, - "fileName": "positive5.json" + "line": 7, + "fileName": "positive3.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method", + "issueType": "IncorrectValue", + "similarityID": "c3dee95c159b83df3953d97b1829f020ca3be28ce6a3a0ff09c116b54c79bc23", + "search_line": 7 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 79, - 
"fileName": "positive5.json" + "line": 15, + "fileName": "positive3.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Delete' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Delete' method", + "issueType": "IncorrectValue", + "similarityID": "3d036eaee555e8bc4f6d10e096a81767e1d9676dfe961aeb1854608ea1a15ccd", + "search_line": 15 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 82, - "fileName": "positive5.json" + "line": 67, + "fileName": "positive3.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method", + "issueType": "MissingAttribute", + "similarityID": "1ee3547b91b2b8c1fb5697272891a5270b03c33ad76eec0bb1ad40eb1662dfd2", + "search_line": -1 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 69, - "fileName": "positive6.json" + "line": 67, + "fileName": "positive3.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + 
"resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method", + "issueType": "MissingAttribute", + "similarityID": "ed08d69c7ea307b2d21d0620d7ac9c4ba38842485a0d7b36c4b8b1bf55fea6de", + "search_line": -1 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 69, - "fileName": "positive6.json" + "line": 67, + "fileName": "positive3.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method", + "issueType": "MissingAttribute", + "similarityID": "cff6fedd9ebe62c66245286f4a67a7feefdb5e975b336cfa94985f562847a694", + "search_line": -1 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 69, - "fileName": "positive6.json" + "line": 4, + "fileName": "positive4.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": 
"Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method", + "issueType": "MissingAttribute", + "similarityID": "7c1903b3184755499c43c38b01e103a9cb295f5b7d439f1aca62369d00d325f5", + "search_line": 4 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 7, - "fileName": "positive1.bicep" + "line": 4, + "fileName": "positive4.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method", + "issueType": "MissingAttribute", + "similarityID": "97b3f7434c89298cfba9998eb7ae690386d2abfeac603fc2cbecac1a8c794ae5", + "search_line": 4 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 15, - "fileName": "positive1.bicep" + "line": 82, + "fileName": "positive4.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', 
parameters('settingName'))].properties.logs.StorageRead", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method", + "issueType": "IncorrectValue", + "similarityID": "d727e70fd82be1f1c7d33c535fd62a90c50aed7ddb3cc28f760112e2a576d292", + "search_line": 82 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.bicep" + "line": 86, + "fileName": "positive4.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Write' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Write' method", + "issueType": "IncorrectValue", + "similarityID": "8cb4f98c4ba64042cb3cdb65fa0a82dff9fe062019538d0d3d1bbce9e1ed71b0", + "search_line": 86 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 4, - "fileName": "positive2.bicep" + "line": 90, + "fileName": "positive4.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', 
parameters('settingName'))].properties.logs.StorageDelete", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Delete' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Delete' method", + "issueType": "IncorrectValue", + "similarityID": "7ca44e43eb2167737f39e0b669f5875a93c1214ec47b94e1aebdc9a7ece6e09d", + "search_line": 90 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", "line": 4, - "fileName": "positive2.bicep" + "fileName": "positive5.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method", + "issueType": "MissingAttribute", + "similarityID": "cd15535ebe9f79d03479d4204957dcdf5946046b78ce192dcd2d6a20506d17bc", + "search_line": 4 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", "line": 4, - "fileName": "positive2.bicep" + "fileName": "positive5.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method", + "issueType": "MissingAttribute", + 
"similarityID": "a7f917a9655ed8e072130a21e93547994dfb64bd9715131ca69b21e516bdbef0", + "search_line": 4 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive3.bicep" + "fileName": "positive5.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Write' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Write' method", + "issueType": "IncorrectValue", + "similarityID": "088797370f3cd50faa79d8d928b0d3c680f48c8776123fa7b858c82273457d0c", + "search_line": 7 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 15, - "fileName": "positive3.bicep" + "line": 79, + "fileName": "positive5.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method", + "issueType": "MissingAttribute", + "similarityID": "7ce67b9d0c8aa6b5323a606c0f6e347a25227e621e6e92af70f560b72ac11c11", + "search_line": 79 }, { "queryName": "Storage Logging For Read Write And Delete Requests 
Disabled", "severity": "MEDIUM", - "line": 4, - "fileName": "positive4.bicep" + "line": 79, + "fileName": "positive5.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method", + "issueType": "MissingAttribute", + "similarityID": "151ff4a4465ea08050bbf18f68dd7048e7d1cc4177df22ed8a618c7bfcefd099", + "search_line": 79 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 4, - "fileName": "positive4.bicep" + "line": 82, + "fileName": "positive5.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", + "searchValue": "", + "expectedValue": "Storage Logging in 'diagnosticsettings' should be enabled for 'Read' method", + "actualValue": "Storage Logging in 'diagnosticsettings' is disabled for 'Read' method", + "issueType": "IncorrectValue", + "similarityID": "8cea029a8edea56d4a927201718cd68a0c8a47a33f63fa977a93f5867a46641d", + "search_line": 82 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", 
- "line": 7, - "fileName": "positive5.bicep" + "line": 2, + "fileName": "positive6.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method", + "issueType": "MissingAttribute", + "similarityID": "3c72423ddbc90a2830ca959c12c12f3dc8ad20a2816693e20bfebfa4065fd706", + "search_line": -1 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 4, - "fileName": "positive5.bicep" + "line": 2, + "fileName": "positive6.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method", + "issueType": "MissingAttribute", + "similarityID": "3225b761de41c522f64db42a652cf3d502a11061271df014efb8e60b567a2b94", + "search_line": -1 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 4, - "fileName": "positive5.bicep" + "line": 2, + "fileName": "positive6.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": 
"resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method", + "issueType": "MissingAttribute", + "similarityID": "e2a84056f8e5462ab8f96be62fff995b365b69bb5075439827dd8959f56a3aea", + "search_line": -1 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 2, - "fileName": "positive6.bicep" + "line": 69, + "fileName": "positive6.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method", + "issueType": "MissingAttribute", + "similarityID": "bc9aa7f12a4e6b526d91d1b6e8f1933b936a06c6aa6121a16e882a41a7b24cb7", + "search_line": -1 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 2, - "fileName": "positive6.bicep" + "line": 69, + "fileName": "positive6.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": 
"properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageRead", + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method", + "issueType": "MissingAttribute", + "similarityID": "6ffccc36297ffed634275cbf320fb10d24435b613432e8c7a43b62396e820557", + "search_line": -1 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", - "line": 2, - "fileName": "positive6.bicep" + "line": 69, + "fileName": "positive6.json", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "searchKey": "properties.template.resources.properties.template.resources.name=[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))].properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageWrite' method", + "issueType": "MissingAttribute", + "similarityID": "f57581d2c6a6206874381cbabd5ac6b98dfa57520a043f51f3959e1f90f049b7", + "search_line": -1 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", "line": 3, - "fileName": "positive7.bicep" + "fileName": "positive7.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": 
"resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageDelete", + "searchValue": "StorageDelete", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageDelete' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageDelete' method", + "issueType": "MissingAttribute", + "similarityID": "cd8ee93dd738ef8718c9c170acca14332912cfe061ced7414e7d9ae22386a192", + "search_line": -1 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", "line": 3, - "fileName": "positive7.bicep" + "fileName": "positive7.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageRead", + "searchValue": "StorageRead", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageRead' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 'StorageRead' method", + "issueType": "MissingAttribute", + "similarityID": "6d5097d03322da20c152183ffcb921a8492b84ae2ee188397961aa65618832c0", + "search_line": -1 }, { "queryName": "Storage Logging For Read Write And Delete Requests Disabled", "severity": "MEDIUM", "line": 3, - "fileName": "positive7.bicep" + "fileName": "positive7.bicep", + "resourceType": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "resourceName": "Microsoft.Storage/storageAccounts/queueServices/providers", + "searchKey": "resources.name=Microsoft.Storage/storageAccounts/queueServices/providers.properties.logs.StorageWrite", + "searchValue": "StorageWrite", + "expectedValue": "'Storage Logging' in 'diagnosticsettings' needs 'StorageWrite' method", + "actualValue": "'Storage Logging' in 'diagnosticsettings' doesn't have a 
'StorageWrite' method", + "issueType": "MissingAttribute", + "similarityID": "95b9116a47de2b67c449116a81ffc99a97a54433f36b51673af088ae8c6ae2a4", + "search_line": -1 } ] diff --git a/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/test/positive_expected_result.json index 273685f7d4b..68e35a9418c 100644 --- a/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled/test/positive_expected_result.json 
@@ -2,85 +2,211 @@ { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 21, - "fileName": "positive1.json" + "line": 11, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storage", + "searchKey": "resources.name=storage.properties.networkAcls", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "IncorrectValue", + "similarityID": "3d6d6f5334f4beec45560a19d06dbb1f48268de24b0846b1da8300eb3c414548", + "search_line": 11 }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", "line": 21, - "fileName": "positive2.json" + "fileName": "positive1.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storage", + "searchKey": "resources.name=storage.properties.networkAcls", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "IncorrectValue", + "similarityID": "2482d1e7db3857e17246186877875992b7bf2ea93ae1fb6a86c844d798af3831", + "search_line": 21 }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 23, - "fileName": "positive3.json" + "line": 11, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storage", + "searchKey": "resources.name=storage.properties.networkAcls", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", + "actualValue": 
"resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "IncorrectValue", + "similarityID": "1478ca3ad6aaf4093eef8c645f3436829206770a88322ccb45ddefa833d62fb3", + "search_line": 11 }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 23, - "fileName": "positive4.json" + "line": 21, + "fileName": "positive2.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storage", + "searchKey": "resources.name=storage.properties.networkAcls", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "IncorrectValue", + "similarityID": "92ed51b87acd3e334445f2a76fffcf6338b4e3f25a2b037731c6d0df2fd61761", + "search_line": 21 }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 17, - "fileName": "positive5.json" + "line": 11, + "fileName": "positive3.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storage", + "searchKey": "resources.name=storage.properties.networkAcls", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "IncorrectValue", + "similarityID": "9050c8161f26286dc4c9d14df7942882b406e991b8f6b621fa9f328f26899977", + "search_line": 11 }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 19, - "fileName": "positive6.json" + "line": 23, + "fileName": "positive3.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storage", 
+ "searchKey": "properties.template.resources.name=storage.properties.networkAcls", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "IncorrectValue", + "similarityID": "748ec280b3bae3636e33d4083f6cb4805922149c52bd74e67319a8a510a5cd4d", + "search_line": 23 }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 18, - "fileName": "positive7.json" + "line": 11, + "fileName": "positive4.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storage", + "searchKey": "resources.name=storage.properties.networkAcls", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "IncorrectValue", + "similarityID": "ebe8c8a70014576c55c3c298dae0367461c48275d59a9471c67947fbc5d0f5be", + "search_line": 11 }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.bicep" + "line": 23, + "fileName": "positive4.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "storage", + "searchKey": "properties.template.resources.name=storage.properties.networkAcls", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' property value enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "IncorrectValue", + "similarityID": 
"55d68b9b4cf06eb03e25b3404aec2644f4362ec31562309f40b2305cd5e339c2", + "search_line": 23 }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 11, - "fileName": "positive2.bicep" + "line": 9, + "fileName": "positive5.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "value.name", + "searchKey": "resources.name=positive5.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "MissingAttribute", + "similarityID": "19878924a594dc0d436673e30d762f4cd874115c3ebebd0f1aa7ce53c917f9ca", + "search_line": 9 }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 11, - "fileName": "positive3.bicep" + "line": 17, + "fileName": "positive5.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "value.name", + "searchKey": "resources.name=positive5.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "MissingAttribute", + "similarityID": "fb82a30afa4c007f62a21abe890419ff4fe107b8c805804efefee4a21fafaf90", + "search_line": 17 }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 11, - "fileName": "positive4.bicep" + "line": 1, + "fileName": "positive6.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "value.name", + "searchKey": "resources.name=positive6", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", + 
"actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "MissingAttribute", + "similarityID": "0baee8158cb51cdf81d7f3a9d016475c63c0432643e79188b09eadf153a8d825", + "search_line": 1 }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 9, - "fileName": "positive5.bicep" + "line": 19, + "fileName": "positive6.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "value.name", + "searchKey": "resources.name=positive6", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "MissingAttribute", + "similarityID": "ad775fc22e6375d7d1f60617d92440546b0f75c9d54c3a02fac0176d11c00b00", + "search_line": 19 }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive6.bicep" + "line": 10, + "fileName": "positive7.bicep", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "value.name", + "searchKey": "resources.name=positive7.properties.networkAcls", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "MissingAttribute", + "similarityID": "2b7ac409e6e1365d913c9c9e974db4e22cdff57d13633ea6d53e0c2e54ca49e2", + "search_line": 10 }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 10, - "fileName": "positive7.bicep" + "line": 18, + "fileName": "positive7.json", + "resourceType": "Microsoft.Storage/storageAccounts", + "resourceName": "value.name", + "searchKey": 
"resources.name=positive7.properties.networkAcls", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Storage/storageAccounts' should have 'Trusted Microsoft Services' enabled", + "actualValue": "resource with type 'Microsoft.Storage/storageAccounts' doesn't have 'Trusted Microsoft Services' enabled", + "issueType": "MissingAttribute", + "similarityID": "5be8f7d4c39de317e8acee0943239ccc21be189d2d2b6161e73219ae19743f94", + "search_line": 18 } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/test/positive_expected_result.json b/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/test/positive_expected_result.json index 3ce6f3b5fcd..426f8695d43 100644 --- a/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy/test/positive_expected_result.json 
@@ -2,73 +2,181 @@ { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 26, - "fileName": "positive1.json" + "line": 12, + "fileName": "positive1.bicep", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name=string.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365", + "issueType": "IncorrectValue", + "similarityID": "2c33f32839383c876d5bc32116d1f03deb90ab16fbc710cae088d5bf16ee0a42", + "search_line": 12 }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 25, - "fileName": "positive2.json" + "line": 26, + "fileName": "positive1.json", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name=string.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365", + "issueType": "IncorrectValue", + "similarityID": "71e3ffff843f02eff4d190c027ca43fb1d2c324b583a62f80a68e5b593dd8527", + "search_line": 26 }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 26, - "fileName": "positive2.json" + "line": 11, + "fileName": "positive2.bicep", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name=string.properties.retentionPolicy.enabled", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'enabled' property value set to true", + "actualValue": 
"resource with type 'microsoft.insights/logprofiles' doesn't have 'enabled' set to true", + "issueType": "IncorrectValue", + "similarityID": "12aaf8ce2b29d67de8a1cb7a2ff6cb5ed33a9258c957351c63a03157e2d11158", + "search_line": 11 }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 28, - "fileName": "positive3.json" + "line": 12, + "fileName": "positive2.bicep", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name=string.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365", + "issueType": "IncorrectValue", + "similarityID": "682ee38e74bfb3dff179ae3096c7ba57c316a6772b83a102da240bcf17934cd7", + "search_line": 12 }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 27, - "fileName": "positive4.json" + "line": 25, + "fileName": "positive2.json", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name=string.properties.retentionPolicy.enabled", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'enabled' property value set to true", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'enabled' set to true", + "issueType": "IncorrectValue", + "similarityID": "3223bb36a0de50bbb48f4d1a24ddb544cb1e35ecb155c4defe10af6a5cd8fd4e", + "search_line": 25 }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 28, - "fileName": "positive4.json" + "line": 26, + "fileName": "positive2.json", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": 
"resources.name=string.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365", + "issueType": "IncorrectValue", + "similarityID": "b8b9c275bfe74b8d2a17dd097752c5e13ca11461eae3fef886c59c6cc740f884", + "search_line": 26 }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", "line": 12, - "fileName": "positive1.bicep" + "fileName": "positive3.bicep", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name=string.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365", + "issueType": "IncorrectValue", + "similarityID": "0299a74f67c94a1f533f229098736b490a3df94d3f65b4580754a67ecb89e1d3", + "search_line": 12 }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 12, - "fileName": "positive2.bicep" + "line": 28, + "fileName": "positive3.json", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "properties.template.resources.name=string.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365", + "issueType": "IncorrectValue", + "similarityID": "0526a8dd8c55c37145368b52e1792711f77d28a0f63b9a7e93cd4adf5cf59cf0", + "search_line": 28 }, { "queryName": "Unrecommended 
Log Profile Retention Policy", "severity": "LOW", "line": 11, - "fileName": "positive2.bicep" + "fileName": "positive4.bicep", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name=string.properties.retentionPolicy.enabled", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'enabled' property value set to true", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'enabled' set to true", + "issueType": "IncorrectValue", + "similarityID": "159780a7a1564ed475022e0869b0a405c6d81b2e11f632c1d62e3b33506ccea3", + "search_line": 11 }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", "line": 12, - "fileName": "positive3.bicep" + "fileName": "positive4.bicep", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "resources.name=string.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365", + "issueType": "IncorrectValue", + "similarityID": "d556905d1b8a771fcfc89367e3df22dbf9803a7a79aa0f5206cbdc40e772a24f", + "search_line": 12 }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 11, - "fileName": "positive4.bicep" + "line": 27, + "fileName": "positive4.json", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "properties.template.resources.name=string.properties.retentionPolicy.enabled", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'enabled' property value set to true", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'enabled' set to 
true", + "issueType": "IncorrectValue", + "similarityID": "43506242ff52ec5ac671cab3bd805fad0ac6a838c8e22e782f61e71e60e419f6", + "search_line": 27 }, { "queryName": "Unrecommended Log Profile Retention Policy", "severity": "LOW", - "line": 12, - "fileName": "positive4.bicep" + "line": 28, + "fileName": "positive4.json", + "resourceType": "microsoft.insights/logprofiles", + "resourceName": "string", + "searchKey": "properties.template.resources.name=string.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'microsoft.insights/logprofiles' should have 'days' property value set to 0 or higher than 365", + "actualValue": "resource with type 'microsoft.insights/logprofiles' doesn't have 'days' set to 0 or higher than 365", + "issueType": "IncorrectValue", + "similarityID": "20e80817917b95520d6b0190355a4dbe5161ec2116910c0058f04755dd121b69", + "search_line": 28 } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/test/positive_expected_result.json b/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/test/positive_expected_result.json index 559db459cb4..dbed472cd65 100644 --- a/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy/test/positive_expected_result.json 
@@ -2,145 +2,361 @@ { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 20, - "fileName": "positive1.json" + "line": 10, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.Network/networkWatchers/flowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90", + "issueType": "IncorrectValue", + "similarityID": "d1575d66aff59873e2dff19cd45aa26196c75784198d0569d16c2f2c23a62d61", + "search_line": 10 }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 21, - "fileName": "positive1.json" + "line": 11, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.Network/networkWatchers/flowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.enabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property value set to true", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' set to true", + "issueType": "IncorrectValue", + "similarityID": "03f4e6899ae215bb3cd54296dccc07188d1b1484fdc45ce6c964cc18b546d3d4", + "search_line": 11 }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 19, - "fileName": "positive2.json" + "line": 20, + "fileName": "positive1.json", + "resourceType": "Microsoft.Network/networkWatchers/flowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", + "searchValue": "", 
+ "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90", + "issueType": "IncorrectValue", + "similarityID": "39475890154912c0df8faf619305542c041c751d7ccd9d827ddd20063b4ad6b7", + "search_line": 20 }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 20, - "fileName": "positive2.json" + "line": 21, + "fileName": "positive1.json", + "resourceType": "Microsoft.Network/networkWatchers/flowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.enabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property value set to true", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' set to true", + "issueType": "IncorrectValue", + "similarityID": "003783125647e8e0e2f30bd07704471437061a1e1be3a3ed3a5665d95c057952", + "search_line": 21 }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 15, - "fileName": "positive3.json" + "line": 9, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined", + "issueType": "MissingAttribute", + "similarityID": "e8c7d8851cecc4bb3cd08ecde96f3668bee0a0012fdaf4fa80fe06641a0fbebf", + "search_line": 9 }, { "queryName": 
"Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 15, - "fileName": "positive4.json" + "line": 10, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90", + "issueType": "IncorrectValue", + "similarityID": "33b32c2c34df2a85258c66957a6c1d05926b5f20e1419ee2650feed153ca26d0", + "search_line": 10 }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 22, - "fileName": "positive5.json" + "line": 19, + "fileName": "positive2.json", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined", + "issueType": "MissingAttribute", + "similarityID": "5fce385bd0dbd9ccc59a6fd8009008cd728ae5e0df7ef2a52021f2b1184d5faa", + "search_line": 19 }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 23, - "fileName": "positive5.json" + "line": 20, + "fileName": "positive2.json", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 
'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90", + "issueType": "IncorrectValue", + "similarityID": "15f5709a15d8134cc1678f0be6aafe5ac60d3f5c72b107e8d30df1ff11acfa2e", + "search_line": 20 }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 21, - "fileName": "positive6.json" + "line": 5, + "fileName": "positive3.bicep", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'retentionPolicy' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'retentionPolicy' property defined", + "issueType": "MissingAttribute", + "similarityID": "55cd71935dd4bbd18172c33f82d5b1827158df7213c2f7a1ccac3a2f6786c0db", + "search_line": 5 }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 22, - "fileName": "positive6.json" + "line": 15, + "fileName": "positive3.json", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'retentionPolicy' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'retentionPolicy' property defined", + "issueType": "MissingAttribute", + "similarityID": "074c75fd26ec3e6db2f361c871be80ed42971a5f0183396cc9623c77b570213f", + "search_line": 15 }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", 
"severity": "LOW", - "line": 17, - "fileName": "positive7.json" + "line": 5, + "fileName": "positive4.bicep", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined", + "issueType": "MissingAttribute", + "similarityID": "28cb75532dd8b85052b535542f4e9622cd4bb662058023c838dfe44ee3b2c875", + "search_line": 5 }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 17, - "fileName": "positive8.json" + "line": 15, + "fileName": "positive4.json", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined", + "issueType": "MissingAttribute", + "similarityID": "d5b801076cf17d446db0da2203205560729ff231ee51280340653a4ba08bc304", + "search_line": 15 }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", "line": 10, - "fileName": "positive1.bicep" + "fileName": "positive5.bicep", + "resourceType": "Microsoft.Network/networkWatchers/flowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", + "actualValue": "resource with type 
'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90", + "issueType": "IncorrectValue", + "similarityID": "414b71d63523052bc844847ca9a8aa70d95a208aa852a1b203cba8ac5e848da9", + "search_line": 10 }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", "line": 11, - "fileName": "positive1.bicep" + "fileName": "positive5.bicep", + "resourceType": "Microsoft.Network/networkWatchers/flowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.enabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property value set to true", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' set to true", + "issueType": "IncorrectValue", + "similarityID": "30c62b4bb525e534c68bb5158ccba9f57d2c558e03711efd3cfb601c18e2c401", + "search_line": 11 }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 10, - "fileName": "positive2.bicep" + "line": 22, + "fileName": "positive5.json", + "resourceType": "Microsoft.Network/networkWatchers/flowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90", + "issueType": "IncorrectValue", + "similarityID": "bf6cad73168e735f65d8f83ba1976e94f1b8435247d0fa7e912ed254af3f9c75", + "search_line": 22 }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 9, - "fileName": "positive2.bicep" + "line": 23, + "fileName": 
"positive5.json", + "resourceType": "Microsoft.Network/networkWatchers/flowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties.retentionPolicy.enabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property value set to true", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' set to true", + "issueType": "IncorrectValue", + "similarityID": "721a95ee47b12c0112886ddb929fb633cfe9d355d591b1b5896d006da7196416", + "search_line": 23 }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 5, - "fileName": "positive3.bicep" + "line": 9, + "fileName": "positive6.bicep", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined", + "issueType": "MissingAttribute", + "similarityID": "56606198d30d2b76ebf98a3faad927ebe6f4df8ec15d6461b985043e13b572a9", + "search_line": 9 }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 5, - "fileName": "positive4.bicep" + "line": 10, + "fileName": "positive6.bicep", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", + "actualValue": "resource with type 
'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90", + "issueType": "IncorrectValue", + "similarityID": "68d44cadc58ffb18bd403a0344ed7147da1f10372d5c4d730137cfedae795992", + "search_line": 10 }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 10, - "fileName": "positive5.bicep" + "line": 21, + "fileName": "positive6.json", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties.retentionPolicy", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined", + "issueType": "MissingAttribute", + "similarityID": "0effe8f4c22ace714767d1c18202f53eb23e6da9d17bfd61e0ffbf2fe8a21997", + "search_line": 21 }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 11, - "fileName": "positive5.bicep" + "line": 22, + "fileName": "positive6.json", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties.retentionPolicy.days", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'days' property value higher than 90", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'days' property higher than 90", + "issueType": "IncorrectValue", + "similarityID": "4680025b9d6de560150db8d55570f01dc6df05d7d398deb9607b9db4fedfa70a", + "search_line": 22 }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 9, - "fileName": "positive6.bicep" + "line": 
5, + "fileName": "positive7.bicep", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'retentionPolicy' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'retentionPolicy' property defined", + "issueType": "MissingAttribute", + "similarityID": "2dd4fc8d566a7e26919ea3d73150b8081f68b4a829e2c803faacf5f84a8d85c2", + "search_line": 5 }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 10, - "fileName": "positive6.bicep" + "line": 17, + "fileName": "positive7.json", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'retentionPolicy' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'retentionPolicy' property defined", + "issueType": "MissingAttribute", + "similarityID": "1e545a6f692b8669913907ea3b43f0e5d372769eb450aaf003cfb2cebff10d3b", + "search_line": 17 }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", "line": 5, - "fileName": "positive7.bicep" + "fileName": "positive8.bicep", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "resources.name={{flowlogs/sample}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't 
have 'enabled' property defined", + "issueType": "MissingAttribute", + "similarityID": "70f6e9fc3e52b87a5fac290bf9640b487c171585e37a9db7dc30c2e439c3cc91", + "search_line": 5 }, { "queryName": "Unrecommended Network Watcher Flow Log Retention Policy", "severity": "LOW", - "line": 5, - "fileName": "positive8.bicep" + "line": 17, + "fileName": "positive8.json", + "resourceType": "Microsoft.Network/networkWatchers/FlowLogs", + "resourceName": "flowlogs/sample", + "searchKey": "properties.template.resources.name={{flowlogs/sample}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' should have 'enabled' property defined", + "actualValue": "resource with type 'Microsoft.Network/networkWatchers/FlowLogs' doesn't have 'enabled' property defined", + "issueType": "MissingAttribute", + "similarityID": "3afb82f132b4fdc8501566e51a3cc8f86de43a8c47dd26473f5994cd4dc2f439", + "search_line": 17 } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/test/positive_expected_result.json b/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/test/positive_expected_result.json index 239378fb4dd..2f77a924947 100644 --- a/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/web_app_not_using_tls_last_version/test/positive_expected_result.json 
@@ -2,73 +2,181 @@ { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 14, - "filename": "positive1.json" + "line": 6, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "App", + "searchKey": "resources.name=App.properties.siteConfig.minTlsVersion", + "searchValue": "", + "expectedValue": "'siteConfig.minTlsVersion' should be 1.2 or 1.3", + "actualValue": "'minTlsVersion' is not 1.2 or 1.3", + "issueType": "IncorrectValue", + "similarityID": "a3e105c89fccc8390f5b570c6d3d45ba548e9868bd724674a8d8417b689628c6", + "search_line": 6 }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 12, - "filename": "positive2.json" + "line": 14, + "fileName": "positive1.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "App", + "searchKey": "properties.template.resources.name=App.properties.siteConfig.minTlsVersion", + "searchValue": "", + "expectedValue": "'siteConfig.minTlsVersion' should be 1.2 or 1.3", + "actualValue": "'minTlsVersion' is not 1.2 or 1.3", + "issueType": "IncorrectValue", + "similarityID": "a2d5ddea42a75e2c4ff97c99502d7f0c9e6683ab9a9b5846fa3c0f0140f2c620", + "search_line": 14 }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 14, - "filename": "positive3.json" + "line": 4, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "App", + "searchKey": "resources.name=App.properties", + "searchValue": "", + "expectedValue": "'siteConfig.minTlsVersion' should be defined", + "actualValue": "'siteConfig.minTlsVersion' is undefined", + "issueType": "MissingAttribute", + "similarityID": "ed4b40fabb9fb60548473ab0d751e771417cf6c42df3a4e2b920e960690813f7", + "search_line": 4 }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 13, - "filename": "positive4.json" + "line": 12, + "fileName": "positive2.json", + "resourceType": "Microsoft.Web/sites", 
+ "resourceName": "App", + "searchKey": "properties.template.resources.name=App.properties", + "searchValue": "", + "expectedValue": "'siteConfig.minTlsVersion' should be defined", + "actualValue": "'siteConfig.minTlsVersion' is undefined", + "issueType": "MissingAttribute", + "similarityID": "80246a568a8495ce02109004898798fa073f14f2820dcae1d5981778b466774c", + "search_line": 12 }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 17, - "filename": "positive5.json" + "line": 6, + "fileName": "positive3.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "App", + "searchKey": "resources.name=App.properties.siteConfig.minTlsVersion", + "searchValue": "", + "expectedValue": "'siteConfig.minTlsVersion' should be 1.2 or 1.3", + "actualValue": "'minTlsVersion' is not 1.2 or 1.3", + "issueType": "IncorrectValue", + "similarityID": "4c2be6e4efb0f12fcc23dbc8ec0f34aef7615888098899b84e1d1668219f16fa", + "search_line": 6 }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 17, - "filename": "positive6.json" + "line": 14, + "fileName": "positive3.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "App", + "searchKey": "properties.template.resources.name=App.properties.siteConfig.minTlsVersion", + "searchValue": "", + "expectedValue": "'siteConfig.minTlsVersion' should be 1.2 or 1.3", + "actualValue": "'minTlsVersion' is not 1.2 or 1.3", + "issueType": "IncorrectValue", + "similarityID": "976ede44c218293b035cc82f872534220ee1139327238d03a2286ce372498162", + "search_line": 14 }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 6, - "filename": "positive1.bicep" + "line": 5, + "fileName": "positive4.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "App", + "searchKey": "resources.name=App.properties.siteConfig", + "searchValue": "", + "expectedValue": "'minTlsVersion' should be defined", + "actualValue": "'minTlsVersion' is 
undefined", + "issueType": "MissingAttribute", + "similarityID": "5a32905cf5f1f7b5ddbc78e27630bf14a8c3b798c45fc0e001019ca88c392cea", + "search_line": 5 }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 4, - "filename": "positive2.bicep" + "line": 13, + "fileName": "positive4.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "App", + "searchKey": "properties.template.resources.name=App.properties.siteConfig", + "searchValue": "", + "expectedValue": "'minTlsVersion' should be defined", + "actualValue": "'minTlsVersion' is undefined", + "issueType": "MissingAttribute", + "similarityID": "aa6c835947e5ae50cdad9a825e0e2d7de36144c7d9e59ac594cc03f1e7e73b2f", + "search_line": 13 }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 6, - "filename": "positive3.bicep" + "line": 11, + "fileName": "positive5.bicep", + "resourceType": "config", + "resourceName": "web", + "searchKey": "resources.resources.name=web.properties.minTlsVersion", + "searchValue": "", + "expectedValue": "'minTlsVersion' should be defined with the version '1.2' or higher", + "actualValue": "'minTlsVersion' is defined to '1.1'", + "issueType": "IncorrectValue", + "similarityID": "59837726aaebe8dcb70599db53abd3e5f6852ff1e753a104a362424be1dd0858", + "search_line": 11 }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 5, - "filename": "positive4.bicep" + "line": 17, + "fileName": "positive5.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "meuAppService", + "searchKey": "resources.name=meuAppService.properties", + "searchValue": "", + "expectedValue": "'siteConfig.minTlsVersion' should be defined", + "actualValue": "'siteConfig.minTlsVersion' is undefined", + "issueType": "MissingAttribute", + "similarityID": "9eb8bd8ff98f1c39ef96be53ded5f801a56310d97e33b0e512cc30921a2b29db", + "search_line": 17 }, { "queryName": "Web App Not Using TLS Last Version", "severity": 
"MEDIUM", - "line": 11, - "filename": "positive5.bicep" + "line": 10, + "fileName": "positive6.bicep", + "resourceType": "config", + "resourceName": "web", + "searchKey": "resources.resources.name=web.properties", + "searchValue": "", + "expectedValue": "'minTlsVersion' should be defined with the version '1.2' or higher", + "actualValue": "'minTlsVersion' is not defined", + "issueType": "MissingAttribute", + "similarityID": "5c922aa7ce2e982b55a07e68bedc198fae588d6f77bc6a223932dd18f6124197", + "search_line": 10 }, { "queryName": "Web App Not Using TLS Last Version", "severity": "MEDIUM", - "line": 10, - "filename": "positive6.bicep" + "line": 17, + "fileName": "positive6.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "meuAppService", + "searchKey": "resources.name=meuAppService.properties", + "searchValue": "", + "expectedValue": "'siteConfig.minTlsVersion' should be defined", + "actualValue": "'siteConfig.minTlsVersion' is undefined", + "issueType": "MissingAttribute", + "similarityID": "d03b3d292b3a613d86b3fe63831f2c614a2d59d9511f9f244d434e4a31e4b6a9", + "search_line": 17 } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json index a4f6d28793d..e3b52384376 100644 --- a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json 
@@ -2,85 +2,211 @@ { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 10, - "fileName": "positive1.json" + "line": 2, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive2", + "searchKey": "resources.name={{webSitePositive2}}", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined", + "issueType": "MissingAttribute", + "similarityID": "76b41f3d600aee4bd2d1b055fa21ff08fe8228ce544d1dc22a1ac0a07a46a7b4", + "search_line": 2 }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 15, - "fileName": "positive2.json" + "line": 10, + "fileName": "positive1.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive2", + "searchKey": "resources.name={{webSitePositive2}}", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined", + "issueType": "MissingAttribute", + "similarityID": "57979ec88a7adfd2c14b744cb6f590e3f6e2e85501417fab174c64b7219cf8a7", + "search_line": 10 }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 15, - "fileName": "positive3.json" + "line": 5, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive3", + "searchKey": "resources.name={{webSitePositive3}}.identity", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "issueType": 
"IncorrectValue", + "similarityID": "3aa12b236bfe1523304483cc867a4194898bd30c23a33fc86b74d309a8d1b038", + "search_line": 5 }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 12, - "fileName": "positive4.json" + "line": 15, + "fileName": "positive2.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive3", + "searchKey": "resources.name={{webSitePositive3}}.identity", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "issueType": "IncorrectValue", + "similarityID": "c8a45f0735faf73862596070c68eec8da0a4723570e73f6ffc11a43c778d672b", + "search_line": 15 }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 17, - "fileName": "positive5.json" + "line": 5, + "fileName": "positive3.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive3", + "searchKey": "resources.name={{webSitePositive3}}.identity", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", + "issueType": "MissingAttribute", + "similarityID": "f0748b9dbd707e473dcd1708636a7c9248c76ed953f4f5b46977aa9781e29943", + "search_line": 5 }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 17, - "fileName": "positive6.json" + "line": 15, + "fileName": "positive3.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive3", + "searchKey": "resources.name={{webSitePositive3}}.identity", + 
"searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", + "issueType": "MissingAttribute", + "similarityID": "747ad335201d4061d69eada7094ba9f173f4fe626fa8cb2953a6e1d00a2ab121", + "search_line": 15 }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 18, - "fileName": "positive7.json" + "line": 2, + "fileName": "positive4.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive2", + "searchKey": "resources.name={{webSitePositive2}}", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined", + "issueType": "MissingAttribute", + "similarityID": "c7bf8906f8befd31aab212a1658299d51cb888dedec3d3fedaa3c0f3495b79ba", + "search_line": 2 }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 2, - "fileName": "positive1.bicep" + "line": 12, + "fileName": "positive4.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive2", + "searchKey": "properties.template.resources.name={{webSitePositive2}}", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined", + "issueType": "MissingAttribute", + "similarityID": "70c3d9568decfc22df2238fb32fe830d46bf5b2573e0d2fbf4b829e7eb175523", + "search_line": 12 }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", "line": 5, - "fileName": "positive2.bicep" + 
"fileName": "positive5.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive3", + "searchKey": "resources.name={{webSitePositive3}}.identity", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "issueType": "IncorrectValue", + "similarityID": "72bdc70dc871d8fb86f30d5fe9e9904770f4fff3d330ff321a6aa34ad799cc5f", + "search_line": 5 }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 5, - "fileName": "positive3.bicep" + "line": 17, + "fileName": "positive5.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive3", + "searchKey": "properties.template.resources.name={{webSitePositive3}}.identity", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "issueType": "IncorrectValue", + "similarityID": "4ac06f3f8583056f10271d7a56c51e1e1928af55ba7e2503dd805eb07e3d955b", + "search_line": 17 }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 2, - "fileName": "positive4.bicep" + "line": 5, + "fileName": "positive6.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive3", + "searchKey": "resources.name={{webSitePositive3}}.identity", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 
'UserAssigned' and 'userAssignedIdentities' defined", + "issueType": "MissingAttribute", + "similarityID": "2a1e9b47b70afb6642251796452912b3acfd4bf97857361210fafebef5705a65", + "search_line": 5 }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 5, - "fileName": "positive5.bicep" + "line": 17, + "fileName": "positive6.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive3", + "searchKey": "properties.template.resources.name={{webSitePositive3}}.identity", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", + "issueType": "MissingAttribute", + "similarityID": "53f8d94b517921781b20c0f33c384ffc872da7cf0a2c87ec4cbe14893feffe5a", + "search_line": 17 }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", "line": 5, - "fileName": "positive6.bicep" + "fileName": "positive7.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSitePositive7", + "searchKey": "resources.name={{webSitePositive7}}.identity", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "issueType": "IncorrectValue", + "similarityID": "de1ea628d320c2d441aaf1530f3957dca499724b047f6e211062b095b8d8a7a2", + "search_line": 5 }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 5, - "fileName": "positive7.bicep" + "line": 18, + "fileName": "positive7.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": 
"webSitePositive7", + "searchKey": "resources.name={{webSitePositive7}}.identity", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "issueType": "IncorrectValue", + "similarityID": "814698a043814b611e9d269b8d58eac9414a23547fee3d94c82d912aa4a72ea8", + "search_line": 18 } ] diff --git a/assets/queries/azureResourceManager/website_not_forcing_https/test/positive_expected_result.json b/assets/queries/azureResourceManager/website_not_forcing_https/test/positive_expected_result.json index 139dfcbc9e3..b6c6d6473d5 100644 --- a/assets/queries/azureResourceManager/website_not_forcing_https/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/website_not_forcing_https/test/positive_expected_result.json 
@@ -2,49 +2,121 @@ { "queryName": "Website Not Forcing HTTPS", "severity": "MEDIUM", - "line": 15, - "fileName": "positive1.json" + "line": 5, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' property defined", + "issueType": "MissingAttribute", + "similarityID": "6a0de17efd4b187a0b8d5bb42a21f0a415cc75f7c19b0e97370ba84678f7e540", + "search_line": 5 }, { "queryName": "Website Not Forcing HTTPS", "severity": "MEDIUM", - "line": 17, - "fileName": "positive2.json" + "line": 15, + "fileName": "positive1.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' property defined", + "issueType": "MissingAttribute", + "similarityID": "eb986030ef010a28c9f733765ce8316da4487936ffadf70d56df63dd0c2f766b", + "search_line": 15 }, { "queryName": "Website Not Forcing HTTPS", "severity": "MEDIUM", - "line": 17, - "fileName": "positive3.json" + "line": 7, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties.httpsOnly", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' false set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' set to true", + "issueType": "IncorrectValue", + "similarityID": "0592b62d8f508ab67cf563a4c8fc1a62552e3e50031e33a12143a6023186d4e2", + "search_line": 7 }, { 
"queryName": "Website Not Forcing HTTPS", "severity": "MEDIUM", - "line": 19, - "fileName": "positive4.json" + "line": 17, + "fileName": "positive2.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties.httpsOnly", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' false set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' set to true", + "issueType": "IncorrectValue", + "similarityID": "d60f877c98cabde6301c2122a69afbc3d234bd8b5523cc30a4479aced1cffcaa", + "search_line": 17 }, { "queryName": "Website Not Forcing HTTPS", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.bicep" + "fileName": "positive3.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' property defined", + "issueType": "MissingAttribute", + "similarityID": "c51736661d296721187ced005f67d61b3a2327a0fa29cda1d337acaaa2ba0e92", + "search_line": 5 }, { "queryName": "Website Not Forcing HTTPS", "severity": "MEDIUM", - "line": 7, - "fileName": "positive2.bicep" + "line": 17, + "fileName": "positive3.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "properties.template.resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' property defined", + "issueType": "MissingAttribute", + "similarityID": "e70b2445310b195475b5f2a87b0a578ebc364ad629fdffca11ee2cec57294bed", + "search_line": 17 }, { "queryName": 
"Website Not Forcing HTTPS", "severity": "MEDIUM", - "line": 5, - "fileName": "positive3.bicep" + "line": 7, + "fileName": "positive4.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties.httpsOnly", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' false set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' set to true", + "issueType": "IncorrectValue", + "similarityID": "f65f30160ead619397a3c16b66c4d855544ad2b01379cb9d5be3fa963b64f5fc", + "search_line": 7 }, { "queryName": "Website Not Forcing HTTPS", "severity": "MEDIUM", - "line": 7, - "fileName": "positive4.bicep" + "line": 19, + "fileName": "positive4.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "properties.template.resources.name={{webSite}}.properties.httpsOnly", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'httpsOnly' false set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'httpsOnly' set to true", + "issueType": "IncorrectValue", + "similarityID": "8ccb7d2d6da5b3d4c44a6a51d70278bf4070187b05340049f902fbc2a1a27bb6", + "search_line": 19 } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/test/positive_expected_result.json index 0c8d1bb5c60..4e6aa90ce66 100644 --- a/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled/test/positive_expected_result.json 
@@ -2,73 +2,181 @@ { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 15, - "fileName": "positive1.json" + "line": 5, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined", + "issueType": "MissingAttribute", + "similarityID": "c1f6e7dcba95ac53b03b248b87eb00d5a49c137d168a5bd65d4c3ee800fb8845", + "search_line": 5 }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 17, - "fileName": "positive2.json" + "line": 15, + "fileName": "positive1.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined", + "issueType": "MissingAttribute", + "similarityID": "863dc9d5f6558143056c226209d986fe0b5f8ec1cb54ddec7f15ed957f1a7e12", + "search_line": 15 }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 17, - "fileName": "positive3.json" + "line": 7, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties.clientCertEnabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' set to true", + "issueType": 
"IncorrectValue", + "similarityID": "715318e904cea716eb78e0380fa4522038ae6152cdc0cd6ff89a19ad3e81bee4", + "search_line": 7 }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 19, - "fileName": "positive4.json" + "line": 17, + "fileName": "positive2.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties.clientCertEnabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' set to true", + "issueType": "IncorrectValue", + "similarityID": "d96f64f0b16d5ecfad6de74907f3553e2af7ad24cc9e1c02cf20b8dc67e324de", + "search_line": 17 }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 46, - "fileName": "positive5.json" + "line": 5, + "fileName": "positive3.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined", + "issueType": "MissingAttribute", + "similarityID": "1b10b1883936739fb10d55ccfb12c491e74beefdf834adcadf7b1db2ec385b5c", + "search_line": 5 }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 44, - "fileName": "positive6.json" + "line": 17, + "fileName": "positive3.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "properties.template.resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property defined", + 
"actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined", + "issueType": "MissingAttribute", + "similarityID": "5ebd032fc1e560cbb39d64eea0ea07c436b0199d4e9a9efda3772255d7aa7963", + "search_line": 17 }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 5, - "fileName": "positive1.bicep" + "line": 7, + "fileName": "positive4.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties.clientCertEnabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' set to true", + "issueType": "IncorrectValue", + "similarityID": "5552dddb7dc89760c95e6f9ef4b68afaee1a4d3be00f6b92266aa3edafddfdad", + "search_line": 7 }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 7, - "fileName": "positive2.bicep" + "line": 19, + "fileName": "positive4.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "properties.template.resources.name={{webSite}}.properties.clientCertEnabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' set to true", + "issueType": "IncorrectValue", + "similarityID": "c1be3a7051a10c5a3f115de7d5ce18ea2899a7f52c4504dd1391f05e75f6d8eb", + "search_line": 19 }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 5, - "fileName": "positive3.bicep" + "line": 25, + "fileName": "positive5.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "[parameters('siteName')]", + "searchKey": 
"resources.name={{[parameters('siteName')]}}.properties.clientCertEnabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value or 'http20Enabled' field set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' or 'http20Enabled' set to true", + "issueType": "IncorrectValue", + "similarityID": "45f6e4201390fe9807e727d7c989ec66ea2f4a7f8381d283cb29894d5f90b116", + "search_line": 25 }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 7, - "fileName": "positive4.bicep" + "line": 46, + "fileName": "positive5.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "[parameters('siteName')]", + "searchKey": "resources.name={{[parameters('siteName')]}}.properties.clientCertEnabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property value or 'http20Enabled' field set to true", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' or 'http20Enabled' set to true", + "issueType": "IncorrectValue", + "similarityID": "43fefc2ae43fc7563ac01b2b5f6e71d8749f3db59e6863d0bd41d13655fb3193", + "search_line": 46 }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 25, - "fileName": "positive5.bicep" + "line": 23, + "fileName": "positive6.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "[parameters('siteName')]", + "searchKey": "resources.name={{[parameters('siteName')]}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined", + "issueType": "MissingAttribute", + "similarityID": 
"656db5ff1e8af5c3aefcf1392885c8d28ad4de7c2713beef7c25b519d0a56d8a", + "search_line": 23 }, { "queryName": "Website with Client Certificate Auth Disabled", "severity": "MEDIUM", - "line": 23, - "fileName": "positive6.bicep" + "line": 44, + "fileName": "positive6.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "[parameters('siteName')]", + "searchKey": "resources.name={{[parameters('siteName')]}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'clientCertEnabled' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'clientCertEnabled' property defined", + "issueType": "MissingAttribute", + "similarityID": "0b8aeb722b43dbc81ef45ae6fc6ed565aca01c4aa169523687aea723558dbc28", + "search_line": 44 } -] \ No newline at end of file +] diff --git a/assets/queries/azureResourceManager/website_with_http20enabled_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/website_with_http20enabled_disabled/test/positive_expected_result.json index d0b031f4309..1b73429ebe9 100644 --- a/assets/queries/azureResourceManager/website_with_http20enabled_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/website_with_http20enabled_disabled/test/positive_expected_result.json 
@@ -2,73 +2,181 @@ { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 15, - "fileName": "positive1.json" + "line": 5, + "fileName": "positive1.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'siteConfig' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'siteConfig' property defined", + "issueType": "MissingAttribute", + "similarityID": "dddc0ae9345bc05ddeabe2007448b276a8d3c169c588bce0daa977631ad27239", + "search_line": 5 }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 19, - "fileName": "positive2.json" + "line": 15, + "fileName": "positive1.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'siteConfig' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'siteConfig' property defined", + "issueType": "MissingAttribute", + "similarityID": "5cd243d6e10e950337457f657e7c01d9dea5a940bae14d15b9be07e75ed6a0af", + "search_line": 15 }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 18, - "fileName": "positive3.json" + "line": 9, + "fileName": "positive2.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.type={{Microsoft.Web/sites}}.properties.siteConfig.http20Enabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property value set to true in siteConfig", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' set to true in siteConfig", + "issueType": "IncorrectValue", + 
"similarityID": "7afacee32d5eac0fe3fbd3e5c27bf798f6bd11bf73415911638519ed28526baf", + "search_line": 9 }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 17, - "fileName": "positive4.json" + "line": 19, + "fileName": "positive2.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.type={{Microsoft.Web/sites}}.properties.siteConfig.http20Enabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property value set to true in siteConfig", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' set to true in siteConfig", + "issueType": "IncorrectValue", + "similarityID": "e1748439968fd29eb6996b91da4179c97b99126344cb6e5da415b5637a00aad8", + "search_line": 19 }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 21, - "fileName": "positive5.json" + "line": 8, + "fileName": "positive3.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties.siteConfig", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property defined in siteConfig", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' property defined in siteConfig", + "issueType": "MissingAttribute", + "similarityID": "16d7c10b7f6ec9f6283cea066c4e87406ac7dccec36f7dc74bd4133e03bec304", + "search_line": 8 }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 20, - "fileName": "positive6.json" + "line": 18, + "fileName": "positive3.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties.siteConfig", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property defined 
in siteConfig", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' property defined in siteConfig", + "issueType": "MissingAttribute", + "similarityID": "fb07a7db7f5bd93fa0a5c83f0fb14cc39f88975b43721773b18e3eff09141836", + "search_line": 18 }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", "line": 5, - "fileName": "positive1.bicep" + "fileName": "positive4.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'siteConfig' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'siteConfig' property defined", + "issueType": "MissingAttribute", + "similarityID": "d4e73b3c9abfa6ca148fb1b9c9cb9fd3c9a0de1e51d9a9eb3eb2751ce2c6800b", + "search_line": 5 }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 9, - "fileName": "positive2.bicep" + "line": 17, + "fileName": "positive4.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "properties.template.resources.name={{webSite}}.properties", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'siteConfig' property defined", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'siteConfig' property defined", + "issueType": "MissingAttribute", + "similarityID": "7118bde3834e618884f394ed4db74ce8cab2b19cee9dc5c04ab94b0f4b0a6661", + "search_line": 17 }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 8, - "fileName": "positive3.bicep" + "line": 9, + "fileName": "positive5.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.type={{Microsoft.Web/sites}}.properties.siteConfig.http20Enabled", + "searchValue": "", + "expectedValue": 
"resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property value set to true in siteConfig", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' set to true in siteConfig", + "issueType": "IncorrectValue", + "similarityID": "dabc2b1c035a5e71a9f8598558e8f9eaa48094063bf5e39483dc845c2b33b77a", + "search_line": 9 }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 5, - "fileName": "positive4.bicep" + "line": 21, + "fileName": "positive5.json", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.type={{Microsoft.Web/sites}}.properties.siteConfig.http20Enabled", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property value set to true in siteConfig", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' set to true in siteConfig", + "issueType": "IncorrectValue", + "similarityID": "37a2353923542427e225b1eef3471bf29ae1b4f379a0105e1897c6e035017006", + "search_line": 21 }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 9, - "fileName": "positive5.bicep" + "line": 8, + "fileName": "positive6.bicep", + "resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "resources.name={{webSite}}.properties.siteConfig", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property defined in siteConfig", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' property defined in siteConfig", + "issueType": "MissingAttribute", + "similarityID": "ba4f0775ee337471d52d38f97ebf1974a392d405cc3daee555f43947f6215344", + "search_line": 8 }, { "queryName": "Website with 'Http20Enabled' Disabled", "severity": "LOW", - "line": 8, - "fileName": "positive6.bicep" + "line": 20, + "fileName": "positive6.json", + 
"resourceType": "Microsoft.Web/sites", + "resourceName": "webSite", + "searchKey": "properties.template.resources.name={{webSite}}.properties.siteConfig", + "searchValue": "", + "expectedValue": "resource with type 'Microsoft.Web/sites' should have the 'http20Enabled' property defined in siteConfig", + "actualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'http20Enabled' property defined in siteConfig", + "issueType": "MissingAttribute", + "similarityID": "7d615d8f4aca9985fef9ea8cdb667c5d08687f24f74751e67bf94498f7a94a21", + "search_line": 20 } ] diff --git a/assets/queries/buildah/run_using_apt/test/positive_expected_result.json b/assets/queries/buildah/run_using_apt/test/positive_expected_result.json index b170be0f78e..10e992ffd70 100644 --- a/assets/queries/buildah/run_using_apt/test/positive_expected_result.json +++ b/assets/queries/buildah/run_using_apt/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Run Using apt", "severity": "LOW", "line": 3, - "fileName": "positive.sh" + "fileName": "positive.sh", + "resourceType": "", + "resourceName": "", + "searchKey": "from[{{fedora}}].{{buildah run ${c} apt install python3-setuptools -y}}", + "searchValue": "", + "expectedValue": "RUN instructions should not use the 'apt' program", + "actualValue": "RUN instruction is invoking the 'apt' program", + "issueType": "IncorrectValue", + "similarityID": "679a316442efb4312fedfc9118696c4243b334bf86530dad2fd947394fe61a9c", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json b/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json index d286f9fe022..51d52ae0e8d 100644 --- a/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json +++ b/assets/queries/cicd/github/run_block_injection/test/positive_expected_result.json 
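Review bot: The IncorrectValue entries in this fixture (positive2 and positive5, both .bicep and .json) carry a `searchKey` of `resources.type={{Microsoft.Web/sites}}.properties.siteConfig.http20Enabled`, keyed on the resource type, while the MissingAttribute entries for the same test files use `resources.name={{webSite}}...`. A type-keyed searchKey is identical for every Microsoft.Web/sites resource in a template, so two sites with http20Enabled set to false in one file would presumably share a searchKey and, if the similarity ID is derived from it, could be hard to tell apart or collapse to one finding. I'd align the query's IncorrectValue branch on `resources.name={{webSite}}.properties.siteConfig.http20Enabled` and regenerate these entries; since this file is produced by the generator script added in the PR, that is a query change rather than a hand edit here.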
@@ -3,48 +3,120 @@ "queryName": "Run Block Injection", "severity": "HIGH", "line": 10, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "run={{if [ \"${{ github.event.issue.body }}\" ]; then\n if [[ \"${{ github.event.issue.title }}\" =~ ^\\[Auto\\]* ]]; then\n :\n else\n echo \"This issue does not need to generate a markdown file.\" 1>&2\n exit 1;\n fi;\nelse\n echo \"The description of the issue is empty.\" 1>&2\n exit 1;\nfi;\n}}", + "searchValue": "github.event.issue.body", + "expectedValue": "Run block does not contain dangerous input controlled by user.", + "actualValue": "Run block contains dangerous input controlled by user.", + "issueType": "IncorrectValue", + "similarityID": "0f773966eb88be045738d41c4c7ee1e38798d47990fc2e6a9f58231619044449", + "search_line": 10 }, { "queryName": "Run Block Injection", "severity": "HIGH", "line": 10, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "run={{if [ \"${{ github.event.issue.body }}\" ]; then\n if [[ \"${{ github.event.issue.title }}\" =~ ^\\[Auto\\]* ]]; then\n :\n else\n echo \"This issue does not need to generate a markdown file.\" 1>&2\n exit 1;\n fi;\nelse\n echo \"The description of the issue is empty.\" 1>&2\n exit 1;\nfi;\n}}", + "searchValue": "github.event.issue.title", + "expectedValue": "Run block does not contain dangerous input controlled by user.", + "actualValue": "Run block contains dangerous input controlled by user.", + "issueType": "IncorrectValue", + "similarityID": "f077832391af7e9d3a8463e122ea71f6dac5810b4cde24db9a69336783194220", + "search_line": 10 }, { "queryName": "Run Block Injection", "severity": "HIGH", "line": 13, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "run={{echo \"Pull Request Body: ${{ github.event.pull_request.body }}\"\n}}", + "searchValue": 
"github.event.pull_request.body", + "expectedValue": "Run block does not contain dangerous input controlled by user.", + "actualValue": "Run block contains dangerous input controlled by user.", + "issueType": "IncorrectValue", + "similarityID": "52dc1aaad31937470da62b0de12e4683589ed6d859f71c406dfd0302e600fe62", + "search_line": 13 }, { "queryName": "Run Block Injection", "severity": "HIGH", "line": 13, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "run={{echo \"Issue Comment Body: ${{ github.event.comment.body }}\"\n}}", + "searchValue": "github.event.comment.body", + "expectedValue": "Run block does not contain dangerous input controlled by user.", + "actualValue": "Run block contains dangerous input controlled by user.", + "issueType": "IncorrectValue", + "similarityID": "c744e65590333fea5763a3f05a7163691912d9f5e276adcd913778565427f75e", + "search_line": 13 }, { "queryName": "Run Block Injection", "severity": "HIGH", "line": 13, - "fileName": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "run={{echo \"Discussion Title: ${{ github.event.discussion.title }}\"\n}}", + "searchValue": "github.event.discussion.title", + "expectedValue": "Run block does not contain dangerous input controlled by user.", + "actualValue": "Run block contains dangerous input controlled by user.", + "issueType": "IncorrectValue", + "similarityID": "b2092967df2fee24ae366bb1fcb36580f981cd856ce3bdbeb0dad67e23c9beac", + "search_line": 13 }, { "queryName": "Run Block Injection", "severity": "HIGH", "line": 13, - "fileName": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "run={{echo \"Discussion Comment Body: ${{ github.event.comment.body }}\"\n}}", + "searchValue": "github.event.comment.body", + "expectedValue": "Run block does not contain dangerous input controlled by user.", + "actualValue": "Run 
block contains dangerous input controlled by user.", + "issueType": "IncorrectValue", + "similarityID": "fe7ea4c0aeb26f65726900931561b8242e8064f57eedb3f33a0f35e4b9cc4698", + "search_line": 13 }, { "queryName": "Run Block Injection", "severity": "HIGH", "line": 13, - "fileName": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "run={{echo \"Author's Name: ${{ github.event.authors.name }}\"\n}}", + "searchValue": "github.*.authors.name", + "expectedValue": "Run block does not contain dangerous input controlled by user.", + "actualValue": "Run block contains dangerous input controlled by user.", + "issueType": "IncorrectValue", + "similarityID": "9013cc77c95a519e054311d946c0936b8f4ef572ef24aa42340e8b5f8da1ec96", + "search_line": 13 }, { "queryName": "Run Block Injection", "severity": "HIGH", "line": 13, - "fileName": "positive7.yaml" + "fileName": "positive7.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "run={{echo \"Workflow Run Path: ${{ github.event.workflow.path }}\"\n}}", + "searchValue": "github.event.workflow.path", + "expectedValue": "Run block does not contain dangerous input controlled by user.", + "actualValue": "Run block contains dangerous input controlled by user.", + "issueType": "IncorrectValue", + "similarityID": "d766181ce75b7bcad754b7a79aaeee8f8da2ad4bdb91e2b371f5527e326f1f0d", + "search_line": 13 } ] diff --git a/assets/queries/cicd/github/script_block_injection/test/positive_expected_result.json b/assets/queries/cicd/github/script_block_injection/test/positive_expected_result.json index cd44b6b0881..4afa2f7e36b 100644 --- a/assets/queries/cicd/github/script_block_injection/test/positive_expected_result.json +++ b/assets/queries/cicd/github/script_block_injection/test/positive_expected_result.json 
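Review bot: The positive6.yaml entry pins `searchValue` as `github.*.authors.name`, which looks like the rule's wildcard pattern, whereas every other entry in this file reports the literal expression found in the run block (`github.event.issue.body`, `github.event.comment.body`, and so on). For positive6 the run block visibly contains `${{ github.event.authors.name }}`, so the concrete expression is available and would be the more actionable value to report and to feed into the similarity ID. Unless the pattern form is intentional, I'd have the query emit the matched expression and regenerate this entry; the same shape appears for positive7 in the script_block_injection fixture.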
@@ -1,44 +1,107 @@ [ - { - "queryName": "Script Block Injection", - "severity": "HIGH", - "line": 17, - "fileName": "positive1.yaml" - }, - { - "queryName": "Script Block Injection", - "severity": "HIGH", - "line": 17, - "fileName": "positive2.yaml" - }, - { - "queryName": "Script Block Injection", - "severity": "HIGH", - "line": 17, - "fileName": "positive3.yaml" - }, - { - "queryName": "Script Block Injection", - "severity": "HIGH", - "line": 17, - "fileName": "positive4.yaml" - }, - { - "queryName": "Script Block Injection", - "severity": "HIGH", - "line": 17, - "fileName": "positive5.yaml" - }, - { - "queryName": "Script Block Injection", - "severity": "HIGH", - "line": 17, - "fileName": "positive6.yaml" - }, - { - "queryName": "Script Block Injection", - "severity": "HIGH", - "line": 17, - "fileName": "positive7.yaml" - } + { + "queryName": "Script Block Injection", + "severity": "HIGH", + "line": 17, + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.issue.title }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", + "searchValue": "github.event.issue.title", + "expectedValue": "Script block does not contain dangerous input controlled by user.", + "actualValue": "Script block contains dangerous input controlled by user.", + "issueType": "IncorrectValue", + "similarityID": "b472d93958d74770d0153959e0d817fc8a861a3011a87d48a499b728519c9fd6", + "search_line": 17 + }, + { + "queryName": "Script Block Injection", + "severity": "HIGH", + "line": 17, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.pull_request.title }}.txt', {encoding: 
'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", + "searchValue": "github.event.pull_request.title", + "expectedValue": "Script block does not contain dangerous input controlled by user.", + "actualValue": "Script block contains dangerous input controlled by user.", + "issueType": "IncorrectValue", + "similarityID": "b87888b344b6cff8edc1d1fc29062354474a4fa1ef6ae47e7db4021e01ba0b03", + "search_line": 17 + }, + { + "queryName": "Script Block Injection", + "severity": "HIGH", + "line": 17, + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.issue.title }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", + "searchValue": "github.event.issue.title", + "expectedValue": "Script block does not contain dangerous input controlled by user.", + "actualValue": "Script block contains dangerous input controlled by user.", + "issueType": "IncorrectValue", + "similarityID": "aecc0263b1348f0c5f97fab8c7bb59b9474b34db571b382af41b33debb2d6e80", + "search_line": 17 + }, + { + "queryName": "Script Block Injection", + "severity": "HIGH", + "line": 17, + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.discussion.title }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", + "searchValue": "github.event.discussion.title", + "expectedValue": 
"Script block does not contain dangerous input controlled by user.", + "actualValue": "Script block contains dangerous input controlled by user.", + "issueType": "IncorrectValue", + "similarityID": "32628f6f985121ba009cc0dbddaee715b3b11b1c3df65815b40fef456f9dadd8", + "search_line": 17 + }, + { + "queryName": "Script Block Injection", + "severity": "HIGH", + "line": 17, + "fileName": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.discussion.title }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", + "searchValue": "github.event.discussion.title", + "expectedValue": "Script block does not contain dangerous input controlled by user.", + "actualValue": "Script block contains dangerous input controlled by user.", + "issueType": "IncorrectValue", + "similarityID": "c085d838ed90c8903449a94e9b17cac86e3bfa25c7b8f7802cc5b1db5b025556", + "search_line": 17 + }, + { + "queryName": "Script Block Injection", + "severity": "HIGH", + "line": 17, + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.workflow.path }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", + "searchValue": "github.event.workflow.path", + "expectedValue": "Script block does not contain dangerous input controlled by user.", + "actualValue": "Script block contains dangerous input controlled by user.", + "issueType": "IncorrectValue", + "similarityID": "7d45b831d545a6ee8fc00e808112fa9038406f7d444a890e0e18bc73ca60663f", + 
"search_line": 17 + }, + { + "queryName": "Script Block Injection", + "severity": "HIGH", + "line": 17, + "fileName": "positive7.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "script={{const fs = require('fs');\nconst body = fs.readFileSync('/tmp/${{ github.event.authors.name }}.txt', {encoding: 'utf8'});\n\nawait github.rest.issues.createComment({\n issue_number: context.issue.number,\n owner: context.repo.owner,\n repo: context.repo.repo,\n body: 'Thanks for reporting!'\n})\n\nreturn true;\n}}", + "searchValue": "github.*.authors.name", + "expectedValue": "Script block does not contain dangerous input controlled by user.", + "actualValue": "Script block contains dangerous input controlled by user.", + "issueType": "IncorrectValue", + "similarityID": "bba30b5a5775bd6c9e989ee710821d145e18cec9b1e03cf2828d44f4c8fd1525", + "search_line": 17 + } ] diff --git a/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/test/positive_expected_result.json b/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/test/positive_expected_result.json index 239e93bff3d..71cc952112a 100644 --- a/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/test/positive_expected_result.json +++ b/assets/queries/cicd/github/unpinned_actions_full_length_commit_sha/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Unpinned Actions Full Length Commit SHA", "severity": "LOW", "line": 12, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "uses={{thollander/actions-comment-pull-request@v2}}", + "searchValue": "", + "expectedValue": "Action pinned to a full length commit SHA.", + "actualValue": "Action is not pinned to a full length commit SHA.", + "issueType": "IncorrectValue", + "similarityID": "c9bb241500f8b70915ba77a5239bff4f4aa9cdf481921e955351b249155b5ef8", + "search_line": 12 } -] \ No newline at end of file +] 
diff --git a/assets/queries/cicd/github/unsecured_commands/test/positive_expected_result.json b/assets/queries/cicd/github/unsecured_commands/test/positive_expected_result.json index cf333643e72..537aebb3f12 100644 --- a/assets/queries/cicd/github/unsecured_commands/test/positive_expected_result.json +++ b/assets/queries/cicd/github/unsecured_commands/test/positive_expected_result.json 
@@ -1,20 +1,47 @@ [ - { - "queryName": "Unsecured Commands", - "severity": "MEDIUM", - "line": 8, - "fileName": "positive1.yaml" - }, - { - "queryName": "Unsecured Commands", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive2.yaml" - }, - { - "queryName": "Unsecured Commands", - "severity": "MEDIUM", - "line": 16, - "fileName": "positive3.yaml" - } + { + "queryName": "Unsecured Commands", + "severity": "MEDIUM", + "line": 8, + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "env.actions_allow_unsecure_commands={{true}}", + "searchValue": "", + "expectedValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is not set as true.", + "actualValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is set as true.", + "issueType": "IncorrectValue", + "similarityID": "85b60386025039f46b4f6f518f66af453d2854f5c3a90e7d5e065a6489b8f00f", + "search_line": 8 + }, + { + "queryName": "Unsecured Commands", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "env.actions_allow_unsecure_commands={{true}}", + "searchValue": "", + "expectedValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is not set as true.", + "actualValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is set as true.", + "issueType": "IncorrectValue", + "similarityID": "bea11b836744fcf58ed143d0f4fac2887fbf48cd05ea4bbb842e59324d9b8482", + "search_line": 11 + }, + { + "queryName": "Unsecured Commands", + "severity": "MEDIUM", + "line": 16, + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "env.actions_allow_unsecure_commands={{true}}", + "searchValue": "", + "expectedValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is not set as true.", + "actualValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is set as true.", + "issueType": "IncorrectValue", + "similarityID": 
"a4f11028626902511f4ab9e50109138b858dd201e91fb6417918d81de5a699d9", + "search_line": 16 + } ] diff --git a/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/test/positive_expected_result.json index 141986e6d6a..92129bdde28 100644 --- a/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "High Access Key Rotation Period", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Config::ConfigRule", + "resourceName": "access-keys-rotated", + "searchKey": "Resources.ConfigRule.Properties.InputParameters.maxAccessKeyAge", + "searchValue": "", + "expectedValue": "Resources.ConfigRule.InputParameters.maxAccessKeyAge should be less or equal to 90 (days)", + "actualValue": "Resources.ConfigRule.InputParameters.maxAccessKeyAge is more than 90 (days).", + "issueType": "IncorrectValue", + "similarityID": "6bc99eb87d140a4465de9e2d48d62ac5069ae27615c3a15f0cf36e3c9a16375e", + "search_line": -1 }, { - "fileName": "positive2.json", "queryName": "High Access Key Rotation Period", "severity": "MEDIUM", - "line": 8 + "line": 8, + "fileName": "positive2.json", + "resourceType": "AWS::Config::ConfigRule", + "resourceName": "access-keys-rotated", + "searchKey": "Resources.ConfigRule.Properties.InputParameters.maxAccessKeyAge", + "searchValue": "", + "expectedValue": "Resources.ConfigRule.InputParameters.maxAccessKeyAge should be less or equal to 90 (days)", + "actualValue": "Resources.ConfigRule.InputParameters.maxAccessKeyAge is more than 90 (days).", + "issueType": "IncorrectValue", + "similarityID": "1e665019adeec5cdeb91ae96e921fda9a580d7daefe4c492861f81ec1fa25ba9", + "search_line": -1 } ] 
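Review bot: The `expectedValue` and `actualValue` strings in both entries reference `Resources.ConfigRule.InputParameters.maxAccessKeyAge`, but the `searchKey` on the same entries is `Resources.ConfigRule.Properties.InputParameters.maxAccessKeyAge`; the message path drops the `Properties` segment, so it does not match the location the finding points at. Both entries also report `search_line: -1` while `line` is 7 and 8, which suggests the query does not populate searchLine and the line comes from key resolution; worth confirming that is intended before pinning it. If the message is corrected in the query, this fixture should be regenerated rather than hand-edited.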
diff --git a/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json index 752bfdd1cca..c1b45ac0122 100644 --- a/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "ALB Is Not Integrated With WAF", "severity": "MEDIUM", "line": 3, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer22", + "searchKey": "Resources.MyLoadBalancer22", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer22' should not have an 'internal' scheme and should have a 'WebACLAssociation' associated", + "actualValue": "'Resources.MyLoadBalancer22' does not have an 'internal' scheme and a 'WebACLAssociation' associated", + "issueType": "MissingAttribute", + "similarityID": "e09ae0aadbeae9d0cd6d629e533ad0a1a75fd90602ea88a2e827ba9e7c0e338a", + "search_line": -1 }, { - "fileName": "positive2.yaml", "queryName": "ALB Is Not Integrated With WAF", "severity": "MEDIUM", - "line": 3 + "line": 3, + "fileName": "positive2.yaml", + "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "resourceName": "myloadbalancerv2", + "searchKey": "Resources.MyLoadBalancerV2", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancerV2' should not have an 'internal' scheme and should have a 'WebACLAssociation' associated", + "actualValue": "'Resources.MyLoadBalancerV2' does not have an 'internal' scheme and a 'WebACLAssociation' associated", + "issueType": "MissingAttribute", + "similarityID": "935ecfea379e406be2fbcdf0f00f0f9bd3cf4b47cfa87e69fab803e6adb395ca", + "search_line": -1 }, { - "fileName": "positive3.json", "queryName": "ALB Is Not Integrated With WAF", "severity": "MEDIUM", - "line": 4 + "line": 4, + "fileName": "positive3.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer22222222", + "searchKey": "Resources.MyLoadBalancer22222222", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer22222222' should not have an 'internal' scheme and should have a 'WebACLAssociation' associated", + "actualValue": "'Resources.MyLoadBalancer22222222' does not 
have an 'internal' scheme and a 'WebACLAssociation' associated", + "issueType": "MissingAttribute", + "similarityID": "d8024dc78f4a06b4d6f10e95b29c17f50ffecb93d1b3d43d4c17c094a12bf149", + "search_line": -1 }, { "queryName": "ALB Is Not Integrated With WAF", "severity": "MEDIUM", "line": 4, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "resourceName": "myloadbalancerv2", + "searchKey": "Resources.MyLoadBalancerV22222", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancerV22222' should not have an 'internal' scheme and should have a 'WebACLAssociation' associated", + "actualValue": "'Resources.MyLoadBalancerV22222' does not have an 'internal' scheme and a 'WebACLAssociation' associated", + "issueType": "MissingAttribute", + "similarityID": "6e6ec505b6432081832bb7991f4c43cb39a0a9f8a4fd2beddafadf59f3808af7", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/alb_listening_on_http/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/alb_listening_on_http/test/positive_expected_result.json index 04e2f4531a9..3d1b1abaf1d 100644 --- a/assets/queries/cloudFormation/aws/alb_listening_on_http/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/alb_listening_on_http/test/positive_expected_result.json 
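Review bot: Two of the four positives here (positive1.yaml, positive3.json) are `AWS::ElasticLoadBalancing::LoadBalancer` resources, i.e. Classic Load Balancers, yet the pinned `expectedValue` tells the user the resource should have a `WebACLAssociation`. As far as I know AWS WAF web ACLs cannot be associated with a Classic Load Balancer (only ALB, CloudFront, API Gateway and a few other resource types), so for those two entries the finding has no remediation other than migrating to an ELBv2 application load balancer, which the message does not say. Consider either restricting the query to `AWS::ElasticLoadBalancingV2::LoadBalancer` with an application `Type`, or giving the classic-ELB branch its own message, and regenerating this fixture afterwards. The `resourceName` for the V2 entries (`myloadbalancerv2`) also differs in case from the logical ID in `searchKey`, presumably because it is taken from the Name property rather than the logical ID; worth a quick check that this is the intended source.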
@@ -1,32 +1,77 @@ [ { - "fileName": "positive1.yaml", "queryName": "ALB Listening on HTTP", "severity": "MEDIUM", - "line": 25 + "line": 13, + "fileName": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Listeners.Protocol=HTTP", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Listeners.Protocol' should not equal to 'HTTP'", + "actualValue": "'Resources.MyLoadBalancer.Listeners.Protocol' equals to 'HTTP'", + "issueType": "IncorrectValue", + "similarityID": "11e116344c3fc1cb66e5ba3965ce21bb42be676297259d9db7d7afd37f14a5fb", + "search_line": 13 }, { - "fileName": "positive1.yaml", "queryName": "ALB Listening on HTTP", "severity": "MEDIUM", - "line": 13 + "line": 25, + "fileName": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancingV2::Listener", + "resourceName": "HTTPlistener", + "searchKey": "Resources.HTTPlistener.Properties.Protocol=HTTP", + "searchValue": "", + "expectedValue": "'Resources.HTTPlistener.Protocol' should not equal to 'HTTP'", + "actualValue": "'Resources.HTTPlistener.Protocol' equals to 'HTTP'", + "issueType": "IncorrectValue", + "similarityID": "8ac0a22227f13ac440cb5927924e73dc3f66a9045f012092145ba601e88a0f7a", + "search_line": 25 }, { - "line": 35, - "fileName": "positive2.json", "queryName": "ALB Listening on HTTP", - "severity": "MEDIUM" - }, - { + "severity": "MEDIUM", "line": 9, "fileName": "positive2.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Listeners.Protocol=HTTP", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Listeners.Protocol' should not equal to 'HTTP'", + "actualValue": "'Resources.MyLoadBalancer.Listeners.Protocol' equals to 'HTTP'", + "issueType": "IncorrectValue", + "similarityID": "147084d49c5c0df6d63bbd9c3671c75463866e10d564f8fd7ebbf300b0bcd231", + 
"search_line": 9 + }, + { "queryName": "ALB Listening on HTTP", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 35, + "fileName": "positive2.json", + "resourceType": "AWS::ElasticLoadBalancingV2::Listener", + "resourceName": "HTTPlistener", + "searchKey": "Resources.HTTPlistener.Properties.Protocol=HTTP", + "searchValue": "", + "expectedValue": "'Resources.HTTPlistener.Protocol' should not equal to 'HTTP'", + "actualValue": "'Resources.HTTPlistener.Protocol' equals to 'HTTP'", + "issueType": "IncorrectValue", + "similarityID": "43fc448a9e5e7dd9c8b08227962599dea46d50d9800324665aafb283e1fa9896", + "search_line": 35 }, { "queryName": "ALB Listening on HTTP", "severity": "MEDIUM", "line": 16, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::ElasticLoadBalancingV2::Listener", + "resourceName": "HTTPlistener", + "searchKey": "Resources.HTTPlistener.Properties.Protocol=HTTP", + "searchValue": "", + "expectedValue": "'Resources.HTTPlistener.Protocol' should not equal to 'HTTP'", + "actualValue": "'Resources.HTTPlistener.Protocol' equals to 'HTTP'", + "issueType": "IncorrectValue", + "similarityID": "ed9f4ae9233e2985d6140beac9aaf22fa028352429aecaad0229c4189828a19c", + "search_line": 16 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/test/positive_expected_result.json index 71586537796..0e78c643959 100644 --- a/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed/test/positive_expected_result.json 
@@ -1,14 +1,32 @@ [ { - "fileName": "positive1.yaml", "queryName": "Alexa Skill Plaintext Client Secret Exposed", "severity": "MEDIUM", - "line": 17 + "line": 17, + "fileName": "positive1.yaml", + "resourceType": "Alexa::ASK::Skill", + "resourceName": "MySkill", + "searchKey": "Resources.MySkill.Properties.AuthenticationConfiguration.ClientSecret", + "searchValue": "", + "expectedValue": "'Resources.MySkill.Properties.ClientSecret' should start with '{{resolve:secretsmanager:' or '{{resolve:ssm-secure:'", + "actualValue": "'Resources.MySkill.Properties.ClientSecret' does not start with '{{resolve:secretsmanager:' or '{{resolve:ssm-secure:'", + "issueType": "IncorrectValue", + "similarityID": "92e364a9a0879b59aeadebd0917f203a9f2a870c7bb0e1ef2f7324a3d52cbe39", + "search_line": -1 }, { "queryName": "Alexa Skill Plaintext Client Secret Exposed", "severity": "MEDIUM", "line": 24, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "Alexa::ASK::Skill", + "resourceName": "MySkill", + "searchKey": "Resources.MySkill.Properties.AuthenticationConfiguration.ClientSecret", + "searchValue": "", + "expectedValue": "'Resources.MySkill.Properties.ClientSecret' should start with '{{resolve:secretsmanager:' or '{{resolve:ssm-secure:'", + "actualValue": "'Resources.MySkill.Properties.ClientSecret' does not start with '{{resolve:secretsmanager:' or '{{resolve:ssm-secure:'", + "issueType": "IncorrectValue", + "similarityID": "838b5c96610cb38832c38ffe6d81e13b1cbb19ed6adf8a744fe6a63dd13e9b17", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json index b6f9e0c14ad..83deb7be9b2 100644 --- a/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json 
+++ b/assets/queries/cloudFormation/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "Amazon DMS Replication Instance Is Publicly Accessible", "severity": "CRITICAL", "line": 9, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::DMS::ReplicationInstance", + "resourceName": "ReplicationInstance", + "searchKey": "Resources.ReplicationInstance.Properties.PubliclyAccessible", + "searchValue": "", + "expectedValue": "Resources.ReplicationInstance.Properties.PubliclyAccessible should be defined to 'false'", + "actualValue": "Resources.ReplicationInstance.Properties.PubliclyAccessible is defined to 'true", + "issueType": "IncorrectValue", + "similarityID": "c4b8a59faa522b7ec0207d1d5e69aab65c0b0bd6a1d15b0765b7cc703901d7fa", + "search_line": 9 }, { "queryName": "Amazon DMS Replication Instance Is Publicly Accessible", "severity": "CRITICAL", "line": 4, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::DMS::ReplicationInstance", + "resourceName": "ReplicationInstance", + "searchKey": "Resources.ReplicationInstance.Properties", + "searchValue": "", + "expectedValue": "Resources.ReplicationInstance.Properties.PubliclyAccessible should be defined to 'false'", + "actualValue": "Resources.ReplicationInstance.Properties.PubliclyAccessible is not defined", + "issueType": "MissingAttribute", + "similarityID": "5dd95cfa554a0ec0fdf27545b024ddd944a4535be65f4a0202bd87996a4c6c6d", + "search_line": -1 }, { "queryName": "Amazon DMS Replication Instance Is Publicly Accessible", "severity": "CRITICAL", "line": 9, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::DMS::ReplicationInstance", + "resourceName": "ReplicationInstance", + "searchKey": "Resources.ReplicationInstance.Properties.PubliclyAccessible", + "searchValue": "", + "expectedValue": "Resources.ReplicationInstance.Properties.PubliclyAccessible should be defined to 'false'", + "actualValue": "Resources.ReplicationInstance.Properties.PubliclyAccessible is defined to 'true", + 
"issueType": "IncorrectValue", + "similarityID": "631f26fcf01c458be8ca5965a19874fd6f5b76f77fba4fb7e071baafbdd23c5b", + "search_line": 9 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json index 23eaadc63ed..501f4454687 100644 --- a/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "AmazonMQ Broker Encryption Disabled", "severity": "HIGH", "line": 6, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker.Properties.EncryptionOptions", + "searchValue": "", + "expectedValue": "Resources.BasicBroker.Properties.EncryptionOptions should be defined", + "actualValue": "Resources.BasicBroker.Properties.EncryptionOptions is not defined", + "issueType": "MissingAttribute", + "similarityID": "ce9cc2369ef0986b19ab4e627250e1888e0461c03d739a99772519659cfa67d0", + "search_line": -1 }, { "queryName": "AmazonMQ Broker Encryption Disabled", "severity": "HIGH", "line": 7, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker.Properties.EncryptionOptions", + "searchValue": "", + "expectedValue": "Resources.BasicBroker.Properties.EncryptionOptions should be defined", + "actualValue": "Resources.BasicBroker.Properties.EncryptionOptions is not defined", + "issueType": "MissingAttribute", + "similarityID": "d1260fcced563560449fdb9e7b214febf8749f2a875e485fbb8cf29f1262994c", + "search_line": -1 } -] \ No newline at end of file +] 
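Review bot: The `actualValue` for positive1.yaml and positive3.yaml, `Resources.ReplicationInstance.Properties.PubliclyAccessible is defined to 'true`, is missing its closing quote, and this commit pins the typo as the expected output. Since the fixture is generated from the query result, the fix is the Rego `actualValue` string (`... is defined to 'true'`), after which this file should be regenerated. The positive2.yaml entry records `searchKey` `Resources.ReplicationInstance.Properties` with `search_line` -1 while the other two carry the attribute line; that is consistent with a MissingAttribute result, but worth confirming the harness compares `search_line` the same way for both.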
diff --git a/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/test/positive_expected_result.json index 15c356f85c1..152775728ff 100644 --- a/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "Amplify App Access Token Exposed", "severity": "HIGH", "line": 6, - "fileName": "positive2.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Amplify::App", + "resourceName": "String", + "searchKey": "Resources.NewAmpApp.Properties.AccessToken", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp.Properties.AccessToken must not be in plain text string", + "actualValue": "Resources.NewAmpApp.Properties.AccessToken must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue", + "similarityID": "a7b0912a47a22405d98f02d3a0e3a89f8acd70f8ca874c7c2b5ffc209b3ab0a1", + "search_line": -1 }, { - "line": 10, - "fileName": "positive3.yaml", "queryName": "Amplify App Access Token Exposed", - "severity": "HIGH" + "severity": "HIGH", + "line": 6, + "fileName": "positive2.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentAccessToken.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentAccessToken.Default should be defined", + "actualValue": "Parameters.ParentAccessToken.Default shouldn't be defined", + "issueType": "IncorrectValue", + "similarityID": "48e129d4d69f85dca43b7e14326732721f3144fb4409c0fbf798e05b2362b46e", + "search_line": -1 }, { - "fileName": "positive1.yaml", "queryName": "Amplify App Access Token Exposed", "severity": "HIGH", - "line": 6 + "line": 10, + "fileName": "positive3.yaml", + "resourceType": "AWS::Amplify::App", + "resourceName": "NewAmpApp", + "searchKey": "Resources.NewApp.Properties.AccessToken", + "searchValue": "", + "expectedValue": "Resources.NewApp.Properties.AccessToken must not be in plain text string", + "actualValue": "Resources.NewApp.Properties.AccessToken must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue", + "similarityID": "0620309c97a3e1a08aa4bf8a2cf7551050c90d29cd59dbce3b805ed15e532708", + "search_line": -1 }, { + "queryName": "Amplify App Access 
Token Exposed", + "severity": "HIGH", "line": 11, "fileName": "positive4.json", - "queryName": "Amplify App Access Token Exposed", - "severity": "HIGH" + "resourceType": "AWS::Amplify::App", + "resourceName": "String", + "searchKey": "Resources.NewAmpApp.Properties.AccessToken", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp.Properties.AccessToken must not be in plain text string", + "actualValue": "Resources.NewAmpApp.Properties.AccessToken must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue", + "similarityID": "e76c1531c21e09b10f4fea24c713525983d19647abbee1682f7d11b3618dc4fb", + "search_line": -1 }, { "queryName": "Amplify App Access Token Exposed", "severity": "HIGH", "line": 7, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentAccessToken.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentAccessToken.Default should be defined", + "actualValue": "Parameters.ParentAccessToken.Default shouldn't be defined", + "issueType": "IncorrectValue", + "similarityID": "4e1eed6bb77bbdebe52e2bec6472d08407fb32c3c5c6853c9f855f309457cff2", + "search_line": -1 }, { "queryName": "Amplify App Access Token Exposed", "severity": "HIGH", "line": 9, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::Amplify::App", + "resourceName": "NewAmpApp", + "searchKey": "Resources.NewApp.Properties.AccessToken", + "searchValue": "", + "expectedValue": "Resources.NewApp.Properties.AccessToken must not be in plain text string", + "actualValue": "Resources.NewApp.Properties.AccessToken must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue", + "similarityID": "d70bb472890441e67f7bdf0741a86cd108a012d0aec9c1ce7a7da7a058bc526d", + "search_line": -1 } -] \ No newline at end of file +] 
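Review bot: The `expectedValue`/`actualValue` pair pinned for the parameter entries (positive2.yaml, positive5.json) is inverted: `Parameters.ParentAccessToken.Default should be defined` is recorded as the expectation and `shouldn't be defined` as the observed state, although the query flags a secret parameter that ships a plaintext `Default`. The `AWS::Amplify::App` entries also carry inconsistent metadata: `resourceName` is `String` for positive1.yaml and positive4.json, and for positive3.yaml and positive6.json `resourceName` `NewAmpApp` does not match the `Resources.NewApp` logical ID in `searchKey`; their `actualValue` (`must be defined as a parameter or have a secret manager referenced`) is itself an expectation rather than what was found. Regenerating the fixture pins these messages as correct, so the fix belongs in the query's Rego result fields, e.g. `"expectedValue": "Parameters.ParentAccessToken.Default should not be defined"` and `"actualValue": "Parameters.ParentAccessToken.Default is defined"`, then regenerate.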
diff --git a/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/test/positive_expected_result.json index f96f04cb1a8..48430d59215 100644 --- a/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "Amplify App Basic Auth Config Password Exposed", "severity": "HIGH", "line": 16, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Amplify::App", + "resourceName": "NewAmpApp", + "searchKey": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue", + "similarityID": "239c2c8e6c89e124160850f3d46e120c64ae0b8e5a5e7c19be25fdf0ee928404", + "search_line": -1 }, { "queryName": "Amplify App Basic Auth Config Password Exposed", "severity": "HIGH", "line": 6, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentPassword.Default should be defined", + "actualValue": "Parameters.ParentPassword.Default shouldn't be defined", + "issueType": "IncorrectValue", + "similarityID": "bc47097cea1a6a2470c2ced22a37dffdb89bc21dd3b68df4520bd369461157fe", + "search_line": -1 }, { "queryName": "Amplify App Basic Auth Config Password Exposed", "severity": "HIGH", "line": 12, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::Amplify::App", + "resourceName": "NewAmpApp", + "searchKey": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue", + "similarityID": 
"a701766bb99b939bc6d14deadf64be1f91fcc90d92f89de92298600f5e2c1ff2", + "search_line": -1 }, { "queryName": "Amplify App Basic Auth Config Password Exposed", "severity": "HIGH", "line": 12, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentPassword.Default should be defined", + "actualValue": "Parameters.ParentPassword.Default shouldn't be defined", + "issueType": "IncorrectValue", + "similarityID": "98c6a01ca4463f2b7e1363f148c827ab6a37a9808a16eae7398301e8bc80c83b", + "search_line": -1 }, { "queryName": "Amplify App Basic Auth Config Password Exposed", "severity": "HIGH", "line": 6, - "fileName": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentPassword.Default should be defined", + "actualValue": "Parameters.ParentPassword.Default shouldn't be defined", + "issueType": "IncorrectValue", + "similarityID": "a34f0e7680113e01216da492d78d92c6503c778678cdabdd44f0d9081be8d0cf", + "search_line": -1 }, { "queryName": "Amplify App Basic Auth Config Password Exposed", "severity": "HIGH", "line": 12, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::Amplify::App", + "resourceName": "NewAmpApp", + "searchKey": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue", + "similarityID": "f2997bede2637b0756b56a43ef0026e0824109b839f2a2a2778293377f5197fc", + "search_line": -1 } -] \ No newline at end of file +] 
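Review bot: The parameter entries (positive2.yaml, positive4.json, positive5.yaml) pin inverted messages: `expectedValue` `Parameters.ParentPassword.Default should be defined` and `actualValue` `... shouldn't be defined`, while the query exists to flag a password parameter carrying a plaintext `Default`. The `AWS::Amplify::App` entries likewise record an expectation in `actualValue` (`must be defined as a parameter or have a secret manager referenced`) rather than the observed state. As the fixture is generated from query output, correct the Rego result strings (e.g. `"expectedValue": "Parameters.ParentPassword.Default should not be defined"`, `"actualValue": "Parameters.ParentPassword.Default is defined"`) and regenerate instead of hand-editing this file.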
diff --git a/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/test/positive_expected_result.json index e205140998d..ccd2add9a8f 100644 --- a/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed/test/positive_expected_result.json 
@@ -2,25 +2,61 @@ { "queryName": "Amplify App OAuth Token Exposed", "severity": "HIGH", - "line": 5, - "fileName": "positive2.yaml" - }, - { "line": 4, "fileName": "positive1.yaml", + "resourceType": "AWS::Amplify::App", + "resourceName": "NewAmpApp", + "searchKey": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue", + "similarityID": "c312512ca9fa0e5b4c084e073cf6b956ba20a296d38f570e064f5a64f3301f12", + "search_line": -1 + }, + { "queryName": "Amplify App OAuth Token Exposed", - "severity": "HIGH" + "severity": "HIGH", + "line": 5, + "fileName": "positive2.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentPassword.Default should be defined", + "actualValue": "Parameters.ParentPassword.Default shouldn't be defined", + "issueType": "IncorrectValue", + "similarityID": "25a13228940fb3a61514558e3856ece7a7facaa0964050360d4d27b863a97c57", + "search_line": -1 }, { "queryName": "Amplify App OAuth Token Exposed", "severity": "HIGH", "line": 5, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::Amplify::App", + "resourceName": "NewAmpApp", + "searchKey": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue", + "similarityID": "fbe9fae1a769964f6d1532f8b003cde2042f1fc340fea8a66c14c612e74ce1af", + 
"search_line": -1 }, { "queryName": "Amplify App OAuth Token Exposed", "severity": "HIGH", "line": 11, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentPassword.Default should be defined", + "actualValue": "Parameters.ParentPassword.Default shouldn't be defined", + "issueType": "IncorrectValue", + "similarityID": "bd2a5ee36b34463bf3ae3056c8b87ae388d3b8782e518a61a456d9f82926123d", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/test/positive_expected_result.json index d6968d166f3..38f51301cb3 100644 --- a/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/test/positive_expected_result.json 
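Review bot: Every entry in this OAuth-token fixture points at the basic-auth attribute: `searchKey` is `Resources.NewAmpApp-1.Properties.BasicAuthConfig.Password` or `Parameters.ParentPassword.Default`, and the messages mention `BasicAuthConfig.Password`, never an OAuth token. Either the query's Rego result fields were copied from the basic-auth-password query or the positive samples exercise the wrong property; regenerating pins that as the expected output, so check the query and samples before accepting. The parameter entries also carry the inverted pair `expectedValue` `should be defined` / `actualValue` `shouldn't be defined` for a check that flags a defined plaintext `Default`.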
@@ -3,37 +3,90 @@ "queryName": "Amplify Branch Basic Auth Config Password Exposed", "severity": "HIGH", "line": 18, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Amplify::Branch", + "resourceName": "NewAmpApp1", + "searchKey": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue", + "similarityID": "c2f29a5c5f589fe94469b63db119927c526774ffac87afe8f929d8f25dfc87b7", + "search_line": -1 }, { "queryName": "Amplify Branch Basic Auth Config Password Exposed", "severity": "HIGH", "line": 5, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentPassword.Default should be defined", + "actualValue": "Parameters.ParentPassword.Default shouldn't be defined", + "issueType": "IncorrectValue", + "similarityID": "2c6b4e4cd3a730e143620ae6462bd59e3078b86edaaeb9adc1af4c0b5f6ec830", + "search_line": -1 }, { - "queryName": "Amplify Branch Basic Auth Config Password Exposed", "severity": "HIGH", "line": 19, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::Amplify::Branch", + "resourceName": "NewAmpApp1", + "searchKey": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue", + "similarityID": 
"967dd8d4c213d19f86a2aab7c67ceb06ab988b4395269cbc2497de3a481bc220", + "search_line": -1 }, { "queryName": "Amplify Branch Basic Auth Config Password Exposed", "severity": "HIGH", "line": 35, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentPassword.Default should be defined", + "actualValue": "Parameters.ParentPassword.Default shouldn't be defined", + "issueType": "IncorrectValue", + "similarityID": "472e1cc3039d9e06bda3673c75ce7fa897bf70ceba9f54a8757abb4abf4142c9", + "search_line": -1 }, { "queryName": "Amplify Branch Basic Auth Config Password Exposed", "severity": "HIGH", "line": 18, - "fileName": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "AWS::Amplify::Branch", + "resourceName": "NewAmpApp1", + "searchKey": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue", + "similarityID": "67179a7d1434872516da64b231e5a2379e7f52dfbcf17a57525a2c1758e32534", + "search_line": -1 }, { "queryName": "Amplify Branch Basic Auth Config Password Exposed", "severity": "HIGH", "line": 19, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::Amplify::Branch", + "resourceName": "NewAmpApp1", + "searchKey": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp1.Properties.BasicAuthConfig.Password must be defined as a parameter or have a secret manager referenced", + 
"issueType": "IncorrectValue", + "similarityID": "339f591674de2e71188eeaae47834a6e1ea57342b7a4f72b94f0dfae24b55a29", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json index 4038d0f764d..f808c9fba95 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json 
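Review bot: In the third entry (positive3.json) `- "queryName": "Amplify Branch Basic Auth Config Password Exposed",` is removed with no added counterpart, so on the new side that entry appears to have no `queryName`. The old hunk is one line longer than the sibling Amplify fixtures (37 vs 36 lines), which suggests the original entry carried a duplicate key that the generator dropped; if so this is harmless, but if the regenerated entry really lacks `queryName` the harness will not match it against the query, so verify the file. The parameter entries also pin inverted messages (`expectedValue` `should be defined`, `actualValue` `shouldn't be defined`) for a check that flags a password parameter with a plaintext `Default`; fix the Rego result strings and regenerate.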
@@ -3,114 +3,285 @@ "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", "line": 16, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.MethodSettings", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel should be defined and not null", + "actualValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel are undefined or null", + "issueType": "MissingAttribute", + "similarityID": "8213345fa15a5ac93c6e323afacdbd3489b997710787f25a08d445dcb61f5dd3", + "search_line": 16 }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", "line": 7, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::ApiGatewayV2::Stage", + "resourceName": "Prod", + "searchKey": "Resources.MyStage.Properties", + "searchValue": "DefaultRouteSettings", + "expectedValue": "Resources.MyStage.Properties.DefaultRouteSettings should be defined and not null", + "actualValue": "Resources.MyStage.Properties.DefaultRouteSettings are undefined or null", + "issueType": "MissingAttribute", + "similarityID": "104faa63e3c1ed7c9bf08a286341d315b287e2c2a4fd584ae6eac55bd1ff5a9a", + "search_line": 7 }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", "line": 21, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::ApiGatewayV2::Stage", + "resourceName": "Prod", + "searchKey": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel", + "searchValue": "", + "expectedValue": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel should not be set to OFF", + "actualValue": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel is OFF", + "issueType": "IncorrectValue", + "similarityID": 
"725a459dd9eeba545e7f138a83e734da78061a1ab770f58c1d77cbe5e96878d8", + "search_line": 21 }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", "line": 19, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::ApiGatewayV2::Stage", + "resourceName": "Prod", + "searchKey": "Resources.MyStage.Properties.DefaultRouteSettings", + "searchValue": "", + "expectedValue": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel should be defined and not null", + "actualValue": "Resources.MyStage.Properties.DefaultRouteSettings.LoggingLevel are undefined or null", + "issueType": "MissingAttribute", + "similarityID": "4ea8d1d0eb707677174107380218d9a47b6e77c9e6404ee261347a02aaf6042d", + "search_line": 19 }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", "line": 6, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::ApiGatewayV2::Stage", + "resourceName": "Prod", + "searchKey": "Resources.MyStage.Properties", + "searchValue": "AccessLogSettings", + "expectedValue": "'AccessLogSettings' should be defined", + "actualValue": "'AccessLogSettings' is not defined", + "issueType": "MissingAttribute", + "similarityID": "4b4dbb3791ecd807bd7eb612a1e2edb75bb6b9b7893047678082ae09b7c497c0", + "search_line": 6 }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", "line": 6, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.MyStage.Properties", + "searchValue": "AccessLogSetting", + "expectedValue": "'AccessLogSetting' should be defined", + "actualValue": "'AccessLogSetting' is not defined", + "issueType": "MissingAttribute", + "similarityID": "86ec0107a5a4aef0d174729c573d4108a9620610ffe6813f7b1f382eae48abde", + "search_line": 6 }, { "queryName": "API Gateway V2 Stage Access 
Logging Settings Not Defined", "severity": "MEDIUM", "line": 7, - "fileName": "positive7.json" + "fileName": "positive7.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.MyStage.Properties", + "searchValue": "MethodSettings", + "expectedValue": "Resources.MyStage.Properties.MethodSettings should be defined and not null", + "actualValue": "Resources.MyStage.Properties.MethodSettings are undefined or null", + "issueType": "MissingAttribute", + "similarityID": "f296dd6d422d47a3896384afb0cf0284570d96a75669282d19b612fe45052765", + "search_line": 7 }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", "line": 4, - "fileName": "positive8.yaml" + "fileName": "positive8.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties", + "searchValue": "MethodSettings", + "expectedValue": "Resources.Prod.Properties.MethodSettings should be defined and not null", + "actualValue": "Resources.Prod.Properties.MethodSettings are undefined or null", + "issueType": "MissingAttribute", + "similarityID": "e62e620ed8af5315e28921b390588428ba1ea0988893b419936197542bcadc3f", + "search_line": 4 }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", "line": 4, - "fileName": "positive9.yaml" + "fileName": "positive9.yaml", + "resourceType": "AWS::ApiGatewayV2::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties", + "searchValue": "DefaultRouteSettings", + "expectedValue": "Resources.Prod.Properties.DefaultRouteSettings should be defined and not null", + "actualValue": "Resources.Prod.Properties.DefaultRouteSettings are undefined or null", + "issueType": "MissingAttribute", + "similarityID": "c404a6d75ee7b545dec20045a174ffce59c25c26dc526a21ad0edbf8ab2163c3", + "search_line": 4 }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": 
"MEDIUM", "line": 19, - "fileName": "positive10.json" + "fileName": "positive10.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.MyStage.Properties.MethodSettings", + "searchValue": "", + "expectedValue": "Resources.MyStage.Properties.MethodSettings.LoggingLevel should be defined and not null", + "actualValue": "Resources.MyStage.Properties.MethodSettings.LoggingLevel are undefined or null", + "issueType": "MissingAttribute", + "similarityID": "a586c7cdf42da440266b946b2ad0506d0c716f1c6ce0c9a8ac89f659611ef09f", + "search_line": 19 }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", "line": 4, - "fileName": "positive11.yaml" + "fileName": "positive11.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties", + "searchValue": "MethodSettings", + "expectedValue": "Resources.Prod.Properties.MethodSettings should be defined and not null", + "actualValue": "Resources.Prod.Properties.MethodSettings are undefined or null", + "issueType": "MissingAttribute", + "similarityID": "077f0ee5fd55396ecaecbb8388193b8051c30ecc3e2390f87964d9946b551585", + "search_line": 4 }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", "line": 13, - "fileName": "positive11.yaml" + "fileName": "positive11.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.MethodSettings", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel should be defined and not null", + "actualValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel are undefined or null", + "issueType": "MissingAttribute", + "similarityID": "8ce53551315ee906d93983af73cea7010cff69ba199db4fe2440d3cf3a82705b", + "search_line": 13 }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": 
"MEDIUM", "line": 21, - "fileName": "positive12.json" + "fileName": "positive12.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.MyStage.Properties.MethodSettings.LoggingLevel", + "searchValue": "", + "expectedValue": "Resources.MyStage.Properties.MethodSettings.LoggingLevel should not be set to OFF", + "actualValue": "Resources.MyStage.Properties.MethodSettings.LoggingLevel is OFF", + "issueType": "IncorrectValue", + "similarityID": "64336b436e20da412273036751e1a7b1ea99e2b69a12dd0e74b1915c074f9c80", + "search_line": 21 }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", "line": 4, - "fileName": "positive13.yaml" + "fileName": "positive13.yaml", + "resourceType": "AWS::ApiGatewayV2::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties", + "searchValue": "DefaultRouteSettings", + "expectedValue": "Resources.Prod.Properties.DefaultRouteSettings should be defined and not null", + "actualValue": "Resources.Prod.Properties.DefaultRouteSettings are undefined or null", + "issueType": "MissingAttribute", + "similarityID": "2c7e65a8345c2dc09b36d51e9efb5db26ef89c89b90dd97e9d43a6d24cfc6b0a", + "search_line": 4 }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", "line": 14, - "fileName": "positive13.yaml" + "fileName": "positive13.yaml", + "resourceType": "AWS::ApiGatewayV2::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.DefaultRouteSettings", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel should be defined and not null", + "actualValue": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel are undefined or null", + "issueType": "MissingAttribute", + "similarityID": "34c71df402a8014158e1ac5dfa0ba24509968a9b8e199c8ffaf357552ae34c1c", + "search_line": 14 }, { "queryName": "API Gateway V2 Stage Access Logging Settings 
Not Defined", "severity": "MEDIUM", "line": 14, - "fileName": "positive14.yaml" + "fileName": "positive14.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.MethodSettings.LoggingLevel", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel should not be set to OFF", + "actualValue": "Resources.Prod.Properties.MethodSettings.LoggingLevel is OFF", + "issueType": "IncorrectValue", + "similarityID": "99fff70b4599a6a4ebf1c5308c7ad736fbacb5f478a2b351e116e3e317d05666", + "search_line": 14 }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", "line": 15, - "fileName": "positive15.yaml" + "fileName": "positive15.yaml", + "resourceType": "AWS::ApiGatewayV2::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel should not be set to OFF", + "actualValue": "Resources.Prod.Properties.DefaultRouteSettings.LoggingLevel is OFF", + "issueType": "IncorrectValue", + "similarityID": "b3fdf734be67d8e2dfb0682d44e567b97ac04e908969d1f3a8510eaa877bff3f", + "search_line": 15 }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", "line": 4, - "fileName": "positive16.yaml" + "fileName": "positive16.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties", + "searchValue": "AccessLogSetting", + "expectedValue": "'AccessLogSetting' should be defined", + "actualValue": "'AccessLogSetting' is not defined", + "issueType": "MissingAttribute", + "similarityID": "34d8897514b224a07609f31b3fc69dadad4c47fa30f945b30ec908f0fafa86f4", + "search_line": 4 }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", "line": 4, - "fileName": 
"positive17.yaml" + "fileName": "positive17.yaml", + "resourceType": "AWS::ApiGatewayV2::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties", + "searchValue": "AccessLogSettings", + "expectedValue": "'AccessLogSettings' should be defined", + "actualValue": "'AccessLogSettings' is not defined", + "issueType": "MissingAttribute", + "similarityID": "f14880f02968a21e7152f2c1f11a739f80384960cdc31143b1eced531f96199d", + "search_line": 4 } ] diff --git a/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/test/positive_expected_result.json index 5c7f7c57d03..c455af7110a 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "API Gateway Cache Cluster Disabled", "severity": "LOW", "line": 6, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.ProdPos1.Properties", + "searchValue": "", + "expectedValue": "Resources.ProdPos1.Properties.CacheClusterEnabled should be defined and not null", + "actualValue": "Resources.ProdPos1.Properties.CacheClusterEnabled is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "3961b1385f8afe28cfbd45084abe599d514e6242fcb9d29a988877fa00cff0ed", + "search_line": 6 }, { "queryName": "API Gateway Cache Cluster Disabled", "severity": "LOW", "line": 31, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.ProdPos2.Properties.CacheClusterEnabled", + "searchValue": "", + "expectedValue": "Resources.ProdPos2.Properties.CacheClusterEnabled should be set to true", + "actualValue": "Resources.ProdPos2.Properties.CacheClusterEnabled is set to false", + "issueType": "IncorrectValue", + "similarityID": "01bfa5f3da0ec5337390b4547ab94e068d8ebdc6d94b55214daea0f70003959d", + "search_line": 31 }, { "queryName": "API Gateway Cache Cluster Disabled", "severity": "LOW", "line": 6, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.ProdPos1.Properties", + "searchValue": "", + "expectedValue": "Resources.ProdPos1.Properties.CacheClusterEnabled should be defined and not null", + "actualValue": "Resources.ProdPos1.Properties.CacheClusterEnabled is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "7330bd6aaa97ee2f866f6c6bfdc278d38a003f9f26da8710031b36c92a422d48", + "search_line": 6 }, { "queryName": "API Gateway Cache Cluster Disabled", "severity": "LOW", "line": 6, - "fileName": 
"positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.ProdPos2.Properties.CacheClusterEnabled", + "searchValue": "", + "expectedValue": "Resources.ProdPos2.Properties.CacheClusterEnabled should be set to true", + "actualValue": "Resources.ProdPos2.Properties.CacheClusterEnabled is set to false", + "issueType": "IncorrectValue", + "similarityID": "d651f8a6604b6edc6272ba301e199f4dbffdd2962836de4ba962b88633ca9755", + "search_line": 6 }, { "queryName": "API Gateway Cache Cluster Disabled", "severity": "LOW", "line": 31, - "fileName": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.ProdPos2.Properties.CacheClusterEnabled", + "searchValue": "", + "expectedValue": "Resources.ProdPos2.Properties.CacheClusterEnabled should be set to true", + "actualValue": "Resources.ProdPos2.Properties.CacheClusterEnabled is set to false", + "issueType": "IncorrectValue", + "similarityID": "3fd835d8cb792169ea97193633a68cd29f3ddd729207a13a6c7204f024d1c8c4", + "search_line": 31 }, { "queryName": "API Gateway Cache Cluster Disabled", "severity": "LOW", "line": 6, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.ProdPos2.Properties.CacheClusterEnabled", + "searchValue": "", + "expectedValue": "Resources.ProdPos2.Properties.CacheClusterEnabled should be set to true", + "actualValue": "Resources.ProdPos2.Properties.CacheClusterEnabled is set to false", + "issueType": "IncorrectValue", + "similarityID": "5692f88f52405eb98a064a3b732b832de2516fed5450a4db799141e81aea187e", + "search_line": 6 } ] 
diff --git a/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/test/positive_expected_result.json index fc1ce51db13..809abfd450d 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled/test/positive_expected_result.json 
@@ -1,38 +1,92 @@ [ { - "fileName": "positive1.yaml", "queryName": "API Gateway Cache Encrypted Disabled", "severity": "HIGH", - "line": 8 + "line": 8, + "fileName": "positive1.yaml", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "DummyStage", + "searchKey": "Resources.Deployment.Properties.StageDescription", + "searchValue": "", + "expectedValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' should be defined and not null", + "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "ec4415bf988435c241c2c7dba66840fae130cf89050d49a5f9e3acc70dfd4407", + "search_line": -1 }, { - "fileName": "positive2.json", "queryName": "API Gateway Cache Encrypted Disabled", "severity": "HIGH", - "line": 11 + "line": 11, + "fileName": "positive2.json", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "DummyStage", + "searchKey": "Resources.Deployment.Properties.StageDescription", + "searchValue": "", + "expectedValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' should be defined and not null", + "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "c1c0587ed5a071ab2c8d6f61f28ab3be1a65dde147d121fc3918a9dfe5502a0d", + "search_line": -1 }, { - "fileName": "positive3.yaml", "queryName": "API Gateway Cache Encrypted Disabled", "severity": "HIGH", - "line": 9 + "line": 9, + "fileName": "positive3.yaml", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "DummyStage", + "searchKey": "Resources.Deployment.Properties.StageDescription.CacheDataEncrypted", + "searchValue": "", + "expectedValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' should be set to true", + "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' 
is set to false", + "issueType": "IncorrectValue", + "similarityID": "b5f4ef7d18adfe36931dd143408a42f2c5ade3663643060d7be177166b48a353", + "search_line": -1 }, { - "fileName": "positive4.json", "queryName": "API Gateway Cache Encrypted Disabled", "severity": "HIGH", - "line": 12 + "line": 12, + "fileName": "positive4.json", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "DummyStage", + "searchKey": "Resources.Deployment.Properties.StageDescription.CacheDataEncrypted", + "searchValue": "", + "expectedValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' should be set to true", + "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is set to false", + "issueType": "IncorrectValue", + "similarityID": "ee8d1563c85056248101aabb1c218af26d4125a343a0d4235aea6a3046253dda", + "search_line": -1 }, { - "fileName": "positive5.yaml", "queryName": "API Gateway Cache Encrypted Disabled", "severity": "HIGH", - "line": 9 + "line": 9, + "fileName": "positive5.yaml", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "DummyStage", + "searchKey": "Resources.Deployment.Properties.StageDescription.CacheDataEncrypted", + "searchValue": "", + "expectedValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' should be set to true", + "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is set to false", + "issueType": "IncorrectValue", + "similarityID": "597b3c1cb36a76c3018ec181e7703f3b0390483e0b6a37ad786c4447c347373e", + "search_line": -1 }, { - "fileName": "positive6.json", "queryName": "API Gateway Cache Encrypted Disabled", "severity": "HIGH", - "line": 12 + "line": 12, + "fileName": "positive6.json", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "DummyStage", + "searchKey": "Resources.Deployment.Properties.StageDescription.CacheDataEncrypted", + "searchValue": "", + "expectedValue": 
"'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' should be set to true", + "actualValue": "'Resources.Deployment.Properties.StageDescription.CacheDataEncrypted' is set to false", + "issueType": "IncorrectValue", + "similarityID": "bfe748b7abe11a1981fdbcde76cdd80724aa239e2648dd75cc5bb1469c9fa492", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json index 348bf203e11..759241b4a43 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json 
@@ -2,37 +2,91 @@ { "queryName": "API Gateway Deployment Without Access Log Setting", "severity": "MEDIUM", - "line": 21, - "fileName": "positive2.yaml" + "line": 29, + "fileName": "positive1.yaml", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "DummyStage", + "searchKey": "Resources.ApiDeployment.Properties.StageDescription.AccessLogSetting", + "searchValue": "", + "expectedValue": "Resources.ApiDeployment.Properties.StageDescriptionAccessLogSetting should be defined", + "actualValue": "Resources.ApiDeployment.Properties.StageDescription.AccessLogSetting is not defined", + "issueType": "MissingAttribute", + "similarityID": "c064e1ad78bfba5c7692b3628ad0fd057f1ced52fc5de43a0d2ddce4601ab5a6", + "search_line": -1 }, { - "fileName": "positive3.yaml", "queryName": "API Gateway Deployment Without Access Log Setting", "severity": "MEDIUM", - "line": 21 + "line": 21, + "fileName": "positive2.yaml", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "DummyStage", + "searchKey": "Resources.ApiDeployment1", + "searchValue": "", + "expectedValue": "Resources.ApiDeployment1 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same as the ApiGateway::Stage resource", + "actualValue": "Resources.ApiDeployment1 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same in the ApiGateway::Stage resource", + "issueType": "IncorrectValue", + "similarityID": "c16879add6efae8a9f40420a776ee587233a8adaff01fdb70479c59e845895b7", + "search_line": -1 }, { "queryName": "API Gateway Deployment Without Access Log Setting", "severity": "MEDIUM", - "line": 29, - "fileName": "positive1.yaml" + "line": 21, + "fileName": "positive3.yaml", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "DummyStage", + "searchKey": "Resources.ApiDeployment2", + "searchValue": "", + "expectedValue": "Resources.ApiDeployment2 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same as the 
ApiGateway::Stage resource", + "actualValue": "Resources.ApiDeployment2 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same in the ApiGateway::Stage resource", + "issueType": "IncorrectValue", + "similarityID": "27c25fdad18950a371b38824c05122e18328b4717e019e46968ee21854fdb002", + "search_line": -1 }, { - "fileName": "positive4.json", "queryName": "API Gateway Deployment Without Access Log Setting", "severity": "MEDIUM", - "line": 15 + "line": 15, + "fileName": "positive4.json", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "DummyStage", + "searchKey": "Resources.ApiDeployment.Properties.StageDescription.AccessLogSetting", + "searchValue": "", + "expectedValue": "Resources.ApiDeployment.Properties.StageDescriptionAccessLogSetting should be defined", + "actualValue": "Resources.ApiDeployment.Properties.StageDescription.AccessLogSetting is not defined", + "issueType": "MissingAttribute", + "similarityID": "d33aa1083328614ea69ccf03cfead13a1ec1a8ab95d09d675d20a13d4f3acd15", + "search_line": -1 }, { "queryName": "API Gateway Deployment Without Access Log Setting", "severity": "MEDIUM", "line": 31, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "DummyStage", + "searchKey": "Resources.ApiDeployment1", + "searchValue": "", + "expectedValue": "Resources.ApiDeployment1 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same as the ApiGateway::Stage resource", + "actualValue": "Resources.ApiDeployment1 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same in the ApiGateway::Stage resource", + "issueType": "IncorrectValue", + "similarityID": "8f7a48991863a8ffdd033f27f6502f56e85beb7a9c68315949f92ed0514f2f07", + "search_line": -1 }, { "queryName": "API Gateway Deployment Without Access Log Setting", "severity": "MEDIUM", "line": 31, - "fileName": "positive6.json" + "fileName": 
"positive6.json", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "DummyStage", + "searchKey": "Resources.ApiDeployment2", + "searchValue": "", + "expectedValue": "Resources.ApiDeployment2 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same as the ApiGateway::Stage resource", + "actualValue": "Resources.ApiDeployment2 should have AWS::ApiGateway::Stage associated, DeploymentId.Ref should be the same in the ApiGateway::Stage resource", + "issueType": "IncorrectValue", + "similarityID": "125ed9ee1727ed3080f7a0dc28d5ca77c94b3c9f8158d974d79a8a4427c5b97a", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json index 98171acb95d..5897aca43b9 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json 
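Review bot: The expectedValue pinned for positive1.yaml and positive4.json reads `Resources.ApiDeployment.Properties.StageDescriptionAccessLogSetting should be defined`, with no dot between `StageDescription` and `AccessLogSetting`, while the paired actualValue on the next line spells the same path as `StageDescription.AccessLogSetting`. Since this fixture appears to be produced by the new generator script from the scanner's own output, the typo is presumably in the query's message template rather than in this file, and committing it here locks it into the test expectations. The message should be corrected at its source and the expected result regenerated, not hand-edited here, so the two files stay in sync. The other four entries in this hunk use a different message form and are not affected.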
@@ -3,36 +3,90 @@ "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", "severity": "LOW", "line": 4, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "Prod", + "searchKey": "Resources.Deployment", + "searchValue": "", + "expectedValue": "Resources.Deployment should have UsagePlan defined", + "actualValue": "Resources.Deployment doesn't have UsagePlan defined", + "issueType": "MissingAttribute", + "similarityID": "18286655dafa2e529915d48668af24d5c63e56b523a100d2018d32a8ded68cb5", + "search_line": 4 }, { + "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", + "severity": "LOW", "line": 4, "fileName": "positive2.yaml", - "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", - "severity": "LOW" + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "Prod", + "searchKey": "Resources.Deployment1", + "searchValue": "", + "expectedValue": "Resources.Deployment1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Deployment1 resource", + "actualValue": "Resources.Deployment1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Deployment1 resource", + "issueType": "IncorrectValue", + "similarityID": "7c5b721891b4325c6c30288fe4e064b25a43bd0cd64e7778c8cd4f7dfd6b6d0c", + "search_line": 4 }, { "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", "severity": "LOW", "line": 4, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "Prod1", + "searchKey": "Resources.Deployment2", + "searchValue": "", + "expectedValue": "Resources.Deployment2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Deployment2 resource", + "actualValue": "Resources.Deployment2 should have 
AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Deployment2 resource", + "issueType": "IncorrectValue", + "similarityID": "c0f3a0dfe8e503b5ff9f727afd808f64caf8597c3c2c4e603182c8f9ac884f64", + "search_line": 4 }, { + "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", + "severity": "LOW", "line": 5, "fileName": "positive4.json", - "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", - "severity": "LOW" + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "Prod", + "searchKey": "Resources.Deployment", + "searchValue": "", + "expectedValue": "Resources.Deployment should have UsagePlan defined", + "actualValue": "Resources.Deployment doesn't have UsagePlan defined", + "issueType": "MissingAttribute", + "similarityID": "f7dc694668a05b302b5fc77f34de765a3e3c02eef2fba312a02f485b22e778e3", + "search_line": 5 }, { - "fileName": "positive5.json", "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 5 + "line": 5, + "fileName": "positive5.json", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "Prod", + "searchKey": "Resources.Deployment1", + "searchValue": "", + "expectedValue": "Resources.Deployment1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Deployment1 resource", + "actualValue": "Resources.Deployment1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Deployment1 resource", + "issueType": "IncorrectValue", + "similarityID": "db7780ea7b84b8d7af1ee90ac37b54e60217d18c5e67f290b25e542b0e6c9278", + "search_line": 5 }, { "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", "severity": "LOW", "line": 5, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::ApiGateway::Deployment", + "resourceName": "Prod1", + "searchKey": 
"Resources.Deployment2", + "searchValue": "", + "expectedValue": "Resources.Deployment2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Deployment2 resource", + "actualValue": "Resources.Deployment2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Deployment2 resource", + "issueType": "IncorrectValue", + "similarityID": "c3f1118397d53042c85bd4717a5ddcd0d41a93ac1c04b6dcb9f002fca987b855", + "search_line": 5 } ] diff --git a/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json index 61437b8b033..f4539f9a65b 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "API Gateway Endpoint Config is Not Private", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myRestApi", + "searchKey": "Resources.MyRestApi.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyRestApi.EndpointConfiguration' should be defined", + "actualValue": "'Resources.MyRestApi.EndpointConfiguration' is undefined", + "issueType": "MissingAttribute", + "similarityID": "dbbbe7ec889e7f0b6ff104110df23a80b2d60946e0f6d45119f71e4c7a12166a", + "search_line": -1 }, { "queryName": "API Gateway Endpoint Config is Not Private", "severity": "MEDIUM", "line": 11, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myRestApi2", + "searchKey": "Resources.MyRestApi2.Properties.EndpointConfiguration.Types", + "searchValue": "", + "expectedValue": "'Resources.MyRestApi2.EndpointConfiguration.Types' should contain 'PRIVATE'", + "actualValue": "'Resources.MyRestApi2.EndpointConfiguration.Types' does not contain 'PRIVATE'", + "issueType": "IncorrectValue", + "similarityID": "e548570aec53d28a9fe5ec4d3b149eea83bf03218124cd775cde0dde4c24c55b", + "search_line": -1 }, { "queryName": "API Gateway Endpoint Config is Not Private", "severity": "MEDIUM", "line": 6, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myRestApi", + "searchKey": "Resources.MyRestApi.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyRestApi.EndpointConfiguration' should be defined", + "actualValue": "'Resources.MyRestApi.EndpointConfiguration' is undefined", + "issueType": "MissingAttribute", + "similarityID": "0b8fbd578b8e31d0de6702695362ca3575a56bdbf7152724a42526d924266599", + "search_line": -1 }, { + "queryName": "API Gateway Endpoint Config is Not Private", + "severity": "MEDIUM", 
"line": 14, "fileName": "positive2.json", - "queryName": "API Gateway Endpoint Config is Not Private", - "severity": "MEDIUM" + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myRestApi2", + "searchKey": "Resources.MyRestApi2.Properties.EndpointConfiguration.Types", + "searchValue": "", + "expectedValue": "'Resources.MyRestApi2.EndpointConfiguration.Types' should contain 'PRIVATE'", + "actualValue": "'Resources.MyRestApi2.EndpointConfiguration.Types' does not contain 'PRIVATE'", + "issueType": "IncorrectValue", + "similarityID": "32d54a5f03d33802bace15efaa264b60474c934c5a4506ebf250c6494d14dd77", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json index 2862d01c542..f0d028c375c 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "API Gateway Method Does Not Contains An API Key", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::ApiGateway::Method", + "resourceName": "MockMethod", + "searchKey": "Resources.MockMethod.Properties.ApiKeyRequired", + "searchValue": "", + "expectedValue": "Resources.MockMethod.Properties.ApiKeyRequired should be true", + "actualValue": "Resources.MockMethod.Properties.ApiKeyRequired is false", + "issueType": "IncorrectValue", + "similarityID": "6241fbad717dbba4c6cefb42f09f342cbaaab9e2ea0a215cf67afa56817c260b", + "search_line": -1 }, { "queryName": "API Gateway Method Does Not Contains An API Key", "severity": "MEDIUM", "line": 6, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::ApiGateway::Method", + "resourceName": "MockMethod1", + "searchKey": "Resources.MockMethod1.Properties", + "searchValue": "", + "expectedValue": "Resources.MockMethod1.Properties.ApiKeyRequired should be defined", + "actualValue": "Resources.MockMethod1.Properties.ApiKeyRequired is undefined", + "issueType": "MissingAttribute", + "similarityID": "67e2090621e849457e9f4cf3c4ec0a862243566eda124ef2f148b6e950bc5b73", + "search_line": -1 }, { "queryName": "API Gateway Method Does Not Contains An API Key", "severity": "MEDIUM", "line": 13, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::ApiGateway::Method", + "resourceName": "MockMethod", + "searchKey": "Resources.MockMethod.Properties.ApiKeyRequired", + "searchValue": "", + "expectedValue": "Resources.MockMethod.Properties.ApiKeyRequired should be true", + "actualValue": "Resources.MockMethod.Properties.ApiKeyRequired is false", + "issueType": "IncorrectValue", + "similarityID": "0804f6d2e2eda35b338ecefee8ea2bfcc5844c43a771b8dd4ba2f0cd7226ebb3", + "search_line": -1 }, { "queryName": "API Gateway Method Does Not Contains An API Key", "severity": "MEDIUM", "line": 6, - 
"fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::ApiGateway::Method", + "resourceName": "MockMethod1", + "searchKey": "Resources.MockMethod1.Properties", + "searchValue": "", + "expectedValue": "Resources.MockMethod1.Properties.ApiKeyRequired should be defined", + "actualValue": "Resources.MockMethod1.Properties.ApiKeyRequired is undefined", + "issueType": "MissingAttribute", + "similarityID": "497d56f8acec06af844c4e7026caed49a823a7ea0d98af59a29c9cb10c059b47", + "search_line": -1 }, { "queryName": "API Gateway Method Does Not Contains An API Key", "severity": "MEDIUM", "line": 13, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::ApiGateway::Method", + "resourceName": "MockMethod", + "searchKey": "Resources.MockMethod.Properties.ApiKeyRequired", + "searchValue": "", + "expectedValue": "Resources.MockMethod.Properties.ApiKeyRequired should be true", + "actualValue": "Resources.MockMethod.Properties.ApiKeyRequired is false", + "issueType": "IncorrectValue", + "similarityID": "ff2917e65ad56d41b7b827a3b33b5d5b3fdede4584dd14fa185f51760bed75d5", + "search_line": -1 }, { "queryName": "API Gateway Method Does Not Contains An API Key", "severity": "MEDIUM", "line": 7, - "fileName": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "AWS::ApiGateway::Method", + "resourceName": "MockMethod", + "searchKey": "Resources.MockMethod.Properties.ApiKeyRequired", + "searchValue": "", + "expectedValue": "Resources.MockMethod.Properties.ApiKeyRequired should be true", + "actualValue": "Resources.MockMethod.Properties.ApiKeyRequired is false", + "issueType": "IncorrectValue", + "similarityID": "8df157e4db2e01b267758c0e5ece466ff0d43561f46c4b96f8189920e85c809b", + "search_line": -1 } ] 
diff --git a/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json index bc88b844206..562ba33ed51 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json 
@@ -1,38 +1,92 @@ [ { + "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", "severity": "LOW", "line": 4, "fileName": "positive1.yaml", - "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated" + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod", + "searchValue": "", + "expectedValue": "Resources.Prod should have UsagePlan defined", + "actualValue": "Resources.Prod doesn't have UsagePlan defined", + "issueType": "MissingAttribute", + "similarityID": "16399bc3e4d59cc8b5303be83bcf3080fac7566012fa5a1f40e47219c68bc3c3", + "search_line": 4 }, { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", "severity": "LOW", "line": 4, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod1", + "searchValue": "", + "expectedValue": "Resources.Prod1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Prod1 resource", + "actualValue": "Resources.Prod1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Prod1 resource", + "issueType": "IncorrectValue", + "similarityID": "306001988694c536f6a8b9c47786a6280d33c2c8eb3f12173a065617bff3a8b3", + "search_line": 4 }, { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", "severity": "LOW", "line": 4, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod2", + "searchValue": "", + "expectedValue": "Resources.Prod2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Prod2 resource", + "actualValue": "Resources.Prod2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Prod2 resource", + "issueType": 
"IncorrectValue", + "similarityID": "d85734bbda9214a852e950c023a262181a15bdc73a4fb225a772fb2b1d76eb0c", + "search_line": 4 }, { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", "severity": "LOW", "line": 5, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod", + "searchValue": "", + "expectedValue": "Resources.Prod should have UsagePlan defined", + "actualValue": "Resources.Prod doesn't have UsagePlan defined", + "issueType": "MissingAttribute", + "similarityID": "91c4523996eb5dfc788a400776c8727307bcc5b0ea5f23991a5c0f663f5ef8a4", + "search_line": 5 }, { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", "severity": "LOW", "line": 5, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod1", + "searchValue": "", + "expectedValue": "Resources.Prod1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Prod1 resource", + "actualValue": "Resources.Prod1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Prod1 resource", + "issueType": "IncorrectValue", + "similarityID": "5b57591f7101490d29e1b37019c794581a53f194b0a463cd193f1eb8f0ca8afe", + "search_line": 5 }, { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", "severity": "LOW", "line": 5, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod2", + "searchValue": "", + "expectedValue": "Resources.Prod2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same as the Prod2 resource", + "actualValue": "Resources.Prod2 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName 
should be the same in the Prod2 resource", + "issueType": "IncorrectValue", + "similarityID": "dcab5ecc21ae9821adb441df1e6116aac1ca191dbad5b4476e82f20eac61e95f", + "search_line": 5 } ] diff --git a/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json index 476b31885dd..c435bbe8fb1 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json 
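Review bot: For the positive2.yaml, positive3.yaml, positive5.json and positive6.json entries in this hunk the recorded `actualValue` is itself phrased as an expectation (`Resources.Prod1 should have AWS::ApiGateway::UsagePlan associated, RestApiId and StageName should be the same in the Prod1 resource`), differing from `expectedValue` only by "as" versus "in", so the pair tells a reader nothing about what was actually observed. These files appear to be generated from the query's output, so the wording presumably comes from the query's Rego rather than from this fixture; regenerating after a fix there would be the right order. A finding-style string such as `"actualValue": "Resources.Prod1 has no AWS::ApiGateway::UsagePlan whose RestApiId and StageName match the Prod1 resource"` would make the expected result self-explanatory instead of locking in the near-duplicate text.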
@@ -3,36 +3,90 @@ "queryName": "API Gateway With Invalid Compression", "severity": "LOW", "line": 17, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myApi", + "searchKey": "Resources.RestApi3.Properties.MinimumCompressionSize", + "searchValue": "", + "expectedValue": "Resources.RestApi3.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", + "actualValue": "Resources.RestApi3.Properties.MinimumCompressionSize is set to smaller than 0", + "issueType": "IncorrectValue", + "similarityID": "0b5b47cfce9fda1f02fa9bd9b1abd02a7fadf633cbd05023a37b18287aa9d1a2", + "search_line": 17 }, { "queryName": "API Gateway With Invalid Compression", "severity": "LOW", - "line": 22, - "fileName": "positive4.json" + "line": 17, + "fileName": "positive2.yaml", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myApi", + "searchKey": "Resources.RestApi4.Properties.MinimumCompressionSize", + "searchValue": "", + "expectedValue": "Resources.RestApi4.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", + "actualValue": "Resources.RestApi4.Properties.MinimumCompressionSize is set to greater than 10485759", + "issueType": "IncorrectValue", + "similarityID": "50da7698a5cb142ab64e900ea0f53f7b61a7bf908b803d011970b0ca50bb13f3", + "search_line": 17 }, { "queryName": "API Gateway With Invalid Compression", "severity": "LOW", - "line": 17, - "fileName": "positive2.yaml" + "line": 5, + "fileName": "positive3.yaml", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myApi", + "searchKey": "Resources.RestApi5.Properties", + "searchValue": "", + "expectedValue": "Resources.RestApi5.Properties.MinimumCompressionSize should be defined", + "actualValue": "Resources.RestApi5.Properties.MinimumCompressionSize is not defined", + "issueType": "MissingAttribute", + "similarityID": 
"0c645df2ddf654a526211b2b09a8e10ea5a37e701cee092e9c289fbfd6e64cb6", + "search_line": 5 }, { "queryName": "API Gateway With Invalid Compression", "severity": "LOW", "line": 22, - "fileName": "positive5.json" + "fileName": "positive4.json", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myApi", + "searchKey": "Resources.RestApi6.Properties.MinimumCompressionSize", + "searchValue": "", + "expectedValue": "Resources.RestApi6.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", + "actualValue": "Resources.RestApi6.Properties.MinimumCompressionSize is set to smaller than 0", + "issueType": "IncorrectValue", + "similarityID": "d131596f115850d372b9ac0b2ab5f848fa310346b7d9f6e429a02f1156347cea", + "search_line": 22 }, { "queryName": "API Gateway With Invalid Compression", "severity": "LOW", - "line": 5, - "fileName": "positive3.yaml" + "line": 22, + "fileName": "positive5.json", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myApi", + "searchKey": "Resources.RestApi7.Properties.MinimumCompressionSize", + "searchValue": "", + "expectedValue": "Resources.RestApi7.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", + "actualValue": "Resources.RestApi7.Properties.MinimumCompressionSize is set to greater than 10485759", + "issueType": "IncorrectValue", + "similarityID": "e07ed7701ded6a67f9304e0c69efdf663129c2e1ccddded035c2489db4315e61", + "search_line": 22 }, { "queryName": "API Gateway With Invalid Compression", "severity": "LOW", "line": 5, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myApi", + "searchKey": "Resources.RestApi8.Properties", + "searchValue": "", + "expectedValue": "Resources.RestApi8.Properties.MinimumCompressionSize should be defined", + "actualValue": "Resources.RestApi8.Properties.MinimumCompressionSize is not defined", + "issueType": "MissingAttribute", + "similarityID": 
"8cbb42c9b883cf1683489b02c521efd578246aa2a21a1c16a579c61c8f1ecd43", + "search_line": 5 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/api_gateway_with_open_access/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_with_open_access/test/positive_expected_result.json index 75c0bb8a047..87034e8acd0 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_with_open_access/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_with_open_access/test/positive_expected_result.json 
@@ -3,12 +3,30 @@
 "queryName": "API Gateway With Open Access",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::ApiGateway::Method",
+ "resourceName": "MockMethod",
+ "searchKey": "Resources.MockMethod.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.MockMethod.Properties.AuthorizationType is NONE and Resources.MockMethod.Properties.HttpMethod should be OPTIONS",
+ "actualValue": "Resources.MockMethod.Properties.AuthorizationType is NONE and Resources.MockMethod.Properties.HttpMethod is not OPTIONS",
+ "issueType": "IncorrectValue",
+ "similarityID": "60ae20601164da97a27b1dc58a04ca824f25a46f0dc5d6ad6c84ffd17d79f37a",
+ "search_line": -1
 },
 {
 "queryName": "API Gateway With Open Access",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::ApiGateway::Method",
+ "resourceName": "MockMethod",
+ "searchKey": "Resources.MockMethod.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.MockMethod.Properties.AuthorizationType is NONE and Resources.MockMethod.Properties.HttpMethod should be OPTIONS",
+ "actualValue": "Resources.MockMethod.Properties.AuthorizationType is NONE and Resources.MockMethod.Properties.HttpMethod is not OPTIONS",
+ "issueType": "IncorrectValue",
+ "similarityID": "b0192bb9b01dc9cc6820477e0e8985c7d13a03fd05f2e16ef3bd28c9bf788fe3",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json
index f12a5dcc457..0b63de9f971 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json
@@ -3,48 +3,120 @@ "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", "line": 3, - "fileName": "positive3.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::ApiGatewayV2::Api", + "resourceName": "TL-Dev-WebSocket-API", + "searchKey": "Resources.DevWebSocket", + "searchValue": "", + "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer", + "issueType": "IncorrectValue", + "similarityID": "8af5fd710e83cc0860cd1fb0bb2763f5d050dff6da3e39cd6b9718db5b2ab670", + "search_line": 3 }, { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", "line": 3, - "fileName": "positive4.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::ApiGatewayV2::Api", + "resourceName": "TL-Dev-WebSocket-API", + "searchKey": "Resources.DevWebSocket5", + "searchValue": "", + "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer", + "issueType": "IncorrectValue", + "similarityID": "f4aa457538e4257632d3e3831e99d8334d341e431a9e01be831ec3cc896d0a80", + "search_line": 3 }, { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", - "line": 4, - "fileName": "positive7.json" + "line": 3, + "fileName": "positive3.yaml", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myRestApi", + "searchKey": "Resources.MyRestApi6", + "searchValue": "", + "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer", + "issueType": "IncorrectValue", + "similarityID": "a2ac757bc8a19a5dcb481c5e80705bd8731f4fd447e82c792b5024a76ce40d29", + "search_line": 3 }, { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", - 
"line": 4, - "fileName": "positive8.json" + "line": 3, + "fileName": "positive4.yaml", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myRestApi", + "searchKey": "Resources.MyRestApi7", + "searchValue": "", + "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer", + "issueType": "IncorrectValue", + "similarityID": "c7aa5529cd2fc09df85162b821a46fdde23acbbecbc04eff6bf5de5ceba704e9", + "search_line": 3 }, { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", - "line": 3, - "fileName": "positive1.yaml" + "line": 4, + "fileName": "positive5.json", + "resourceType": "AWS::ApiGatewayV2::Api", + "resourceName": "TL-Dev-WebSocket-API", + "searchKey": "Resources.DevWebSocket8", + "searchValue": "", + "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer", + "issueType": "IncorrectValue", + "similarityID": "19f593ac5cec0dc069c911c213a2eecacd7261a6b4c550a1543f9565f74bc208", + "search_line": 4 }, { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", - "line": 3, - "fileName": "positive2.yaml" + "line": 20, + "fileName": "positive6.json", + "resourceType": "AWS::ApiGatewayV2::Api", + "resourceName": "TL-Dev-WebSocket-API", + "searchKey": "Resources.DevWebSocket9", + "searchValue": "", + "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer", + "issueType": "IncorrectValue", + "similarityID": "1fefca9a40eac51505ccf8ac0709fe5556b4937874a0141d4fd0c60a20e6c49d", + "search_line": 20 }, { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", "line": 4, - "fileName": "positive5.json" + "fileName": "positive7.json", 
+ "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myRestApi", + "searchKey": "Resources.MyRestApi10", + "searchValue": "", + "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer", + "issueType": "IncorrectValue", + "similarityID": "b55972b5c1022371977da0d672629509bcf62f582eb1180ecea12f88f70f1d2b", + "search_line": 4 }, { "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", - "line": 20, - "fileName": "positive6.json" + "line": 4, + "fileName": "positive8.json", + "resourceType": "AWS::ApiGateway::RestApi", + "resourceName": "myRestApi", + "searchKey": "Resources.MyRestApi11", + "searchValue": "", + "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer", + "issueType": "IncorrectValue", + "similarityID": "bb9fbdb85fc5bc154e4d9305fff97fe98aca8a6c7cedae41cab729c60ddfa485", + "search_line": 4 } ] diff --git a/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/test/positive_expected_result.json index b41df1f3039..f059bb014ab 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_without_security_policy/test/positive_expected_result.json 
@@ -2,25 +2,61 @@ { "queryName": "API Gateway Without Security Policy", "severity": "MEDIUM", - "line": 13, - "fileName": "positive2.yaml" + "line": 20, + "fileName": "positive1.yaml", + "resourceType": "AWS::ApiGateway::DomainName", + "resourceName": "cfnDomainName", + "searchKey": "Resources.myDomainName.Properties.SecurityPolicy", + "searchValue": "", + "expectedValue": "Resources.myDomainName.Properties.SecurityPolicy should be TLS_1_2", + "actualValue": "Resources.myDomainName.Properties.SecurityPolicy should be TLS_1_2", + "issueType": "IncorrectValue", + "similarityID": "f7977889d37e3c6f01124372148560a2d8e22a73b6b585a1793639c312622faf", + "search_line": -1 }, { "queryName": "API Gateway Without Security Policy", "severity": "MEDIUM", - "line": 20, - "fileName": "positive1.yaml" + "line": 13, + "fileName": "positive2.yaml", + "resourceType": "AWS::ApiGateway::DomainName", + "resourceName": "cfnDomainName", + "searchKey": "Resources.myDomainName1.Properties.SecurityPolicy", + "searchValue": "", + "expectedValue": "Resources.myDomainName1.Properties.SecurityPolicy should not be defined", + "actualValue": "Resources.myDomainName1.Properties.SecurityPolicy is defined", + "issueType": "MissingAttribute", + "similarityID": "48dcf475a74ebb982a0efb07dc4dc1365eaac7c1c93df0bb5898ed6025ef4d1f", + "search_line": -1 }, { "queryName": "API Gateway Without Security Policy", "severity": "MEDIUM", "line": 26, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::ApiGateway::DomainName", + "resourceName": "cfnDomainName", + "searchKey": "Resources.myDomainName.Properties.SecurityPolicy", + "searchValue": "", + "expectedValue": "Resources.myDomainName.Properties.SecurityPolicy should be TLS_1_2", + "actualValue": "Resources.myDomainName.Properties.SecurityPolicy should be TLS_1_2", + "issueType": "IncorrectValue", + "similarityID": "3e756abeeb85580d7b85ca77a0eb1806168b3ef8f5df44214541f6fe9447d0c1", + "search_line": -1 }, { - "fileName": 
"positive4.json", "queryName": "API Gateway Without Security Policy", "severity": "MEDIUM", - "line": 15 + "line": 15, + "fileName": "positive4.json", + "resourceType": "AWS::ApiGateway::DomainName", + "resourceName": "cfnDomainName", + "searchKey": "Resources.myDomainName1.Properties.SecurityPolicy", + "searchValue": "", + "expectedValue": "Resources.myDomainName1.Properties.SecurityPolicy should not be defined", + "actualValue": "Resources.myDomainName1.Properties.SecurityPolicy is defined", + "issueType": "MissingAttribute", + "similarityID": "7e299efff7353ebeca7bac3db1af9385552a0467ae2c78d162ea6894ff06aff0", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json index 7809abfcec6..c8909d7c2fe 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json 
@@ -3,12 +3,30 @@
 "queryName": "API Gateway Without SSL Certificate",
 "severity": "MEDIUM",
 "line": 5,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::ApiGateway::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.ProdApiGatewayStagePos.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ProdApiGatewayStagePos.Properties should have ClientCertificateId defined",
+ "actualValue": "Resources.ProdApiGatewayStagePos.Properties doesn't have ClientCertificateId defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "40c1ed82ce6cc3fcdf215529337fbb1481dc97053950dbd37a2528c871c06d85",
+ "search_line": -1
 },
 {
 "queryName": "API Gateway Without SSL Certificate",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::ApiGateway::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.ProdApiGatewayStagePos2.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ProdApiGatewayStagePos2.Properties should have ClientCertificateId defined",
+ "actualValue": "Resources.ProdApiGatewayStagePos2.Properties doesn't have ClientCertificateId defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "939e4851672f8da634d11f74297d9eb6bea5ab2bb5bd474c76051e01099a4fdc",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/api_gateway_without_waf/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_without_waf/test/positive_expected_result.json
index 6bd883801f4..d1ff85c90bd 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_without_waf/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_without_waf/test/positive_expected_result.json
@@ -1,14 +1,32 @@
 [
 {
 "queryName": "API Gateway without WAF",
- "severity": "MEDIUM",
+ "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::ApiGateway::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.Prod.Properties.StageName",
+ "searchValue": "",
+ "expectedValue": "API Gateway Stage should be associated with a Web Application Firewall",
+ "actualValue": "API Gateway Stage is not associated with a Web Application Firewall",
+ "issueType": "IncorrectValue",
+ "similarityID": "4d5c1fd573d888ee1ea76053fb46ac0b1792847111364538a1a704dc0a1c5c59",
+ "search_line": 7
 },
 {
 "queryName": "API Gateway without WAF",
 "severity": "MEDIUM",
 "line": 33,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::ApiGateway::Stage",
+ "resourceName": "Prod",
+ "searchKey": "Resources.Prod.Properties.StageName",
+ "searchValue": "",
+ "expectedValue": "API Gateway Stage should be associated with a Web Application Firewall",
+ "actualValue": "API Gateway Stage is not associated with a Web Application Firewall",
+ "issueType": "IncorrectValue",
+ "similarityID": "cdb49ab2d4c3816c712f6e1adea31c8c2afe6e9a93225eb8017c3dac7334c6e8",
+ "search_line": 33
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/test/positive_expected_result.json
index 8eeda87f4fb..7c693f23119 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/api_gateway_xray_disabled/test/positive_expected_result.json
@@ -3,24 +3,60 @@ "queryName": "API Gateway X-Ray Disabled", "severity": "LOW", "line": 13, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.ProdPos3.Properties.TracingEnabled", + "searchValue": "", + "expectedValue": "Resources.ProdPos3.Properties.TracingEnabled should be true", + "actualValue": "Resources.ProdPos3.Properties.TracingEnabled is false", + "issueType": "IncorrectValue", + "similarityID": "1d8f6af2d4e6b351b9ed4c34ccfc9e98bdf630009369d71c2605a11b653063e2", + "search_line": -1 }, { "queryName": "API Gateway X-Ray Disabled", "severity": "LOW", "line": 6, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.ProdPos4.Properties", + "searchValue": "", + "expectedValue": "Resources.ProdPos4.Properties.TracingEnabled should be defined", + "actualValue": "Resources.ProdPos4.Properties.TracingEnabled is undefined", + "issueType": "MissingAttribute", + "similarityID": "cc82edc6709bd3b49a3077f7a47c86e8ceebde2c10f8d9911ab06edc335e8caa", + "search_line": -1 }, { "queryName": "API Gateway X-Ray Disabled", "severity": "LOW", "line": 23, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.ProdPos1.Properties.TracingEnabled", + "searchValue": "", + "expectedValue": "Resources.ProdPos1.Properties.TracingEnabled should be true", + "actualValue": "Resources.ProdPos1.Properties.TracingEnabled is false", + "issueType": "IncorrectValue", + "similarityID": "00b03350ff58c06882f864988bb4be39014019cbcfab64aae7cb545f853a6a9e", + "search_line": -1 }, { "queryName": "API Gateway X-Ray Disabled", "severity": "LOW", "line": 6, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + 
"searchKey": "Resources.ProdPos2.Properties", + "searchValue": "", + "expectedValue": "Resources.ProdPos2.Properties.TracingEnabled should be defined", + "actualValue": "Resources.ProdPos2.Properties.TracingEnabled is undefined", + "issueType": "MissingAttribute", + "similarityID": "b6f2b464acf02473142ea2134ee45c8161a8b0258763b0de49f0e90092020290", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json index 8e31712dcf2..d81063ad2e7 100644 --- a/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json 
@@ -1,38 +1,92 @@ [ { + "queryName": "Auto Scaling Group With No Associated ELB", + "severity": "MEDIUM", "line": 28, "fileName": "positive1.yaml", - "queryName": "Auto Scaling Group With No Associated ELB", - "severity": "MEDIUM" + "resourceType": "AWS::AutoScaling::AutoScalingGroup", + "resourceName": "myASG", + "searchKey": "Resources.myASG.Properties", + "searchValue": "", + "expectedValue": "'Resources.myASG.Properties.LoadBalancerNames' should be defined", + "actualValue": "'Resources.myASG.Properties.LoadBalancerNames' is not defined", + "issueType": "MissingAttribute", + "similarityID": "5ebcffe06a8729dd73224510ea07e1eea66fd89ebfa9c866082266d37ae19efb", + "search_line": -1 }, { - "fileName": "positive1.yaml", "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", - "line": 60 + "line": 60, + "fileName": "positive1.yaml", + "resourceType": "AWS::AutoScaling::AutoScalingGroup", + "resourceName": "myASG2", + "searchKey": "Resources.myASG2.Properties.LoadBalancerNames", + "searchValue": "", + "expectedValue": "'Resources.myASG2.Properties.LoadBalancerNames' should not be empty", + "actualValue": "'Resources.myASG2.Properties.LoadBalancerNames' is empty", + "issueType": "IncorrectValue", + "similarityID": "e4697f3b270b5aaed8a4f85a5bbb1363912e7f41d6bb4667f105ba806817c333", + "search_line": -1 }, { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", "line": 87, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::AutoScaling::AutoScalingGroup", + "resourceName": "myASG", + "searchKey": "Resources.myASG3.Properties.LoadBalancerNames", + "searchValue": "", + "expectedValue": "'Resources.myASG3.Properties.LoadBalancerNames' should not be empty", + "actualValue": "'Resources.myASG3.Properties.LoadBalancerNames' is empty", + "issueType": "IncorrectValue", + "similarityID": "a9685b071c1ffa403a3479fd3140430eb3245facc116a41eb7bdba1d91f17b8f", + "search_line": -1 }, { "queryName": "Auto 
Scaling Group With No Associated ELB", "severity": "MEDIUM", "line": 38, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::AutoScaling::AutoScalingGroup", + "resourceName": "myASG", + "searchKey": "Resources.myASG.Properties", + "searchValue": "", + "expectedValue": "'Resources.myASG.Properties.LoadBalancerNames' should be defined", + "actualValue": "'Resources.myASG.Properties.LoadBalancerNames' is not defined", + "issueType": "MissingAttribute", + "similarityID": "1d256cf030fc4bf6b7baabc542328b5d20601ad0c5c3fc10f9b16a1f80b285bc", + "search_line": -1 }, { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", "line": 78, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::AutoScaling::AutoScalingGroup", + "resourceName": "myASG2", + "searchKey": "Resources.myASG2.Properties.LoadBalancerNames", + "searchValue": "", + "expectedValue": "'Resources.myASG2.Properties.LoadBalancerNames' should not be empty", + "actualValue": "'Resources.myASG2.Properties.LoadBalancerNames' is empty", + "issueType": "IncorrectValue", + "similarityID": "36f370ab009e286a0dd79b23385f9d9c04223fb8be341af6a4d403a7967ce149", + "search_line": -1 }, { - "fileName": "positive2.json", "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", - "line": 126 + "line": 126, + "fileName": "positive2.json", + "resourceType": "AWS::AutoScaling::AutoScalingGroup", + "resourceName": "myASG", + "searchKey": "Resources.myASG3.Properties.LoadBalancerNames", + "searchValue": "", + "expectedValue": "'Resources.myASG3.Properties.LoadBalancerNames' should not be empty", + "actualValue": "'Resources.myASG3.Properties.LoadBalancerNames' is empty", + "issueType": "IncorrectValue", + "similarityID": "9f22536c9c5cb0c5e3033c2ba4debfbdc3e9c21d2de0b95b9e11fbd3db29bbee", + "search_line": -1 } ] 
diff --git a/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json index a7a2b2484ab..bea5fb6939b 100644 --- a/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json 
@@ -3,48 +3,120 @@ "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", "line": 18, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' should be defined", + "actualValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' is undefined", + "issueType": "MissingAttribute", + "similarityID": "d246b41a091955b5986c00faec8315576f91a6ab4231f4c7688cafc015990ec2", + "search_line": -1 }, { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", "line": 42, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB2.Properties.AutoMinorVersionUpgrade", + "searchValue": "", + "expectedValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' should be true", + "actualValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' is false", + "issueType": "IncorrectValue", + "similarityID": "237103b5a3ac5aca971e921a2616c81389fd4b2455dd667e40a1aaaced5f5412", + "search_line": -1 }, { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", "line": 17, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' should be defined", + "actualValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' is undefined", + "issueType": "MissingAttribute", + "similarityID": "73155dae4ba991dfad609aa735a3314649d09c183953ccbcddaee5ec0e0173b9", + "search_line": -1 }, { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", "line": 44, - "fileName": "positive2.json" + "fileName": "positive2.json", + 
"resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB2.Properties.AutoMinorVersionUpgrade", + "searchValue": "", + "expectedValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' should be true", + "actualValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' is false", + "issueType": "IncorrectValue", + "similarityID": "0323a19db9ab707ea870175676d74a3f8a26660948b830c475f38faff8ac17a6", + "search_line": -1 }, { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", "line": 18, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' should be defined", + "actualValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' is undefined", + "issueType": "MissingAttribute", + "similarityID": "0c3d5fbde079c8b029759cbc1d9ca166156754305a53b8b3d6ce9991529b5691", + "search_line": -1 }, { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", "line": 42, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB2.Properties.AutoMinorVersionUpgrade", + "searchValue": "", + "expectedValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' should be true", + "actualValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' is false", + "issueType": "IncorrectValue", + "similarityID": "afadffe55c7df200199604ac1297b0f3c57d8c8450fcc6382fa812e038a861e6", + "search_line": -1 }, { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", "line": 17, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB.Properties", + "searchValue": "", + "expectedValue": 
"'Resources.MyDB.Properties.AutoMinorVersionUpgrade' should be defined", + "actualValue": "'Resources.MyDB.Properties.AutoMinorVersionUpgrade' is undefined", + "issueType": "MissingAttribute", + "similarityID": "bf491bb3acc04c35202db332813e2df5be7dda48014c118b29c65cacc2cafe7f", + "search_line": -1 }, { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", "line": 44, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB2.Properties.AutoMinorVersionUpgrade", + "searchValue": "", + "expectedValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' should be true", + "actualValue": "'Resources.MyDB2.Properties.AutoMinorVersionUpgrade' is false", + "issueType": "IncorrectValue", + "similarityID": "a5895e83c3df2a2d4ece13a0bbffffba3f113aa1536225bea0af13c6c7dc4c35", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json index 2a6d712aed3..0c558946318 100644 --- a/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Batch Job Definition With Privileged Container Properties", "severity": "HIGH", "line": 21, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Batch::JobDefinition", + "resourceName": "nvidia-smi", + "searchKey": "Resources.JobDefinition.Properties.ContainerProperties.Privileged", + "searchValue": "", + "expectedValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged should be set to false", + "actualValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged is true", + "issueType": "IncorrectValue", + "similarityID": "07ede3f523529eadee5bbe059424625affa78a8c072c33f5ed266df8f5788966", + "search_line": -1 }, { "queryName": "Batch Job Definition With Privileged Container Properties", "severity": "HIGH", "line": 12, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::Batch::JobDefinition", + "resourceName": "nvidia-smi", + "searchKey": "Resources.JobDefinition.Properties.ContainerProperties.Privileged", + "searchValue": "", + "expectedValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged should be set to false", + "actualValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged is true", + "issueType": "IncorrectValue", + "similarityID": "b10fc49b9004031457e009bda89e8f90ba2098e24e4bf457c2e2284eeea22e44", + "search_line": -1 }, { "queryName": "Batch Job Definition With Privileged Container Properties", "severity": "HIGH", "line": 21, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::Batch::JobDefinition", + "resourceName": "nvidia-smi", + "searchKey": "Resources.JobDefinition.Properties.ContainerProperties.Privileged", + "searchValue": "", + "expectedValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged should be set to false", + "actualValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged is true", + "issueType": 
"IncorrectValue", + "similarityID": "9a7e75df0210e9c85f02aeb32340162c901b2d98cc142f634e3d2202ee859c4b", + "search_line": -1 }, { "queryName": "Batch Job Definition With Privileged Container Properties", "severity": "HIGH", "line": 12, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::Batch::JobDefinition", + "resourceName": "nvidia-smi", + "searchKey": "Resources.JobDefinition.Properties.ContainerProperties.Privileged", + "searchValue": "", + "expectedValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged should be set to false", + "actualValue": "Resources.JobDefinition.Properties.ContainerProperties.Privileged is true", + "issueType": "IncorrectValue", + "similarityID": "98c28ae2b3f77253a6b87dad8a80df58ff40b7a9c8024698f0a865ebdc1936d9", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/block_device_is_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/block_device_is_not_encrypted/test/positive_expected_result.json index 939db20c092..63a6b1cda61 100644 --- a/assets/queries/cloudFormation/aws/block_device_is_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/block_device_is_not_encrypted/test/positive_expected_result.json 
@@ -3,72 +3,180 @@ "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", "line": 14, - "fileName": "positive1.json" + "fileName": "positive1.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs.Encrypted", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'", + "issueType": "IncorrectValue", + "similarityID": "3f68ad5d39fc1fa582f4bd52695348786158ede92c8e6a989c5104c8aa0fc1b5", + "search_line": 14 }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", "line": 12, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs.Encrypted", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'", + "issueType": "IncorrectValue", + "similarityID": "33d429c94190cce37748cd14d3193496de4e3147c983a04ef3b0e94070c36770", + "search_line": 12 }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", "line": 12, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined", + "issueType": "MissingAttribute", + "similarityID": "a71180933ed68f97fa22c5f2f9be35fdd2061db09a1f39114bfd9ab4c65f2bd1", + "search_line": 12 }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", 
"line": 10, - "fileName": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined", + "issueType": "MissingAttribute", + "similarityID": "0eb14c99c2ba087a0b08bd50e9c5577e80f93f3c76ac5dd1ab0ef2492bc35b2f", + "search_line": 10 }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", "line": 15, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::AutoScaling::LaunchConfiguration", + "resourceName": "MyLaunchConfiguration", + "searchKey": "Resources.MyLaunchConfiguration.Properties.BlockDeviceMappings[0].Ebs.Encrypted", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'", + "issueType": "IncorrectValue", + "similarityID": "18e52f384a6941183d38f0e101c8f95175e0b2e2c31ee4f8eca7648f460fdb34", + "search_line": 15 }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", "line": 12, - "fileName": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "AWS::AutoScaling::LaunchConfiguration", + "resourceName": "MyLaunchConfiguration", + "searchKey": "Resources.MyLaunchConfiguration.Properties.BlockDeviceMappings[0].Ebs.Encrypted", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'", + "issueType": "IncorrectValue", + "similarityID": "f08b68757b64b3a9e977d33c4c20a58b5110801a19d1b984302a12ede7dee8d5", + "search_line": 12 }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", "line": 13, - 
"fileName": "positive7.json" + "fileName": "positive7.json", + "resourceType": "AWS::AutoScaling::LaunchConfiguration", + "resourceName": "MyLaunchConfiguration", + "searchKey": "Resources.MyLaunchConfiguration.Properties.BlockDeviceMappings[0].Ebs", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined", + "issueType": "MissingAttribute", + "similarityID": "57ecd3f0d275f1b792d1788f056b5c16caa54d7b33592f542e47587146908eb7", + "search_line": 13 }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", "line": 10, - "fileName": "positive8.yaml" + "fileName": "positive8.yaml", + "resourceType": "AWS::AutoScaling::LaunchConfiguration", + "resourceName": "MyLaunchConfiguration", + "searchKey": "Resources.MyLaunchConfiguration.Properties.BlockDeviceMappings[0].Ebs", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined", + "issueType": "MissingAttribute", + "similarityID": "689218e67739a053e6818ae29a2d91646020359f3ac237c69b635435805a3a2b", + "search_line": 10 }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", "line": 14, - "fileName": "positive9.json" + "fileName": "positive9.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs.Encrypted", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'", + "issueType": "IncorrectValue", + "similarityID": "c75954adc05e1063aa40aceae9dc9eaa03ffdd38646e0d49cfcf15f0cb0ccc63", + "search_line": 14 }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", "line": 12, - "fileName": "positive10.yaml" + 
"fileName": "positive10.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.BlockDeviceMappings[0].Ebs.Encrypted", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'", + "issueType": "IncorrectValue", + "similarityID": "22f3eb069c05adf47f9730e08d0f0ceae15f0cf5b07153c5af8de955060fd698", + "search_line": 12 }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", "line": 15, - "fileName": "positive11.json" + "fileName": "positive11.json", + "resourceType": "AWS::AutoScaling::LaunchConfiguration", + "resourceName": "MyLaunchConfiguration", + "searchKey": "Resources.MyLaunchConfiguration.Properties.BlockDeviceMappings[0].Ebs.Encrypted", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'", + "issueType": "IncorrectValue", + "similarityID": "8686e7ddfd611cc9e410d7101ac88bc26390d82c4878b297f42d518cf6f0917f", + "search_line": 15 }, { "queryName": "Block Device Is Not Encrypted", "severity": "HIGH", "line": 12, - "fileName": "positive12.yaml" + "fileName": "positive12.yaml", + "resourceType": "AWS::AutoScaling::LaunchConfiguration", + "resourceName": "MyLaunchConfiguration", + "searchKey": "Resources.MyLaunchConfiguration.Properties.BlockDeviceMappings[0].Ebs.Encrypted", + "searchValue": "", + "expectedValue": "'BlockDeviceMappings[0].Ebs.Encrypted' should be defined to 'true'", + "actualValue": "'BlockDeviceMappings[0].Ebs.Encrypted' is not defined to 'true'", + "issueType": "IncorrectValue", + "similarityID": "9928995e5ceda500d74ff464479ef399008cc165adb8bba3e57a4196d2235a9e", + "search_line": 12 } ] 
diff --git a/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/test/positive_expected_result.json index 2dc7aa82920..3d9ab6d35f6 100644 --- a/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cdn_configuration_is_missing/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "CDN Configuration Is Missing", "severity": "LOW", "line": 6, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig", + "searchValue": "", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig should contain an 'Origins' object", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig does not contain an 'Origins' object configured", + "issueType": "MissingAttribute", + "similarityID": "17aac5c7db00f76782e0c1901957189b14ed6e41a341ec4afac7f87479b3c126", + "search_line": -1 }, { "queryName": "CDN Configuration Is Missing", "severity": "LOW", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig.Enabled", + "searchValue": "", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.Enabled should be 'true'", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.Enabled is configured as 'false'", + "issueType": "IncorrectValue", + "similarityID": "32ddb137e3e553181f3c3811688e214a3775bcfa99c890c9496005070281b30c", + "search_line": -1 }, { + "queryName": "CDN Configuration Is Missing", "severity": "LOW", "line": 7, "fileName": "positive2.json", - "queryName": "CDN Configuration Is Missing" + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig", + "searchValue": "", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig should contain an 'Origins' object", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig does not contain an 'Origins' object configured", + "issueType": 
"MissingAttribute", + "similarityID": "3a8d177a936501bb9f58bbbc617bf0e21aca23bc5735757ada7979537abd0e7c", + "search_line": -1 }, { - "fileName": "positive2.json", "queryName": "CDN Configuration Is Missing", "severity": "LOW", - "line": 15 + "line": 15, + "fileName": "positive2.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig.Enabled", + "searchValue": "", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.Enabled should be 'true'", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.Enabled is configured as 'false'", + "issueType": "IncorrectValue", + "similarityID": "3fe01167e7c145b7d8d8ad4093d21c5b8fc58db5ae66f90eead24242d7343758", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/test/positive_expected_result.json index 8ce4013218e..51251520b0c 100644 --- a/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe/test/positive_expected_result.json 
@@ -1,38 +1,92 @@ [ { + "queryName": "CloudFormation Specifying Credentials Not Safe", "severity": "MEDIUM", "line": 33, "fileName": "positive1.yaml", - "queryName": "CloudFormation Specifying Credentials Not Safe" + "resourceType": "AWS::EC2::Instance", + "resourceName": "WebServer", + "searchKey": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.accessKeyId", + "searchValue": "", + "expectedValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.accessKeyId should not exist", + "actualValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.accessKeyId exists", + "issueType": "MissingAttribute", + "similarityID": "a52999d0f3fe9657104bb9bd1bc67585fd8820446bfbfb2a542b11d9ea97f9e3", + "search_line": -1 }, { "queryName": "CloudFormation Specifying Credentials Not Safe", "severity": "MEDIUM", "line": 35, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "WebServer", + "searchKey": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.secretKey", + "searchValue": "", + "expectedValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.secretKey should not exist", + "actualValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.secretKey exists", + "issueType": "MissingAttribute", + "similarityID": "8e23886c676ffdaf40425647f945bfe5fdd261d33094daf67614c375efee2529", + "search_line": -1 }, { "queryName": "CloudFormation Specifying Credentials Not Safe", "severity": "MEDIUM", "line": 71, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "WebServer2", + "searchKey": "Resources.WebServer2.Metadata.AWS::CloudFormation::Authentication.BasicAccessCreds.password", + "searchValue": "", + "expectedValue": 
"Resources.WebServer2.Metadata.AWS::CloudFormation::Authentication.BasicAccessCreds.password should not exist", + "actualValue": "Resources.WebServer2.Metadata.AWS::CloudFormation::Authentication.BasicAccessCreds.password exists", + "issueType": "MissingAttribute", + "similarityID": "4ef0eb694c10cd1b5c2b0b50a7d46c6f70415d1ad4fe91cac85cba14866a0e11", + "search_line": -1 }, { "queryName": "CloudFormation Specifying Credentials Not Safe", "severity": "MEDIUM", "line": 48, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "WebServer", + "searchKey": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.accessKeyId", + "searchValue": "", + "expectedValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.accessKeyId should not exist", + "actualValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.accessKeyId exists", + "issueType": "MissingAttribute", + "similarityID": "bf1f3a2fa1218895110e88731ade87e91e148dc5520d2f57ad9de09bc9725dc7", + "search_line": -1 }, { + "queryName": "CloudFormation Specifying Credentials Not Safe", + "severity": "MEDIUM", "line": 51, "fileName": "positive2.json", - "queryName": "CloudFormation Specifying Credentials Not Safe", - "severity": "MEDIUM" + "resourceType": "AWS::EC2::Instance", + "resourceName": "WebServer", + "searchKey": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.secretKey", + "searchValue": "", + "expectedValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.secretKey should not exist", + "actualValue": "Resources.WebServer.Metadata.AWS::CloudFormation::Authentication.S3AccessCreds.secretKey exists", + "issueType": "MissingAttribute", + "similarityID": "e623c2af59901d88a39bcdb53406affb93ce566d25a5721b7971ddccafde6635", + "search_line": -1 }, { "queryName": "CloudFormation Specifying Credentials Not 
Safe", "severity": "MEDIUM", "line": 112, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "WebServer2", + "searchKey": "Resources.WebServer2.Metadata.AWS::CloudFormation::Authentication.BasicAccessCreds.password", + "searchValue": "", + "expectedValue": "Resources.WebServer2.Metadata.AWS::CloudFormation::Authentication.BasicAccessCreds.password should not exist", + "actualValue": "Resources.WebServer2.Metadata.AWS::CloudFormation::Authentication.BasicAccessCreds.password exists", + "issueType": "MissingAttribute", + "similarityID": "d21e0bce906390f2220030399cecacfde6a88e70ec26377fb7b11cacc0b856ee", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/test/positive_expected_result.json index 309047d4b3d..1d8cd3b6125 100644 --- a/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudfront_logging_disabled/test/positive_expected_result.json 
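Review bot: Every entry in this regenerated fixture carries `"issueType": "MissingAttribute"` while its `expectedValue` says the credential key `should not exist` and its `actualValue` says it `exists`, which is the opposite situation, so any consumer that filters or triages findings by issueType will treat a hard-coded accessKeyId, secretKey or password as an attribute that is absent. Because the file is produced from the query's own result payload by the generator script, the fixture is faithfully freezing a classification defect that lives in the query, and the correction belongs there (KICS's `RedundantAttribute` issue type is the one meant for an attribute that should be absent) followed by a regeneration, rather than a hand edit of this JSON. The other hunks on this page do not show the pattern; their issueType values agree with their expected/actual text.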
@@ -3,24 +3,60 @@ "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution1", + "searchKey": "Resources.myDistribution1.Properties", + "searchValue": "", + "expectedValue": "Resources.myDistribution1.Properties.DistributionConfig.Logging should be defined", + "actualValue": "Resources.myDistribution1.Properties.DistributionConfig.Logging is undefined", + "issueType": "MissingAttribute", + "similarityID": "6903e307c3dddbfbe2f4c20ed98934468668c555a32a6205e1572f972ae8b9c9", + "search_line": -1 }, { + "queryName": "CloudFront Logging Disabled", + "severity": "MEDIUM", "line": 30, "fileName": "positive2.yaml", - "queryName": "CloudFront Logging Disabled", - "severity": "MEDIUM" + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution2", + "searchKey": "Resources.myDistribution2.Properties.DistributionConfig.Logging.Bucket", + "searchValue": "", + "expectedValue": "Resources.myDistribution2.Properties.DistributionConfig.Logging.Bucket should have the domain '.s3.amazonaws.com'", + "actualValue": "Resources.myDistribution2.Properties.DistributionConfig.Logging.Bucket does not have the correct domain", + "issueType": "IncorrectValue", + "similarityID": "9aab6fd06c7574d31c7598de97ff4180cc1d67d1654855f898c5854410cc458a", + "search_line": -1 }, { + "queryName": "CloudFront Logging Disabled", + "severity": "MEDIUM", "line": 6, "fileName": "positive3.json", - "queryName": "CloudFront Logging Disabled", - "severity": "MEDIUM" + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution1", + "searchKey": "Resources.myDistribution1.Properties", + "searchValue": "", + "expectedValue": "Resources.myDistribution1.Properties.DistributionConfig.Logging should be defined", + "actualValue": "Resources.myDistribution1.Properties.DistributionConfig.Logging is undefined", + 
"issueType": "MissingAttribute", + "similarityID": "2ffa5e17e1fc04c83496de985de1add5ecfb9aad4641c6967a2227434fb762ff", + "search_line": -1 }, { + "queryName": "CloudFront Logging Disabled", + "severity": "MEDIUM", "line": 40, "fileName": "positive4.json", - "queryName": "CloudFront Logging Disabled", - "severity": "MEDIUM" + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution2", + "searchKey": "Resources.myDistribution2.Properties.DistributionConfig.Logging.Bucket", + "searchValue": "", + "expectedValue": "Resources.myDistribution2.Properties.DistributionConfig.Logging.Bucket should have the domain '.s3.amazonaws.com'", + "actualValue": "Resources.myDistribution2.Properties.DistributionConfig.Logging.Bucket does not have the correct domain", + "issueType": "IncorrectValue", + "similarityID": "ad6303d7ff99974af2cea1dbf23eff4fc820f8bd557de1a426fa565a495ca4bf", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json index 6d69099acae..c68d12a5b0c 100644 --- a/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP", "severity": "MEDIUM", "line": 13, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution_1", + "searchKey": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy is 'https-only' or 'redirect-to-https'", + "actualValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy is 'allow-all'", + "issueType": "IncorrectValue", + "similarityID": "af2d2449fbe56cba75c87118f7161a477f9c83afd38558bec077ea3697451079", + "search_line": -1 }, { + "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP", "severity": "MEDIUM", "line": 30, "fileName": "positive1.yaml", - "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP" + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution_2", + "searchKey": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy is 'https-only' or 'redirect-to-https'", + "actualValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy is 'allow-all'", + "issueType": "IncorrectValue", + "similarityID": "9faec37ec266103399589523c1db7e2ac0d18d5d976aa8a906033340100c217f", + "search_line": -1 }, { "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP", "severity": "MEDIUM", "line": 10, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution_2", 
+ "searchKey": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy is 'https-only' or 'redirect-to-https'", + "actualValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy is 'allow-all'", + "issueType": "IncorrectValue", + "similarityID": "c34f7ed212238dbe5bdc8980f9379adaffd3532eac7366f5f6f76cb94b7f4050", + "search_line": -1 }, { - "fileName": "positive2.json", "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP", "severity": "MEDIUM", - "line": 50 + "line": 50, + "fileName": "positive2.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution_1", + "searchKey": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy is 'https-only' or 'redirect-to-https'", + "actualValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy is 'allow-all'", + "issueType": "IncorrectValue", + "similarityID": "513b39feb375e44868366eb78b92de452f639d7685364337151aa7dab1b36b06", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json index 53cec9a0d72..d7bb1005881 100644 --- a/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json 
+++ b/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", "line": 25, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution", + "searchKey": "Resources.cloudfrontdistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion' should be TLSv1.2_x", + "actualValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion' is TLSv1.1_2016", + "issueType": "IncorrectValue", + "similarityID": "e68f7181656999f64c338f0d54461b74ba748bdf714c699fa0ac1bff4cecfe45", + "search_line": 25 }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", "line": 33, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution2", + "searchKey": "Resources.cloudfrontdistribution2.Properties.DistributionConfig", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution2.Properties.DistributionConfig.ViewerCertificate' should be defined", + "actualValue": "Resources.cloudfrontdistribution2.Properties.DistributionConfig.ViewerCertificate' is undefined", + "issueType": "MissingAttribute", + "similarityID": "dba0538061d124a2043e602845d119fcda1da44394d52838c52916d45966ce6c", + "search_line": 33 }, { - "line": 55, - "fileName": "positive2.json", "queryName": "CloudFront Without Minimum Protocol TLS 1.2", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 11, + "fileName": "positive2.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution", + "searchKey": 
"Resources.cloudfrontdistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion' should be TLSv1.2_x", + "actualValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion' is TLSv1.1_2016", + "issueType": "IncorrectValue", + "similarityID": "8a1490757c920bb2b66744d3ff7dfe00aa75352f9b63d1003e4cda95c06819d8", + "search_line": 11 }, { + "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 11, + "line": 55, "fileName": "positive2.json", - "queryName": "CloudFront Without Minimum Protocol TLS 1.2" + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution2", + "searchKey": "Resources.cloudfrontdistribution2.Properties.DistributionConfig", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution2.Properties.DistributionConfig.ViewerCertificate' should be defined", + "actualValue": "Resources.cloudfrontdistribution2.Properties.DistributionConfig.ViewerCertificate' is undefined", + "issueType": "MissingAttribute", + "similarityID": "f13d559840d5b469b0c6efcfb5719d4e53f0e590a8872b87035e54fabafad528", + "search_line": 55 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive_expected_result.json index ed9820e4c0b..94ea1594985 100644 --- a/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudfront_without_waf/test/positive_expected_result.json 
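Review bot: Every expectedValue/actualValue in this hunk carries a stray closing quote with no opening one, e.g. `…ViewerCertificate.MinimumProtocolVersion' should be TLSv1.2_x` and `…DistributionConfig.ViewerCertificate' is undefined`. Since this fixture is captured from scanner output, the unbalanced quote presumably originates in the query's message template, so regenerating the file as-is only freezes the typo into the test expectation. I would fix the template first (either quote both ends, `'Resources.….MinimumProtocolVersion' should be TLSv1.2_x`, as the CloudTrail fixtures further down do, or drop the quote) and regenerate this file. Note also that the two positive2.json entries swap places (line 11 now precedes line 55); that is only a sort-order change and harmless provided the fixture comparison is order-insensitive, which is worth confirming.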
@@ -3,24 +3,60 @@ "queryName": "CloudFront Without WAF", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution", + "searchKey": "Resources.cloudfrontdistribution.Properties.DistributionConfig", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId should be defined", + "actualValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId is undefined", + "issueType": "MissingAttribute", + "similarityID": "d127886b4eb55e1258450a7e88f668387f7c789a6127254c45528a65133c0d44", + "search_line": -1 }, { - "fileName": "positive2.json", "queryName": "CloudFront Without WAF", "severity": "MEDIUM", - "line": 13 + "line": 13, + "fileName": "positive2.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution", + "searchKey": "Resources.cloudfrontdistribution.Properties.DistributionConfig", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId should be defined", + "actualValue": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId is undefined", + "issueType": "MissingAttribute", + "similarityID": "70c0efe7b2b71380dfaa51c851d9c1608ff3fe875775956803ecee0be891db2b", + "search_line": -1 }, { - "fileName": "positive3.yaml", "queryName": "CloudFront Without WAF", "severity": "MEDIUM", - "line": 21 + "line": 21, + "fileName": "positive3.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution", + "searchKey": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId", + "searchValue": "", + "expectedValue": "Resources..Properties.DistributionConfig.WebACLId should be properly defined", + "actualValue": "Resources..Properties.DistributionConfig.WebACLId contains invalid value", + "issueType": 
"IncorrectValue", + "similarityID": "a30624ec18326f80a08cb8cdb6d1ac4bfa047d7541e564a0f921bcf13cffa452", + "search_line": -1 }, { - "fileName": "positive4.json", "queryName": "CloudFront Without WAF", "severity": "MEDIUM", - "line": 36 + "line": 36, + "fileName": "positive4.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution", + "searchKey": "Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId", + "searchValue": "", + "expectedValue": "Resources..Properties.DistributionConfig.WebACLId should be properly defined", + "actualValue": "Resources..Properties.DistributionConfig.WebACLId contains invalid value", + "issueType": "IncorrectValue", + "similarityID": "046e5496bc6b6e8bcc4b2910295bc09f1513b4646b116444a6815da56ae4f92e", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json index 0a532feff98..f360967a10b 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json 
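Review bot: The expectedValue/actualValue strings for positive3.yaml and positive4.json read `Resources..Properties.DistributionConfig.WebACLId …` — the resource name between the two dots is empty, while the searchKey on the same entries correctly reads `Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId`. Because these fixtures are captured from scanner output, this looks like the query's message template failing to interpolate the resource name rather than a hand typo here; committing it as the expected result locks the malformed message in and the file will have to be regenerated again once the template is fixed. I would correct the template so the message reads `Resources.cloudfrontdistribution.Properties.DistributionConfig.WebACLId should be properly defined` and regenerate before merging. The two MissingAttribute entries for positive1/positive2 agree with their searchKey and look fine.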
@@ -3,48 +3,120 @@ "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", "line": 62, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.EnableLogFileValidation' should exist", + "actualValue": "'Resources.myTrail.Properties.EnableLogFileValidation' is missing", + "issueType": "MissingAttribute", + "similarityID": "a65eb62561846f36db73c315c37aef47fd09e8c9cb53a188a2495073ce9bd69d", + "search_line": -1 }, { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", "line": 77, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail2", + "searchKey": "Resources.myTrail2.Properties.EnableLogFileValidation", + "searchValue": "", + "expectedValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' should be true", + "actualValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' is not true", + "issueType": "IncorrectValue", + "similarityID": "3f5463283cd3cf176b75a00df40369fa891252b112f4e2f9d2a681574efeb20f", + "search_line": -1 }, { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", "line": 87, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.EnableLogFileValidation' should exist", + "actualValue": "'Resources.myTrail.Properties.EnableLogFileValidation' is missing", + "issueType": "MissingAttribute", + "similarityID": "55daf7df0a900468fe064ec740b7dc1a89dfef7be499915f9a1b870bafb577ba", + "search_line": -1 }, { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", "line": 108, - "fileName": 
"positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail2", + "searchKey": "Resources.myTrail2.Properties.EnableLogFileValidation", + "searchValue": "", + "expectedValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' should be true", + "actualValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' is not true", + "issueType": "IncorrectValue", + "similarityID": "5c8658fbaa0486f4b46f03b5bc32b995b59a6f88057aa62cb332e678f1708076", + "search_line": -1 }, { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", "line": 62, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.EnableLogFileValidation' should exist", + "actualValue": "'Resources.myTrail.Properties.EnableLogFileValidation' is missing", + "issueType": "MissingAttribute", + "similarityID": "96569bc644135d9300e145c9344e4b07b257cc577e3d827c0c380421bf4a1142", + "search_line": -1 }, { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", "line": 77, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail2", + "searchKey": "Resources.myTrail2.Properties.EnableLogFileValidation", + "searchValue": "", + "expectedValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' should be true", + "actualValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' is not true", + "issueType": "IncorrectValue", + "similarityID": "f2acaf6944d1ba2ac68f667d7d7dbbed730d0a77940b44856d8f94bde2ca64c8", + "search_line": -1 }, { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", "line": 87, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::CloudTrail::Trail", + 
"resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.EnableLogFileValidation' should exist", + "actualValue": "'Resources.myTrail.Properties.EnableLogFileValidation' is missing", + "issueType": "MissingAttribute", + "similarityID": "d6f56b807f3d4e43bf6cae75bc1486adb8f555ac5826075a832f081ce7cb4a1a", + "search_line": -1 }, { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", "line": 108, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail2", + "searchKey": "Resources.myTrail2.Properties.EnableLogFileValidation", + "searchValue": "", + "expectedValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' should be true", + "actualValue": "'Resources.myTrail2.Properties.EnableLogFileValidation' is not true", + "issueType": "IncorrectValue", + "similarityID": "1df195d1ea8da1c86cd17b27a263f5828d5d35745ae8c867fdb379a4bacd62ae", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json index 0c9a19e668c..36a3264c91d 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "CloudTrail Log Files Not Encrypted With KMS", "severity": "LOW", "line": 62, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.KMSKeyId' should be defined and not null", + "actualValue": "'Resources.myTrail.Properties.KMSKeyId' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "37c4ba735af642506e39f3ca19a95b1020e36ce48e3f725e53599455f0ea5d9a", + "search_line": -1 }, { "queryName": "CloudTrail Log Files Not Encrypted With KMS", "severity": "LOW", "line": 53, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.KMSKeyId' should be defined and not null", + "actualValue": "'Resources.myTrail.Properties.KMSKeyId' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "3f69026eed54088cc49f3e94058203dd2393041b6de494140cd162e4dbb9a9c7", + "search_line": -1 }, { "queryName": "CloudTrail Log Files Not Encrypted With KMS", "severity": "LOW", "line": 6, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.KMSKeyId' should be defined and not null", + "actualValue": "'Resources.myTrail.Properties.KMSKeyId' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "f4e5adc36e27c35b04479a9467c75e21d38060eeec8faa4b4032b6235df7afe6", + "search_line": -1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/test/positive_expected_result.json index 989c8dbedb1..c1f2b8319cb 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "CloudTrail Logging Disabled", "severity": "MEDIUM", "line": 19, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail3", + "searchKey": "Resources.myTrail3.Properties.IsLogging", + "searchValue": "", + "expectedValue": "'Resources.myTrail3.Properties.IsLogging' should be true", + "actualValue": "'Resources.myTrail3.Properties.IsLogging' is false", + "issueType": "IncorrectValue", + "similarityID": "a44fc0032411840383ac80113f22f756fd23943ea0ecb8df495426e71cdf1a5c", + "search_line": -1 }, { "queryName": "CloudTrail Logging Disabled", "severity": "MEDIUM", "line": 34, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail4", + "searchKey": "Resources.myTrail4.Properties.IsLogging", + "searchValue": "", + "expectedValue": "'Resources.myTrail4.Properties.IsLogging' should be true", + "actualValue": "'Resources.myTrail4.Properties.IsLogging' is false", + "issueType": "IncorrectValue", + "similarityID": "8d54c3d684cff8f033cc1bb2ced177d916cc0385a9dc2b4ac0be16878458780b", + "search_line": -1 }, { "queryName": "CloudTrail Logging Disabled", "severity": "MEDIUM", "line": 25, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail5", + "searchKey": "Resources.myTrail5.Properties.IsLogging", + "searchValue": "", + "expectedValue": "'Resources.myTrail5.Properties.IsLogging' should be true", + "actualValue": "'Resources.myTrail5.Properties.IsLogging' is false", + "issueType": "IncorrectValue", + "similarityID": "75c3224d6543613f0fad8e55c7382f66bc45e37abfa3fab69deb2214a6fd7906", + "search_line": -1 }, { "queryName": "CloudTrail Logging Disabled", "severity": "MEDIUM", "line": 45, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail6", + 
"searchKey": "Resources.myTrail6.Properties.IsLogging", + "searchValue": "", + "expectedValue": "'Resources.myTrail6.Properties.IsLogging' should be true", + "actualValue": "'Resources.myTrail6.Properties.IsLogging' is false", + "issueType": "IncorrectValue", + "similarityID": "9e4bbd655f113775db68f7f3683373547a1bcbe59cac606fb33d1544ae24fd09", + "search_line": -1 }, { "queryName": "CloudTrail Logging Disabled", "severity": "MEDIUM", "line": 20, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties.IsLogging", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.IsLogging' should be true", + "actualValue": "'Resources.myTrail.Properties.IsLogging' is false", + "issueType": "IncorrectValue", + "similarityID": "4dcd5e79c2e4c82041e9c7f85464aab03799e51c23d1d75350033cdf39c9504b", + "search_line": -1 }, { "queryName": "CloudTrail Logging Disabled", "severity": "MEDIUM", "line": 25, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail5", + "searchKey": "Resources.myTrail5.Properties.IsLogging", + "searchValue": "", + "expectedValue": "'Resources.myTrail5.Properties.IsLogging' should be true", + "actualValue": "'Resources.myTrail5.Properties.IsLogging' is false", + "issueType": "IncorrectValue", + "similarityID": "158cbefc7c4a9283ac331234147ac749ca8527da6be0ea0d8b8089b48a79b245", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json index ed813dff05c..f09e7837aa5 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json 
+++ b/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json 
@@ -1,32 +1,77 @@ [ - { + { "queryName": "CloudTrail Multi Region Disabled", "severity": "LOW", "line": 70, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties.IsMultiRegionTrail", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.IsMultiRegionTrail' should be true", + "actualValue": "'Resources.myTrail.Properties.IsMultiRegionTrail' is not true", + "issueType": "IncorrectValue", + "similarityID": "604b589c8fec50af7e069363048af5dee36836731454b34d11dcaf4b506915d1", + "search_line": -1 }, { "queryName": "CloudTrail Multi Region Disabled", "severity": "LOW", "line": 76, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail2", + "searchKey": "Resources.myTrail2.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail2.Properties.IsMultiRegionTrail' should exist", + "actualValue": "'Resources.myTrail2.Properties.IsMultiRegionTrail' is missing", + "issueType": "MissingAttribute", + "similarityID": "b53c81198ee5335c1cb14e2396ed21020af2487c01510e6987d2f7f2e96ad2cb", + "search_line": -1 }, { "queryName": "CloudTrail Multi Region Disabled", "severity": "LOW", "line": 17, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties.IsMultiRegionTrail", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.IsMultiRegionTrail' should be true", + "actualValue": "'Resources.myTrail.Properties.IsMultiRegionTrail' is not true", + "issueType": "IncorrectValue", + "similarityID": "d97c73c12852a97f159c6b578f72fe3d9afe81efcc8e87963036c3bb77c1a1ad", + "search_line": -1 }, { "queryName": "CloudTrail Multi Region Disabled", "severity": "LOW", "line": 32, - "fileName": "positive2.json" + "fileName": 
"positive2.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail2", + "searchKey": "Resources.myTrail2.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail2.Properties.IsMultiRegionTrail' should exist", + "actualValue": "'Resources.myTrail2.Properties.IsMultiRegionTrail' is missing", + "issueType": "MissingAttribute", + "similarityID": "d1575c8987b6f97bb751de89ac13a141f1d345a689534b0c85f1931604113adc", + "search_line": -1 }, { "queryName": "CloudTrail Multi Region Disabled", "severity": "LOW", "line": 70, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties.IsMultiRegionTrail", + "searchValue": "", + "expectedValue": "'Resources.myTrail.Properties.IsMultiRegionTrail' should be true", + "actualValue": "'Resources.myTrail.Properties.IsMultiRegionTrail' is not true", + "issueType": "IncorrectValue", + "similarityID": "7d07be61b725f431f9744162a06e4c66676b8d8ad3cd403436b66ea84be143f5", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json index 309385fe204..fe8b944d8f7 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json 
@@ -1,50 +1,122 @@ [ { + "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", "line": 62, "fileName": "positive1.yaml", - "queryName": "CloudTrail Not Integrated With CloudWatch" + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "CloudWatchLogsLogGroupArn", + "expectedValue": "'Resources.myTrail.Properties.CloudWatchLogsLogGroupArn' should be declared", + "actualValue": "'Resources.myTrail.Properties.CloudWatchLogsLogGroupArn' is not declared", + "issueType": "MissingAttribute", + "similarityID": "aca63cdd64f5b741097c7fab316696f2c3d819a529c0ead0f0d92f02c53135c2", + "search_line": 62 }, { + "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", "line": 62, "fileName": "positive1.yaml", - "queryName": "CloudTrail Not Integrated With CloudWatch" + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "CloudWatchLogsRoleArn", + "expectedValue": "'Resources.myTrail.Properties.CloudWatchLogsRoleArn' should be declared", + "actualValue": "'Resources.myTrail.Properties.CloudWatchLogsRoleArn' is not declared", + "issueType": "MissingAttribute", + "similarityID": "cf28f17f20e3d0bffa92e83502e21af6cbc5cdcc632ff2e68b9cce46f69951ec", + "search_line": 62 }, { + "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", "line": 62, "fileName": "positive2.yaml", - "queryName": "CloudTrail Not Integrated With CloudWatch" + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail2", + "searchKey": "Resources.myTrail2.Properties", + "searchValue": "CloudWatchLogsLogGroupArn", + "expectedValue": "'Resources.myTrail2.Properties.CloudWatchLogsLogGroupArn' should be declared", + "actualValue": "'Resources.myTrail2.Properties.CloudWatchLogsLogGroupArn' is not declared", + "issueType": "MissingAttribute", + "similarityID": 
"26b49d474eb1c2fbefe509298df1aeb2e27bc3738320e37f77acbe1418efd9b0", + "search_line": 62 }, { + "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", "line": 62, "fileName": "positive3.yaml", - "queryName": "CloudTrail Not Integrated With CloudWatch" + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail3", + "searchKey": "Resources.myTrail3.Properties", + "searchValue": "CloudWatchLogsRoleArn", + "expectedValue": "'Resources.myTrail3.Properties.CloudWatchLogsRoleArn' should be declared", + "actualValue": "'Resources.myTrail3.Properties.CloudWatchLogsRoleArn' is not declared", + "issueType": "MissingAttribute", + "similarityID": "da44e628cf71389409a79b64cc5144334e86d212db63a37d260c9c8a0599073e", + "search_line": 62 }, { "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", "line": 82, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "CloudWatchLogsLogGroupArn", + "expectedValue": "'Resources.myTrail.Properties.CloudWatchLogsLogGroupArn' should be declared", + "actualValue": "'Resources.myTrail.Properties.CloudWatchLogsLogGroupArn' is not declared", + "issueType": "MissingAttribute", + "similarityID": "5c5b2cc97dc138461e4c7f28a0cbdd343a3cc74057d36b56969f39bd123f8ebb", + "search_line": 82 }, { "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", "line": 82, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "CloudWatchLogsRoleArn", + "expectedValue": "'Resources.myTrail.Properties.CloudWatchLogsRoleArn' should be declared", + "actualValue": "'Resources.myTrail.Properties.CloudWatchLogsRoleArn' is not declared", + "issueType": "MissingAttribute", + "similarityID": 
"f3eeaeb5642faf2a306ffba407da1ff4c891342000602bda870893def0f93e8b", + "search_line": 82 }, { "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", "line": 82, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "CloudWatchLogsLogGroupArn", + "expectedValue": "'Resources.myTrail.Properties.CloudWatchLogsLogGroupArn' should be declared", + "actualValue": "'Resources.myTrail.Properties.CloudWatchLogsLogGroupArn' is not declared", + "issueType": "MissingAttribute", + "similarityID": "e640acb79684bbb6cff66e6340c8e4a814e3df126792362104a091d21f3feb33", + "search_line": 82 }, { "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", "line": 82, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail", + "searchKey": "Resources.myTrail.Properties", + "searchValue": "CloudWatchLogsRoleArn", + "expectedValue": "'Resources.myTrail.Properties.CloudWatchLogsRoleArn' should be declared", + "actualValue": "'Resources.myTrail.Properties.CloudWatchLogsRoleArn' is not declared", + "issueType": "MissingAttribute", + "similarityID": "086f6e794b3b258ec012fd73a5ecf60448ef9ed0ea9f2e15b8bf1193b1f12b5e", + "search_line": 82 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json index c7914b58792..f820bee8384 100644 --- a/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "CloudTrail SNS Topic Name Undefined", "severity": "LOW", "line": 12, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail3", + "searchKey": "Resources.myTrail3.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail3.Properties.SnsTopicName' should be set", + "actualValue": "'Resources.myTrail3.Properties.SnsTopicName' is undefined", + "issueType": "MissingAttribute", + "similarityID": "24da60e19b14247b32472ef98935749ff1d264ede98af7d87b47e1fe5de8bb26", + "search_line": -1 }, { "queryName": "CloudTrail SNS Topic Name Undefined", "severity": "LOW", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail4", + "searchKey": "Resources.myTrail4.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail4.Properties.SnsTopicName' should be set", + "actualValue": "'Resources.myTrail4.Properties.SnsTopicName' is undefined", + "issueType": "MissingAttribute", + "similarityID": "2b56ba9209bdc63569afb5ad3c9c7d82a21ce108b73c01f352c226f9726f0712", + "search_line": -1 }, { + "queryName": "CloudTrail SNS Topic Name Undefined", + "severity": "LOW", "line": 9, "fileName": "positive2.json", - "queryName": "CloudTrail SNS Topic Name Undefined", - "severity": "LOW" + "resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail5", + "searchKey": "Resources.myTrail5.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail5.Properties.SnsTopicName' should be set", + "actualValue": "'Resources.myTrail5.Properties.SnsTopicName' is undefined", + "issueType": "MissingAttribute", + "similarityID": "5f5e08c0ebd642d38c4562f6b0acd480046a1a24a68b41a8a8db85518cf4e686", + "search_line": -1 }, { "queryName": "CloudTrail SNS Topic Name Undefined", "severity": "LOW", "line": 23, - "fileName": "positive2.json" + "fileName": "positive2.json", + 
"resourceType": "AWS::CloudTrail::Trail", + "resourceName": "myTrail6", + "searchKey": "Resources.myTrail6.Properties", + "searchValue": "", + "expectedValue": "'Resources.myTrail6.Properties.SnsTopicName' should be set", + "actualValue": "'Resources.myTrail6.Properties.SnsTopicName' is undefined", + "issueType": "MissingAttribute", + "similarityID": "4c0a28a5ca8688cab5da72c0a6ee3477fe1adc7fe2ff48eef5609244d94f36a2", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/test/positive_expected_result.json index 372d5fa2709..f452ce2a9a9 100644 --- a/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled/test/positive_expected_result.json 
@@ -1,14 +1,32 @@
 [
 {
+ "queryName": "CloudWatch Logging Disabled",
 "severity": "MEDIUM",
 "line": 6,
 "fileName": "positive1.yaml",
- "queryName": "CloudWatch Logging Disabled"
+ "resourceType": "AWS::Route53::HostedZone",
+ "resourceName": "HostedZone",
+ "searchKey": "Resources.HostedZone3.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.HostedZone3.QueryLoggingConfig should be set",
+ "actualValue": "Resources.HostedZone3.QueryLoggingConfig is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "15dfdcb3e8b652adb036919f01182b149c8ba1c08d2d50c3cb22dc423b6c68c3",
+ "search_line": -1
 },
 {
 "queryName": "CloudWatch Logging Disabled",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::Route53::HostedZone",
+ "resourceName": "HostedZone",
+ "searchKey": "Resources.HostedZone4.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.HostedZone4.QueryLoggingConfig should be set",
+ "actualValue": "Resources.HostedZone4.QueryLoggingConfig is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "6f3f2491e00b0327db73eed9cf14eb157789fea3e9ce6b64fb3f805ae61006d9",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json
index d67127722ba..9e774d057bb 100644
--- a/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json
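Review bot: Both entries pin `"resourceName": "HostedZone"` while their `searchKey` values point at `Resources.HostedZone3.Properties` and `Resources.HostedZone4.Properties`, so the resource name in this baseline does not identify which hosted zone was flagged. That may simply be a shared Name property in the two test templates, in which case it is fine; if it is the query falling back to a default label, the regenerated fixture is now locking that fallback in. Worth confirming against positive1.yaml and positive2.json before accepting the new baseline.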
@@ -3,48 +3,120 @@ "queryName": "CloudWatch Metrics Disabled", "severity": "MEDIUM", "line": 18, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.MethodSettings", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings[0].MetricsEnabled should be set to true", + "actualValue": "Resources.Prod.Properties.MethodSettings[0].MetricsEnabled is set to false", + "issueType": "MissingAttribute", + "similarityID": "87eb63a2d27c65d5ad5ecbb1afc24476777590f284b2b853bc6ce9d6fbcd564f", + "search_line": 18 }, { "queryName": "CloudWatch Metrics Disabled", "severity": "MEDIUM", "line": 20, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.MethodSettings", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled should be set to true", + "actualValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled is undefined", + "issueType": "MissingAttribute", + "similarityID": "0cd65bd2b8d7ebf36a4c91a99188a5c4e438382e297dec89ca42d72be04c9262", + "search_line": 20 }, { "queryName": "CloudWatch Metrics Disabled", "severity": "MEDIUM", "line": 25, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.MethodSettings", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings[0].MetricsEnabled should be set to true", + "actualValue": "Resources.Prod.Properties.MethodSettings[0].MetricsEnabled is undefined", + "issueType": "MissingAttribute", + "similarityID": "3d14c6ea2dc74f33490e40b2ffb8eab2ff9eb88159088f6fcdd518e970be8136", + "search_line": 25 }, { "queryName": "CloudWatch Metrics Disabled", "severity": "MEDIUM", "line": 32, - 
"fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.MethodSettings", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled should be set to true", + "actualValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled is set to false", + "issueType": "MissingAttribute", + "similarityID": "2ab275464a417b6435933ea581292c7175c17721ab323cafec93b9a44e8589a0", + "search_line": 32 }, { "queryName": "CloudWatch Metrics Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings should be defined", + "actualValue": "Resources.Prod.Properties.MethodSettings is undefined", + "issueType": "MissingAttribute", + "similarityID": "cd007a3238ff73d9667da08bd0b1c46132fe5962e8e10e0b6c2ec76101233989", + "search_line": 6 }, { "queryName": "CloudWatch Metrics Disabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings should be defined", + "actualValue": "Resources.Prod.Properties.MethodSettings is undefined", + "issueType": "MissingAttribute", + "similarityID": "d17c0af5991bd7e3959fab3378f2757d582ab19933e1e4b09e9cdd867c721cf4", + "search_line": 5 }, { "queryName": "CloudWatch Metrics Disabled", "severity": "MEDIUM", "line": 18, - "fileName": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.MethodSettings", + "searchValue": "", + 
"expectedValue": "Resources.Prod.Properties.MethodSettings[0].MetricsEnabled should be set to true", + "actualValue": "Resources.Prod.Properties.MethodSettings[0].MetricsEnabled is set to false", + "issueType": "MissingAttribute", + "similarityID": "a3d42e4a20b571a04f12170637e33a9c9bae2de431a73631d92e1da8e2b97314", + "search_line": 18 }, { "queryName": "CloudWatch Metrics Disabled", "severity": "MEDIUM", "line": 20, - "fileName": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "AWS::ApiGateway::Stage", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.MethodSettings", + "searchValue": "", + "expectedValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled should be set to true", + "actualValue": "Resources.Prod.Properties.MethodSettings[1].MetricsEnabled is undefined", + "issueType": "MissingAttribute", + "similarityID": "eb556a14fc0e356e47cf5a3509b1994e45125031e8607f7627509833f499909c", + "search_line": 20 } ] diff --git a/assets/queries/cloudFormation/aws/cmk_is_unusable/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cmk_is_unusable/test/positive_expected_result.json index d1b3cd303b5..05959835c8c 100644 --- a/assets/queries/cloudFormation/aws/cmk_is_unusable/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cmk_is_unusable/test/positive_expected_result.json 
@@ -3,30 +3,75 @@ "queryName": "CMK Is Unusable", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey", + "searchKey": "Resources.myKey.Properties.Enabled", + "searchValue": "", + "expectedValue": "'Resources.myKey.Properties.Enabled' should be true", + "actualValue": "'Resources.myKey.Properties.Enabled' is false", + "issueType": "IncorrectValue", + "similarityID": "e4c2911840d84a62fffd169cd18879c5fec283229ed004f7b12386bdf562bd49", + "search_line": -1 }, { "queryName": "CMK Is Unusable", "severity": "MEDIUM", "line": 30, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey2", + "searchKey": "Resources.myKey2.Properties.PendingWindowInDays", + "searchValue": "", + "expectedValue": "'Resources.myKey2.Properties.PendingWindowInDays' should be undefined", + "actualValue": "'Resources.myKey2.Properties.PendingWindowInDays' is defined", + "issueType": "IncorrectValue", + "similarityID": "03017fd7380110ecd6b56f494a8b79b132d773b04826103c0f7f87eded35736a", + "search_line": -1 }, { "queryName": "CMK Is Unusable", "severity": "MEDIUM", "line": 6, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey", + "searchKey": "Resources.myKey.Properties.Enabled", + "searchValue": "", + "expectedValue": "'Resources.myKey.Properties.Enabled' should be true", + "actualValue": "'Resources.myKey.Properties.Enabled' is false", + "issueType": "IncorrectValue", + "similarityID": "e3a05f236d26eb9b1c5d5d845058fd662d1daed3512f3da5383cbc890e152a6b", + "search_line": -1 }, { "queryName": "CMK Is Unusable", "severity": "MEDIUM", "line": 59, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey2", + "searchKey": "Resources.myKey2.Properties.PendingWindowInDays", + "searchValue": "", + 
"expectedValue": "'Resources.myKey2.Properties.PendingWindowInDays' should be undefined", + "actualValue": "'Resources.myKey2.Properties.PendingWindowInDays' is defined", + "issueType": "IncorrectValue", + "similarityID": "d262782549487107105f27928b918e942cf869ee1f1cec666a7cf0fee937098a", + "search_line": -1 }, { "queryName": "CMK Is Unusable", "severity": "MEDIUM", "line": 5, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey", + "searchKey": "Resources.myKey.Properties.Enabled", + "searchValue": "", + "expectedValue": "'Resources.myKey.Properties.Enabled' should be true", + "actualValue": "'Resources.myKey.Properties.Enabled' is false", + "issueType": "IncorrectValue", + "similarityID": "7a02bd5629600fd9e987c14b6502fe4ae750a0535fe1960b59958cc86b31a85e", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/cmk_rotation_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cmk_rotation_disabled/test/positive_expected_result.json index 5ebce8e3f8f..7e01a991b2d 100644 --- a/assets/queries/cloudFormation/aws/cmk_rotation_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cmk_rotation_disabled/test/positive_expected_result.json 
@@ -3,30 +3,75 @@ "queryName": "CMK Rotation Disabled", "severity": "LOW", "line": 5, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey", + "searchKey": "Resources.myKey.Properties", + "searchValue": "", + "expectedValue": "'Resources.myKey.Properties.EnableKeyRotation' should be defined and not null", + "actualValue": "'Resources.myKey.Properties.EnableKeyRotation' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "1ddda8eb0f95b12ad879fe4319fbaf43dd408c8034ec467a04c5928489ea91ef", + "search_line": -1 }, { "queryName": "CMK Rotation Disabled", "severity": "LOW", "line": 31, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey2", + "searchKey": "Resources.myKey2.Properties.EnableKeyRotation", + "searchValue": "", + "expectedValue": "'Resources.myKey2.Properties.EnableKeyRotation' should be true", + "actualValue": "'Resources.myKey2.Properties.EnableKeyRotation' is false", + "issueType": "IncorrectValue", + "similarityID": "63a2db6139961fa79a93b0ea6f9197144c9205ddb51bdd62f285a9b7de1edfec", + "search_line": -1 }, { "queryName": "CMK Rotation Disabled", "severity": "LOW", "line": 5, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey", + "searchKey": "Resources.myKey.Properties", + "searchValue": "", + "expectedValue": "'Resources.myKey.Properties.EnableKeyRotation' should be defined and not null", + "actualValue": "'Resources.myKey.Properties.EnableKeyRotation' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "1ad799e06a57eb11ed33a30375d1466506a78e814bd1d36d9fef3b6b58ae5044", + "search_line": -1 }, { "queryName": "CMK Rotation Disabled", "severity": "LOW", "line": 49, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey2", + "searchKey": 
"Resources.myKey2.Properties.EnableKeyRotation", + "searchValue": "", + "expectedValue": "'Resources.myKey2.Properties.EnableKeyRotation' should be true", + "actualValue": "'Resources.myKey2.Properties.EnableKeyRotation' is false", + "issueType": "IncorrectValue", + "similarityID": "f9fe3f842c101b1fde77c6a7eb85647a35e810e5b86de52a1e3c18abd4e07953", + "search_line": -1 }, { "queryName": "CMK Rotation Disabled", "severity": "LOW", "line": 7, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::KMS::Key", + "resourceName": "myKey2", + "searchKey": "Resources.myKey2.Properties.EnableKeyRotation", + "searchValue": "", + "expectedValue": "'Resources.myKey2.Properties.EnableKeyRotation' should be true", + "actualValue": "'Resources.myKey2.Properties.EnableKeyRotation' is false", + "issueType": "IncorrectValue", + "similarityID": "1d7a62cae8a8fa6eb498d75bc587bd496f1d780b0a1d7fc1303a31adfce04832", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/test/positive_expected_result.json index 33a0d16b773..197b2d41a94 100644 --- a/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cmk_unencrypted_storage/test/positive_expected_result.json 
@@ -3,48 +3,120 @@ "queryName": "CMK Unencrypted Storage", "severity": "HIGH", "line": 54, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB.Properties", + "searchValue": "", + "expectedValue": "Resources.MyDB.Properties.StorageEncrypted should be defined", + "actualValue": "Resources.MyDB.Properties.StorageEncrypted is undefined", + "issueType": "MissingAttribute", + "similarityID": "4a5cda582ba6f2a6dc02b69b54632b31ec7e4b953f8ccf0a0b2816bdd83aa388", + "search_line": -1 }, { "queryName": "CMK Unencrypted Storage", "severity": "HIGH", "line": 24, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster1", + "searchKey": "Resources.RDSCluster1.Properties", + "searchValue": "", + "expectedValue": "Resources.RDSCluster1.Properties.StorageEncrypted should be defined", + "actualValue": "Resources.RDSCluster1.Properties.StorageEncrypted is undefined", + "issueType": "MissingAttribute", + "similarityID": "91bcf3e8cb9a5e951f73a1bef43deddfec547b8a69eafebf52220eecaa27cad7", + "search_line": -1 }, { + "queryName": "CMK Unencrypted Storage", "severity": "HIGH", "line": 36, "fileName": "positive3.yaml", - "queryName": "CMK Unencrypted Storage" + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster-2", + "searchKey": "Resources.RDSCluster-2.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.RDSCluster-2.Properties.StorageEncrypted should be true", + "actualValue": "Resources.RDSCluster-2.Properties.StorageEncrypted is false", + "issueType": "IncorrectValue", + "similarityID": "1f655630315371c421209a25d53676326067a74f9d55c5dd720a6e9bcd2e865d", + "search_line": -1 }, { + "queryName": "CMK Unencrypted Storage", "severity": "HIGH", "line": 58, "fileName": "positive4.json", - "queryName": "CMK Unencrypted Storage" + "resourceType": 
"AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB.Properties", + "searchValue": "", + "expectedValue": "Resources.MyDB.Properties.StorageEncrypted should be defined", + "actualValue": "Resources.MyDB.Properties.StorageEncrypted is undefined", + "issueType": "MissingAttribute", + "similarityID": "c1a4044746fabec20be1c73a64b7866bc8deab45e671f8c005a27456906bc1e5", + "search_line": -1 }, { "queryName": "CMK Unencrypted Storage", "severity": "HIGH", "line": 25, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster1", + "searchKey": "Resources.RDSCluster1.Properties", + "searchValue": "", + "expectedValue": "Resources.RDSCluster1.Properties.StorageEncrypted should be defined", + "actualValue": "Resources.RDSCluster1.Properties.StorageEncrypted is undefined", + "issueType": "MissingAttribute", + "similarityID": "403c2cd42a393c0d95f4c2fe96c20e1c5cd418fa93feca8d5f0bac42aee28145", + "search_line": -1 }, { - "fileName": "positive6.json", "queryName": "CMK Unencrypted Storage", "severity": "HIGH", - "line": 37 + "line": 37, + "fileName": "positive6.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster-2", + "searchKey": "Resources.RDSCluster-2.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.RDSCluster-2.Properties.StorageEncrypted should be true", + "actualValue": "Resources.RDSCluster-2.Properties.StorageEncrypted is false", + "issueType": "IncorrectValue", + "similarityID": "ff9e84303b208090be01e89107037f26b5f486a90e7f61dbf9fee49b2b0b38ad", + "search_line": -1 }, { - "fileName": "positive7.yaml", "queryName": "CMK Unencrypted Storage", "severity": "HIGH", - "line": 4 + "line": 4, + "fileName": "positive7.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.myCluster.Properties.Encrypted 
should be defined", + "actualValue": "Resources.myCluster.Properties.Encrypted is undefined", + "issueType": "MissingAttribute", + "similarityID": "f3db8b4f8a2515e3b0b11966da7bd81411871b8a0f5c3d260e14a7e72411f6f9", + "search_line": -1 }, { - "fileName": "positive8.json", "queryName": "CMK Unencrypted Storage", "severity": "HIGH", - "line": 5 + "line": 5, + "fileName": "positive8.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.myCluster.Properties.Encrypted should be defined", + "actualValue": "Resources.myCluster.Properties.Encrypted is undefined", + "issueType": "MissingAttribute", + "similarityID": "88aa2fb74f839accc1fde0229559534b68635fe8a6a0c8c4f31a7cef26d281c5", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/codebuild_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/codebuild_not_encrypted/test/positive_expected_result.json index 7c93149d589..8b2ce07f03d 100644 --- a/assets/queries/cloudFormation/aws/codebuild_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/codebuild_not_encrypted/test/positive_expected_result.json 
@@ -1,14 +1,32 @@
 [
 {
+ "queryName": "CodeBuild Not Encrypted",
 "severity": "MEDIUM",
 "line": 7,
 "fileName": "positive1.yaml",
- "queryName": "CodeBuild Not Encrypted"
+ "resourceType": "AWS::CodeBuild::Project",
+ "resourceName": "CodeBuildProject",
+ "searchKey": "Resources.CodeBuildProject.Project.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.CodeBuildProject.Project.Properties.EncryptionKey' should be defined and not null",
+ "actualValue": "Resources.CodeBuildProject.Project.Properties.EncryptionKey' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "53ab299493b2c5e53efe91e5e3e5f627c5046cc76356e9ff6a442cbaeba6a9a8",
+ "search_line": -1
 },
 {
 "queryName": "CodeBuild Not Encrypted",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::CodeBuild::Project",
+ "resourceName": "CodeBuildProject",
+ "searchKey": "Resources.CodeBuildProject.Project.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.CodeBuildProject.Project.Properties.EncryptionKey' should be defined and not null",
+ "actualValue": "Resources.CodeBuildProject.Project.Properties.EncryptionKey' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "85df0516b1df55f01f25a37351c9123be80a3cd0674db0c97d9b05a167a6091a",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/test/positive_expected_result.json
index ae5f99ba86a..c581a44fa2c 100644
--- a/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa/test/positive_expected_result.json
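Review bot: The `expectedValue` and `actualValue` strings added for both entries carry an unbalanced quote — `Resources.CodeBuildProject.Project.Properties.EncryptionKey' should be defined and not null` closes a `'` that was never opened — so this regenerated baseline now locks a malformed query message into the test. Since the file is produced from scan output, the fix belongs in the query's message formatting, followed by a regeneration of this fixture, not a hand edit here. The `.Project.` segment in `"searchKey": "Resources.CodeBuildProject.Project.Properties"` also does not look like a CloudFormation resource path and is probably worth checking against positive1.yaml before the baseline is accepted.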
@@ -2,25 +2,61 @@ { "queryName": "Cognito UserPool Without MFA", "severity": "LOW", - "line": 14, - "fileName": "positive1.yaml" + "line": 8, + "fileName": "positive1.yaml", + "resourceType": "AWS::Cognito::UserPool", + "resourceName": "${AuthName}-user-pool", + "searchKey": "Resources.UserPool2.Properties.MfaConfiguration", + "searchValue": "", + "expectedValue": "Resources.UserPool2.Properties.MfaConfiguration should be set to ON or OPTIONAL", + "actualValue": "Resources.UserPool2.Properties.MfaConfiguration is set to OFF", + "issueType": "IncorrectValue", + "similarityID": "44e97632695c346a18c35e8d3b438f7ed30c4eaf80d08d2d3bfa353c937ea057", + "search_line": -1 }, { "queryName": "Cognito UserPool Without MFA", "severity": "LOW", - "line": 8, - "fileName": "positive1.yaml" + "line": 14, + "fileName": "positive1.yaml", + "resourceType": "AWS::Cognito::UserPool", + "resourceName": "${AuthName}-user-pool", + "searchKey": "Resources.UserPool4.Properties", + "searchValue": "", + "expectedValue": "Resources.UserPool4.Properties.MfaConfiguration should be set", + "actualValue": "Resources.UserPool4.Properties.MfaConfiguration is undefined", + "issueType": "MissingAttribute", + "similarityID": "8334313a4b0b2f22ee127e005ed36951dc84134cd5fef95dac77e53b28622862", + "search_line": -1 }, { "queryName": "Cognito UserPool Without MFA", "severity": "LOW", - "line": 19, - "fileName": "positive2.json" + "line": 10, + "fileName": "positive2.json", + "resourceType": "AWS::Cognito::UserPool", + "resourceName": "${AuthName}-user-pool", + "searchKey": "Resources.UserPool2.Properties.MfaConfiguration", + "searchValue": "", + "expectedValue": "Resources.UserPool2.Properties.MfaConfiguration should be set to ON or OPTIONAL", + "actualValue": "Resources.UserPool2.Properties.MfaConfiguration is set to OFF", + "issueType": "IncorrectValue", + "similarityID": "194a8048aac84a3c7546b61246413c2ddbbf5ff7656a69242890b8cbd410c245", + "search_line": -1 }, { + "queryName": "Cognito UserPool Without 
MFA", "severity": "LOW", - "line": 10, + "line": 19, "fileName": "positive2.json", - "queryName": "Cognito UserPool Without MFA" + "resourceType": "AWS::Cognito::UserPool", + "resourceName": "${AuthName}-user-pool", + "searchKey": "Resources.UserPool4.Properties", + "searchValue": "", + "expectedValue": "Resources.UserPool4.Properties.MfaConfiguration should be set", + "actualValue": "Resources.UserPool4.Properties.MfaConfiguration is undefined", + "issueType": "MissingAttribute", + "similarityID": "259f290f5a591da6aa61605b163fa7a742737ef9a555bec4858c6f9a02f456ce", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json index b59fb53e28f..c104fdc6e1d 100644 --- a/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json 
@@ -3,54 +3,135 @@ "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", "line": 10, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Config::ConfigurationAggregator", + "resourceName": "ConfigurationAggregator1", + "searchKey": "Resources.ConfigurationAggregator1.Properties.AccountAggregationSources", + "searchValue": "", + "expectedValue": "'Resources.ConfigurationAggregator1.Properties.AccountAggregationSources' have all configurations with AllAwsRegions", + "actualValue": "'Resources.ConfigurationAggregator1.Properties.AccountAggregationSources' has a configuration without AllAwsRegions", + "issueType": "MissingAttribute", + "similarityID": "12e5a137ee3040a562af2edd76ea25f19ec9959100d8f0f2e727c0cf12ab0802", + "search_line": -1 }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", "line": 21, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Config::ConfigurationAggregator", + "resourceName": "ConfigurationAggregator2", + "searchKey": "Resources.ConfigurationAggregator2.Properties.AccountAggregationSources", + "searchValue": "", + "expectedValue": "'Resources.ConfigurationAggregator2.Properties.AccountAggregationSources' have all configurations with AllAwsRegions set to true", + "actualValue": "'Resources.ConfigurationAggregator2.Properties.AccountAggregationSources' has a configuration with AllAwsRegions set to false", + "issueType": "IncorrectValue", + "similarityID": "bd2f99f723b638829fc79fa03bba8bf30a754778a54f295f2902e933e1719fcf", + "search_line": -1 }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", "line": 33, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Config::ConfigurationAggregator", + "resourceName": "MyConfigurationAggregator", + "searchKey": "Resources.ConfigurationAggregator3.Properties.OrganizationAggregationSource", + 
"searchValue": "", + "expectedValue": "'Resources.ConfigurationAggregator3.Properties.OrganizationAggregationSource.AllAwsRegions' should be set", + "actualValue": "'Resources.ConfigurationAggregator3.Properties.OrganizationAggregationSource.AllAwsRegions' is undefined", + "issueType": "MissingAttribute", + "similarityID": "a3d5600d887a1a857e3e562baedfa7b643e4142201f8514c356785780f52a43b", + "search_line": -1 }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", "line": 49, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Config::ConfigurationAggregator", + "resourceName": "MyConfigurationAggregator", + "searchKey": "Resources.ConfigurationAggregator4.Properties.OrganizationAggregationSource.AllAwsRegions", + "searchValue": "", + "expectedValue": "'Resources.ConfigurationAggregator4.Properties.OrganizationAggregationSource.AllAwsRegions' is true", + "actualValue": "'Resources.ConfigurationAggregator4.Properties.OrganizationAggregationSource.AllAwsRegions' is false", + "issueType": "IncorrectValue", + "similarityID": "89445fc12edae2316c53fbf9d6ddc3cbec9fbe864bd6bd679f55186baa4c056b", + "search_line": -1 }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", "line": 6, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::Config::ConfigurationAggregator", + "resourceName": "MyConfigurationAggregator", + "searchKey": "Resources.ConfigurationAggregator5.Properties.AccountAggregationSources", + "searchValue": "", + "expectedValue": "'Resources.ConfigurationAggregator5.Properties.AccountAggregationSources' have all configurations with AllAwsRegions", + "actualValue": "'Resources.ConfigurationAggregator5.Properties.AccountAggregationSources' has a configuration without AllAwsRegions", + "issueType": "MissingAttribute", + "similarityID": "1e281756019672cf57db1c5a749a36fd0928fe3941b7397688aea13d14ed3668", + "search_line": -1 }, { 
"queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", "line": 24, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::Config::ConfigurationAggregator", + "resourceName": "MyConfigurationAggregator", + "searchKey": "Resources.ConfigurationAggregator6.Properties.AccountAggregationSources", + "searchValue": "", + "expectedValue": "'Resources.ConfigurationAggregator6.Properties.AccountAggregationSources' have all configurations with AllAwsRegions set to true", + "actualValue": "'Resources.ConfigurationAggregator6.Properties.AccountAggregationSources' has a configuration with AllAwsRegions set to false", + "issueType": "IncorrectValue", + "similarityID": "02e83ab8f7a9672777d2331c3246d83b285bbac9bb2bb56ccef32feca7f7060e", + "search_line": -1 }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", "line": 43, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::Config::ConfigurationAggregator", + "resourceName": "MyConfigurationAggregator", + "searchKey": "Resources.ConfigurationAggregator7.Properties.OrganizationAggregationSource", + "searchValue": "", + "expectedValue": "'Resources.ConfigurationAggregator7.Properties.OrganizationAggregationSource.AllAwsRegions' should be set", + "actualValue": "'Resources.ConfigurationAggregator7.Properties.OrganizationAggregationSource.AllAwsRegions' is undefined", + "issueType": "MissingAttribute", + "similarityID": "770780fbe8698290a6fcc78b85fcc2181a3f391d1acb3591b5c812824ef05dd4", + "search_line": -1 }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", "line": 62, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::Config::ConfigurationAggregator", + "resourceName": "MyConfigurationAggregator", + "searchKey": "Resources.ConfigurationAggregator8.Properties.OrganizationAggregationSource.AllAwsRegions", + "searchValue": "", + 
"expectedValue": "'Resources.ConfigurationAggregator8.Properties.OrganizationAggregationSource.AllAwsRegions' is true", + "actualValue": "'Resources.ConfigurationAggregator8.Properties.OrganizationAggregationSource.AllAwsRegions' is false", + "issueType": "IncorrectValue", + "similarityID": "c2b4c3c2c6200887a66c987a7200b1f12e17dfaea51a099ff9bfe37f433e3088", + "search_line": -1 }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", "line": 10, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::Config::ConfigurationAggregator", + "resourceName": "ConfigurationAggregator2", + "searchKey": "Resources.ConfigurationAggregator2.Properties.AccountAggregationSources", + "searchValue": "", + "expectedValue": "'Resources.ConfigurationAggregator2.Properties.AccountAggregationSources' have all configurations with AllAwsRegions set to true", + "actualValue": "'Resources.ConfigurationAggregator2.Properties.AccountAggregationSources' has a configuration with AllAwsRegions set to false", + "issueType": "IncorrectValue", + "similarityID": "bd1db9ba2424a35ac59c05700d047641f4485c5228774c52ad3063f9d883db3a", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/test/positive_expected_result.json index 695b9f2ccc9..19fb305c053 100644 --- a/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled/test/positive_expected_result.json 
@@ -3,12 +3,30 @@
 "queryName": "Config Rule For Encrypted Volumes Disabled",
 "severity": "HIGH",
 "line": 2,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::Config::ConfigRule",
+ "resourceName": "access-keys-rotated",
+ "searchKey": "Resources.ConfigRule",
+ "searchValue": "",
+ "expectedValue": "There should be a ConfigRule for encrypted volumes.",
+ "actualValue": "There isn't a ConfigRule for encrypted volumes.",
+ "issueType": "MissingAttribute",
+ "similarityID": "a582c15be132ccb867ec17d4062c572345e37b6d39058b5830c9f76e4fe28f05",
+ "search_line": -1
 },
 {
- "fileName": "positive2.json",
 "queryName": "Config Rule For Encrypted Volumes Disabled",
 "severity": "HIGH",
- "line": 3
+ "line": 3,
+ "fileName": "positive2.json",
+ "resourceType": "AWS::Config::ConfigRule",
+ "resourceName": "access-keys-rotated",
+ "searchKey": "Resources.ConfigRule",
+ "searchValue": "",
+ "expectedValue": "There should be a ConfigRule for encrypted volumes.",
+ "actualValue": "There isn't a ConfigRule for encrypted volumes.",
+ "issueType": "MissingAttribute",
+ "similarityID": "12caece8a1ab0e7d3abf1957569a5e7cc69c895197c8547b8ff244258202ef2d",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/test/positive_expected_result.json
index acd66f251b2..e04ad4f18cc 100644
--- a/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted/test/positive_expected_result.json
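Review bot: Both new entries attribute a template-wide finding ("There isn't a ConfigRule for encrypted volumes.") to an unrelated resource, `"resourceName": "access-keys-rotated"` with `"searchKey": "Resources.ConfigRule"`, which is what a user triaging the report will see as the offending resource. The expected-result file only pins whatever the query emits, so the fix belongs in the query's result metadata (presumably its `resourceName`/`searchKey` fields, not visible in this diff) before this fixture is regenerated; if the attribution is intentional, a short comment in the query or test README saying the finding is anchored to the first ConfigRule because the template lacks one for encrypted volumes would save the next reader from reading this as a wrong-resource bug.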
@@ -1,26 +1,62 @@ [ { + "queryName": "Connection Between CloudFront Origin Not Encrypted", + "severity": "MEDIUM", "line": 13, "fileName": "positive1.yaml", - "queryName": "Connection Between CloudFront Origin Not Encrypted", - "severity": "MEDIUM" + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution_1", + "searchKey": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy should be 'https-only' or 'redirect-to-https'", + "actualValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy 'isn't https-only' or 'redirect-to-https'", + "issueType": "IncorrectValue", + "similarityID": "5225205cc07ab6bdf09e7b1f3c86247edaa79a03e9e5c48aa9aa94051a01d148", + "search_line": -1 }, { "queryName": "Connection Between CloudFront Origin Not Encrypted", "severity": "MEDIUM", "line": 30, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution_2", + "searchKey": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy should be 'https-only' or 'redirect-to-https'", + "actualValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy 'isn't https-only' or 'redirect-to-https'", + "issueType": "IncorrectValue", + "similarityID": "04ef5e109fead81b14808c1201cd99825f55c7bfbcc8e19c1a63f6a227840fd0", + "search_line": -1 }, { "queryName": "Connection Between CloudFront Origin Not Encrypted", "severity": "MEDIUM", "line": 19, - "fileName": "positive2.json" + 
"fileName": "positive2.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution_1", + "searchKey": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy should be 'https-only' or 'redirect-to-https'", + "actualValue": "Resources.cloudfrontdistribution_1.Properties.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy 'isn't https-only' or 'redirect-to-https'", + "issueType": "IncorrectValue", + "similarityID": "defef2d011239ac1ed3d0d68da0aaf023584b78ff3e497a3aa091c9636d6a29c", + "search_line": -1 }, { + "queryName": "Connection Between CloudFront Origin Not Encrypted", "severity": "MEDIUM", "line": 56, "fileName": "positive2.json", - "queryName": "Connection Between CloudFront Origin Not Encrypted" + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution_2", + "searchKey": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy should be 'https-only' or 'redirect-to-https'", + "actualValue": "Resources.cloudfrontdistribution_2.Properties.DistributionConfig.CacheBehaviors.ViewerProtocolPolicy 'isn't https-only' or 'redirect-to-https'", + "issueType": "IncorrectValue", + "similarityID": "129fc57922337e9a517363ac97991cf495ce8c252053561922fb7ab3df9b4d69", + "search_line": -1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json index efb66945b4a..0ca221865a3 100644 --- a/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 6, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::IAM::Role", + "resourceName": "RootRole", + "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", + "searchValue": "", + "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument should require external ID or MFA", + "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument does not require external ID or MFA", + "issueType": "IncorrectValue", + "similarityID": "3c9d2b161e434ee7d16c1a2ac3df892c71052fcd2dfd4c2b8bf369910f420fe0", + "search_line": 6 }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 7, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::IAM::Role", + "resourceName": "RootRole", + "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", + "searchValue": "", + "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument should require external ID or MFA", + "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument does not require external ID or MFA", + "issueType": "IncorrectValue", + "similarityID": "2fc30a8683375ea30483bba974ac892e748c65d11e9149958e2ddc104ef656dd", + "search_line": 7 }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 6, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::IAM::Role", + "resourceName": "RootRole", + "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", + "searchValue": "", + "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument should require external ID or MFA", + "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument does not require external ID or MFA", + "issueType": 
"IncorrectValue", + "similarityID": "b3dc04613ba893e99107d46507828a3ff8ef0095bbfd3e9200d3c2a1affa9a00", + "search_line": 6 }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 7, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::IAM::Role", + "resourceName": "RootRole", + "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", + "searchValue": "", + "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument should require external ID or MFA", + "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument does not require external ID or MFA", + "issueType": "IncorrectValue", + "similarityID": "eefa97bd3ef7bce9f0707d77d3b4638df51b075c5fcc5e39860d3119ea0ca126", + "search_line": 7 }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 6, - "fileName": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "AWS::IAM::Role", + "resourceName": "RootRole", + "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", + "searchValue": "", + "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument should require external ID or MFA", + "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument does not require external ID or MFA", + "issueType": "IncorrectValue", + "similarityID": "b4da666e992a90832eb6774f1d4dca1be6ff95018f7decb3df68f7603fa4e031", + "search_line": 6 }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 7, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::IAM::Role", + "resourceName": "RootRole", + "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument", + "searchValue": "", + "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument should require external ID or MFA", + "actualValue": 
"Resources.RootRole.Properties.AssumeRolePolicyDocument does not require external ID or MFA", + "issueType": "IncorrectValue", + "similarityID": "5b88327a9e371265986920664140607227ab54d408d973a66d9a1cb2044a37c1", + "search_line": 7 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/dax_cluster_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dax_cluster_not_encrypted/test/positive_expected_result.json index c34b2aca335..27953eb6cbf 100644 --- a/assets/queries/cloudFormation/aws/dax_cluster_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/dax_cluster_not_encrypted/test/positive_expected_result.json 
@@ -3,48 +3,120 @@ "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", "line": 8, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::DAX::Cluster", + "resourceName": "daxCluster", + "searchKey": "Resources.daxCluster.Properties.SSESpecification.SSEEnabled", + "searchValue": "", + "expectedValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' should be set to true.", + "actualValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' is set to false.", + "issueType": "IncorrectValue", + "similarityID": "c61d689311cbf4575546d26cdf72f7c6bd4d4639b88d3c16c9849ed003bdaa04", + "search_line": -1 }, { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", "line": 8, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::DAX::Cluster", + "resourceName": "daxCluster", + "searchKey": "Resources.daxCluster.Properties.SSESpecification.SSEEnabled", + "searchValue": "", + "expectedValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' should be set to true.", + "actualValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' is set to false.", + "issueType": "IncorrectValue", + "similarityID": "2794cc0b4c232803965a513fc961d40540f8e4a9fe84c2854aabea8a4d2fdc10", + "search_line": -1 }, { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", "line": 7, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::DAX::Cluster", + "resourceName": "daxCluster", + "searchKey": "Resources.daxCluster.Properties.SSESpecification", + "searchValue": "", + "expectedValue": "'Resources.daxCluster.Properties.SSESpecification' should have SSEEnabled declared and set to true.", + "actualValue": "'Resources.daxCluster.Properties.SSESpecification' does not declare SSEEnabled.", + "issueType": "MissingAttribute", + "similarityID": "179d924ea33f4d11fb8d77b8de2632784a0c0b5ff504433afdb634af73b0d3ff", + "search_line": -1 }, { 
"queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", "line": 6, - "fileName": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "AWS::DAX::Cluster", + "resourceName": "daxCluster", + "searchKey": "Resources.daxCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.daxCluster.Properties' should have SSESpecification declared.", + "actualValue": "'Resources.daxCluster.Properties' does not declare SSESpecification.", + "issueType": "MissingAttribute", + "similarityID": "5d6d6a7bef3869af7b6af8d6af41ed89b4b0194268df37d8c4e269ec57b8c683", + "search_line": -1 }, { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", "line": 9, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::DAX::Cluster", + "resourceName": "daxCluster", + "searchKey": "Resources.daxCluster.Properties.SSESpecification.SSEEnabled", + "searchValue": "", + "expectedValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' should be set to true.", + "actualValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' is set to false.", + "issueType": "IncorrectValue", + "similarityID": "c494ff5694f92184e48a4d7ddd8c906442881327cdc1dc18c0cb38be4b8fc92c", + "search_line": -1 }, { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", "line": 9, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::DAX::Cluster", + "resourceName": "daxCluster", + "searchKey": "Resources.daxCluster.Properties.SSESpecification.SSEEnabled", + "searchValue": "", + "expectedValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' should be set to true.", + "actualValue": "'Resources.daxCluster.Properties.SSESpecification.SSEEnabled' is set to false.", + "issueType": "IncorrectValue", + "similarityID": "13e884914d7f367c8b076872d01a20d5cf7bd2fd5a4daba549b14be2888cc47e", + "search_line": -1 }, { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", "line": 8, - 
"fileName": "positive7.json" + "fileName": "positive7.json", + "resourceType": "AWS::DAX::Cluster", + "resourceName": "daxCluster", + "searchKey": "Resources.daxCluster.Properties.SSESpecification", + "searchValue": "", + "expectedValue": "'Resources.daxCluster.Properties.SSESpecification' should have SSEEnabled declared and set to true.", + "actualValue": "'Resources.daxCluster.Properties.SSESpecification' does not declare SSEEnabled.", + "issueType": "MissingAttribute", + "similarityID": "091db55a1b93d1bd49f3df5a801f0d0894d485f86342cffc25fe8a94921354c4", + "search_line": -1 }, { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", "line": 7, - "fileName": "positive8.json" + "fileName": "positive8.json", + "resourceType": "AWS::DAX::Cluster", + "resourceName": "daxCluster", + "searchKey": "Resources.daxCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.daxCluster.Properties' should have SSESpecification declared.", + "actualValue": "'Resources.daxCluster.Properties' does not declare SSESpecification.", + "issueType": "MissingAttribute", + "similarityID": "17458e139dbba0e272c0d2aeb7c1dc6bcb09c38a0dc21d28028312c01e44d861", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json index 14755c73640..45d3949c48a 100644 --- a/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json 
@@ -3,72 +3,180 @@ "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", "line": 8, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "DbSecurity", + "searchKey": "Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP' should not have more than 256 hosts.", + "actualValue": "'Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP' has more than 256 hosts.", + "issueType": "IncorrectValue", + "similarityID": "5c0ba6b70197ec49b356c09bb2334fe639e40d14c7515d6f158683cd35331fee", + "search_line": 8 }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", "line": 15, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroup1", + "searchKey": "Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp' should not have more than 256 hosts.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp' has more than 256 hosts.", + "issueType": "IncorrectValue", + "similarityID": "0275eda19f07cd30f406b1d4d30df40d3586cba872f35ad684cb2a81051473c1", + "search_line": 15 }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroup2", + "searchKey": "Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6' should not 
have more than 256 hosts.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6' has more than 256 hosts.", + "issueType": "IncorrectValue", + "similarityID": "f077a590a68528d77ec0b71fa8f5578aa982a6c5128ca2f725bdf8fbfd29aeff", + "search_line": 22 }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", "line": 7, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::RDS::DBSecurityGroupIngress", + "resourceName": "MyDBSecurityGroupIngress", + "searchKey": "Resources.MyDBSecurityGroupIngress.Properties.CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.MyDBSecurityGroupIngress.Properties.CIDRIP' should not have more than 256 hosts.", + "actualValue": "'Resources.MyDBSecurityGroupIngress.Properties.CIDRIP' has more than 256 hosts.", + "issueType": "IncorrectValue", + "similarityID": "eadcfc43a4a0bdcd49a5efd8b7093bece14857a5a13f40d6565da7504d1bd272", + "search_line": 7 }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", "line": 13, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "StandaloneIngressIPv4", + "searchKey": "Resources.StandaloneIngressIPv4.Properties.CidrIp", + "searchValue": "", + "expectedValue": "'Resources.StandaloneIngressIPv4.Properties.CidrIp' should not have more than 256 hosts.", + "actualValue": "'Resources.StandaloneIngressIPv4.Properties.CidrIp' has more than 256 hosts.", + "issueType": "IncorrectValue", + "similarityID": "66955022a45da12369a9e151e39362e417d71dfb610d125209477d968885ff35", + "search_line": 13 }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", "line": 19, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "StandaloneIngressIPv6", + "searchKey": "Resources.StandaloneIngressIPv6.Properties.CidrIpv6", 
+ "searchValue": "", + "expectedValue": "'Resources.StandaloneIngressIPv6.Properties.CidrIpv6' should not have more than 256 hosts.", + "actualValue": "'Resources.StandaloneIngressIPv6.Properties.CidrIpv6' has more than 256 hosts.", + "issueType": "IncorrectValue", + "similarityID": "f96929965191a3a19d90d549e09591557d59330fa7a0e7707e81ccf958959746", + "search_line": 19 }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", "line": 9, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "DbSecurity", + "searchKey": "Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP' should not have more than 256 hosts.", + "actualValue": "'Resources.DbSecurity.Properties.DBSecurityGroupIngress[0].CIDRIP' has more than 256 hosts.", + "issueType": "IncorrectValue", + "similarityID": "6e2eb7ea9bff6a1ab35293d6cc59c212a1eaaca74aef67a703855f56ce3e13f1", + "search_line": 9 }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", "line": 20, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroup1", + "searchKey": "Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp' should not have more than 256 hosts.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup1.Properties.SecurityGroupIngress[0].CidrIp' has more than 256 hosts.", + "issueType": "IncorrectValue", + "similarityID": "5191804cb2969109158bfc8684c0f2e08b5496a7e5910fffab036344ee964659", + "search_line": 20 }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", "line": 31, - "fileName": "positive3.json" + 
"fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroup2", + "searchKey": "Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6' should not have more than 256 hosts.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup2.Properties.SecurityGroupIngress[0].CidrIpv6' has more than 256 hosts.", + "issueType": "IncorrectValue", + "similarityID": "a3ead9fe7b9f509cdb4a46a2920eb7fba13e2757208ecdedb72c81945cdda8f0", + "search_line": 31 }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", "line": 9, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::RDS::DBSecurityGroupIngress", + "resourceName": "MyDBSecurityGroupIngress", + "searchKey": "Resources.MyDBSecurityGroupIngress.Properties.CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.MyDBSecurityGroupIngress.Properties.CIDRIP' should not have more than 256 hosts.", + "actualValue": "'Resources.MyDBSecurityGroupIngress.Properties.CIDRIP' has more than 256 hosts.", + "issueType": "IncorrectValue", + "similarityID": "b1eca0c00a83cd9ac7bef7bce80aa1e7411ba0a5d91d52d8f9855c1c4045aa75", + "search_line": 9 }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", "line": 18, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "StandaloneIngressIPv4", + "searchKey": "Resources.StandaloneIngressIPv4.Properties.CidrIp", + "searchValue": "", + "expectedValue": "'Resources.StandaloneIngressIPv4.Properties.CidrIp' should not have more than 256 hosts.", + "actualValue": "'Resources.StandaloneIngressIPv4.Properties.CidrIp' has more than 256 hosts.", + "issueType": "IncorrectValue", + "similarityID": 
"f082ae4a79f70c2dd446682b2f6edacf5c5bea121315dfd9abc3c45ff6ebe360", + "search_line": 18 }, { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", "line": 27, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "StandaloneIngressIPv6", + "searchKey": "Resources.StandaloneIngressIPv6.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "'Resources.StandaloneIngressIPv6.Properties.CidrIpv6' should not have more than 256 hosts.", + "actualValue": "'Resources.StandaloneIngressIPv6.Properties.CidrIpv6' has more than 256 hosts.", + "issueType": "IncorrectValue", + "similarityID": "ceb759c76e7c65930c163d52d98c3d296263577b187e55f87f9f25c0d3a177b5", + "search_line": 27 } ] diff --git a/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/test/positive_expected_result.json index 09e8322a452..e662bd5f9a2 100644 --- a/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/db_security_group_with_public_scope/test/positive_expected_result.json 
@@ -3,90 +3,225 @@ "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", "line": 8, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroupInline_pos1", + "searchKey": "Resources.DbSecurityByEC2SecurityGroupInline_pos1.Properties.DBSecurityGroupIngress[0].CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroupInline_pos1.Properties.DBSecurityGroupIngress[0].CIDRIP' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroupInline_pos1.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'.", + "issueType": "IncorrectValue", + "similarityID": "ff493c0acb1c6e5fbd5c2e6640de1f2a6851e7c9fea434cd19c598d041f40567", + "search_line": 8 }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", "line": 20, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::RDS::DBSecurityGroupIngress", + "resourceName": "DbSecurityIngressRule_pos1", + "searchKey": "Resources.DbSecurityIngressRule_pos1.Properties.CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityIngressRule_pos1.Properties.CIDRIP' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DbSecurityIngressRule_pos1.Properties.CIDRIP' is '0.0.0.0/0'.", + "issueType": "IncorrectValue", + "similarityID": "bd05113dfd825c61e4bd48769e058715b600df4a593e8cf2fc9a617425b647a9", + "search_line": 20 }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", "line": 32, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DBEC2SecurityGroupInline_pos1", + "searchKey": "Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "'Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[0].CidrIp' should 
not be '0.0.0.0/0'.", + "actualValue": "'Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[0].CidrIp' is '0.0.0.0/0'.", + "issueType": "IncorrectValue", + "similarityID": "a5329fcf04ac483fbbcb96c12ee4b110b3549a5a37b3e42547375223a7125e1d", + "search_line": 32 }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", "line": 36, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DBEC2SecurityGroupInline_pos1", + "searchKey": "Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[1].CidrIpv6", + "searchValue": "", + "expectedValue": "'Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[1].CidrIpv6' should not be '::/0'.", + "actualValue": "'Resources.DBEC2SecurityGroupInline_pos1.Properties.SecurityGroupIngress[1].CidrIpv6' is '::/0'.", + "issueType": "IncorrectValue", + "similarityID": "76966c6de6c9a5da12f7f833b220880ded341dd9388786925c5ebd7577b8c7de", + "search_line": 36 }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", "line": 52, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DBEC2SecurityGroupIngress_pos1", + "searchKey": "Resources.DBEC2SecurityGroupIngress_pos1.Properties.CidrIp", + "searchValue": "", + "expectedValue": "'Resources.DBEC2SecurityGroupIngress_pos1.Properties.CidrIp' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DBEC2SecurityGroupIngress_pos1.Properties.CidrIp' is '0.0.0.0/0'.", + "issueType": "IncorrectValue", + "similarityID": "915c0037b44596100c8954f3f52693e6c8f16cb278061b6e5ddcd06bc2c6c7cc", + "search_line": 52 }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", "line": 61, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": 
"DBEC2SecurityGroupIngressIPv6_pos1", + "searchKey": "Resources.DBEC2SecurityGroupIngressIPv6_pos1.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "'Resources.DBEC2SecurityGroupIngressIPv6_pos1.Properties.CidrIpv6' should not be '0000:0000:0000:0000:0000:0000:0000:0000/0'.", + "actualValue": "'Resources.DBEC2SecurityGroupIngressIPv6_pos1.Properties.CidrIpv6' is '0000:0000:0000:0000:0000:0000:0000:0000/0'.", + "issueType": "IncorrectValue", + "similarityID": "cd63c0b5750ab88e09029fba2d77c0a35614f1ecd43dd1de3e1996f0eec57c2b", + "search_line": 61 }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", "line": 8, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroup_pos2", + "searchKey": "Resources.DbSecurityByEC2SecurityGroup_pos2.Properties.DBSecurityGroupIngress[0].CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup_pos2.Properties.DBSecurityGroupIngress[0].CIDRIP' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup_pos2.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'.", + "issueType": "IncorrectValue", + "similarityID": "b34f1e91d20f29c364625fbda83acdc1f978e3a31eb47c6beafa22551ec99750", + "search_line": 8 }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", "line": 9, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroupInline_pos3", + "searchKey": "Resources.DbSecurityByEC2SecurityGroupInline_pos3.Properties.DBSecurityGroupIngress[0].CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroupInline_pos3.Properties.DBSecurityGroupIngress[0].CIDRIP' should not be '0.0.0.0/0'.", + "actualValue": 
"'Resources.DbSecurityByEC2SecurityGroupInline_pos3.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'.", + "issueType": "IncorrectValue", + "similarityID": "f278fd42a9ff428edbbf02b432b94f3b7d0826fe5a389b2155333c64897ad1ef", + "search_line": 9 }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", "line": 26, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::RDS::DBSecurityGroupIngress", + "resourceName": "DbSecurityIngressRule_pos3", + "searchKey": "Resources.DbSecurityIngressRule_pos3.Properties.CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityIngressRule_pos3.Properties.CIDRIP' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DbSecurityIngressRule_pos3.Properties.CIDRIP' is '0.0.0.0/0'.", + "issueType": "IncorrectValue", + "similarityID": "f33bf4e30265c4b1329a804718d0b9ccdc7723931ac5d0ffd94b519acc1475ef", + "search_line": 26 }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", "line": 41, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DBEC2SecurityGroupInline_pos3", + "searchKey": "Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "'Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[0].CidrIp' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[0].CidrIp' is '0.0.0.0/0'.", + "issueType": "IncorrectValue", + "similarityID": "2b1fa6fe1295172fadc7bb6cdfa2eeb0d071a6e2804122c249f8d6cda8c35f55", + "search_line": 41 }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", "line": 47, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DBEC2SecurityGroupInline_pos3", + "searchKey": 
"Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[1].CidrIpv6", + "searchValue": "", + "expectedValue": "'Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[1].CidrIpv6' should not be '::/0'.", + "actualValue": "'Resources.DBEC2SecurityGroupInline_pos3.Properties.SecurityGroupIngress[1].CidrIpv6' is '::/0'.", + "issueType": "IncorrectValue", + "similarityID": "0b48faa14c9f110ff5b1cfcfae20b12c7ec8fea796e9a41716cefa3a759b414b", + "search_line": 47 }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", "line": 70, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DBEC2SecurityGroupIngress_pos3", + "searchKey": "Resources.DBEC2SecurityGroupIngress_pos3.Properties.CidrIp", + "searchValue": "", + "expectedValue": "'Resources.DBEC2SecurityGroupIngress_pos3.Properties.CidrIp' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DBEC2SecurityGroupIngress_pos3.Properties.CidrIp' is '0.0.0.0/0'.", + "issueType": "IncorrectValue", + "similarityID": "d58bff6eaeb4b571aca3dc5cb269186de8aa8b575f0294c9f09446c927c9e4fb", + "search_line": 70 }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", "line": 82, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DBEC2SecurityGroupIngressIPv6_pos3", + "searchKey": "Resources.DBEC2SecurityGroupIngressIPv6_pos3.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "'Resources.DBEC2SecurityGroupIngressIPv6_pos3.Properties.CidrIpv6' should not be '0000:0000:0000:0000:0000:0000:0000:0000/0'.", + "actualValue": "'Resources.DBEC2SecurityGroupIngressIPv6_pos3.Properties.CidrIpv6' is '0000:0000:0000:0000:0000:0000:0000:0000/0'.", + "issueType": "IncorrectValue", + "similarityID": "940178e13c1e7b332e4d252f32d1a3b515c757339c6823e270c383dec277f1f6", + "search_line": 82 }, { 
"queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", "line": 9, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroup_pos4", + "searchKey": "Resources.DbSecurityByEC2SecurityGroup_pos4.Properties.DBSecurityGroupIngress[0].CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup_pos4.Properties.DBSecurityGroupIngress[0].CIDRIP' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup_pos4.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'.", + "issueType": "IncorrectValue", + "similarityID": "c130e94f9632fc701c97b70d05d6d46c72cf3bdf44419ea21de7e8429565e1a9", + "search_line": 9 }, { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", "line": 8, - "fileName": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "DbSecurityByEC2SecurityGroup_pos5", + "searchKey": "Resources.DbSecurityByEC2SecurityGroup_pos5.Properties.DBSecurityGroupIngress[0].CIDRIP", + "searchValue": "", + "expectedValue": "'Resources.DbSecurityByEC2SecurityGroup_pos5.Properties.DBSecurityGroupIngress[0].CIDRIP' should not be '0.0.0.0/0'.", + "actualValue": "'Resources.DbSecurityByEC2SecurityGroup_pos5.Properties.DBSecurityGroupIngress[0].CIDRIP' is '0.0.0.0/0'.", + "issueType": "IncorrectValue", + "similarityID": "3da1bedac17a12bb04e6f867615bd72fb19731051b9dc81d324feddba76ced15", + "search_line": 8 } ] diff --git a/assets/queries/cloudFormation/aws/default_kms_key_usage/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/default_kms_key_usage/test/positive_expected_result.json index 4df0f766fc8..a342cb989bd 100644 --- a/assets/queries/cloudFormation/aws/default_kms_key_usage/test/positive_expected_result.json 
+++ b/assets/queries/cloudFormation/aws/default_kms_key_usage/test/positive_expected_result.json @@ -3,18 +3,45 @@ "queryName": "Default KMS Key Usage", "severity": "MEDIUM", "line": 24, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster1", + "searchKey": "Resources.RDSCluster1.Properties", + "searchValue": "", + "expectedValue": "Resources.RDSCluster1.Properties.KmsKeyId should be defined with AWS-Managed CMK", + "actualValue": "Resources.RDSCluster1.Properties.KmsKeyId is undefined", + "issueType": "MissingAttribute", + "similarityID": "361b90d1adbc81a8aed732d3121be7fe0c2f934ded6612b3debf5b3a53c97e55", + "search_line": 24 }, { "queryName": "Default KMS Key Usage", "severity": "MEDIUM", "line": 25, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster1", + "searchKey": "Resources.RDSCluster1.Properties", + "searchValue": "", + "expectedValue": "Resources.RDSCluster1.Properties.KmsKeyId should be defined with AWS-Managed CMK", + "actualValue": "Resources.RDSCluster1.Properties.KmsKeyId is undefined", + "issueType": "MissingAttribute", + "similarityID": "5c6f7baa5f0adf3444075bd0c294eeabb3c882533846dce9d72df5e96efff169", + "search_line": 25 }, { "queryName": "Default KMS Key Usage", "severity": "MEDIUM", "line": 24, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster1", + "searchKey": "Resources.RDSCluster1.Properties", + "searchValue": "", + "expectedValue": "Resources.RDSCluster1.Properties.KmsKeyId should be defined with AWS-Managed CMK", + "actualValue": "Resources.RDSCluster1.Properties.KmsKeyId is undefined", + "issueType": "MissingAttribute", + "similarityID": "248bed942d93204ee30ddc166954c6be1802ebd87c1e4c58c05d32df78ce97e7", + "search_line": 24 } ] 
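Review bot: The `expectedValue` pinned for all three entries, `Resources.RDSCluster1.Properties.KmsKeyId should be defined with AWS-Managed CMK`, reads as prescribing the AWS-managed (default) key, which appears to be the opposite of what a query named "Default KMS Key Usage" flags. If the query's intent is that a customer-managed CMK be used, the wording belongs in the query's Rego and should be fixed before this fixture locks it in, since `expectedValue` is the remediation guidance users see. If the wording is intentional, a short note in the query metadata would avoid the same question next time the fixture is regenerated.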
diff --git a/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json index b90bf1cf9c9..e407bfae29c 100644 --- a/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json 
@@ -3,48 +3,120 @@ "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", "line": 4, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "default", + "searchKey": "Resources.InstanceSecurityGroup_ingress.Properties", + "searchValue": "", + "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", + "actualValue": "'Resources.InstanceSecurityGroup_ingress' has 'Properties.GroupName' set to 'default' and traffic rules set in 'Properties'.", + "issueType": "IncorrectValue", + "similarityID": "e9eb1bc7fd51a06a345acb27430b6a5f9f43a04ee87a93b1be2d2a9284fc99b1", + "search_line": 4 }, { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", "line": 15, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "default", + "searchKey": "Resources.InstanceSecurityGroup_egress.Properties", + "searchValue": "", + "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", + "actualValue": "'Resources.InstanceSecurityGroup_egress' has 'Properties.GroupName' set to 'default' and traffic rules set in 'Properties'.", + "issueType": "IncorrectValue", + "similarityID": "207493992fa575cf4653596e88a74d1342795b20803b7d9877ae21899cd21a80", + "search_line": 15 }, { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", "line": 11, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "default", + "searchKey": "Resources.InstanceSecurityGroupIngress.Properties.GroupId", + "searchValue": "", + "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", + "actualValue": 
"'Resources.InstanceSecurityGroup_default' has 'Properties.GroupName' set to 'default' and a standalone 'AWS::EC2::SecurityGroupIngress' rule set.", + "issueType": "IncorrectValue", + "similarityID": "41c24dbdbf19620b4ce1c645b8b43a4b0fe69f617095a42126b5b645f7ba3082", + "search_line": 11 }, { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", "line": 20, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "default", + "searchKey": "Resources.InstanceSecurityGroupEgress.Properties.GroupId", + "searchValue": "", + "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", + "actualValue": "'Resources.InstanceSecurityGroup_default' has 'Properties.GroupName' set to 'default' and a standalone 'AWS::EC2::SecurityGroupEgress' rule set.", + "issueType": "IncorrectValue", + "similarityID": "3d1979110cc0b2e3fc2005bd3484be070a75324d0705923f99a69f76f075200c", + "search_line": 20 }, { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", "line": 5, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "default", + "searchKey": "Resources.InstanceSecurityGroup_ingress.Properties", + "searchValue": "", + "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", + "actualValue": "'Resources.InstanceSecurityGroup_ingress' has 'Properties.GroupName' set to 'default' and traffic rules set in 'Properties'.", + "issueType": "IncorrectValue", + "similarityID": "bb88d4a9886411dd9685e096bb982dfad67727e0372b1fe7236e5ccafc423268", + "search_line": 5 }, { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", "line": 20, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": 
"AWS::EC2::SecurityGroup", + "resourceName": "default", + "searchKey": "Resources.InstanceSecurityGroup_egress.Properties", + "searchValue": "", + "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", + "actualValue": "'Resources.InstanceSecurityGroup_egress' has 'Properties.GroupName' set to 'default' and traffic rules set in 'Properties'.", + "issueType": "IncorrectValue", + "similarityID": "0410524f0aa2388fa58ae56e9d334d2bfe0d0d27fe96b9de630c7d1efe5265f1", + "search_line": 20 }, { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", "line": 13, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "default", + "searchKey": "Resources.InstanceSecurityGroupIngress.Properties.GroupId", + "searchValue": "", + "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", + "actualValue": "'Resources.InstanceSecurityGroup_default' has 'Properties.GroupName' set to 'default' and a standalone 'AWS::EC2::SecurityGroupIngress' rule set.", + "issueType": "IncorrectValue", + "similarityID": "ad8612ce8590954f558a02cad37ac8ec5927ecfab74126237e3beff71ee00d4f", + "search_line": 13 }, { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", "line": 25, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "default", + "searchKey": "Resources.InstanceSecurityGroupEgress.Properties.GroupId", + "searchValue": "", + "expectedValue": "Any 'AWS::EC2::SecurityGroup' with 'Properties.GroupName' set to 'default' should not have any traffic rules set.", + "actualValue": "'Resources.InstanceSecurityGroup_default' has 'Properties.GroupName' set to 'default' and a standalone 'AWS::EC2::SecurityGroupEgress' rule set.", + "issueType": 
"IncorrectValue", + "similarityID": "9aca9c323df68376a8acece42b1d57200041552ae6f464f4d0681cdaebe43ad2", + "search_line": 25 } ] diff --git a/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/test/positive_expected_result.json index 208eae633ff..a6f9a7532c1 100644 --- a/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref/test/positive_expected_result.json 
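Review bot: `resourceName` is `"default"` (the GroupName value) for every entry here, whereas the other fixtures in this change use the logical resource id (e.g. `"RDSCluster1"`, `"DbSecurityIngressRule_pos1"`), so the field means something different for this query. For the positive2.yaml and positive4.json entries the `searchKey` points at `Resources.InstanceSecurityGroupIngress.Properties.GroupId` / `Resources.InstanceSecurityGroupEgress.Properties.GroupId` while `resourceType` is `"AWS::EC2::SecurityGroup"`, which presumably describes the referenced default group rather than the standalone rule at the search key. If that is intentional it is worth a one-line note in the query so the mismatch between `searchKey` and `resourceType`/`resourceName` is not read as a bug in the next regeneration.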
@@ -2,37 +2,91 @@ { "queryName": "Directory Service Microsoft AD Password Set to Plaintext or Default Ref", "severity": "HIGH", - "line": 5, - "fileName": "positive3.yaml" + "line": 14, + "fileName": "positive1.yaml", + "resourceType": "AWS::DirectoryService::MicrosoftAD", + "resourceName": "String", + "searchKey": "Resources.NewAmpApp-2.Properties.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp-2.Properties.Password must be defined as a parameter or have a secret manager referenced", + "actualValue": "Resources.NewAmpApp-2.Properties.Password must not be in plain text string", + "issueType": "IncorrectValue", + "similarityID": "2b673b6fd22d6ca845e9f99eda08b32ee4f66c51f0fcb4493842e4a13ba8d9f4", + "search_line": -1 }, { "queryName": "Directory Service Microsoft AD Password Set to Plaintext or Default Ref", "severity": "HIGH", "line": 9, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::DirectoryService::MicrosoftAD", + "resourceName": "String", + "searchKey": "Resources.NewAmpApp.Properties.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp.Properties.Password must be defined as a parameter or have a secret manager referenced", + "actualValue": "Resources.NewAmpApp.Properties.Password must not be in plain text string", + "issueType": "IncorrectValue", + "similarityID": "e9d6c23478d3467db670193e7243455c19236860ee8739501ee13487df441819", + "search_line": -1 }, { "queryName": "Directory Service Microsoft AD Password Set to Plaintext or Default Ref", "severity": "HIGH", - "line": 14, - "fileName": "positive1.yaml" + "line": 5, + "fileName": "positive3.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentMasterPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentMasterPassword.Default should not be defined", + "actualValue": "Parameters.ParentMasterPassword.Default is defined", + "issueType": "IncorrectValue", + "similarityID": 
"6259df86759c23df2313c0b92d15157b07e9f8add97316d4fc3cb379f7295958", + "search_line": -1 }, { "queryName": "Directory Service Microsoft AD Password Set to Plaintext or Default Ref", "severity": "HIGH", "line": 17, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::DirectoryService::MicrosoftAD", + "resourceName": "String", + "searchKey": "Resources.NewAmpApp-2.Properties.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp-2.Properties.Password must be defined as a parameter or have a secret manager referenced", + "actualValue": "Resources.NewAmpApp-2.Properties.Password must not be in plain text string", + "issueType": "IncorrectValue", + "similarityID": "26f1937259b3fcf3427f8026ee2f74430b57dbad80a09a465553db74ba48e5fe", + "search_line": -1 }, { + "queryName": "Directory Service Microsoft AD Password Set to Plaintext or Default Ref", "severity": "HIGH", "line": 11, - "queryName": "Directory Service Microsoft AD Password Set to Plaintext or Default Ref", - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::DirectoryService::MicrosoftAD", + "resourceName": "String", + "searchKey": "Resources.NewAmpApp.Properties.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp.Properties.Password must be defined as a parameter or have a secret manager referenced", + "actualValue": "Resources.NewAmpApp.Properties.Password must not be in plain text string", + "issueType": "IncorrectValue", + "similarityID": "6a9116985e70f4c8876dd90d65afc7c5fa0b384269d7408fc2d05b9ef0b21c29", + "search_line": -1 }, { "queryName": "Directory Service Microsoft AD Password Set to Plaintext or Default Ref", "severity": "HIGH", "line": 5, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentMasterPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentMasterPassword.Default should not be 
defined", + "actualValue": "Parameters.ParentMasterPassword.Default is defined", + "issueType": "IncorrectValue", + "similarityID": "3ddb1cf4fe7f069b857062da3e64c3055e1f395c5f389aafe2d87a10d8a1b6b2", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/test/positive_expected_result.json index 8df12a589f9..98bd06d5bd5 100644 --- a/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed/test/positive_expected_result.json 
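Review bot: Every entry in this hunk carries `"search_line": -1` even though `line` is populated (14, 9, 5, 17, 11, 5), whereas the other fixtures in this change report `search_line` equal to `line`. A fixture that pins `-1` freezes the query's inability to resolve a search line, so it is worth confirming whether this is a limitation of the query's result construction that should be fixed first. The `resourceName` value `"String"` also looks like the template's placeholder `Name` value rather than a logical id; confirm that is the intended source for this field.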
@@ -1,38 +1,92 @@ [ { - "fileName": "positive3.yaml", "queryName": "Directory Service Simple AD Password Exposed", "severity": "HIGH", - "line": 5 + "line": 18, + "fileName": "positive1.yaml", + "resourceType": "AWS::DirectoryService::SimpleAD", + "resourceName": "String", + "searchKey": "Resources.NewAmpApp4.Properties.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp4.Properties.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp4.Properties.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue", + "similarityID": "3ff87ea6f39a95e27d777bfbbfb9db3a9e4a2e2598fd85800bc3810c0f2edefc", + "search_line": -1 }, { + "queryName": "Directory Service Simple AD Password Exposed", "severity": "HIGH", "line": 9, "fileName": "positive2.yaml", - "queryName": "Directory Service Simple AD Password Exposed" + "resourceType": "AWS::DirectoryService::SimpleAD", + "resourceName": "String", + "searchKey": "Resources.NewAmpApp5.Properties.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp5.Properties.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp5.Properties.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue", + "similarityID": "b60cc505b4b0322cca37603bd12318b8530c7b53c00c3aec8e16fb7decebc65d", + "search_line": -1 }, { "queryName": "Directory Service Simple AD Password Exposed", "severity": "HIGH", - "line": 18, - "fileName": "positive1.yaml" + "line": 5, + "fileName": "positive3.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentMasterPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentMasterPassword.Default should be defined", + "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined", + "issueType": "IncorrectValue", + "similarityID": 
"76dff54f5c6bb181e68ba556b29adf6981f284825586f94d4af2111a7d2e7676", + "search_line": -1 }, { + "queryName": "Directory Service Simple AD Password Exposed", "severity": "HIGH", "line": 20, "fileName": "positive4.json", - "queryName": "Directory Service Simple AD Password Exposed" + "resourceType": "AWS::DirectoryService::SimpleAD", + "resourceName": "String", + "searchKey": "Resources.NewAmpApp4.Properties.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp4.Properties.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp4.Properties.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue", + "similarityID": "56f8682d933662e78e3dc03424c5d78af9b161f8301d993a22dd9cd28d0cfbdf", + "search_line": -1 }, { - "fileName": "positive5.json", "queryName": "Directory Service Simple AD Password Exposed", "severity": "HIGH", - "line": 12 + "line": 12, + "fileName": "positive5.json", + "resourceType": "AWS::DirectoryService::SimpleAD", + "resourceName": "String", + "searchKey": "Resources.NewAmpApp5.Properties.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp5.Properties.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp5.Properties.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue", + "similarityID": "3135fcbdb15ff557be91c30425a2741a9e003866b514d77ab9ef46b3eb499d6f", + "search_line": -1 }, { "queryName": "Directory Service Simple AD Password Exposed", "severity": "HIGH", "line": 6, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentMasterPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentMasterPassword.Default should be defined", + "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined", + "issueType": "IncorrectValue", + 
"similarityID": "97afc49d5a2273bc748385edab58aaccb978819d9aee475fe87aed47ac6b4e40", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/test/positive_expected_result.json index cb7f890e5bb..56e94fe35fb 100644 --- a/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed/test/positive_expected_result.json 
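Review bot: The `expectedValue`/`actualValue` pairs in this hunk are inverted relative to the Microsoft AD fixture above: here `expectedValue` is `Parameters.ParentMasterPassword.Default should be defined` and `actualValue` is `... shouldn't be defined`, and for the resource entries `expectedValue` is `... must not be in plain text string` while `actualValue` is `... must be defined as a parameter or have a secret manager referenced`. The compliant state belongs in `expectedValue`, i.e. `"expectedValue": "Parameters.ParentMasterPassword.Default should not be defined"` and `"actualValue": "Parameters.ParentMasterPassword.Default is defined"`, matching the Microsoft AD entries. Because these fixtures are generated from the query output, the swap should be corrected in the query's Rego and the fixture regenerated, rather than edited here. The same inversion appears in the DMS Endpoint MongoDB fixture that follows this hunk.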
@@ -1,38 +1,92 @@ [ { + "queryName": "DMS Endpoint MongoDB Settings Password Exposed", + "severity": "HIGH", "line": 13, "fileName": "positive1.yaml", - "queryName": "DMS Endpoint MongoDB Settings Password Exposed", - "severity": "HIGH" + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.MasterMongoDBPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.MasterMongoDBPassword.Default should be defined", + "actualValue": "Parameters.MasterMongoDBPassword.Default shouldn't be defined", + "issueType": "IncorrectValue", + "similarityID": "2052bef22e0df2ecb6e3a80487aec0415a5150ae57c64fa6edc33fd4397e609a", + "search_line": -1 }, { + "queryName": "DMS Endpoint MongoDB Settings Password Exposed", + "severity": "HIGH", "line": 24, "fileName": "positive2.yaml", - "queryName": "DMS Endpoint MongoDB Settings Password Exposed", - "severity": "HIGH" + "resourceType": "AWS::DMS::Endpoint", + "resourceName": "NewAmpApp5", + "searchKey": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue", + "similarityID": "d3ccd6298104c938fad39830445bd895865754ace36b86727e6255a2ca1372a2", + "search_line": -1 }, { + "queryName": "DMS Endpoint MongoDB Settings Password Exposed", "severity": "HIGH", "line": 35, "fileName": "positive3.yaml", - "queryName": "DMS Endpoint MongoDB Settings Password Exposed" + "resourceType": "AWS::DMS::Endpoint", + "resourceName": "NewAmpApp6", + "searchKey": "Resources.NewAmpApp6.Properties.MongoDbSettings.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp6.Properties.MongoDbSettings.Password must not be in plain text string", + "actualValue": 
"Resources.NewAmpApp6.Properties.MongoDbSettings.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue", + "similarityID": "d6a8e8ad01fd2d87f81b54908ad1f88b887ac929880f9afb42fce5238e211f16", + "search_line": -1 }, { "queryName": "DMS Endpoint MongoDB Settings Password Exposed", "severity": "HIGH", "line": 16, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.MasterMongoDBPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.MasterMongoDBPassword.Default should be defined", + "actualValue": "Parameters.MasterMongoDBPassword.Default shouldn't be defined", + "issueType": "IncorrectValue", + "similarityID": "161097d9cc6b4283e2e35049881e08e8da7f06d43080b30b558388327340ae8b", + "search_line": -1 }, { "queryName": "DMS Endpoint MongoDB Settings Password Exposed", "severity": "HIGH", "line": 26, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::DMS::Endpoint", + "resourceName": "NewAmpApp5", + "searchKey": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password must not be in plain text string", + "actualValue": "Resources.NewAmpApp5.Properties.MongoDbSettings.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue", + "similarityID": "fcdab12370e90aeb483b1ae3ac1c3e713d1b05dda9faf2bdcdfd9e2802f6c23f", + "search_line": -1 }, { "queryName": "DMS Endpoint MongoDB Settings Password Exposed", "severity": "HIGH", "line": 38, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::DMS::Endpoint", + "resourceName": "NewAmpApp6", + "searchKey": "Resources.NewAmpApp6.Properties.MongoDbSettings.Password", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp6.Properties.MongoDbSettings.Password must 
not be in plain text string", + "actualValue": "Resources.NewAmpApp6.Properties.MongoDbSettings.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue", + "similarityID": "545c0e3fa78fb814488b877642927fc2350d455491f1f38e9972c3b02429cdbb", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/test/positive_expected_result.json index f309b51052e..188061b1ccf 100644 --- a/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed/test/positive_expected_result.json 
@@ -2,37 +2,91 @@ { "queryName": "DMS Endpoint Password Exposed", "severity": "HIGH", - "line": 5, - "fileName": "positive2.yaml" + "line": 20, + "fileName": "positive1.yaml", + "resourceType": "AWS::DMS::Endpoint", + "resourceName": "DMSEndpoint4", + "searchKey": "Resources.DMSEndpoint4.Properties.Password", + "searchValue": "", + "expectedValue": "Resources.DMSEndpoint4.Properties.Password must not be in plain text string", + "actualValue": "Resources.DMSEndpoint4.Properties.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue", + "similarityID": "d50d0540b05b5dc3c190a38e7f83d305f24750daf715680258412846d2904c71", + "search_line": -1 }, { "queryName": "DMS Endpoint Password Exposed", "severity": "HIGH", - "line": 20, - "fileName": "positive1.yaml" + "line": 5, + "fileName": "positive2.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentMasterPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentMasterPassword.Default should be defined", + "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined", + "issueType": "IncorrectValue", + "similarityID": "683dae86bbe8ed3c4b5037fb7dfa227bfcfca7e732b42f943b5c102564bf682a", + "search_line": -1 }, { "queryName": "DMS Endpoint Password Exposed", "severity": "HIGH", "line": 25, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::DMS::Endpoint", + "resourceName": "DMSEndpoint6", + "searchKey": "Resources.DMSEndpoint6.Properties.Password", + "searchValue": "", + "expectedValue": "Resources.DMSEndpoint6.Properties.Password must not be in plain text string", + "actualValue": "Resources.DMSEndpoint6.Properties.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue", + "similarityID": "311f8ee416ffa5ec51f7f415d8d79b9762dfba44f0eddd40f67a0053faca84dc", + "search_line": -1 }, { "queryName": "DMS Endpoint Password 
Exposed", "severity": "HIGH", "line": 23, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::DMS::Endpoint", + "resourceName": "DMSEndpoint4", + "searchKey": "Resources.DMSEndpoint4.Properties.Password", + "searchValue": "", + "expectedValue": "Resources.DMSEndpoint4.Properties.Password must not be in plain text string", + "actualValue": "Resources.DMSEndpoint4.Properties.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue", + "similarityID": "4c8f0a8a73c28a9ae7d10425cae171087c8654506a07f01abaf28742f4389fc4", + "search_line": -1 }, { "queryName": "DMS Endpoint Password Exposed", "severity": "HIGH", "line": 6, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentMasterPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentMasterPassword.Default should be defined", + "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined", + "issueType": "IncorrectValue", + "similarityID": "218584054f507cfb2e2f1c76c72895d0698fd5701db3d5a5d44a0bcf0b40e4e8", + "search_line": -1 }, { "queryName": "DMS Endpoint Password Exposed", "severity": "HIGH", "line": 26, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::DMS::Endpoint", + "resourceName": "DMSEndpoint6", + "searchKey": "Resources.DMSEndpoint6.Properties.Password", + "searchValue": "", + "expectedValue": "Resources.DMSEndpoint6.Properties.Password must not be in plain text string", + "actualValue": "Resources.DMSEndpoint6.Properties.Password must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue", + "similarityID": "dc03e7f000e92d8c5eb971af3e303912fdcc44c113603cbd29cac49b93b7cc4f", + "search_line": -1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/test/positive_expected_result.json index da879bc197f..0e32bf48abb 100644 --- a/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext/test/positive_expected_result.json 
@@ -1,38 +1,92 @@ [ { + "queryName": "DocDB Cluster Master Password In Plaintext", "severity": "HIGH", - "line": 5, - "fileName": "positive2.yaml", - "queryName": "DocDB Cluster Master Password In Plaintext" + "line": 12, + "fileName": "positive1.yaml", + "resourceType": "AWS::DocDB::DBCluster", + "resourceName": "NewAmpApp", + "searchKey": "Resources.NewAmpApp.Properties.MasterUserPassword", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp.Properties.MasterUserPassword must not be in plain text string", + "actualValue": "Resources.NewAmpApp.Properties.MasterUserPassword must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue", + "similarityID": "5499d6c7b0370102d44806e800da49e1a84d8067b78856451171450c11aca616", + "search_line": -1 }, { "queryName": "DocDB Cluster Master Password In Plaintext", "severity": "HIGH", - "line": 12, - "fileName": "positive1.yaml" + "line": 5, + "fileName": "positive2.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentMasterPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentMasterPassword.Default should be defined", + "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined", + "issueType": "IncorrectValue", + "similarityID": "84996c0182eff5176aef01adf7771e635c5dddba341cf4ced49eddb751166dc2", + "search_line": -1 }, { "queryName": "DocDB Cluster Master Password In Plaintext", "severity": "HIGH", "line": 12, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::DocDB::DBCluster", + "resourceName": "NewAmpApp03", + "searchKey": "Resources.NewAmpApp03.Properties.MasterUserPassword", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp03.Properties.MasterUserPassword must not be in plain text string", + "actualValue": "Resources.NewAmpApp03.Properties.MasterUserPassword must be defined as a parameter or have a secret manager referenced", + "issueType": 
"IncorrectValue", + "similarityID": "8d4b9b6e07c26b128688829b28c739d110cb3068e2a9e9b9abc3140fce231448", + "search_line": -1 }, { + "queryName": "DocDB Cluster Master Password In Plaintext", "severity": "HIGH", "line": 17, "fileName": "positive4.json", - "queryName": "DocDB Cluster Master Password In Plaintext" + "resourceType": "AWS::DocDB::DBCluster", + "resourceName": "NewAmpApp", + "searchKey": "Resources.NewAmpApp.Properties.MasterUserPassword", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp.Properties.MasterUserPassword must not be in plain text string", + "actualValue": "Resources.NewAmpApp.Properties.MasterUserPassword must be defined as a parameter or have a secret manager referenced", + "issueType": "IncorrectValue", + "similarityID": "95c06ac2572dd5dc6fe62f450ac683fad6d563c634dd144d4f28f89585e4193a", + "search_line": -1 }, { "queryName": "DocDB Cluster Master Password In Plaintext", "severity": "HIGH", "line": 6, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Parameters.ParentMasterPassword.Default", + "searchValue": "", + "expectedValue": "Parameters.ParentMasterPassword.Default should be defined", + "actualValue": "Parameters.ParentMasterPassword.Default shouldn't be defined", + "issueType": "IncorrectValue", + "similarityID": "b9fec10d4a817d58bc0f2683fd03794f0750af09891020d8736bd86b02a3f4f9", + "search_line": -1 }, { "queryName": "DocDB Cluster Master Password In Plaintext", "severity": "HIGH", "line": 18, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::DocDB::DBCluster", + "resourceName": "NewAmpApp03", + "searchKey": "Resources.NewAmpApp03.Properties.MasterUserPassword", + "searchValue": "", + "expectedValue": "Resources.NewAmpApp03.Properties.MasterUserPassword must not be in plain text string", + "actualValue": "Resources.NewAmpApp03.Properties.MasterUserPassword must be defined as a parameter or have a secret 
manager referenced", + "issueType": "IncorrectValue", + "similarityID": "277eee3093b60c16858c1bc783d7f2f74948899ccc6d05f4ab6fa5295c7ff8cb", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive_expected_result.json index ffbae5321d4..6eb58b5d544 100644 --- a/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/docdb_logging_disabled/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 6, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "AWS::DocDB::DBCluster", + "resourceName": "MyDocDBCluster", + "searchKey": "Resources.MyDocDBCluster.Properties", + "searchValue": "", + "expectedValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports should be defined", + "actualValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports is undefined", + "issueType": "MissingAttribute", + "similarityID": "cbdbc6d3d89c7311d43c3fd230820015094dc28af79e11072375fa0f83cf01fc", + "search_line": 6 }, { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 15, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::DocDB::DBCluster", + "resourceName": "MyDocDBCluster", + "searchKey": "Resources.MyDocDBCluster.Properties.EnableCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports should have all following values: audit, profiler", + "actualValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports haven't got the following values: audit, profiler", + "issueType": "IncorrectValue", + "similarityID": "40b60bd01ef669dc4af8ca6a4b4da9eb4ef2051fa7b3b9f6445e2a3f8b7a3cd8", + "search_line": 15 }, { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 15, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::DocDB::DBCluster", + "resourceName": "MyDocDBCluster", + "searchKey": "Resources.MyDocDBCluster.Properties.EnableCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports should have all following values: audit, profiler", + "actualValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports haven't got the following values: audit", + "issueType": "IncorrectValue", + 
"similarityID": "f0519c977dced925acc1c40490d3ff3360024d34e4fa93397b471c72e6c48bde", + "search_line": 15 }, { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 14, - "filename": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::DocDB::DBCluster", + "resourceName": "MyDocDBCluster", + "searchKey": "Resources.MyDocDBCluster.Properties.EnableCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports should have all following values: audit, profiler", + "actualValue": "AWS::DocDB::DBCluster.Properties.EnableCloudwatchLogsExports haven't got the following values: profiler", + "issueType": "IncorrectValue", + "similarityID": "1c4c4db8d3086a6eab779f7c58992aa4d1b2253f44246362f519b243c65fe827", + "search_line": 14 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json index ca734781071..79b109378a5 100644 --- a/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "DynamoDB Table Not Encrypted", "severity": "HIGH", "line": 18, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "my-table", + "searchKey": "Resources.MyDynamoDBTable.Properties.SSESpecification.SSEEnabled", + "searchValue": "", + "expectedValue": "Resources[MyDynamoDBTable].Properties.SSESpecification.SSEEnabled should be 'true'", + "actualValue": "Resources[MyDynamoDBTable].Properties.SSESpecification.SSEEnabled is 'false'", + "issueType": "IncorrectValue", + "similarityID": "f8107ab6da5aea6a546e91f2c1dfe8816812a8292709c4379559b6cd2c336c40", + "search_line": -1 }, { "queryName": "DynamoDB Table Not Encrypted", "severity": "HIGH", "line": 17, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "my-table", + "searchKey": "Resources.MyDynamoDBTable.Properties.SSESpecification", + "searchValue": "", + "expectedValue": "Resources[MyDynamoDBTable].Properties.SSESpecification.SSEEnabled should be set and to 'true'", + "actualValue": "Resources[MyDynamoDBTable].Properties.SSESpecification.SSEEnabled is not set", + "issueType": "MissingAttribute", + "similarityID": "94c22350b87e85d747228e3c42bff602473661919a7694efea41d07193e40250", + "search_line": -1 }, { "queryName": "DynamoDB Table Not Encrypted", "severity": "HIGH", "line": 8, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "AuthorsTable_prod", + "searchKey": "Resources.OrdersTable.Properties.SSESpecification.SSEEnabled", + "searchValue": "", + "expectedValue": "Resources[OrdersTable].Properties.SSESpecification.SSEEnabled should be 'true'", + "actualValue": "Resources[OrdersTable].Properties.SSESpecification.SSEEnabled is 'false'", + "issueType": "IncorrectValue", + "similarityID": "527496487f7e956604665a2ddd08b5cd2cb7819192e48a76185edc4bf0f1fc48", + "search_line": -1 } 
-] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json index 6b9c1de7eae..20d808284dd 100644 --- a/assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json 
@@ -3,42 +3,105 @@ "queryName": "DynamoDB Table Point In Time Recovery Disabled", "severity": "INFO", "line": 6, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "MyDynamoDBTable", + "searchKey": "Resources.MyDynamoDBTable.Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled", + "searchValue": "", + "expectedValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be set to 'true'", + "actualValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "eea3fd621870e7e3681adceb2da0bed5f8dfaf6ade44ba9d61c7aaee630fd4c2", + "search_line": -1 }, { "queryName": "DynamoDB Table Point In Time Recovery Disabled", "severity": "INFO", "line": 4, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "my-table", + "searchKey": "Resources.MyDynamoDBTable.Properties", + "searchValue": "", + "expectedValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be defined and set to 'true'", + "actualValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification is not defined", + "issueType": "MissingAttribute", + "similarityID": "73dec88315aae62ef445848c501ae83b7d848e55ac27ad9397990631874368ee", + "search_line": -1 }, { "queryName": "DynamoDB Table Point In Time Recovery Disabled", "severity": "INFO", "line": 8, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "DynamoDBOnDemandTable1", + "searchKey": "Resources.DynamoDBOnDemandTable1.Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled", + "searchValue": "", + "expectedValue": 
"Resources[DynamoDBOnDemandTable1].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be set to 'true'", + "actualValue": "Resources[DynamoDBOnDemandTable1].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "9db15d5a87a0b6d2c1d386111463ab79031f4642f2fc4c38c6c0251880eaaa61", + "search_line": -1 }, { "queryName": "DynamoDB Table Point In Time Recovery Disabled", "severity": "INFO", "line": 5, - "filename": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "DynamoDBOnDemandTable1", + "searchKey": "Resources.DynamoDBOnDemandTable1.Properties", + "searchValue": "", + "expectedValue": "Resources[DynamoDBOnDemandTable1].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be defined and set to 'true'", + "actualValue": "Resources[DynamoDBOnDemandTable1].Properties.PointInTimeRecoverySpecification is not defined", + "issueType": "MissingAttribute", + "similarityID": "a0596acc03be147488b11954139803c6c4497e187f7a98444d956739f6942c1d", + "search_line": -1 }, { "queryName": "DynamoDB Table Point In Time Recovery Disabled", "severity": "INFO", "line": 5, - "filename": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "MyDynamoDBTable", + "searchKey": "Resources.MyDynamoDBTable.Properties.PointInTimeRecoverySpecification", + "searchValue": "", + "expectedValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be defined and set to 'true'", + "actualValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is not defined", + "issueType": "MissingAttribute", + "similarityID": "025a2c5cbb8d2a9d3d35929c6cdd9df73dc0aa3c53f784c9756c38c7a7b3de9c", + "search_line": -1 }, { "queryName": "DynamoDB Table Point In Time Recovery 
Disabled", "severity": "INFO", "line": 7, - "filename": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "DynamoDBOnDemandTable1", + "searchKey": "Resources.DynamoDBOnDemandTable1.Properties.PointInTimeRecoverySpecification", + "searchValue": "", + "expectedValue": "Resources[DynamoDBOnDemandTable1].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be defined and set to 'true'", + "actualValue": "Resources[DynamoDBOnDemandTable1].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is not defined", + "issueType": "MissingAttribute", + "similarityID": "04d52f9062968e5b7315948acdc626d5f576e744d5b47df8b0fb52401557f093", + "search_line": -1 }, { "queryName": "DynamoDB Table Point In Time Recovery Disabled", "severity": "INFO", "line": 6, - "filename": "positive7.yaml" + "fileName": "positive7.yaml", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "MyDynamoDBTable", + "searchKey": "Resources.MyDynamoDBTable.Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled", + "searchValue": "", + "expectedValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled should be set to 'true'", + "actualValue": "Resources[MyDynamoDBTable].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "7e10cc23b0d83e1e6ad26e16a6cca89200e0b4d76aae56ae7707bd5f6168118a", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/test/positive_expected_result.json index 9e900553ca0..693554bfe51 100644 --- a/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/test/positive_expected_result.json 
+++ b/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk/test/positive_expected_result.json 
@@ -3,42 +3,105 @@ "queryName": "DynamoDB With Aws Owned CMK", "severity": "HIGH", "line": 4, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "dynamodb-kms-0", + "searchKey": "Resources.DynamoDBOnDemandTable2.properties;", + "searchValue": "", + "expectedValue": "Resources[DynamoDBOnDemandTable2].properties.SSESpecification.SSEEnabled should be true", + "actualValue": "Resources[DynamoDBOnDemandTable2].properties.SSESpecification.SSEEnabled is false", + "issueType": "IncorrectValue", + "similarityID": "4dc914e358a900f65820277abdf8e319d47e8d02f59df55c11f2a893454b0d9d", + "search_line": -1 }, { "queryName": "DynamoDB With Aws Owned CMK", "severity": "HIGH", "line": 4, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "dynamodb-kms-3", + "searchKey": "Resources.DynamoDBOnDemandTable5.properties;", + "searchValue": "", + "expectedValue": "Resources.DynamoDBOnDemandTable5.properties.SSESpecification should be set", + "actualValue": "Resources.DynamoDBOnDemandTable5.properties.SSESpecification is undefined", + "issueType": "MissingAttribute", + "similarityID": "d520716336c01df98c465ed633cb2ed41c0a3f26868871cde3ce3279cacf8536", + "search_line": -1 }, { "queryName": "DynamoDB With Aws Owned CMK", "severity": "HIGH", "line": 4, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "dynamodb-kms-2", + "searchKey": "Resources.DynamoDBOnDemandTable4.properties;", + "searchValue": "", + "expectedValue": "Resources.DynamoDBOnDemandTable4.properties.SSESpecification.SSEEnabled should be set", + "actualValue": "Resources.DynamoDBOnDemandTable4.properties.SSESpecification.SSEEnabled is undefined", + "issueType": "MissingAttribute", + "similarityID": "87c57d1fb82da77497645f4d9c6bf6b04887625f2caa9af5a374dc0ddcc54168", + "search_line": -1 }, { "queryName": "DynamoDB With 
Aws Owned CMK", "severity": "HIGH", "line": 5, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "dynamodb-kms-0", + "searchKey": "Resources.DynamoDBOnDemandTable2.properties;", + "searchValue": "", + "expectedValue": "Resources[DynamoDBOnDemandTable2].properties.SSESpecification.SSEEnabled should be true", + "actualValue": "Resources[DynamoDBOnDemandTable2].properties.SSESpecification.SSEEnabled is false", + "issueType": "IncorrectValue", + "similarityID": "ba0ce772f8e65144828ccee15d5dfbdf7847aa269b279dfb82e29a34506b5ac6", + "search_line": -1 }, { "queryName": "DynamoDB With Aws Owned CMK", "severity": "HIGH", "line": 4, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "dynamodb-kms-2", + "searchKey": "Resources.DynamoDBOnDemandTable4.properties;", + "searchValue": "", + "expectedValue": "Resources.DynamoDBOnDemandTable4.properties.SSESpecification.SSEEnabled should be set", + "actualValue": "Resources.DynamoDBOnDemandTable4.properties.SSESpecification.SSEEnabled is undefined", + "issueType": "MissingAttribute", + "similarityID": "8489b972ab734b7ee51a76789e4de2349ee534b4261c34caf72ab0a69ad104ea", + "search_line": -1 }, { "queryName": "DynamoDB With Aws Owned CMK", "severity": "HIGH", "line": 5, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "dynamodb-kms-3", + "searchKey": "Resources.DynamoDBOnDemandTable5.properties;", + "searchValue": "", + "expectedValue": "Resources.DynamoDBOnDemandTable5.properties.SSESpecification should be set", + "actualValue": "Resources.DynamoDBOnDemandTable5.properties.SSESpecification is undefined", + "issueType": "MissingAttribute", + "similarityID": "6f4599709c27a98488682bd296ea12e9a8a9ad8a6a5f0b0e5b89d532a35a53d2", + "search_line": -1 }, { "queryName": "DynamoDB With Aws Owned CMK", "severity": "HIGH", "line": 4, 
- "fileName": "positive7.yaml" + "fileName": "positive7.yaml", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "dynamodb-kms-0", + "searchKey": "Resources.DynamoDBOnDemandTable2.properties;", + "searchValue": "", + "expectedValue": "Resources[DynamoDBOnDemandTable2].properties.SSESpecification.SSEEnabled should be true", + "actualValue": "Resources[DynamoDBOnDemandTable2].properties.SSESpecification.SSEEnabled is false", + "issueType": "IncorrectValue", + "similarityID": "6a80e43902d299677d443ecc439d6743ebd37f95ebb5163f0f4b4d31befc36c6", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/test/positive_expected_result.json index 9d6b05aba69..c32d68383b4 100644 --- a/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "DynamoDB With Not Recommended Table Billing Mode", "severity": "LOW", "line": 13, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "myTableName", + "searchKey": "Resources.myDynamoDBTable.Properties.BillingMode", + "searchValue": "", + "expectedValue": "Resources.myDynamoDBTable.Properties.BillingMode should not be 'PROVISIONED' or 'PAY_PER_REQUEST'", + "actualValue": "Resources.myDynamoDBTable.Properties.BillingMode is 'PROVISIONED' or 'PAY_PER_REQUEST'", + "issueType": "IncorrectValue", + "similarityID": "3c541fa78273c6f7e22991790a3c70ea3787106d01316e49715fa1cec50d466b", + "search_line": -1 }, { "queryName": "DynamoDB With Not Recommended Table Billing Mode", "severity": "LOW", "line": 16, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::DynamoDB::Table", + "resourceName": "myTableName", + "searchKey": "Resources.myDynamoDBTable.Properties.BillingMode", + "searchValue": "", + "expectedValue": "Resources.myDynamoDBTable.Properties.BillingMode should not be 'PROVISIONED' or 'PAY_PER_REQUEST'", + "actualValue": "Resources.myDynamoDBTable.Properties.BillingMode is 'PROVISIONED' or 'PAY_PER_REQUEST'", + "issueType": "IncorrectValue", + "similarityID": "544e33df01e5ab5cfffdebd808641fbdfbde6e02a4422ff7c9c4df2cfb6ed291", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json index 79ec37039ae..66485cce0bd 100644 --- a/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json 
@@ -3,30 +3,75 @@
 "queryName": "EBS Volume Encryption Disabled",
 "severity": "HIGH",
 "line": 8,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::EC2::Volume",
+ "resourceName": "NewVolume",
+ "searchKey": "Resources.NewVolume.Properties.Encrypted",
+ "searchValue": "",
+ "expectedValue": "Resources.NewVolume.Properties.Encrypted should be true",
+ "actualValue": "Resources.NewVolume.Properties.Encrypted is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "5e5308f1cc7a76218bf0d9e53a1c325f3fae9e26ba5110e1d4a490b05c60448e",
+ "search_line": -1
 },
 {
 "queryName": "EBS Volume Encryption Disabled",
 "severity": "HIGH",
 "line": 6,
- "fileName": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "AWS::EC2::Volume",
+ "resourceName": "NewVolume02",
+ "searchKey": "Resources.NewVolume02.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.NewVolume02.Properties.Encrypted should be defined and not null",
+ "actualValue": "Resources.NewVolume02.Properties.Encrypted is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "538738a942530a0848df80e10c8dd76fb19dabd6d69943c827c092f4ccf7fe6e",
+ "search_line": -1
 },
 {
 "queryName": "EBS Volume Encryption Disabled",
 "severity": "HIGH",
 "line": 15,
- "fileName": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "AWS::EC2::Volume",
+ "resourceName": "NewVolume",
+ "searchKey": "Resources.NewVolume.Properties.Encrypted",
+ "searchValue": "",
+ "expectedValue": "Resources.NewVolume.Properties.Encrypted should be true",
+ "actualValue": "Resources.NewVolume.Properties.Encrypted is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "41137defb8d6b404879b28b16a67167678e36fb13c591b585b7d9ee0089ff24f",
+ "search_line": -1
 },
 {
 "queryName": "EBS Volume Encryption Disabled",
 "severity": "HIGH",
 "line": 6,
- "fileName": "positive4.json"
+ "fileName": "positive4.json",
+ "resourceType": "AWS::EC2::Volume",
+ "resourceName": "NewVolume02",
+ "searchKey": "Resources.NewVolume02.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.NewVolume02.Properties.Encrypted should be defined and not null",
+ "actualValue": "Resources.NewVolume02.Properties.Encrypted is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "bf647376c3edb214a881633b1e37690fdc75a68a3382be8b5e4da576e29760af",
+ "search_line": -1
 },
 {
 "queryName": "EBS Volume Encryption Disabled",
 "severity": "HIGH",
 "line": 8,
- "fileName": "positive5.yaml"
+ "fileName": "positive5.yaml",
+ "resourceType": "AWS::EC2::Volume",
+ "resourceName": "NewVolume",
+ "searchKey": "Resources.NewVolume.Properties.Encrypted",
+ "searchValue": "",
+ "expectedValue": "Resources.NewVolume.Properties.Encrypted should be true",
+ "actualValue": "Resources.NewVolume.Properties.Encrypted is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "39216c134af3b85bffb252622c8ba5f4403a50fb73ee1233df35c1bc6a7c38ce",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/test/positive_expected_result.json
index f16e1565d8e..456485d82fd 100644
--- a/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "EBS Volume Not Attached To Instances",
 "severity": "LOW",
 "line": 3,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::EC2::Volume",
+ "resourceName": "NewVolume",
+ "searchKey": "Resources.NewVolume",
+ "searchValue": "",
+ "expectedValue": "'Resources.NewVolume' should be attached to instances",
+ "actualValue": "'Resources.NewVolume' is not attached to instances",
+ "issueType": "MissingAttribute",
+ "similarityID": "603ab1ea978fe701502898c59dd2f9d516e7bc4e8d7aa7f52b97304dc14f7a22",
+ "search_line": -1
 },
 {
 "queryName": "EBS Volume Not Attached To Instances",
 "severity": "LOW",
 "line": 4,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::EC2::Volume",
+ "resourceName": "NewVolume",
+ "searchKey": "Resources.NewVolume",
+ "searchValue": "",
+ "expectedValue": "'Resources.NewVolume' should be attached to instances",
+ "actualValue": "'Resources.NewVolume' is not attached to instances",
+ "issueType": "MissingAttribute",
+ "similarityID": "afa9eb22385571da59cc3448a6a4980b5c03b500df840e399fbec2fbcbbf8862",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/test/positive_expected_result.json
index fffab5be473..257b07b69ce 100644
--- a/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "EBS Volume Without KmsKeyId",
 "severity": "LOW",
 "line": 6,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::EC2::Volume",
+ "resourceName": "NewVolume",
+ "searchKey": "Resources.NewVolume.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.NewVolume.Properties.KmsKeyId should be defined",
+ "actualValue": "Resources.NewVolume.Properties.KmsKeyId is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "833cb68e1ff42c49e559518e2a281bea000f871696016752700a4f1886ef25e1",
+ "search_line": -1
 },
 {
+ "queryName": "EBS Volume Without KmsKeyId",
+ "severity": "LOW",
 "line": 7,
 "fileName": "positive2.json",
- "queryName": "EBS Volume Without KmsKeyId",
- "severity": "LOW"
+ "resourceType": "AWS::EC2::Volume",
+ "resourceName": "NewVolume",
+ "searchKey": "Resources.NewVolume.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.NewVolume.Properties.KmsKeyId should be defined",
+ "actualValue": "Resources.NewVolume.Properties.KmsKeyId is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "6514ad222e5e2938c1ad2525c2abf672f8a60b2be2c854a5b347b00897e402b4",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/test/positive_expected_result.json
index 3b88d058195..e1e91c6936b 100644
--- a/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role/test/positive_expected_result.json
@@ -3,54 +3,135 @@
 "queryName": "EC2 Instance Has No IAM Role",
 "severity": "MEDIUM",
 "line": 4,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::EC2::Instance",
+ "resourceName": "Test",
+ "searchKey": "Resources.NoIAM.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.NoIAM.Properties.IamInstanceProfile' should be set",
+ "actualValue": "'Resources.NoIAM.Properties.IamInstanceProfile' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "dfce532d6a94c4097e7e3a755510faded324510d0f8eb6d20741d034ba69141e",
+ "search_line": -1
 },
 {
 "queryName": "EC2 Instance Has No IAM Role",
 "severity": "MEDIUM",
 "line": 29,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::EC2::Instance",
+ "resourceName": "Test",
+ "searchKey": "Resources.IAM_Missing.Properties.IamInstanceProfile",
+ "searchValue": "",
+ "expectedValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' should have a matching IamInstanceProfile resource",
+ "actualValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' does not have matching IamInstanceProfile resource",
+ "issueType": "MissingAttribute",
+ "similarityID": "3daa6cbb648645c48578508a518502bd7e4cf80107897a3e1401a08524b71047",
+ "search_line": -1
 },
 {
+ "queryName": "EC2 Instance Has No IAM Role",
 "severity": "MEDIUM",
 "line": 55,
 "fileName": "positive1.yaml",
- "queryName": "EC2 Instance Has No IAM Role"
+ "resourceType": "AWS::EC2::Instance",
+ "resourceName": "Test",
+ "searchKey": "Resources.NoRolesProfile.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.NoRolesProfile.Properties.Roles' should be set",
+ "actualValue": "'Resources.NoRolesProfile.Properties.Roles' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "7b17f4ab2c3b70e4b0961a8c496c4bf800c8ac58f8caa120defcacd2fed69f70",
+ "search_line": -1
 },
 {
 "queryName": "EC2 Instance Has No IAM Role",
 "severity": "MEDIUM",
 "line": 5,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::EC2::Instance",
+ "resourceName": "Test",
+ "searchKey": "Resources.NoIAM.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.NoIAM.Properties.IamInstanceProfile' should be set",
+ "actualValue": "'Resources.NoIAM.Properties.IamInstanceProfile' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "10ae56832e930fc000d3191d8868f8ca4586839e3b1628b869c3c88e5c46c3cc",
+ "search_line": -1
 },
 {
+ "queryName": "EC2 Instance Has No IAM Role",
+ "severity": "MEDIUM",
 "line": 47,
 "fileName": "positive2.json",
- "queryName": "EC2 Instance Has No IAM Role",
- "severity": "MEDIUM"
+ "resourceType": "AWS::EC2::Instance",
+ "resourceName": "Test",
+ "searchKey": "Resources.IAM_Missing.Properties.IamInstanceProfile",
+ "searchValue": "",
+ "expectedValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' should have a matching IamInstanceProfile resource",
+ "actualValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' does not have matching IamInstanceProfile resource",
+ "issueType": "MissingAttribute",
+ "similarityID": "16bf055f45c9fbb75dccc1a8ef195a026ea3253156296754abd0210dff227f89",
+ "search_line": -1
 },
 {
- "fileName": "positive2.json",
 "queryName": "EC2 Instance Has No IAM Role",
 "severity": "MEDIUM",
- "line": 94
+ "line": 94,
+ "fileName": "positive2.json",
+ "resourceType": "AWS::EC2::Instance",
+ "resourceName": "Test",
+ "searchKey": "Resources.NoRolesProfile.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.NoRolesProfile.Properties.Roles' should be set",
+ "actualValue": "'Resources.NoRolesProfile.Properties.Roles' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "8c23f6a279beec37b19d77b04952a6f0482600f4fceba49d8553b9093ddb3ddf",
+ "search_line": -1
 },
 {
- "line": 53,
- "fileName": "positive3.yaml",
 "queryName": "EC2 Instance Has No IAM Role",
- "severity": "MEDIUM"
- },
- {
+ "severity": "MEDIUM",
 "line": 4,
 "fileName": "positive3.yaml",
- "queryName": "EC2 Instance Has No IAM Role",
- "severity": "MEDIUM"
+ "resourceType": "AWS::EC2::Instance",
+ "resourceName": "Test",
+ "searchKey": "Resources.NoIAM.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.NoIAM.Properties.IamInstanceProfile' should be set",
+ "actualValue": "'Resources.NoIAM.Properties.IamInstanceProfile' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "91be4ebaa3d22ae299ff65eb99ff97d60dd1420c162e85eca83659fe0d55eb7a",
+ "search_line": -1
 },
 {
+ "queryName": "EC2 Instance Has No IAM Role",
+ "severity": "MEDIUM",
 "line": 29,
 "fileName": "positive3.yaml",
+ "resourceType": "AWS::EC2::Instance",
+ "resourceName": "Test",
+ "searchKey": "Resources.IAM_Missing.Properties.IamInstanceProfile",
+ "searchValue": "",
+ "expectedValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' should have a matching IamInstanceProfile resource",
+ "actualValue": "'Resources.IAM_Missing.Properties.IamInstanceProfile' does not have matching IamInstanceProfile resource",
+ "issueType": "MissingAttribute",
+ "similarityID": "0a32f1e1bac09a8e6a26164d144f95b329046ddb252f4462eac6aff5045c1025",
+ "search_line": -1
+ },
+ {
 "queryName": "EC2 Instance Has No IAM Role",
- "severity": "MEDIUM"
+ "severity": "MEDIUM",
+ "line": 53,
+ "fileName": "positive3.yaml",
+ "resourceType": "AWS::EC2::Instance",
+ "resourceName": "Test",
+ "searchKey": "Resources.NoRolesProfile.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.NoRolesProfile.Properties.Roles' should be set",
+ "actualValue": "'Resources.NoRolesProfile.Properties.Roles' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "b5feba9bfea540846ef3d238d7fb3bec876865cc4793453a543b1135a668408d",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json
index 98e34e6fa58..76f5e757b3e 100644
--- a/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json
@@ -3,18 +3,45 @@
 "queryName": "EC2 Instance Monitoring Disabled",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::EC2::Instance",
+ "resourceName": "MyEC2Instance",
+ "searchKey": "Resources.MyEC2Instance.Properties.Monitoring",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyEC2Instance.Properties.Monitoring' should be set to 'true'",
+ "actualValue": "'Resources.MyEC2Instance.Properties.Monitoring' is set to 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "c9cd34a5393cc62e1a4517d74e8df6e0b585cac89ac400786b523354630b67ff",
+ "search_line": -1
 },
 {
 "queryName": "EC2 Instance Monitoring Disabled",
 "severity": "MEDIUM",
 "line": 4,
- "fileName": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "AWS::EC2::Instance",
+ "resourceName": "MyEC2Instance",
+ "searchKey": "Resources.MyEC2Instance.Properties.Monitoring",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyEC2Instance.Properties.Monitoring' should be set and to 'true'",
+ "actualValue": "'Resources.MyEC2Instance.Properties.Monitoring' is not set",
+ "issueType": "MissingAttribute",
+ "similarityID": "7317427e95d7f07f55f0b2a90b5781bc6f5e68ab1d6c73ed2cb99d89c3008d7a",
+ "search_line": -1
 },
 {
 "queryName": "EC2 Instance Monitoring Disabled",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "AWS::EC2::Instance",
+ "resourceName": "MyEC2Instance",
+ "searchKey": "Resources.MyEC2Instance.Properties.Monitoring",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyEC2Instance.Properties.Monitoring' should be set to 'true'",
+ "actualValue": "'Resources.MyEC2Instance.Properties.Monitoring' is set to 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "2c8740f0e26cb781b13b5cf3441696a0adbeedc6a998179fc41a077b29430555",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/test/positive_expected_result.json
index 95bff5b59c4..c874f647131 100644
--- a/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch/test/positive_expected_result.json
@@ -3,18 +3,45 @@
 "queryName": "EC2 Instance Subnet Has Public IP Mapping On Launch",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::EC2::Subnet",
+ "resourceName": "mySubnet",
+ "searchKey": "Resources.mySubnet.Properties.MapPublicIpOnLaunch",
+ "searchValue": "",
+ "expectedValue": "'Resources.mySubnet.Properties.MapPublicIpOnLaunch' should be false",
+ "actualValue": "'Resources.mySubnet.Properties.MapPublicIpOnLaunch' is true",
+ "issueType": "IncorrectValue",
+ "similarityID": "070f6e584cdd88308cfa2e3afc34a91ebc7716dc363b4f0d7c27c73d0bb8c057",
+ "search_line": -1
 },
 {
 "queryName": "EC2 Instance Subnet Has Public IP Mapping On Launch",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::EC2::Subnet",
+ "resourceName": "mySubnet",
+ "searchKey": "Resources.mySubnet.Properties.MapPublicIpOnLaunch",
+ "searchValue": "",
+ "expectedValue": "'Resources.mySubnet.Properties.MapPublicIpOnLaunch' should be false",
+ "actualValue": "'Resources.mySubnet.Properties.MapPublicIpOnLaunch' is true",
+ "issueType": "IncorrectValue",
+ "similarityID": "cf191242f2403558e137700367a77450ceda737e4c1482cdf12c1c22a5594d47",
+ "search_line": -1
 },
 {
 "queryName": "EC2 Instance Subnet Has Public IP Mapping On Launch",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "AWS::EC2::Subnet",
+ "resourceName": "mySubnet",
+ "searchKey": "Resources.mySubnet.Properties.MapPublicIpOnLaunch",
+ "searchValue": "",
+ "expectedValue": "'Resources.mySubnet.Properties.MapPublicIpOnLaunch' should be false",
+ "actualValue": "'Resources.mySubnet.Properties.MapPublicIpOnLaunch' is true",
+ "issueType": "IncorrectValue",
+ "similarityID": "c6c15101a665fef1470604bb4e7f8d4613d93fb7e6ed724e08b7a5afea665aaa",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json
index 21e8b9adb1c..ac92e1e6c02 100644
--- a/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "EC2 Instance Using Default Security Group",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::EC2::Instance",
+ "resourceName": "MyEC2Instance",
+ "searchKey": "Resources.MyEC2Instance.Properties.SecurityGroups",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyEC2Instance.Properties.SecurityGroups' should not be using default security group",
+ "actualValue": "'Resources.MyEC2Instance.Properties.SecurityGroups' is using default security group",
+ "issueType": "IncorrectValue",
+ "similarityID": "a97f18d5c1784385f3956a284030963cdaad4dcb5c93478f2d90f0eb11c632c5",
+ "search_line": 8
 },
 {
 "queryName": "EC2 Instance Using Default Security Group",
 "severity": "MEDIUM",
 "line": 23,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::EC2::Instance",
+ "resourceName": "MyEC2Instance",
+ "searchKey": "Resources.MyEC2Instance.Properties.SecurityGroups",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyEC2Instance.Properties.SecurityGroups' should not be using default security group",
+ "actualValue": "'Resources.MyEC2Instance.Properties.SecurityGroups' is using default security group",
+ "issueType": "IncorrectValue",
+ "similarityID": "880a5051d5ce313d84369fce20037124d7cff9d402f61b709f8d62d38b2bed9e",
+ "search_line": 23
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json
index 13ad6579c84..3cf456b65ac 100644
--- a/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "EC2 Instance Using Default VPC",
 "severity": "LOW",
 "line": 7,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::EC2::Instance",
+ "resourceName": "DefaultVPC",
+ "searchKey": "Resources.DefaultVPC.Properties.SubnetId",
+ "searchValue": "",
+ "expectedValue": "Resources.DefaultVPC.Properties.SubnetId should not be associated with a default VPC",
+ "actualValue": "Resources.DefaultVPC.Properties.SubnetId is associated with a default VPC",
+ "issueType": "IncorrectValue",
+ "similarityID": "b1b27e2909e09447a302d117ae94021c708ebcd6aaf0ab1778533e17a3a1baf1",
+ "search_line": -1
 },
 {
 "queryName": "EC2 Instance Using Default VPC",
 "severity": "LOW",
 "line": 7,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::EC2::Instance",
+ "resourceName": "DefaultVPC",
+ "searchKey": "Resources.DefaultVPC.Properties.SubnetId",
+ "searchValue": "",
+ "expectedValue": "Resources.DefaultVPC.Properties.SubnetId should not be associated with a default VPC",
+ "actualValue": "Resources.DefaultVPC.Properties.SubnetId is associated with a default VPC",
+ "issueType": "IncorrectValue",
+ "similarityID": "8b6cfc24e88a3326b29030eb83d44a2846ec68b9d4545ffa084423810fa4acec",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/test/positive_expected_result.json
index 76b37110772..c617de2afe8 100644
--- a/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule/test/positive_expected_result.json
@@ -1,50 +1,122 @@
 [
 {
+ "queryName": "EC2 Network ACL Duplicate Rule",
 "severity": "INFO",
 "line": 12,
 "fileName": "positive1.yaml",
- "queryName": "EC2 Network ACL Duplicate Rule"
+ "resourceType": "AWS::EC2::NetworkAclEntry",
+ "resourceName": "InboundRule",
+ "searchKey": "Resources.InboundRule.Properties.RuleNumber",
+ "searchValue": "",
+ "expectedValue": "'Resources.InboundRule' shouldn't have the same rule number as other entry for the same NetworkACL",
+ "actualValue": "'Resources.InboundRule' has the same rule number as other entry for the same NetworkACL",
+ "issueType": "IncorrectValue",
+ "similarityID": "b322f51510a8db0597bf24c6bc04b3991b6817b0abc034a46a6fa1dd4e1e0784",
+ "search_line": -1
 },
 {
+ "queryName": "EC2 Network ACL Duplicate Rule",
 "severity": "INFO",
 "line": 25,
 "fileName": "positive1.yaml",
- "queryName": "EC2 Network ACL Duplicate Rule"
+ "resourceType": "AWS::EC2::NetworkAclEntry",
+ "resourceName": "OutboundRule",
+ "searchKey": "Resources.OutboundRule.Properties.RuleNumber",
+ "searchValue": "",
+ "expectedValue": "'Resources.OutboundRule' shouldn't have the same rule number as other entry for the same NetworkACL",
+ "actualValue": "'Resources.OutboundRule' has the same rule number as other entry for the same NetworkACL",
+ "issueType": "IncorrectValue",
+ "similarityID": "d94432b251a0dc0e92e609fd14d1e417fd1f10f2f7e3945599505970baebdaad",
+ "search_line": -1
 },
 {
 "queryName": "EC2 Network ACL Duplicate Rule",
 "severity": "INFO",
 "line": 39,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::EC2::NetworkAclEntry",
+ "resourceName": "InboundRule2",
+ "searchKey": "Resources.InboundRule2.Properties.RuleNumber",
+ "searchValue": "",
+ "expectedValue": "'Resources.InboundRule2' shouldn't have the same rule number as other entry for the same NetworkACL",
+ "actualValue": "'Resources.InboundRule2' has the same rule number as other entry for the same NetworkACL",
+ "issueType": "IncorrectValue",
+ "similarityID": "c18028f9594bf78c490577fe99bc05dbd5b4a9ac18e0b8ebaab1bdecba6be568",
+ "search_line": -1
 },
 {
 "queryName": "EC2 Network ACL Duplicate Rule",
 "severity": "INFO",
 "line": 52,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::EC2::NetworkAclEntry",
+ "resourceName": "OutboundRule2",
+ "searchKey": "Resources.OutboundRule2.Properties.RuleNumber",
+ "searchValue": "",
+ "expectedValue": "'Resources.OutboundRule2' shouldn't have the same rule number as other entry for the same NetworkACL",
+ "actualValue": "'Resources.OutboundRule2' has the same rule number as other entry for the same NetworkACL",
+ "issueType": "IncorrectValue",
+ "similarityID": "84a2740157e3c9411d5717fd2a3733be2bc25712359826f62c6a433af9391025",
+ "search_line": -1
 },
 {
- "line": 33,
- "fileName": "positive2.json",
 "queryName": "EC2 Network ACL Duplicate Rule",
- "severity": "INFO"
+ "severity": "INFO",
+ "line": 23,
+ "fileName": "positive2.json",
+ "resourceType": "AWS::EC2::NetworkAclEntry",
+ "resourceName": "InboundRule",
+ "searchKey": "Resources.InboundRule.Properties.RuleNumber",
+ "searchValue": "",
+ "expectedValue": "'Resources.InboundRule' shouldn't have the same rule number as other entry for the same NetworkACL",
+ "actualValue": "'Resources.InboundRule' has the same rule number as other entry for the same NetworkACL",
+ "issueType": "IncorrectValue",
+ "similarityID": "9ece8efa0848dba0b4547d87277fea46f3304dd6e49076374800bfc12ad77cb5",
+ "search_line": -1
 },
 {
 "queryName": "EC2 Network ACL Duplicate Rule",
 "severity": "INFO",
- "line": 71,
- "fileName": "positive2.json"
+ "line": 33,
+ "fileName": "positive2.json",
+ "resourceType": "AWS::EC2::NetworkAclEntry",
+ "resourceName": "OutboundRule",
+ "searchKey": "Resources.OutboundRule.Properties.RuleNumber",
+ "searchValue": "",
+ "expectedValue": "'Resources.OutboundRule' shouldn't have the same rule number as other entry for the same NetworkACL",
+ "actualValue": "'Resources.OutboundRule' has the same rule number as other entry for the same NetworkACL",
+ "issueType": "IncorrectValue",
+ "similarityID": "fed0560259af9d5a704db501de11b488126bf54fac7bed27e20db2e2839e2966",
+ "search_line": -1
 },
 {
 "queryName": "EC2 Network ACL Duplicate Rule",
 "severity": "INFO",
- "line": 23,
- "fileName": "positive2.json"
+ "line": 57,
+ "fileName": "positive2.json",
+ "resourceType": "AWS::EC2::NetworkAclEntry",
+ "resourceName": "InboundRule2",
+ "searchKey": "Resources.InboundRule2.Properties.RuleNumber",
+ "searchValue": "",
+ "expectedValue": "'Resources.InboundRule2' shouldn't have the same rule number as other entry for the same NetworkACL",
+ "actualValue": "'Resources.InboundRule2' has the same rule number as other entry for the same NetworkACL",
+ "issueType": "IncorrectValue",
+ "similarityID": "5cab84bb0ec1ea84ac37dfef34051fc64ddb38d67c10bcd9c01e8905059622fb",
+ "search_line": -1
 },
 {
 "queryName": "EC2 Network ACL Duplicate Rule",
 "severity": "INFO",
- "line": 57,
- "fileName": "positive2.json"
+ "line": 71,
+ "fileName": "positive2.json",
+ "resourceType": "AWS::EC2::NetworkAclEntry",
+ "resourceName": "OutboundRule2",
+ "searchKey": "Resources.OutboundRule2.Properties.RuleNumber",
+ "searchValue": "",
+ "expectedValue": "'Resources.OutboundRule2' shouldn't have the same rule number as other entry for the same NetworkACL",
+ "actualValue": "'Resources.OutboundRule2' has the same rule number as other entry for the same NetworkACL",
+ "issueType": "IncorrectValue",
+ "similarityID": "448d607481c88d9449533e466a0b16f98b2d33b373002ac5db967ea6a22ff9dd",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/ec2_network_acl_ineffective_denied_traffic/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_network_acl_ineffective_denied_traffic/test/positive_expected_result.json
index d21807992f5..2c3ef672056 100644
--- a/assets/queries/cloudFormation/aws/ec2_network_acl_ineffective_denied_traffic/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ec2_network_acl_ineffective_denied_traffic/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "EC2 Network ACL Ineffective Denied Traffic",
 "severity": "MEDIUM",
 "line": 17,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::EC2::NetworkAclEntry",
+ "resourceName": "InboundRule",
+ "searchKey": "Resources.InboundRule.Properties.CidrBlock",
+ "searchValue": "",
+ "expectedValue": "Traffic denial should be effective (Action is 'Deny' when CidrBlock is '0.0.0.0/0')%!(EXTRA string=InboundRule)",
+ "actualValue": "Traffic denial is ineffective (Action is 'Deny' when CidrBlock is different from '0.0.0.0/0'%!(EXTRA string=InboundRule)",
+ "issueType": "IncorrectValue",
+ "similarityID": "4f8e237fde9bfdf2e0f23eb6b8a273ccc1c236ab5e10748444b847e64c7f5798",
+ "search_line": -1
 },
 {
 "queryName": "EC2 Network ACL Ineffective Denied Traffic",
 "severity": "MEDIUM",
 "line": 20,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::EC2::NetworkAclEntry",
+ "resourceName": "InboundRule",
+ "searchKey": "Resources.InboundRule.Properties.CidrBlock",
+ "searchValue": "",
+ "expectedValue": "Traffic denial should be effective (Action is 'Deny' when CidrBlock is '0.0.0.0/0')%!(EXTRA string=InboundRule)",
+ "actualValue": "Traffic denial is ineffective (Action is 'Deny' when CidrBlock is different from '0.0.0.0/0'%!(EXTRA string=InboundRule)",
+ "issueType": "IncorrectValue",
+ "similarityID": "2a168d80486b181a4375eb5c471eb64f8ed1225af3368675b909f78638bda525",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/test/positive_expected_result.json
index 07ad254cb0d..b0ebc7d1e78 100644
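Review bot: All four added `expectedValue`/`actualValue` strings in this hunk end in `%!(EXTRA string=InboundRule)`, which is the marker Go's fmt package emits when a format call receives more arguments than its template has verbs, so committing them as the expected result locks a message-formatting bug into the test rather than catching it. The `actualValue` text is also missing the closing parenthesis after `'0.0.0.0/0'`. The message presumably originates in the `ec2_network_acl_ineffective_denied_traffic` query's sprintf rather than in this file, so the fix belongs there (drop the unused resource-name argument or give it a verb), after which this file should be regenerated; as written, correcting the query message would make this expectation fail.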
--- a/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports/test/positive_expected_result.json
@@ -2,73 +2,181 @@ { "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", - "line": 78, - "fileName": "positive1.yaml" + "line": 18, + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.InboundRule.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.InboundRule.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue", + "similarityID": "d773610aa4437bf0166e2e88f34bb289f18653226eab52dfa10b7a9159873434", + "search_line": -1 }, { "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", - "line": 90, - "fileName": "positive1.yaml" + "line": 30, + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.OutboundRule.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.OutboundRule.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue", + "similarityID": "6432fc6bb2ef9545ce6566dc20420de0d813f364f0edc3839270ae786fbabea1", + "search_line": -1 }, { "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", - "line": 18, - "fileName": "positive1.yaml" + "line": 42, + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "OutboundTests", + "searchKey": "Resources.OutboundTests.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.OutboundTests.Properties.PortRange should be configured with a different 
unused port range to avoid overlapping'", + "actualValue": "'Resources.OutboundTests.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue", + "similarityID": "1e7ce87e6684c294ef2e8e50e21fca1e2464869d6266afeec6bdbd58ea002a24", + "search_line": -1 }, { - "fileName": "positive1.yaml", "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", - "line": 30 + "line": 54, + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundTests", + "searchKey": "Resources.InboundTests.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.InboundTests.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.InboundTests.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue", + "similarityID": "dc12df538da95f45bb0b876f44e2be60259fb957b0a113bac12d7b1026479509", + "search_line": -1 }, { + "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", - "line": 42, + "line": 78, "fileName": "positive1.yaml", - "queryName": "EC2 Network ACL Overlapping Ports" + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "Match", + "searchKey": "Resources.Match.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.Match.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.Match.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue", + "similarityID": "cb76b9f4d9e9294e0ae07898e0ad799bcecc03aabeb83a72e083051af350d222", + "search_line": -1 }, { "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", - "line": 54, - "fileName": 
"positive1.yaml" + "line": 90, + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "EqualMatch", + "searchKey": "Resources.EqualMatch.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.EqualMatch.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.EqualMatch.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue", + "similarityID": "78d2fecc45f7201f2bd80b6c8838e743f1ccca818a956ebc44a880f6200109c8", + "search_line": -1 }, { "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", - "line": 73, - "fileName": "positive2.json" + "line": 22, + "fileName": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "Match", + "searchKey": "Resources.Match.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.Match.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.Match.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue", + "similarityID": "3babd0eba68bcf9d2cfb47a5d4bd48c23e396f59ce8b76f97866996c7fd8d765", + "search_line": -1 }, { - "line": 116, - "fileName": "positive2.json", "queryName": "EC2 Network ACL Overlapping Ports", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 38, + "fileName": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "EqualMatch", + "searchKey": "Resources.EqualMatch.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.EqualMatch.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.EqualMatch.Properties.PortRange has port rage config that is 
overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue", + "similarityID": "d58a0d33c4e54778aee65be9d085b8066414cee81091612b2778ac9ad11cfcab", + "search_line": -1 }, { "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", - "line": 22, - "fileName": "positive2.json" + "line": 73, + "fileName": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.InboundRule.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.InboundRule.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue", + "similarityID": "e711b0f36399131b3e057626eda15dffa4dd42d9b0dab298db9c326f3c6ec3e4", + "search_line": -1 }, { + "queryName": "EC2 Network ACL Overlapping Ports", + "severity": "MEDIUM", "line": 82, "fileName": "positive2.json", - "queryName": "EC2 Network ACL Overlapping Ports", - "severity": "MEDIUM" + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.OutboundRule.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.OutboundRule.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue", + "similarityID": "9df534f012878ef5351a810acf863b140e96b4a6780152758bc2de781120402a", + "search_line": -1 }, { + "queryName": "EC2 Network ACL Overlapping Ports", + "severity": "MEDIUM", "line": 105, "fileName": "positive2.json", - "queryName": "EC2 Network ACL Overlapping Ports", - "severity": "MEDIUM" + "resourceType": 
"AWS::EC2::NetworkAclEntry", + "resourceName": "OutboundTests", + "searchKey": "Resources.OutboundTests.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.OutboundTests.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.OutboundTests.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue", + "similarityID": "6be4d80004398885189ebba48d224c7e3fd8018ce2b3db172c8836edf967ed22", + "search_line": -1 }, { "queryName": "EC2 Network ACL Overlapping Ports", "severity": "MEDIUM", - "line": 38, - "fileName": "positive2.json" + "line": 116, + "fileName": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundTests", + "searchKey": "Resources.InboundTests.Properties.PortRange", + "searchValue": "", + "expectedValue": "'Resources.InboundTests.Properties.PortRange should be configured with a different unused port range to avoid overlapping'", + "actualValue": "'Resources.InboundTests.Properties.PortRange has port rage config that is overlapping with others resources and causing ineffective rules'", + "issueType": "IncorrectValue", + "similarityID": "a585c14c3314ddbbd30d269a0be0d0f347c26240c9e92e5e4d710eae428ac612", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/test/positive_expected_result.json index 53aad6fca47..daf7e471080 100644 --- a/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized/test/positive_expected_result.json 
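Review bot: Every `actualValue` in this hunk reads `has port rage config`, a typo for `port range` that is now enshrined across all twelve entries; the same class of message typo appears later in this commit as `Oracl DB (TCP:1521)` in the ec2_sensitive_port_is_publicly_exposed fixture. Because these strings are produced by the query, correcting them in the JSON alone would make the comparison fail; the wording should be fixed in the query and the expected result regenerated. The reordering of entries by line number appears consistent with the sort the generator applies and looks intended rather than a regression.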
@@ -3,42 +3,105 @@ "queryName": "EC2 Not EBS Optimized", "severity": "INFO", "line": 4, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", + "searchValue": "", + "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", + "actualValue": "Resources.MyEC2Instance.Properties doesn't have EbsOptimized set to true.", + "issueType": "MissingAttribute", + "similarityID": "7b24abad2c1d3540e7bb3afdb0404192028a8c591baf22c301a8267154980312", + "search_line": -1 }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", "line": 5, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", + "searchValue": "", + "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", + "actualValue": "Resources.MyEC2Instance.Properties doesn't have EbsOptimized set to true.", + "issueType": "MissingAttribute", + "similarityID": "260c94b9b7e00a729745a3cba05e596ab5354313068f28d7cee18f49c0ae7cf6", + "search_line": -1 }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", "line": 16, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", + "searchValue": "", + "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", + "actualValue": "Resources.MyEC2Instance.Properties.EbsOptimized is set to false.", + "issueType": "IncorrectValue", + "similarityID": "6f30ff370cd0d0283fc14649d9c7e0efa97f66b626189124fc49c7ed2e8de4f4", + "search_line": -1 }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", "line": 23, - "fileName": "positive4.json" + 
"fileName": "positive4.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", + "searchValue": "", + "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", + "actualValue": "Resources.MyEC2Instance.Properties.EbsOptimized is set to false.", + "issueType": "IncorrectValue", + "similarityID": "74a3f9cf2b12bf0bb0f25cc0ca82ca02b32ddce3246dde606afdf7c7574929f9", + "search_line": -1 }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", "line": 4, - "fileName": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", + "searchValue": "", + "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", + "actualValue": "Resources.MyEC2Instance.Properties doesn't have EbsOptimized set to true.", + "issueType": "MissingAttribute", + "similarityID": "790fda67d1621ad364144131e41b15a0d23e51019a0501316012f2d9c8f84d2d", + "search_line": -1 }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", "line": 5, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.EbsOptimized", + "searchValue": "", + "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", + "actualValue": "Resources.MyEC2Instance.Properties doesn't have EbsOptimized set to true.", + "issueType": "MissingAttribute", + "similarityID": "2f79ff1d22a917b2833800454de4c80e4ab32454db145f432458914bb31bbcdf", + "search_line": -1 }, { "queryName": "EC2 Not EBS Optimized", "severity": "INFO", "line": 16, - "fileName": "positive7.yaml" + "fileName": "positive7.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": 
"Resources.MyEC2Instance.Properties.EbsOptimized", + "searchValue": "", + "expectedValue": "Resources.MyEC2Instance.Properties should have EbsOptimized set to true.", + "actualValue": "Resources.MyEC2Instance.Properties.EbsOptimized is set to false.", + "issueType": "IncorrectValue", + "similarityID": "6148d7bee5d0388f955c474c8237b50a32949da98c7a823d8ce2148b6a23b977", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/ec2_permissive_network_acl_protocols/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_permissive_network_acl_protocols/test/positive_expected_result.json index 4e0fafdad8d..234674531c4 100644 --- a/assets/queries/cloudFormation/aws/ec2_permissive_network_acl_protocols/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_permissive_network_acl_protocols/test/positive_expected_result.json 
@@ -3,12 +3,30 @@
 "queryName": "EC2 Permissive Network ACL Protocols",
 "severity": "MEDIUM",
 "line": 17,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::EC2::NetworkAclEntry",
+ "resourceName": "OutboundRule",
+ "searchKey": "Resources.OutboundRule.Properties.Protocol",
+ "searchValue": "",
+ "expectedValue": "'Resources.OutboundRule.Properties.Protocol' should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code)",
+ "actualValue": "'Resources.OutboundRule.Properties.Protocol' is configured with a protocol different than 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code)",
+ "issueType": "IncorrectValue",
+ "similarityID": "924aefbb48bcf7045e2b99a1c2fd533dcd435455f07b2b27ee92b0292975f6ef",
+ "search_line": -1
 },
 {
+ "queryName": "EC2 Permissive Network ACL Protocols",
 "severity": "MEDIUM",
 "line": 24,
 "fileName": "positive2.json",
- "queryName": "EC2 Permissive Network ACL Protocols"
+ "resourceType": "AWS::EC2::NetworkAclEntry",
+ "resourceName": "OutboundRule",
+ "searchKey": "Resources.OutboundRule.Properties.Protocol",
+ "searchValue": "",
+ "expectedValue": "'Resources.OutboundRule.Properties.Protocol' should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code)",
+ "actualValue": "'Resources.OutboundRule.Properties.Protocol' is configured with a protocol different than 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code)",
+ "issueType": "IncorrectValue",
+ "similarityID": "a4fa006e1ae82d0d069d6c62fa5c411beb631e1bf4084e72f421a5523d5e5c3e",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/ec2_public_instance_exposed_through_subnet/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_public_instance_exposed_through_subnet/test/positive_expected_result.json
index 5f3620a8431..577744aadb4 100644
--- a/assets/queries/cloudFormation/aws/ec2_public_instance_exposed_through_subnet/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ec2_public_instance_exposed_through_subnet/test/positive_expected_result.json
@@ -1,14 +1,32 @@
 [
 {
- "fileName": "positive1.yaml",
 "queryName": "EC2 Public Instance Exposed Through Subnet",
 "severity": "MEDIUM",
- "line": 28
+ "line": 28,
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::EC2::Instance",
+ "resourceName": "Ec2Instance",
+ "searchKey": "Resources.mySubnet",
+ "searchValue": "",
+ "expectedValue": "Resources.mySubnet should be a private subnet",
+ "actualValue": "Resources.mySubnet has a route for unrestricted internet traffic",
+ "issueType": "IncorrectValue",
+ "similarityID": "79bfcf9c54eca56509bdc02fa5e95425e8d4ed64fe6fefa6acf67edda4db7631",
+ "search_line": -1
 },
 {
 "queryName": "EC2 Public Instance Exposed Through Subnet",
 "severity": "MEDIUM",
 "line": 3,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::EC2::Instance",
+ "resourceName": "Ec2Instance",
+ "searchKey": "Resources.mySubnet",
+ "searchValue": "",
+ "expectedValue": "Resources.mySubnet should be a private subnet",
+ "actualValue": "Resources.mySubnet has a route for unrestricted internet traffic",
+ "issueType": "IncorrectValue",
+ "similarityID": "b80737956adee6b155f60e81e666af3f8868af8de8e9b22a1fea9265ef336bf1",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json index 0adf53057a5..d6256021bd6 100644 --- a/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed/test/positive_expected_result.json 
@@ -3,1092 +3,2730 @@ "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 21, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "69f2b4272d9bb5340587a77b1a10a5c0570fb42285d1f06cf2b9e197a75750c5", + "search_line": 21 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 31, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:80", + "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "a87e7a3bf4065729872b2f80260f869747681e1aaf86670916fb745ac95f0741", + "search_line": 31 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 41, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + 
"issueType": "IncorrectValue", + "similarityID": "3b12f8c9770f967c5e1e413f61fd6c2b4af76b8b73f5f269d0386abf3440db7b", + "search_line": 41 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 49, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[2]", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "78c04a4eb63cee6b8d872e793b77f6d35feaeb78d43512161539aece4284bbb0", + "search_line": 49 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:110", + "expectedValue": "POP3 (TCP:110) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "POP3 (TCP:110) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "70ebb0e4c0e31f49b0e5e2625c7f10a9aa6c85f631ad2f54b5e5f4717f0dd8ab", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:11211", + "expectedValue": "Memcached (TCP:11211) should 
not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached (TCP:11211) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "90bce27cc80bbe21821447ce15bf53f968d7bbc6f6b26c8f0c41f078f67dbe59", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:11214", + "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (TCP:11214) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "f3d3cdb383e6713af4721b7124aa3fd3a865146bd2bf617879f59efa5c8149ae", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:11215", + "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (TCP:11215) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "165b7779518fb945c9bee2e62e163d65f12e88a34668e74f32b2fa9e659a79ce", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": 
"Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Debugger (TCP:135) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "6f1dfe8183db88d7fa8354f93d001c85ca00cfca4eff539fe1a3cd1c0a3779ac", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "53006c990725b02f1158c3d39369a1121b0784f65b77b247287ed548965a56a1", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "df1cb103be4b56a4b04157d3efa2d7566eebb0dc0efbd6c04d2f3eecfc5a4e3b", + "search_line": 60 }, { 
"queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "90a79c1f53ba8ec103f13c54f0ebb807ed2d2cd724577a95b3f1f8ecacc22676", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:1433", + "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Server (TCP:1433) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "321b258dc043fbe93a60456dbd97c8a54e50f506750399a0c60cf921bfc2af94", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:1434", + "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Browser (TCP:1434) is allowed in EC2 
security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "9693c626bf7f4cd72cac3522870746d55fa872cb952acf2332bb6154590fb05d", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:1521", + "expectedValue": "Oracl DB (TCP:1521) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracl DB (TCP:1521) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "5242d33c957512f2a9499d0948c7b45613a66efdf2ccc5c8d0c07562ea643ba7", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:1522", + "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "f04f7807306a00c535fc33b64c6454575254ca32abf256595dcf0a0b82a341e4", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": 
"EC2Instance01/TCP:161", + "expectedValue": "SNMP (TCP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SNMP (TCP:161) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "8e943fa1dbc1b509e2888fa1d0664834d720b735f92f532d9810184c67850a6c", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:20", + "expectedValue": "FTP (TCP:20) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "FTP (TCP:20) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "07f7dcec7364b7b98037dd2879a82699c190e492d3ca18e0b6d99c7966ecae9f", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:21", + "expectedValue": "FTP (TCP:21) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "FTP (TCP:21) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "de54b1140c890a78b5c72a33b1230d89d362bdd0822fa780f097cab4fd1f17ac", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": 
"Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "e2fecfda625d1507043990c83598a186983784ee66fd59b19aaff22754269e10", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Telnet (TCP:23) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "7a52a0a25fc9fbbba6fe77c8d51e26b11bdeace7e4c170beabdef2fafbb38c0e", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2375", + "expectedValue": "Docker (TCP:2375) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Docker (TCP:2375) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "7c244ecebc20d5d0ec2a46621ce92bb4dc26ff8af8d7ed645d231b1db4a2d1e5", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - 
"fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2376", + "expectedValue": "Docker (TCP:2376) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Docker (TCP:2376) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "4528aa2bdea1979e6def65af6b97837e7a607629257dfb28d4ab58c81ee79ae6", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2382", + "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SQL Server Analysis (TCP:2382) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "f66c05072474d19cff625b5842af14aff89fbb4580987adf8d72270c5c5ac3e9", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2383", + "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + 
"similarityID": "c820cb6620428fd94caeeebe12b7a69d43ad2190b1dce55224d5e444e29b8d4f", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2483", + "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "e70f28c44d7d4123bd244392fdaaf37a908c5d1a7e6684c4e91d10dc57171918", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2484", + "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "f7d979b71d37fb6e6af67f67e38b95e448f6964d11753ce597082b5c749c4ec7", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:25", + "expectedValue": "SMTP (TCP:25) should not be allowed in EC2 security group for 
instance 'EC2Instance01'", + "actualValue": "SMTP (TCP:25) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "4549e0e37e755cd9d1fbb159cfb870380a3d9a47d963960726cfcc6bd9e694ad", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:27017", + "expectedValue": "Mongo (TCP:27017) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Mongo (TCP:27017) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "65fa5ba6a690eb15645dbcd499ea91bfb530d441386095e75133b4de42f96595", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:27018", + "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Mongo Web Portal (TCP:27018) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "d0220dc16c6d3bdc7fb751754a9a9044e06edbb8e7a36443021e6f412eaf76c3", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": 
"Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:3000", + "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Prevalent known internal port (TCP:3000) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "cb749e2a887cd7325ce8706fc64bd6198322c99ba98df00863e7acfca5494c88", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:3020", + "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "CIFS / SMB (TCP:3020) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "54f0f045f33efb32842d1b072f0b9de99ec1a95b8a8c88bbce78b039a78a36b6", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:3306", + "expectedValue": "MySQL (TCP:3306) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MySQL (TCP:3306) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "70045ce29779833f067855e86c787881f4bd16779941e9642c6ab02a03d5f344", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", 
"severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:3389", + "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Remote Desktop (TCP:3389) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "c8e36ff4e75b9e6997a600a8792a58632abc673111b43e4ac22a7117d7f03bae", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:389", + "expectedValue": "LDAP (TCP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP (TCP:389) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "027fd1f8cc37610f90ad03a002605be05b96e79660206b35f64ac511a22e8640", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:4333", + "expectedValue": "MySQL (TCP:4333) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MySQL (TCP:4333) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": 
"a79e767e93867bfc51d47a9a3bd45563f372542ed94f42dd7e6f3e75bfa7147a", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:443", + "expectedValue": "HTTPS (TCP:443) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTPS (TCP:443) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "0839b20d8832f7a7d364155babbdc060b0025e684288eb1f2085c7f17aff49b6", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:445", + "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Microsoft-DS (TCP:445) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "13f1953c93d62c648c62b6a5264d0836c3927ed311e46c930cc0d98acdcb29e7", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:4505", + "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in EC2 security group for instance 'EC2Instance01'", + 
"actualValue": "SaltStack Master (TCP:4505) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "9d61a3ccc99e31fe7521db16ddacc2fbabdff7a9cb6f8124aef391e52194cdb9", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:4506", + "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SaltStack Master (TCP:4506) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "eaf9a2d52a312987f1683c7f1d4bf00c446ad79c23800129c93f92943053d178", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:50070", + "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "9bfb92375cf83e82b36cf231118dc8139bdf032b92902eae397f69705209c688", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": 
"Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:50470", + "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "805ac1d3a3b8f2ec627df0b04e6b9077a86a0547411898068f656b1fc3db2d3b", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:53", + "expectedValue": "DNS (TCP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (TCP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "0ed0e17bdf9df15dad84cff044a4fcf9cfd6b4b1c4bd0e4b6b75a8480b07f3bd", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5432", + "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "PostgreSQL (TCP:5432) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "48a56ebafa691c27c2b85d84edb608fe138d2172de6a7f065e675be35b05565e", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - 
"fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5500", + "expectedValue": "VNC Listener (TCP:5500) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "VNC Listener (TCP:5500) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "90b6feccaf6aeb76bc5553b67520268b2db7e413db2f21f068f087be9cf3bf51", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5601", + "expectedValue": "Kibana (TCP:5601) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Kibana (TCP:5601) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "ad2b6a980815f70c4c29dac0accbca4d1202d7e875116f24a783da69df3f68df", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5900", + "expectedValue": "VNC Server (TCP:5900) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "VNC Server (TCP:5900) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": 
"c54bb71d811951644ec7ae8a84926473f40ea02243fda35248022ab8aef9ad88", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5985", + "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "10ad73f7473cccc3bf898b10c983ce0827fd1af2c29ba421cd59ed2b9dceee58", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:61620", + "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "4edd59d604b60681c91e018f963c69e7e47a9c361c54235653ed0fe40d72e1b4", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:61621", + "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in EC2 
security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "34fffc7b2c344632868653ceea24e617244982d414b21014c7341a9fe3aeaf2e", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP SSL (TCP:636) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "a00fd6d3582e66599347b20229304fa5acabf01ea7b614c3776eb1ce46589188", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:6379", + "expectedValue": "Redis (TCP:6379) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Redis (TCP:6379) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "ae26d32aadbefe1b9a88278a490b0b26939b573c6b6c073bdef142452ded09c2", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": 
"Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:7000", + "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "78dab29885ac53a84aed599df1ea98ad4687bed79a14d1cd844a24716e92a172", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:7001", + "expectedValue": "Cassandra (TCP:7001) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra (TCP:7001) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "cb45e245261ac9ba84f98e67babc1c3b705e2be85af53663ff4b00c816590c37", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:7199", + "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "bab65340838cdf31a8119171e842daeba672cb1b148da4a229b9cecd9761ff2b", + "search_line": 60 }, { "queryName": "EC2 
Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:80", + "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "75b2e40b2074be983814d65da831599f694f517adda8e44f08b53831c1e569da", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:8000", + "expectedValue": "Known internal web port (TCP:8000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Known internal web port (TCP:8000) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "978b045b0ddb2700497f8a321b61194f9a5a93937240f4a1a0a0414f630bdbec", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:8020", + "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode (TCP:8020) is allowed in EC2 security group for instance 
'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "944f4a785eeeef49e5fa7e80c74846c7d155b64a653246ce17a0b70b39449d56", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:8080", + "expectedValue": "Known internal web port (TCP:8080) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Known internal web port (TCP:8080) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "4c970b66822561933da924b3e00297bcd1d9246bc65da1c1bf8bb949d4345f31", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:8140", + "expectedValue": "Puppet Master (TCP:8140) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Puppet Master (TCP:8140) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "3f992fd8c38806639c98c03ae4131cd417ec81c94cab1ff4a8aa4e13ca7fdc5b", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:8888", + 
"expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "e2dde00656ce3e1cc7bff53a98ed6e3355070a85f868feba9711adf1c1750d1b", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9000", + "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "6b9fa65a91ba2cd1af63c3760874fe6c9b0c5fc23f14056c356eac2a9a506b8b", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9042", + "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Client (TCP:9042) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "d62a9a853db139c730fd238e0e8ce8576c0d7fe3f9587fca38544b9db6e8263e", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": 
"positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9090", + "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "9104d29808072c315296d44c4cf4f50c137d095a72605d907dc1390c63a6797b", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9160", + "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Thrift (TCP:9160) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "d35825f4ac310d792347ecc8b671787649a5b67b33626de11635e3f91313a7b9", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9200", + "expectedValue": "Elastic Search (TCP:9200) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Elastic Search (TCP:9200) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": 
"63a5189488617b44ff6828f16552405a597f3c7260f96cfd4ca8d42a40de1c96", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9300", + "expectedValue": "Elastic Search (TCP:9300) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Elastic Search (TCP:9300) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "b1e83914fd4e3c3cba60aa8f157e760423adcd642ba99e017294bb517288439d", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:11211", + "expectedValue": "Memcached (UDP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached (UDP:11211) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "ba862a6d21460aaa93c9786f7796f4c9922e14a0ac92188fc321083a861382f5", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:11214", + "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in EC2 security group for instance 
'EC2Instance01'", + "actualValue": "Memcached SSL (UDP:11214) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "95883cc7f7445b21ebcb23066a442624ed68eda0e98971a33b33f322ff7a0176", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:11215", + "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (UDP:11215) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "5ad9e79a7c3b05c40a1e7e3186197f079da3e21fdc635e68c62ac6b8dc05b451", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "3dd61af8a291c4a869c10c88fa30d712af769cae263ad73aec81db1ed55732cd", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": 
"Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "e5e0c58ca0c57ccda122116e67dcc2ce7fe531d955969e06e93f2fef9ace349f", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "d043f7f570722fff830db15a7d0054b357528e6d5f0b449f9b11bed96c4ca3b7", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "ddfd56fbba2977f1f06cbe34dfe8e7483c3d496b900f4121a11d05ccebda5e17", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is 
Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:161", + "expectedValue": "SNMP (UDP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SNMP (UDP:161) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "96e08a9e985610b4ea2b506afff2cdef9944ccaf11f50a0d090d7c6bdd67ab18", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "9a16a47352f32d023ee2f5dfb6b7372c9280bcd38208f23c9e9336ce863f2500", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": 
"IncorrectValue", + "similarityID": "e6b9e3e5c12610ee60803cca6ca9071ce634e154e31bde69b54f6b9b4f9e7c7c", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:389", + "expectedValue": "LDAP (UDP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP (UDP:389) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "7c36e91c3006726b98eff2f4e9288d028d530173af198224cb6ed9610d0c03f1", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "b305deac3b7b04621b561a13c6671d81b6420318cfca8d4e0786cacfe5b1b9f6", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 60, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:5432", + "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in EC2 security group for instance 
'EC2Instance01'", + "actualValue": "PostgreSQL (UDP:5432) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "7dbc60bd2532f099dde99a1eb33a85aef2cf1baf3fad692163c1e1ad1c57ff5f", + "search_line": 60 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 70, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_2", + "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "f7595aaa1e3fe04fe212c1922045a7fd89a4d106df50d6e1c31920f0aede1a7b", + "search_line": 70 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 80, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "3986516c6e2a7991f2c1f0c7de378281b71d6f581b43d95f011f5c47a3e62775", + "search_line": 80 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 84, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": 
"Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "57a16ce6b41555f473b61b206d9e7bf81811fede356333a8af7a175e757df9f0", + "search_line": 84 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 20, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "b761a6fd4766998d5b1d2cf3047cb731d887a412b05b25a196ffc68374c604b4", + "search_line": 20 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 29, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "8ea8ff6b60a2ed271211a9fae47a844dd1c8df58f8eb9d47d075b4f45197c56a", + "search_line": 29 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 38, - "fileName": "positive2.yaml" + "fileName": 
"positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress3.Properties", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "07343df655b3ad7651625109ba59e5d39572933c460bb86fc988fdef12f29cb2", + "search_line": 38 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 47, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress4.Properties", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "38cdbea0c5665975016e5ba72e3a7c4343fbeffb7b7434278531d65dd8666664", + "search_line": 47 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 57, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "545cee687c4b06545ae5014ad66ef7cdbb61f1fbb90fe78da38b3559e391d2d8", + "search_line": 57 }, { "queryName": "EC2 Sensitive Port Is 
Publicly Exposed", "severity": "HIGH", "line": 66, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "9d3b9a0bfc37ae3e308c492c63d565923ec269fbd8edc97f23cfa3882f1f5009", + "search_line": 66 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 75, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "bf73269380cfb98ec2a73a99a6783bcbb5b1f0c7b18665dccd13fc42bd181512", + "search_line": 75 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 84, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress4.Properties", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": 
"f6508d944aa8efbe10ce052f30625f522b11849ab502c7fe27a94a250f11a8e6", + "search_line": 84 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 25, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "9bc2b67c6156b7e78dd5cd85c439413f064868b71e41dee6c7df8946f95589ce", + "search_line": 25 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 39, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:80", + "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "0af797bf32245ed03f6cd6de4c0844c5d06e7b49039ce11b2d16308e9dcbbd7b", + "search_line": 39 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 53, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (UDP:53) 
is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "21b6d8be697c68b1404ca8034c7e8b5082d7c218f10050429d7a04a527f70ba0", + "search_line": 53 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 65, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[2]", + "searchValue": "EC2Instance01/UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "467b0c926048dcc9c172ea625ff338a25dec1ad907518092ec684f06a1f509c7", + "search_line": 65 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:110", + "expectedValue": "POP3 (TCP:110) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "POP3 (TCP:110) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "468efd756ef273880d8ef962129e58f9b04239708e378449d2d3e89800aa8069", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": 
"EC2Instance01/TCP:11211", + "expectedValue": "Memcached (TCP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached (TCP:11211) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "153c1e46095ccfd51b0f279d3f3dc3300f31a233de62ac591d206939f8d8c50c", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:11214", + "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (TCP:11214) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "c9f6297c450dc7cdbdf4d5ec8eadcfb06ae665c17220dfa02763f25321d42e07", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:11215", + "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Memcached SSL (TCP:11215) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "134ff69385911c8fe08616b477941aee573f278be07defb070664d0c9d008f89", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + 
"resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Debugger (TCP:135) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "0a84e77867fd175dee0182260488969e2373054c35ee0a7680eb6549f89057b1", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "4b14bcde88dc95f89281386757d13659460559ab1ddef97f7853a219cc0bd69b", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": 
"df17620d948b0a3e1cc4491441a335baf4f7028a95020fa7935b4d55a99c85e7", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "f95c65cf3caacdbf0bd662a70d2f708df8956d640ebae5dd34f50c8e97f40756", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:1433", + "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MSSQL Server (TCP:1433) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "20463afd1e0f57f953a62ce1056e250b5d297ce9141b8b169496567399899f39", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:1434", + "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in EC2 security 
group for instance 'EC2Instance01'", + "actualValue": "MSSQL Browser (TCP:1434) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "7d5c2f5f2178bbce6469e9096993083c17f45d00296e624ffe9282d2f47742d2", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:1521", + "expectedValue": "Oracl DB (TCP:1521) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracl DB (TCP:1521) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "0c60908e6332ee073f14e58b7045eac90ed6352770398423afb3ea11d3671f5c", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:1522", + "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "f08443b8064c6d8d5b2bfc721149916e0f18a7df6257972db36f225f8ea56325", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + 
"searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:161", + "expectedValue": "SNMP (TCP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SNMP (TCP:161) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "9e3513211d661dd613047c0823bfa7071e57bdcd2b4fd3a26fbf91cd2b927831", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:20", + "expectedValue": "FTP (TCP:20) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "FTP (TCP:20) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "d966cfccb17040ddadbc1973de732f704ed719d3f9b09a91a3f620e9a1c81939", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:21", + "expectedValue": "FTP (TCP:21) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "FTP (TCP:21) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "8ed604fcc944d3399f2a79df2608924d12ea195d75eaef363afafd7020f54720", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": 
"positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "c58a985bc9294ff2658a2b69576f6536fb3dd701a74eaf8efbb40b6b7d9d4f9e", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Telnet (TCP:23) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "c4749c3d5c5f18068f5df3ebcb05ede361fa6f87fb401eb65a1860ac1741c6c7", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2375", + "expectedValue": "Docker (TCP:2375) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Docker (TCP:2375) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "62c6c03906df0d5bf9a38e7a7fea9ffceed4eb69decc34c9063663600678c1a4", + "search_line": 79 }, { "queryName": 
"EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2376", + "expectedValue": "Docker (TCP:2376) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Docker (TCP:2376) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "e5d81e085f7febdc53274d7cd507cd4cd67cca870e80d1290ce793624159e073", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2382", + "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SQL Server Analysis (TCP:2382) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "599c0246fcc8a9c360a4a188451763835b0ef2c336b27922651d554cc15540b8", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2383", + "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in EC2 security group 
for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "b9fd76beb4cce37d7a4acfb7f4811c57a9d0b0ea8f0633dfba61f8bdbf8cce21", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2483", + "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "4924a374a977867145e90485270f4e24882d0f7e6e00a12f40dd93789ae36f13", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:2484", + "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "dbd4df26c366599995995b37b511259ab47797926e376f9f8e2fb1abe2c08aea", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:25", + "expectedValue": 
"SMTP (TCP:25) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SMTP (TCP:25) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "8cd1c421e6c52ad665d43b4fc6363d7f114bbc2bb0155adf1ca5332c2ada0476", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:27017", + "expectedValue": "Mongo (TCP:27017) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Mongo (TCP:27017) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "32762319622bda52f194c9f15381c43080c888553464206768adecce11ad2c9f", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:27018", + "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Mongo Web Portal (TCP:27018) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "df7a0c374bfd3193c5ff6cf0a27ceac714931b57dfcc7912d1a519f0e9f0c532", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": 
"Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:3000", + "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Prevalent known internal port (TCP:3000) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "f47ae38b000caa729608be9a3cc88c53796d9fe79d56b4cae1e3a21c756b8983", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:3020", + "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "CIFS / SMB (TCP:3020) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "833e65d3d0b8d091835ecc751732358331b059147553bcf70b613a4009892e08", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:3306", + "expectedValue": "MySQL (TCP:3306) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MySQL (TCP:3306) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "9dc15f2293ed0207c5fcfc94df594b78859380c887c6bbe6934cb5e546b4abe9", + "search_line": 79 }, { "queryName": "EC2 Sensitive 
Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:3389", + "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Remote Desktop (TCP:3389) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "127be2dfb4df6d7e97dd8047bca14ffeb008003eb0bda89eccdabed066ef13ff", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:389", + "expectedValue": "LDAP (TCP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP (TCP:389) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "26740bc13eeb32611fa459819d580f2c8b085fdc6a5c6372aaca66c0a09b442c", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:4333", + "expectedValue": "MySQL (TCP:4333) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "MySQL (TCP:4333) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": 
"IncorrectValue", + "similarityID": "a925d744c4f18d56166183709f5ee90971cda70106e1340865a418b99ce039d0", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:443", + "expectedValue": "HTTPS (TCP:443) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTPS (TCP:443) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "e6d84971e9c38daafe2e5325a135b79d992f56e28e3816eb95195d4917aaa388", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:445", + "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Microsoft-DS (TCP:445) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "764510d8aebc44cc72ec012e92c6a6831e832d889bdb6f13fa4eef1d485abe3f", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:4505", + "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in EC2 security 
group for instance 'EC2Instance01'", + "actualValue": "SaltStack Master (TCP:4505) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "2cad6883ecb0445145fe5ac40d6db1bb44de2a9416d4774771e56c2a8225c3b1", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:4506", + "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "SaltStack Master (TCP:4506) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "9889cc41ef245609390042ec45bb48c3c5ef2069449c6f36e44e8f95cbc39406", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:50070", + "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "f1bce6aed8e61eaba466bd31df125123928eeb552d830e8139a38875c7023a72", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + 
"searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:50470", + "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "a086309a71d65e643b2cc8597e9ab9a9086ae0d670609e0b823ce28a6c4a0698", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:53", + "expectedValue": "DNS (TCP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "DNS (TCP:53) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "7102de9a5002394375e075f2b3f557dc7f4b5c354e0d5bed0ecef47a8625c090", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5432", + "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "PostgreSQL (TCP:5432) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "22fdc122193ee50094ff33d77e1a2c2b596fd78c0ba5305eae65c595e55ac703", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", 
"line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5500", + "expectedValue": "VNC Listener (TCP:5500) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "VNC Listener (TCP:5500) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "967b8e27b8fc6c26f5c38d3373e5e1687e2eeee6ab173c83a1aea471535686fb", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5601", + "expectedValue": "Kibana (TCP:5601) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Kibana (TCP:5601) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "4a0727ed8ecb60ef711df72c4386327355594c4730a1e8139c406f9292f3e98b", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5900", + "expectedValue": "VNC Server (TCP:5900) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "VNC Server (TCP:5900) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": 
"12cc19d97e0a398cbed1f4af96a33b60db48548c792d8ec432ed3e132991b85c", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:5985", + "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "55b92908c94b21cf668032e2b40658c12bcd3fa200b58f820eebf308094afdec", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:61620", + "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "472fa04531c9f054cc2b8367a3d79bb6a1e87b00fd90d506505066e815f28d5d", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:61621", + "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in EC2 
security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "96c4b1fd44eddfca94caeae03d416340f0fe88eb5651416f8d0964ec787e6ace", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "LDAP SSL (TCP:636) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "ed9e7bb1ff7a54ac3714ddd3ff1efebb7a4833f08419bcaf71d89516013a9d8a", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:6379", + "expectedValue": "Redis (TCP:6379) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Redis (TCP:6379) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "55983c38d09a913b9da17dfaf0d084bca2db88021409e759dc6b3d0f8f43062e", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": 
"Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:7000", + "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "cca96363eb73b7a0b4698bb3c3344b4aec0aae579339ae03a09c05b24c2a64de", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:7001", + "expectedValue": "Cassandra (TCP:7001) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra (TCP:7001) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "55051925a543d2024ebc35f186629ac7a2cb6c7c8a9aee725ed30b8d093bad16", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:7199", + "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "e658332c821a0fcb5bbb65673945d16fc088d4ea198acfe2e4864a28abe40bc5", + "search_line": 79 }, { "queryName": "EC2 
Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:80", + "expectedValue": "HTTP (TCP:80) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HTTP (TCP:80) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "96e92eafd843c5bf0872eeba2dc6c37d841f36f5667dcf85e8b6655f1498fb2d", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:8000", + "expectedValue": "Known internal web port (TCP:8000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Known internal web port (TCP:8000) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "c50bfb977f2853bb850141ec252afa2150d047ae6023fcb60a2570a2033ec08d", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:8020", + "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "HDFS NameNode (TCP:8020) is allowed in EC2 security group for instance 
'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "6ca916cda5db6a881753511d20f12c6a594cc085821830669b47263b30de38c6", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:8080", + "expectedValue": "Known internal web port (TCP:8080) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Known internal web port (TCP:8080) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "2dba98b6edbd4346e67e4d0bbb0adc6ce344aa3ef31f81dc5004e067e95a04ca", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:8140", + "expectedValue": "Puppet Master (TCP:8140) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Puppet Master (TCP:8140) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "00fd111d30e965ed8d9aeb33d1535102d4b0cc92202d355685420c99ae616fe3", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:8888", + 
"expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "3158586289aae3684e170e0f16764b6791bc8997d9502d04123375797f0aaf10", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9000", + "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "45da24bb7a408e5fbac58281c4b111605d8ab7c29943b5425916ed2289b5e20e", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "EC2Instance01/TCP:9042", + "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in EC2 security group for instance 'EC2Instance01'", + "actualValue": "Cassandra Client (TCP:9042) is allowed in EC2 security group for instance 'EC2Instance01'", + "issueType": "IncorrectValue", + "similarityID": "4bc3b3ef95fb6c70eecdcf3112e3fcdfc81c3079d3cab94eac7a2dedf4051ebe", + "search_line": 79 }, { "queryName": "EC2 Sensitive Port Is Publicly Exposed", "severity": "HIGH", "line": 79, - "fileName": "positive3.json" + "fileName": 
"positive3.json",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1IPv6_1",
+ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]",
+ "searchValue": "EC2Instance01/TCP:9090",
+ "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in EC2 security group for instance 'EC2Instance01'",
+ "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in EC2 security group for instance 'EC2Instance01'",
+ "issueType": "IncorrectValue",
+ "similarityID": "cb75f1edbcbe704a55673e44d40be01abfb0ab38725d398ffcc2a466343f4631",
+ "search_line": 79
 },
 {
 "queryName": "EC2 Sensitive Port Is Publicly Exposed",
 "severity": "HIGH",
 "line": 79,
- "fileName": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1IPv6_1",
+ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]",
+ "searchValue": "EC2Instance01/TCP:9160",
+ "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in EC2 security group for instance 'EC2Instance01'",
+ "actualValue": "Cassandra Thrift (TCP:9160) is allowed in EC2 security group for instance 'EC2Instance01'",
+ "issueType": "IncorrectValue",
+ "similarityID": "f953355d8c0f31f36527b7f681e6b741a40c87d11c58e4694fba6707a0f876b8",
+ "search_line": 79
 },
 {
 "queryName": "EC2 Sensitive Port Is Publicly Exposed",
 "severity": "HIGH",
 "line": 79,
- "fileName": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1IPv6_1",
+ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]",
+ "searchValue": "EC2Instance01/TCP:9200",
+ "expectedValue": "Elastic Search (TCP:9200) should not be allowed in EC2 security group for instance 'EC2Instance01'",
+ "actualValue": "Elastic Search (TCP:9200) is allowed in EC2 security group for instance 'EC2Instance01'",
+ "issueType": "IncorrectValue",
+ "similarityID": "d34c4beed4672dabfd14cd380e7d5cdd3f8ceeb062e3396c034739ae727317eb",
+ "search_line": 79
 },
 {
 "queryName": "EC2 Sensitive Port Is Publicly Exposed",
 "severity": "HIGH",
 "line": 79,
- "fileName": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1IPv6_1",
+ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]",
+ "searchValue": "EC2Instance01/TCP:9300",
+ "expectedValue": "Elastic Search (TCP:9300) should not be allowed in EC2 security group for instance 'EC2Instance01'",
+ "actualValue": "Elastic Search (TCP:9300) is allowed in EC2 security group for instance 'EC2Instance01'",
+ "issueType": "IncorrectValue",
+ "similarityID": "ccc35d18828649e8c47ce552fd597f240b8f6a92e063d8a2ea1a5032e16557d3",
+ "search_line": 79
 },
 {
 "queryName": "EC2 Sensitive Port Is Publicly Exposed",
 "severity": "HIGH",
 "line": 79,
- "fileName": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1IPv6_1",
+ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]",
+ "searchValue": "EC2Instance01/UDP:11211",
+ "expectedValue": "Memcached (UDP:11211) should not be allowed in EC2 security group for instance 'EC2Instance01'",
+ "actualValue": "Memcached (UDP:11211) is allowed in EC2 security group for instance 'EC2Instance01'",
+ "issueType": "IncorrectValue",
+ "similarityID": "1b5988830a2665926c50971c7b31751e707effb1991de0624881c50e31289bd8",
+ "search_line": 79
 },
 {
 "queryName": "EC2 Sensitive Port Is Publicly Exposed",
 "severity": "HIGH",
 "line": 79,
- "fileName": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1IPv6_1",
+ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]",
+ "searchValue": "EC2Instance01/UDP:11214",
+ "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in EC2 security group for instance 'EC2Instance01'",
+ "actualValue": "Memcached SSL (UDP:11214) is allowed in EC2 security group for instance 'EC2Instance01'",
+ "issueType": "IncorrectValue",
+ "similarityID": "ec06a7f7e5aaf22adae1441c7839b58f1dbd0e3c5afce0e2a2265fa371d69025",
+ "search_line": 79
 },
 {
 "queryName": "EC2 Sensitive Port Is Publicly Exposed",
 "severity": "HIGH",
 "line": 79,
- "fileName": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1IPv6_1",
+ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]",
+ "searchValue": "EC2Instance01/UDP:11215",
+ "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in EC2 security group for instance 'EC2Instance01'",
+ "actualValue": "Memcached SSL (UDP:11215) is allowed in EC2 security group for instance 'EC2Instance01'",
+ "issueType": "IncorrectValue",
+ "similarityID": "1d97e624cf2777b461edc2f4290d54cd40037705fcd9f7ab215315bc07369aab",
+ "search_line": 79
 },
 {
 "queryName": "EC2 Sensitive Port Is Publicly Exposed",
 "severity": "HIGH",
 "line": 79,
- "fileName": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1IPv6_1",
+ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]",
+ "searchValue": "EC2Instance01/UDP:137",
+ "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'",
+ "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'",
+ "issueType": "IncorrectValue",
+ "similarityID": "83731eaf3175885c299a1b43c8bacecfd373f314dc08b1c6d941e0bc7409ca6a",
+ "search_line": 79
 },
 {
 "queryName": "EC2 Sensitive Port Is Publicly Exposed",
 "severity": "HIGH",
 "line": 79,
- "fileName": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1IPv6_1",
+ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]",
+ "searchValue": "EC2Instance01/UDP:138",
+ "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in EC2 security group for instance 'EC2Instance01'",
+ "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in EC2 security group for instance 'EC2Instance01'",
+ "issueType": "IncorrectValue",
+ "similarityID": "25b41cbfb08a475df69c73eb5a492b9c3091ff5e29698dea9cc9b7ffd55c4377",
+ "search_line": 79
 },
 {
 "queryName": "EC2 Sensitive Port Is Publicly Exposed",
 "severity": "HIGH",
 "line": 79,
- "fileName": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1IPv6_1",
+ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]",
+ "searchValue": "EC2Instance01/UDP:139",
+ "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in EC2 security group for instance 'EC2Instance01'",
+ "actualValue": "NetBIOS Session Service (UDP:139) is allowed in EC2 security group for instance 'EC2Instance01'",
+ "issueType": "IncorrectValue",
+ "similarityID": "56c4033e13f8afb04a34aa7aac0c32fdf81d0181ad90c7203331acdf298ef68a",
+ "search_line": 79
 },
 {
 "queryName": "EC2 Sensitive Port Is Publicly Exposed",
 "severity": "HIGH",
 "line": 79,
- "fileName": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1IPv6_1",
+ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]",
+ "searchValue": "EC2Instance01/UDP:1434",
+ "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in EC2 security group for instance 'EC2Instance01'",
+ "actualValue": "MSSQL Browser (UDP:1434) is allowed in EC2 security group for instance 'EC2Instance01'",
+ "issueType": "IncorrectValue",
+ "similarityID": "40dba132def192b61b4bfb2a96a78ebf4508733295ebee94b2c908341eaeca4c",
+ "search_line": 79
 },
 {
 "queryName": "EC2 Sensitive Port Is Publicly Exposed",
 "severity": "HIGH",
 "line": 79,
- "fileName": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1IPv6_1",
+ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]",
+ "searchValue": "EC2Instance01/UDP:161",
+ "expectedValue": "SNMP (UDP:161) should not be allowed in EC2 security group for instance 'EC2Instance01'",
+ "actualValue": "SNMP (UDP:161) is allowed in EC2 security group for instance 'EC2Instance01'",
+ "issueType": "IncorrectValue",
+ "similarityID": "3ccdc03ad5aa3de8802825946060e3fbff54c69dbf244100a80455a3d6c16d50",
+ "search_line": 79
 },
 {
 "queryName": "EC2 Sensitive Port Is Publicly Exposed",
 "severity": "HIGH",
 "line": 79,
- "fileName": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1IPv6_1",
+ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]",
+ "searchValue": "EC2Instance01/UDP:2483",
+ "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in EC2 security group for instance 'EC2Instance01'",
+ "actualValue": "Oracle DB SSL (UDP:2483) is allowed in EC2 security group for instance 'EC2Instance01'",
+ "issueType": "IncorrectValue",
+ "similarityID": "27d8d282452cadd734209af645861f476d0bb8f0ed41289ced916be0a4786f32",
+ "search_line": 79
 },
 {
 "queryName": "EC2 Sensitive Port Is Publicly Exposed",
 "severity": "HIGH",
 "line": 79,
- "fileName": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1IPv6_1",
+ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]",
+ "searchValue": "EC2Instance01/UDP:2484",
+ "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in EC2 security group for instance 'EC2Instance01'",
+ "actualValue": "Oracle DB SSL (UDP:2484) is allowed in EC2 security group for instance 'EC2Instance01'",
+ "issueType": "IncorrectValue",
+ "similarityID": "d7dc9239670cda46f8f05f2637e1fd70361f01218dd9b2d86ff362af8bf19ff6",
+ "search_line": 79
 },
 {
 "queryName": "EC2 Sensitive Port Is Publicly Exposed",
 "severity": "HIGH",
 "line": 79,
- "fileName": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1IPv6_1",
+ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]",
+ "searchValue": "EC2Instance01/UDP:389",
+ "expectedValue": "LDAP (UDP:389) should not be allowed in EC2 security group for instance 'EC2Instance01'",
+ "actualValue": "LDAP (UDP:389) is allowed in EC2 security group for instance 'EC2Instance01'",
+ "issueType": "IncorrectValue",
+ "similarityID": "5d336a0bb5155b4457dd24d0fed999dc99d56d685041c6b9f4ae7799391eceba",
+ "search_line": 79
 },
 {
 "queryName": "EC2 Sensitive Port Is Publicly Exposed",
 "severity": "HIGH",
 "line": 79,
- "fileName": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1IPv6_1",
+ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]",
+ "searchValue": "EC2Instance01/UDP:53",
+ "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'",
+ "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'",
+ "issueType": "IncorrectValue",
+ "similarityID": "5909b2c078e93bbef0586e77772d1a65345338112a4e1fc7c7b101bdc4925158",
+ "search_line": 79
 },
 {
 "queryName": "EC2 Sensitive Port Is Publicly Exposed",
 "severity": "HIGH",
 "line": 79,
- "fileName": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1IPv6_1",
+ "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]",
+ "searchValue": "EC2Instance01/UDP:5432",
+ "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in EC2 security group for instance 'EC2Instance01'",
+ "actualValue": "PostgreSQL (UDP:5432) is allowed in EC2 security group for instance 'EC2Instance01'",
+ "issueType": "IncorrectValue",
+ "similarityID": "355b78e8dd8adaf6505f4493b06fcdc60005dbec1ade942da2ffcc2ad696e9db",
+ "search_line": 79
 },
 {
 "queryName": "EC2 Sensitive Port Is Publicly Exposed",
 "severity": "HIGH",
 "line": 93,
- "fileName": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1IPv6_2",
+ "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]",
+ "searchValue": "EC2Instance01/TCP:22",
+ "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'",
+ "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'",
+ "issueType": "IncorrectValue",
+ "similarityID": "ed4e88a1414a24d970d4430da05d88a75338f71186fbbc3f87cc8d0ccd39c2b7",
+ "search_line": 93
 },
 {
 "queryName": "EC2 Sensitive Port Is Publicly Exposed",
 "severity": "HIGH",
 "line": 107,
- "fileName": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1ArrayTestIPv6",
+ "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[0]",
+ "searchValue": "EC2Instance01/UDP:53",
+ "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'",
+ "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'",
+ "issueType": "IncorrectValue",
+ "similarityID": "05d22311f705065d2bb0544b27841d39be2381629b7276b72bb0dd7b9a501148",
+ "search_line": 107
 },
 {
 "queryName": "EC2 Sensitive Port Is Publicly Exposed",
 "severity": "HIGH",
 "line": 113,
- "fileName": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "AWS::EC2::SecurityGroup",
+ "resourceName": "Positive1ArrayTestIPv6",
+ "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]",
+ "searchValue": "EC2Instance01/UDP:137",
+ "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'",
+ "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'",
+ "issueType": "IncorrectValue",
+ "similarityID": "4abf1627dc951f1a6e83522fc1b97ed983acaf96d2fea48008aedb1d8bd5d172",
+ "search_line": 113
 },
 {
 "queryName": "EC2 Sensitive Port Is Publicly Exposed",
 "severity": "HIGH",
 "line": 24,
- "fileName": "positive4.json"
+ "fileName": "positive4.json",
+ "resourceType": "AWS::EC2::SecurityGroupIngress",
+ "resourceName": "DualStackSecurityGroup",
+ "searchKey": "Resources.IPv4Ingress1.Properties",
+ "searchValue": "EC2Instance01/TCP:22",
+ "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'",
+ "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'",
+ "issueType": "IncorrectValue",
+ "similarityID": "611c676bfeb9a29cbdcc8fa119e89e2f43ba48e622215eb707b17100309123c1",
+ "search_line": 24
 },
 {
 "queryName": "EC2 Sensitive Port Is Publicly Exposed",
 "severity": "HIGH",
 "line": 34,
- "fileName": "positive4.json"
+ "fileName": "positive4.json",
+ "resourceType": "AWS::EC2::SecurityGroupIngress",
+ "resourceName": "DualStackSecurityGroup",
+ "searchKey": "Resources.IPv4Ingress2.Properties",
+ "searchValue": "EC2Instance01/TCP:22",
+ "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'",
+ "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'",
+ "issueType": "IncorrectValue",
+ "similarityID": "5c6c9ec49bade7497356bb53923109f21b99e7a7ab426889c10372886905b133",
+ "search_line": 34
 },
 {
 "queryName": "EC2 Sensitive Port Is Publicly Exposed",
 "severity": "HIGH",
 "line": 44,
- "fileName": "positive4.json"
+ "fileName": "positive4.json",
+ "resourceType": "AWS::EC2::SecurityGroupIngress",
+ "resourceName": "DualStackSecurityGroup",
+ "searchKey": "Resources.IPv4Ingress3.Properties",
+ "searchValue": "EC2Instance01/UDP:53",
+ "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'",
+ "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'",
+ "issueType": "IncorrectValue",
+ "similarityID": "139edc7e1250934070ae53a9d51faf5085b5875a3991a6a3b194d565fe07d8cd",
+ "search_line": 44
 },
 {
 "queryName": "EC2 Sensitive Port Is Publicly Exposed",
 "severity": "HIGH",
 "line": 54,
- "fileName": "positive4.json"
+ "fileName": "positive4.json",
+ "resourceType": "AWS::EC2::SecurityGroupIngress",
+ "resourceName": "DualStackSecurityGroup",
+ "searchKey": "Resources.IPv4Ingress4.Properties",
+ "searchValue": "EC2Instance01/UDP:137",
+ "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'",
+ "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'",
+ "issueType": "IncorrectValue",
+ "similarityID": "f7c0e20c28b2aa67697756f8c1fdd93de335773ff2524702aecd684eec76c09c",
+ "search_line": 54
 },
 {
 "queryName": "EC2 Sensitive Port Is Publicly Exposed",
 "severity": "HIGH",
 "line": 64,
- "fileName": "positive4.json"
+ "fileName": "positive4.json",
+ "resourceType": "AWS::EC2::SecurityGroupIngress",
+ "resourceName": "DualStackSecurityGroup",
+ "searchKey": "Resources.IPv6Ingress1.Properties",
+ "searchValue": "EC2Instance01/TCP:22",
+ "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'",
+ "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'",
+ "issueType": "IncorrectValue",
+ "similarityID": "a8ed45761e7c3d9db8d59508d8bd43653df9aebc9c16d071768a30e20c51bfde",
+ "search_line": 64
 },
 {
 "queryName": "EC2 Sensitive Port Is Publicly Exposed",
 "severity": "HIGH",
 "line": 74,
- "fileName": "positive4.json"
+ "fileName": "positive4.json",
+ "resourceType": "AWS::EC2::SecurityGroupIngress",
+ "resourceName": "DualStackSecurityGroup",
+ "searchKey": "Resources.IPv6Ingress2.Properties",
+ "searchValue": "EC2Instance01/TCP:22",
+ "expectedValue": "SSH (TCP:22) should not be allowed in EC2 security group for instance 'EC2Instance01'",
+ "actualValue": "SSH (TCP:22) is allowed in EC2 security group for instance 'EC2Instance01'",
+ "issueType": "IncorrectValue",
+ "similarityID": "72e99f5a1431e27f0504cda9be17354a05e5fe513e82903870ceff933b1eb178",
+ "search_line": 74
 },
 {
 "queryName": "EC2 Sensitive Port Is Publicly Exposed",
 "severity": "HIGH",
 "line": 84,
- "fileName": "positive4.json"
+ "fileName": "positive4.json",
+ "resourceType": "AWS::EC2::SecurityGroupIngress",
+ "resourceName": "DualStackSecurityGroup",
+ "searchKey": "Resources.IPv6Ingress3.Properties",
+ "searchValue": "EC2Instance01/UDP:53",
+ "expectedValue": "DNS (UDP:53) should not be allowed in EC2 security group for instance 'EC2Instance01'",
+ "actualValue": "DNS (UDP:53) is allowed in EC2 security group for instance 'EC2Instance01'",
+ "issueType": "IncorrectValue",
+ "similarityID": "b5d9ef8c3c522c80c8f48d75a64d35589766007a75e5ec10a0f727b9565fdc70",
+ "search_line": 84
 },
 {
 "queryName": "EC2 Sensitive Port Is Publicly Exposed",
 "severity": "HIGH",
 "line": 94,
- "fileName": "positive4.json"
+ "fileName": "positive4.json",
+ "resourceType": "AWS::EC2::SecurityGroupIngress",
+ "resourceName": "DualStackSecurityGroup",
+ "searchKey": "Resources.IPv6Ingress4.Properties",
+ "searchValue": "EC2Instance01/UDP:137",
+ "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in EC2 security group for instance 'EC2Instance01'",
+ "actualValue": "NetBIOS Name Service (UDP:137) is allowed in EC2 security group for instance 'EC2Instance01'",
+ "issueType": "IncorrectValue",
+ "similarityID": "f00904a9b47cce144a209cb11509cd78d46992ae1dd26ea60f2bd15f2cbf2c28",
+ "search_line": 94
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json
index d6ad7efe073..079fd8b18af 100644
--- a/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json
@@ -3,24 +3,60 @@
 "queryName": "ECR Image Tag Not Immutable",
 "severity": "MEDIUM",
 "line": 5,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "test-repository",
+ "searchKey": "Resources.MyRepository3.Properties.ImageTagMutability",
+ "searchValue": "",
+ "expectedValue": "Resources.MyRepository3.Properties.ImageTagMutability should be 'IMMUTABLE'",
+ "actualValue": "Resources.MyRepository3.Properties.ImageTagMutability is 'MUTABLE'",
+ "issueType": "IncorrectValue",
+ "similarityID": "d9b89376f3398a14b6d554b4e8c0bf5caee530ff4fe5ab777d58c97c0ca2f816",
+ "search_line": -1
 },
 {
 "queryName": "ECR Image Tag Not Immutable",
 "severity": "MEDIUM",
 "line": 27,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "test-repository",
+ "searchKey": "Resources.MyRepository4.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.MyRepository4.Properties.ImageTagMutability should be defined and not null",
+ "actualValue": "Resources.MyRepository4.Properties.ImageTagMutability is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "9c7bdd213469ef671572202ff13f274e8b474be8f821ff32998ffc9fb5d6d21e",
+ "search_line": -1
 },
 {
 "queryName": "ECR Image Tag Not Immutable",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "test-repository",
+ "searchKey": "Resources.MyRepository5.Properties.ImageTagMutability",
+ "searchValue": "",
+ "expectedValue": "Resources.MyRepository5.Properties.ImageTagMutability should be 'IMMUTABLE'",
+ "actualValue": "Resources.MyRepository5.Properties.ImageTagMutability is 'MUTABLE'",
+ "issueType": "IncorrectValue",
+ "similarityID": "f6da41f47473d647e7aa4fb9bd704c38c924a5ab663a3cdca068dd575171768d",
+ "search_line": -1
 },
 {
 "queryName": "ECR Image Tag Not Immutable",
 "severity": "MEDIUM",
 "line": 36,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "test-repository",
+ "searchKey": "Resources.MyRepository6.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.MyRepository6.Properties.ImageTagMutability should be defined and not null",
+ "actualValue": "Resources.MyRepository6.Properties.ImageTagMutability is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "f3526894af63c8eff164f48eb9aa6efc03c2d0750f2f7b518b504e9a0500c36a",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json
index 9118d4b848e..6a5aa273aee 100644
--- a/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "ECR Repository Is Publicly Accessible",
 "severity": "CRITICAL",
 "line": 6,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "test-repository",
+ "searchKey": "Resources.MyRepository3.Properties.RepositoryPolicyText",
+ "searchValue": "",
+ "expectedValue": "Resources.MyRepository3.Properties.RepositoryPolicyText.Statement.Principal shouldn't contain '*'",
+ "actualValue": "Resources.MyRepository3.Properties.RepositoryPolicyText.Statement.Principal contains '*'",
+ "issueType": "IncorrectValue",
+ "similarityID": "69ab6fbc517ca1eb6e30f2d2056c15c35e90ae5def0faf767c97aad5045e39ae",
+ "search_line": -1
 },
 {
 "queryName": "ECR Repository Is Publicly Accessible",
 "severity": "CRITICAL",
 "line": 7,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "test-repository",
+ "searchKey": "Resources.MyRepository4.Properties.RepositoryPolicyText",
+ "searchValue": "",
+ "expectedValue": "Resources.MyRepository4.Properties.RepositoryPolicyText.Statement.Principal shouldn't contain '*'",
+ "actualValue": "Resources.MyRepository4.Properties.RepositoryPolicyText.Statement.Principal contains '*'",
+ "issueType": "IncorrectValue",
+ "similarityID": "9782e41ce5767e9fe87f927eae83e93eed1f42e33688db199bb8a88f5559be11",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/ecr_repository_not_encrypted_with_CMK/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecr_repository_not_encrypted_with_CMK/test/positive_expected_result.json
index 951a94d2d37..a61212b16cd 100644
--- a/assets/queries/cloudFormation/aws/ecr_repository_not_encrypted_with_CMK/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ecr_repository_not_encrypted_with_CMK/test/positive_expected_result.json
@@ -3,60 +3,150 @@
 "queryName": "ECR Repository Not Encrypted With CMK",
 "severity": "LOW",
 "line": 6,
- "fileName": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "test-repository",
+ "searchKey": "Resources.MyRepository.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.MyRepository.Properties.EncryptionConfiguration should be defined and not null",
+ "actualValue": "Resources.MyRepository.Properties.EncryptionConfiguration is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "83465947aa718961e2043a1e53c5b17260528786943bb00df9821ab7de687488",
+ "search_line": 6
 },
 {
 "queryName": "ECR Repository Not Encrypted With CMK",
 "severity": "LOW",
 "line": 12,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "test-repository",
+ "searchKey": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType",
+ "searchValue": "",
+ "expectedValue": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType should be 'KMS_DSSE' or 'KMS'",
+ "actualValue": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType is 'AES256'",
+ "issueType": "IncorrectValue",
+ "similarityID": "0fd99d6ae0fe06af99ec303742544c7d3261b63f8a99320be3a15974c860637a",
+ "search_line": 12
 },
 {
 "queryName": "ECR Repository Not Encrypted With CMK",
 "severity": "LOW",
 "line": 12,
- "fileName": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "test-repository",
+ "searchKey": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType",
+ "searchValue": "",
+ "expectedValue": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType should be 'KMS_DSSE' or 'KMS'",
+ "actualValue": "Resources.MyRepository.Properties.EncryptionConfiguration.EncryptionType is 'AES256'",
+ "issueType": "IncorrectValue",
+ "similarityID": "e74983ec0ad2d5d0cf1256e25cbcbae414e8ed8458fe0805cf84a23bc8ec41ba",
+ "search_line": 12
 },
 {
 "queryName": "ECR Repository Not Encrypted With CMK",
 "severity": "LOW",
 "line": 11,
- "fileName": "positive4.json"
+ "fileName": "positive4.json",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "test-repository",
+ "searchKey": "Resources.MyRepository.Properties.EncryptionConfiguration",
+ "searchValue": "",
+ "expectedValue": "Resources.MyRepository.Properties.EncryptionConfiguration.KmsKey should be defined and not null",
+ "actualValue": "Resources.MyRepository.Properties.EncryptionConfiguration.KmsKey is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "4703bbe5971b2d44545f527ba40725f05197cc1903721b61753e56635311578c",
+ "search_line": 11
 },
 {
 "queryName": "ECR Repository Not Encrypted With CMK",
 "severity": "LOW",
 "line": 11,
- "fileName": "positive5.json"
+ "fileName": "positive5.json",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "test-repository",
+ "searchKey": "Resources.MyRepository.Properties.EncryptionConfiguration",
+ "searchValue": "",
+ "expectedValue": "Resources.MyRepository.Properties.EncryptionConfiguration.KmsKey should be defined and not null",
+ "actualValue": "Resources.MyRepository.Properties.EncryptionConfiguration.KmsKey is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "1333b15e125b4f8c5f61de2f0e511fb33eb6071e845461cead77d0f434c590ed",
+ "search_line": 11
 },
- {
+ {
 "queryName": "ECR Repository Not Encrypted With CMK",
 "severity": "LOW",
 "line": 5,
- "fileName": "positive6.yaml"
+ "fileName": "positive6.yaml",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "ecrepo",
+ "searchKey": "Resources.ecrepo.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ecrepo.Properties.EncryptionConfiguration should be defined and not null",
+ "actualValue": "Resources.ecrepo.Properties.EncryptionConfiguration is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "0a331b5c19ccb6ffc3c7a3aecece5b4383f8c7f6b48ef43fb0155be76acb6051",
+ "search_line": 5
 },
 {
 "queryName": "ECR Repository Not Encrypted With CMK",
 "severity": "LOW",
 "line": 9,
- "fileName": "positive7.yaml"
+ "fileName": "positive7.yaml",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "ecrepo",
+ "searchKey": "Resources.ecrepo.Properties.EncryptionConfiguration.EncryptionType",
+ "searchValue": "",
+ "expectedValue": "Resources.ecrepo.Properties.EncryptionConfiguration.EncryptionType should be 'KMS_DSSE' or 'KMS'",
+ "actualValue": "Resources.ecrepo.Properties.EncryptionConfiguration.EncryptionType is 'AES256'",
+ "issueType": "IncorrectValue",
+ "similarityID": "13b3bfbf10045eb62197da6118ea1714704bada514c9ab63ebee26c98d326951",
+ "search_line": 9
 },
 {
 "queryName": "ECR Repository Not Encrypted With CMK",
 "severity": "LOW",
 "line": 9,
- "fileName": "positive8.yaml"
+ "fileName": "positive8.yaml",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "ecrepo",
+ "searchKey": "Resources.ecrepo.Properties.EncryptionConfiguration.EncryptionType",
+ "searchValue": "",
+ "expectedValue": "Resources.ecrepo.Properties.EncryptionConfiguration.EncryptionType should be 'KMS_DSSE' or 'KMS'",
+ "actualValue": "Resources.ecrepo.Properties.EncryptionConfiguration.EncryptionType is 'AES256'",
+ "issueType": "IncorrectValue",
+ "similarityID": "f020279c07d8d2666f9fee559a50997bf1105dd5151f8f652d2c0d805221e8fe",
+ "search_line": 9
 },
 {
 "queryName": "ECR Repository Not Encrypted With CMK",
 "severity": "LOW",
 "line": 8,
- "fileName": "positive9.yaml"
+ "fileName": "positive9.yaml",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "ecrepo",
+ "searchKey": "Resources.ecrepo.Properties.EncryptionConfiguration",
+ "searchValue": "",
+ "expectedValue": "Resources.ecrepo.Properties.EncryptionConfiguration.KmsKey should be defined and not null",
+ "actualValue": "Resources.ecrepo.Properties.EncryptionConfiguration.KmsKey is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "a26dd56c1219e29060d045f73cf407dc7d470e8876c802f2f9f6d063d74627f4",
+ "search_line": 8
 },
 {
 "queryName": "ECR Repository Not Encrypted With CMK",
 "severity": "LOW",
 "line": 8,
- "fileName": "positive10.yaml"
+ "fileName": "positive10.yaml",
+ "resourceType": "AWS::ECR::Repository",
+ "resourceName": "ecrepo",
+ "searchKey": "Resources.ecrepo.Properties.EncryptionConfiguration",
+ "searchValue": "",
+ "expectedValue": "Resources.ecrepo.Properties.EncryptionConfiguration.KmsKey should be defined and not null",
+ "actualValue": "Resources.ecrepo.Properties.EncryptionConfiguration.KmsKey is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "4f899b45a287aab2ddfa69b4a015fa51269aa1ed9e7ea119cf935d92e4b465db",
+ "search_line": 8
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json
index cd03c0a5a7c..f387f53e9ae 100644
--- a/assets/queries/cloudFormation/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json
@@ -3,18 +3,45 @@
 "queryName": "ECS Cluster with Container Insights Disabled",
 "severity": "LOW",
 "line": 4,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::ECS::Cluster",
+ "resourceName": "ECSCluster",
+ "searchKey": "Resources.ECSCluster.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ECSCluster.Properties.ClusterSettings should be defined and have a ClusterSetting named containerInsights which value is 'enabled'",
+ "actualValue": "Resources.ECSCluster.Properties.ClusterSettings is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "7393462de6827b647ad910ef131a55aadcbedf56544fbf64926cca626986c2ff",
+ "search_line": 4
 },
 {
+ "queryName": "ECS Cluster with Container Insights Disabled",
 "severity": "LOW",
 "line": 7,
 "fileName": "positive2.json",
- "queryName": "ECS Cluster with Container Insights Disabled"
+ "resourceType": "AWS::ECS::Cluster",
+ "resourceName": "ECSCluster",
+ "searchKey": "Resources.ECSCluster.Properties.ClusterSettings",
+ "searchValue": "",
+ "expectedValue": "Resources.ECSCluster.Properties.ClusterSettings should have a ClusterSetting named 'containerInsights' which value is 'enabled'",
+ "actualValue": "Resources.ECSCluster.Properties.ClusterSettings hasn't got a ClusterSetting named 'containerInsights' which value is 'enabled'",
+ "issueType": "IncorrectValue",
+ "similarityID": "d20b4d06d6739a8a5d1db0a735606e3352ab27fd3aff29edd95b3bb71326ed8e",
+ "search_line": 7
 },
 {
+ "queryName": "ECS Cluster with Container Insights Disabled",
 "severity": "LOW",
 "line": 7,
 "fileName": "positive3.json",
- "queryName": "ECS Cluster with Container Insights Disabled"
+ "resourceType": "AWS::ECS::Cluster",
+ "resourceName": "ECSCluster",
+ "searchKey": "Resources.ECSCluster.Properties.ClusterSettings",
+ "searchValue": "",
+ "expectedValue": "Resources.ECSCluster.Properties.ClusterSettings should have a ClusterSetting named 'containerInsights' which value is 'enabled'",
+ "actualValue": "Resources.ECSCluster.Properties.ClusterSettings hasn't got a ClusterSetting named 'containerInsights' which value is 'enabled'",
+ "issueType": "IncorrectValue",
+ "similarityID": "944129039c33d90c4cc22c9cd003cba3fcb365942ab76c04ffb4487edeec0844",
+ "search_line": 7
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive_expected_result.json
index acd4c922ed6..d70109163fd 100644
--- a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive_expected_result.json
@@ -3,24 +3,60 @@
 "queryName": "ECS Cluster Not Encrypted At Rest",
 "severity": "HIGH",
 "line": 37,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "service",
+ "searchKey": "Resources.taskdefinition.Properties.Volumes",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be enabled",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled",
+ "issueType": "IncorrectValue",
+ "similarityID": "f3840eb7e23c4a431eda68779879aae0b83719df00ac8d83d405ae9a05d6ac9d",
+ "search_line": -1
 },
 {
+ "queryName": "ECS Cluster Not Encrypted At Rest",
 "severity": "HIGH",
 "line": 26,
 "fileName": "positive2.yaml",
- "queryName": "ECS Cluster Not Encrypted At Rest"
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "service",
+ "searchKey": "Resources.taskdefinition1",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition1 should be defined",
+ "actualValue": "Resources.taskdefinition1 is not defined.",
+ "issueType": "MissingAttribute",
+ "similarityID": "25856e60812109cc6f49f83672e2cc32595ab20d0a2110b40b7a466a0b181138",
+ "search_line": -1
 },
 {
+ "queryName": "ECS Cluster Not Encrypted At Rest",
 "severity": "HIGH",
 "line": 122,
 "fileName": "positive3.json",
- "queryName": "ECS Cluster Not Encrypted At Rest"
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "service",
+ "searchKey": "Resources.taskdefinition.Properties.Volumes",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be enabled",
+ "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled",
+ "issueType": "IncorrectValue",
+ "similarityID": "ad47ad5311652dc0a9f9f02107719160c7bf0d227000b939a80f362475de7480",
+ "search_line": -1
 },
 {
 "queryName": "ECS Cluster Not Encrypted At Rest",
 "severity": "HIGH",
 "line": 54,
- "fileName": "positive4.json"
+ "fileName": "positive4.json",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "service",
+ "searchKey": "Resources.taskdefinition1",
+ "searchValue": "",
+ "expectedValue": "Resources.taskdefinition1 should be defined",
+ "actualValue": "Resources.taskdefinition1 is not defined.",
+ "issueType": "MissingAttribute",
+ "similarityID": "169667ee07f6d4bc1aac4b64e28ffa1d35c49ad6d293afb759fc7f7dc766364f",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/test/positive_expected_result.json
index 380d9611400..4bc03d10054 100644
--- a/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached/test/positive_expected_result.json
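Review bot: The new golden values for ecs_cluster_not_encrypted_at_rest pin findings whose `"resourceType": "AWS::ECS::Service"` / `"resourceName": "service"` do not match the `searchKey` and `expectedValue`, which point at `Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption`, and the positive2/positive4 entries pin `"Resources.taskdefinition1 should be defined"` as the finding of an at-rest encryption query. Once committed, the test suite enforces this attribution and wording, so it is worth confirming it is what the query is meant to emit before accepting the regenerated file; if it is not, the correction belongs in the query that produces these values, with this fixture regenerated afterwards rather than hand-edited. Every entry here also carries `"search_line": -1` while `line` is set, which presumably means the search-line lookup did not resolve for this query; confirm that is expected rather than an artifact of the generator run.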
@@ -3,24 +3,60 @@
 "queryName": "ECS No Load Balancer Attached",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "ECSService",
+ "searchKey": "Resources.ECSService.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.ECSService.Properties.LoadBalancers' should be defined",
+ "actualValue": "'Resources.ECSService.Properties.LoadBalancers' is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "cb4066849eb338dbfa1fdd8ec0e675e9c8e61f70afbe9d9a6f8e7f916c45fde9",
+ "search_line": -1
 },
 {
 "queryName": "ECS No Load Balancer Attached",
 "severity": "MEDIUM",
 "line": 25,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "ECSService2",
+ "searchKey": "Resources.ECSService2.Properties.LoadBalancers",
+ "searchValue": "",
+ "expectedValue": "'Resources.ECSService2.Properties.LoadBalancers' should not be empty",
+ "actualValue": "'Resources.ECSService2.Properties.LoadBalancers' is empty",
+ "issueType": "IncorrectValue",
+ "similarityID": "3372f5b012225a7143a9e46fc248f873558f927ebcbec644b0150f8b20154975",
+ "search_line": -1
 },
 {
 "queryName": "ECS No Load Balancer Attached",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "ECSService",
+ "searchKey": "Resources.ECSService.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.ECSService.Properties.LoadBalancers' should be defined",
+ "actualValue": "'Resources.ECSService.Properties.LoadBalancers' is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "3dffc812ed939cbb130b6fe6b8808f36aec875db83a537025e9487c7b4475228",
+ "search_line": -1
 },
 {
+ "queryName": "ECS No Load Balancer Attached",
 "severity": "MEDIUM",
 "line": 27,
 "fileName": "positive2.json",
- "queryName": "ECS No Load Balancer Attached"
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "ECSService2",
+ "searchKey": "Resources.ECSService2.Properties.LoadBalancers",
+ "searchValue": "",
+ "expectedValue": "'Resources.ECSService2.Properties.LoadBalancers' should not be empty",
+ "actualValue": "'Resources.ECSService2.Properties.LoadBalancers' is empty",
+ "issueType": "IncorrectValue",
+ "similarityID": "6a8bdf5af9bd3f6dc36c1a846694da4a23a74f047b04c6ac642f186c41e1ac72",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json
index 54d894980d7..f8bc396467e 100644
--- a/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "ECS Service Admin Role Is Present",
 "severity": "HIGH",
 "line": 87,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "ServiceName",
+ "searchKey": "Resources.service.Properties.Role",
+ "searchValue": "",
+ "expectedValue": "Resources.service.Properties.Role should not be an admin role",
+ "actualValue": "Resources.service.Properties.Role is an admin role",
+ "issueType": "IncorrectValue",
+ "similarityID": "6bbe41297d1f85579cfee0663301090f59166fe0511c1d8e2555a69d85526116",
+ "search_line": -1
 },
 {
 "queryName": "ECS Service Admin Role Is Present",
 "severity": "HIGH",
 "line": 66,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "ServiceName",
+ "searchKey": "Resources.service.Properties.Role",
+ "searchValue": "",
+ "expectedValue": "Resources.service.Properties.Role should not be an admin role",
+ "actualValue": "Resources.service.Properties.Role is an admin role",
+ "issueType": "IncorrectValue",
+ "similarityID": "78bde878127a577f391d15037b7c7e181057a448ad2afe90b949225a4ca2bb9e",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/test/positive_expected_result.json
index 565c78ce282..3e4f5423642 100644
--- a/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks/test/positive_expected_result.json
@@ -1,14 +1,32 @@
 [
 {
- "fileName": "positive1.yaml",
 "queryName": "ECS Service Without Running Tasks",
 "severity": "LOW",
- "line": 64
+ "line": 64,
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "ServiceName",
+ "searchKey": "Resources.service.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.service.Properties.DeploymentConfiguration should be defined and not null",
+ "actualValue": "Resources.service.Properties.DeploymentConfiguration is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "f1b8a19a4cbd26cf37bccb186aba9067ef75403fdb500e1a55830d8756584325",
+ "search_line": -1
 },
 {
 "queryName": "ECS Service Without Running Tasks",
 "severity": "LOW",
 "line": 152,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "ServiceName",
+ "searchKey": "Resources.service.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.service.Properties.DeploymentConfiguration should be defined and not null",
+ "actualValue": "Resources.service.Properties.DeploymentConfiguration is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "3915c80f2c408b47a467bbe682baf5b2226c63909930ba8e476949bff4ec6555",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json
index 00b22e5a9dd..6edabec568a 100644
--- a/assets/queries/cloudFormation/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json
@@ -1,14 +1,32 @@
 [
 {
+ "queryName": "ECS Services assigned with public IP address",
 "severity": "MEDIUM",
 "line": 54,
- "queryName": "ECS Services assigned with public IP address",
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "cfn-service",
+ "searchKey": "Resources.ECSService.Properties.NetworkConfiguration.AwsvpcConfiguration.AssignPublicIp",
+ "searchValue": "",
+ "expectedValue": "'AssignPublicIp' field should be defined to 'DISABLED' (defaults to 'DISABLED')",
+ "actualValue": "'AssignPublicIp' field is defined to 'ENABLED'",
+ "issueType": "IncorrectValue",
+ "similarityID": "0083ecb1f2893b163733335b3553bf15cc0b3a454a754ace4bb27d6953a139f9",
+ "search_line": 54
 },
 {
+ "queryName": "ECS Services assigned with public IP address",
 "severity": "MEDIUM",
 "line": 66,
- "queryName": "ECS Services assigned with public IP address",
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "cfn-service",
+ "searchKey": "Resources.ECSService.Properties.NetworkConfiguration.AwsvpcConfiguration.AssignPublicIp",
+ "searchValue": "",
+ "expectedValue": "'AssignPublicIp' field should be defined to 'DISABLED' (defaults to 'DISABLED')",
+ "actualValue": "'AssignPublicIp' field is defined to 'ENABLED'",
+ "issueType": "IncorrectValue",
+ "similarityID": "99d4d922f924600fffb88bbe63951bab45cc6c1cfda58b2065d4be6e4bb36e72",
+ "search_line": 66
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/test/positive_expected_result.json
index 803ab1f8440..80700087fdb 100644
--- a/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing/test/positive_expected_result.json
@@ -1,14 +1,32 @@
 [
 {
- "fileName": "positive1.yaml",
 "queryName": "ECS Task Definition HealthCheck Missing",
 "severity": "LOW",
- "line": 48
+ "line": 48,
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.ContainerDefinitions.1.Name.Ref=AppName",
+ "searchValue": "",
+ "expectedValue": "'Resources.taskdefinition.Properties.ContainerDefinitions' should contain 'HealthCheck' property",
+ "actualValue": "'Resources.taskdefinition.Properties.ContainerDefinitions' doesn't contain 'HealthCheck' property",
+ "issueType": "MissingAttribute",
+ "similarityID": "7ff75d7dd49b59485e4f80970bb0c0ea1859d1c5c938b2eeedd5ec86982ac9ea",
+ "search_line": 48
 },
 {
+ "queryName": "ECS Task Definition HealthCheck Missing",
+ "severity": "LOW",
 "line": 55,
 "fileName": "positive2.json",
- "queryName": "ECS Task Definition HealthCheck Missing",
- "severity": "LOW"
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.ContainerDefinitions.0.Name.Ref=AppName",
+ "searchValue": "",
+ "expectedValue": "'Resources.taskdefinition.Properties.ContainerDefinitions' should contain 'HealthCheck' property",
+ "actualValue": "'Resources.taskdefinition.Properties.ContainerDefinitions' doesn't contain 'HealthCheck' property",
+ "issueType": "MissingAttribute",
+ "similarityID": "502b866e2154d9d83e5bcdd346febd3770ec1283a740dc1d10a2da8a440257a2",
+ "search_line": 55
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/test/positive_expected_result.json
index 1b13003f4ec..a407b85edfe 100644
--- a/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory/test/positive_expected_result.json
@@ -1,26 +1,62 @@
 [
 {
- "fileName": "positive1.yaml",
 "queryName": "ECS Task Definition Invalid CPU or Memory",
 "severity": "LOW",
- "line": 42
+ "line": 42,
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "ECSService",
+ "searchKey": "Resources.taskdefinition.Properties.ContainerDefinitions.Name.Ref=AppName",
+ "searchValue": "",
+ "expectedValue": "'Resources.taskdefinition.Properties.ContainerDefinitions.Memory' shouldn't have incorrect values",
+ "actualValue": "'Resources.taskdefinition.Properties.ContainerDefinitions.Memory' has incorrect value",
+ "issueType": "IncorrectValue",
+ "similarityID": "0760f23e8092221b1d2a5f812afc7ebc8b309f2f4604e32609807b5f78cc1be5",
+ "search_line": 42
 },
 {
 "queryName": "ECS Task Definition Invalid CPU or Memory",
 "severity": "LOW",
 "line": 58,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "ECSService",
+ "searchKey": "Resources.taskdefinition2.Properties.ContainerDefinitions.Name.Ref=AppName2",
+ "searchValue": "",
+ "expectedValue": "'Resources.taskdefinition2.Properties.ContainerDefinitions.Cpu' shouldn't have incorrect values",
+ "actualValue": "'Resources.taskdefinition2.Properties.ContainerDefinitions.Cpu' has incorrect value",
+ "issueType": "IncorrectValue",
+ "similarityID": "80392e0fd6ab4066bcea56af074dcdab655444739ffcc4c2bcc996e7afe5e48f",
+ "search_line": 58
 },
 {
 "queryName": "ECS Task Definition Invalid CPU or Memory",
 "severity": "LOW",
 "line": 63,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "ECSService",
+ "searchKey": "Resources.taskdefinition.Properties.ContainerDefinitions.Name.Ref=AppName",
+ "searchValue": "",
+ "expectedValue": "'Resources.taskdefinition.Properties.ContainerDefinitions.Memory' shouldn't have incorrect values",
+ "actualValue": "'Resources.taskdefinition.Properties.ContainerDefinitions.Memory' has incorrect value",
+ "issueType": "IncorrectValue",
+ "similarityID": "e50b4a3084eecc33adcc0c46f87b49fe3f6543bf68d0357bab4810c87052b833",
+ "search_line": 63
 },
 {
 "queryName": "ECS Task Definition Invalid CPU or Memory",
 "severity": "LOW",
 "line": 93,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "ECSService",
+ "searchKey": "Resources.taskdefinition2.Properties.ContainerDefinitions.Name.Ref=AppName2",
+ "searchValue": "",
+ "expectedValue": "'Resources.taskdefinition2.Properties.ContainerDefinitions.Cpu' shouldn't have incorrect values",
+ "actualValue": "'Resources.taskdefinition2.Properties.ContainerDefinitions.Cpu' has incorrect value",
+ "issueType": "IncorrectValue",
+ "similarityID": "660d90a763386a36d8be973b2ab841fd8d887ebb5c2ebd5368f5c87500dc6dc4",
+ "search_line": 93
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json
index 3ee7e3ba995..73a2c088afc 100644
--- a/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json
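Review bot: All four new entries attribute the finding to `"resourceType": "AWS::ECS::Service"` / `"resourceName": "ECSService"` although `searchKey`, `expectedValue` and `actualValue` all refer to `Resources.taskdefinition` / `Resources.taskdefinition2`, which the neighbouring fixtures report as `AWS::ECS::TaskDefinition`; committing this as the golden output makes the test guard the mis-attribution. The `searchKey` form `ContainerDefinitions.Name.Ref=AppName` also drops the container index that the healthcheck fixture in this same commit uses (`ContainerDefinitions.1.Name.Ref=AppName`), so the two queries now encode different key formats for the same structure, which is what similarityID is derived from. If either is unintended, the correction belongs in the query that produces these values, with this file regenerated afterwards rather than edited by hand.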
@@ -1,14 +1,32 @@
 [
 {
- "fileName": "positive1.yaml",
 "queryName": "ECS Task Definition Network Mode Not Recommended",
 "severity": "MEDIUM",
- "line": 7
+ "line": 7,
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties.NetworkMode",
+ "searchValue": "",
+ "expectedValue": "'Resources.taskdefinition.Properties.NetworkMode' should be 'awsvpc'",
+ "actualValue": "'Resources.taskdefinition.Properties.NetworkMode' is 'none'",
+ "issueType": "IncorrectValue",
+ "similarityID": "8b26b6c75549915a2b3b4f2f69b69223863ceda3cf5e4b516e87054df574dd92",
+ "search_line": -1
 },
 {
+ "queryName": "ECS Task Definition Network Mode Not Recommended",
+ "severity": "MEDIUM",
 "line": 7,
 "fileName": "positive2.json",
- "queryName": "ECS Task Definition Network Mode Not Recommended",
- "severity": "MEDIUM"
+ "resourceType": "AWS::ECS::TaskDefinition",
+ "resourceName": "taskdefinition",
+ "searchKey": "Resources.taskdefinition.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.taskdefinition.Properties.NetworkMode' should be set and should be 'awsvpc'",
+ "actualValue": "'Resources.taskdefinition.Properties.NetworkMode' is undefined and defaults to 'bridge'",
+ "issueType": "MissingAttribute",
+ "similarityID": "0ca0e1117fc06eaa1b852767bfcfdada3e613f042dddfb707f940a0b9502d6b7",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/efs_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/efs_not_encrypted/test/positive_expected_result.json
index fc9de30c639..603d5480cf3 100644
--- a/assets/queries/cloudFormation/aws/efs_not_encrypted/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/efs_not_encrypted/test/positive_expected_result.json
@@ -3,18 +3,45 @@
 "queryName": "EFS Not Encrypted",
 "severity": "HIGH",
 "line": 49,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::EFS::FileSystem",
+ "resourceName": "test-VPC-EFS",
+ "searchKey": "Resources.EFSFileSystem01.Properties.Encrypted",
+ "searchValue": "",
+ "expectedValue": "EFS resource 'EFSFileSystem01' should have encryption enabled",
+ "actualValue": "EFS resource 'EFSFileSystem01' has encryption set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "ea8d57696d56e14b3c09cb678680ff0760c60832e645946e30733a22b0567c6d",
+ "search_line": -1
 },
 {
 "queryName": "EFS Not Encrypted",
 "severity": "HIGH",
 "line": 90,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::EFS::FileSystem",
+ "resourceName": "test-VPC-EFS",
+ "searchKey": "Resources.EFSFileSystem01.Properties.Encrypted",
+ "searchValue": "",
+ "expectedValue": "EFS resource 'EFSFileSystem01' should have encryption enabled",
+ "actualValue": "EFS resource 'EFSFileSystem01' has encryption set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "23ef605a47217c04f4bbc873fb2c7b300a663075a5f944fe369d59c69e5a38f5",
+ "search_line": -1
 },
 {
 "queryName": "EFS Not Encrypted",
 "severity": "HIGH",
 "line": 49,
- "fileName": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "AWS::EFS::FileSystem",
+ "resourceName": "test-VPC-EFS",
+ "searchKey": "Resources.EFSFileSystem01.Properties.Encrypted",
+ "searchValue": "",
+ "expectedValue": "EFS resource 'EFSFileSystem01' should have encryption enabled",
+ "actualValue": "EFS resource 'EFSFileSystem01' has encryption set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "75407b6034ad88706bffe25fa775b35c8aa5016493b0952ed560fb529782dfbd",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json
index 454f88a6484..5e88bea1d1a 100644
--- a/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json
@@ -3,180 +3,450 @@ "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 35, - "fileName": "positive1.json" + "fileName": "positive1.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be enabled", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled", + "issueType": "IncorrectValue", + "similarityID": "d479a2ec00b5aa73c1444d1c051cb64fc0cfcd4a51ca22fa87ea8f37ff78bbcd", + "search_line": 35 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 26, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be enabled", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled", + "issueType": "IncorrectValue", + "similarityID": "5f1cdaaf00d37e8c83ec7941e00e610d3dfa3cb760090f623b970dfc6c8e45bf", + "search_line": 26 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 31, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should 
be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)", + "issueType": "MissingAttribute", + "similarityID": "049e669534cc3fcc108754c5fb84536536eed5d28e787f6671acb59c731f1f72", + "search_line": 31 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 22, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)", + "issueType": "MissingAttribute", + "similarityID": "060e960869a6a66d5ba265233e8a47dbe3892556c844de54c7f8a295bb7bd656", + "search_line": 22 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 30, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0]", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration is not defined", + "issueType": "MissingAttribute", + "similarityID": "9d2948466ed9bdc99d91fac5d72b8835fee656e2101a35a9af1ce693f6b176fd", + "search_line": 30 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 21, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": 
"taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0]", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration is not defined", + "issueType": "MissingAttribute", + "similarityID": "2af717d40a98df49cd75984a9e72d12e8e0fb6f93e6b29156dee8953052e12a8", + "search_line": 21 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 7, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes is not defined", + "issueType": "MissingAttribute", + "similarityID": "0a14a6ea0cf9197537aed7d144e460085a96513c2829e5c7f22aaca82b4b5760", + "search_line": 7 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 4, - "fileName": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes is not defined", + "issueType": "MissingAttribute", + "similarityID": "836234c384e3cfbef8c170b14df1821596da8a5eb6b8d98e5fde4ae7d0603c84", + "search_line": 4 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 45, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": 
"Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be enabled", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled", + "issueType": "IncorrectValue", + "similarityID": "ae66aa5d3a1152ad801a89cb7210e1853fdbb8598ba1cb6f8858e490e0c2a166", + "search_line": 45 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 35, - "fileName": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be enabled", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled", + "issueType": "IncorrectValue", + "similarityID": "8553158bd8cf3bb2f0c5719e9f94f272e81286e972e427e9eb1c0a6c115b5e3f", + "search_line": 35 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 41, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0]", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration is not defined", + "issueType": "MissingAttribute", + "similarityID": "1cc3fe96c064a259bd8f95b3036b1d868083e3ce5a64f0881119cea312fe2c08", + "search_line": 41 }, { "queryName": "EFS Volume With Disabled Transit 
Encryption", "severity": "MEDIUM", "line": 32, - "fileName": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0]", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration is not defined", + "issueType": "MissingAttribute", + "similarityID": "a356e772bc958a07d9a91c6fae6d31555646d93a1d7938b4bb4e8ba8b8f5bd10", + "search_line": 32 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 41, - "fileName": "positive7.json" + "fileName": "positive7.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0]", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration is not defined", + "issueType": "MissingAttribute", + "similarityID": "b9ac5a0a72ef86d0422cc9868bb03e716c00409d32c82605d8a40fd0c5441d79", + "search_line": 41 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 32, - "fileName": "positive7.yaml" + "fileName": "positive7.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0]", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration is not defined", + "issueType": "MissingAttribute", + "similarityID": "14f44c2fbbb8c67d7c74fe296b46f86b0b5cf77b88c3e74727a847ef7e24009e", + 
"search_line": 32 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 7, - "fileName": "positive8.json" + "fileName": "positive8.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes is not defined", + "issueType": "MissingAttribute", + "similarityID": "e1be45dd7f5132459e1ab3e5bca23e118e6da04b368232f608e02a7ca54ea55b", + "search_line": 7 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 4, - "fileName": "positive8.yaml" + "fileName": "positive8.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes is not defined", + "issueType": "MissingAttribute", + "similarityID": "717ec86e9dedc4f72da2980f990e0cd722cf07cc5fa80797e42637f7090e2983", + "search_line": 4 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 30, - "fileName": "positive9.json" + "fileName": "positive9.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be enabled", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled", + "issueType": "IncorrectValue", + "similarityID": "6bfa048a23660283cd89618a53ecfabb480fa76d494e62d7aacb4fd46b733b46", + 
"search_line": 30 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 39, - "fileName": "positive9.json" + "fileName": "positive9.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption should be enabled", + "actualValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption is disabled", + "issueType": "IncorrectValue", + "similarityID": "69ad35e26ebde1076d31935db4039cdfba9b1e1948db05806d819577c420dee7", + "search_line": 39 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 22, - "fileName": "positive9.yaml" + "fileName": "positive9.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be enabled", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is disabled", + "issueType": "IncorrectValue", + "similarityID": "2abbc80106af4a4392e3de748c23b0cc90a6ff0a4f9c420565fa52b5f0ffef2d", + "search_line": 22 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 29, - "fileName": "positive9.yaml" + "fileName": "positive9.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption", + "searchValue": "", + "expectedValue": 
"Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption should be enabled", + "actualValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption is disabled", + "issueType": "IncorrectValue", + "similarityID": "c02fa1b1378526c07ba9c29834d696d146178991b4733cb94935c14f4bce511a", + "search_line": 29 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 27, - "fileName": "positive10.json" + "fileName": "positive10.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)", + "issueType": "MissingAttribute", + "similarityID": "a499f2efc96418e07fe4372ac7e270684d5d641d908fe4a3d9a079604f05f9f1", + "search_line": 27 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 35, - "fileName": "positive10.json" + "fileName": "positive10.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)", + "issueType": "MissingAttribute", + "similarityID": "c8c5e3f072e705b0ddab5a19760f1efb7e6296f0ef6e04f75235d00f227b259e", + "search_line": 35 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": 
"MEDIUM", "line": 19, - "fileName": "positive10.yaml" + "fileName": "positive10.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)", + "issueType": "MissingAttribute", + "similarityID": "e47b56779c9a7603b605acbdbb1d79142b13921a290cb6f9147d6ef97be4284d", + "search_line": 19 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 25, - "fileName": "positive10.yaml" + "fileName": "positive10.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)", + "issueType": "MissingAttribute", + "similarityID": "358f6f9c9ab4834f56f1523e72ade31191387d16a9aa9c0873122a544fcb01d8", + "search_line": 25 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 26, - "fileName": "positive11.json" + "fileName": "positive11.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0]", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration should be defined", + "actualValue": 
"Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration is not defined", + "issueType": "MissingAttribute", + "similarityID": "dd91439c1df9b9641b32ac7fa8a52f758f0b736ee1cec955c6679d3752ae3c40", + "search_line": 26 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 32, - "fileName": "positive11.json" + "fileName": "positive11.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[1]", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration is not defined", + "issueType": "MissingAttribute", + "similarityID": "769c5eb627b79bbe242abc03264ee86c61b12c2e61563b36ac73ba34377a0e03", + "search_line": 32 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 18, - "fileName": "positive11.yaml" + "fileName": "positive11.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[0]", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[0].EFSVolumeConfiguration is not defined", + "issueType": "MissingAttribute", + "similarityID": "809660e97ec536cf8b1617d37c913c4bcc3466c59f16c354baf1981895b328d9", + "search_line": 18 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 22, - "fileName": "positive11.yaml" + "fileName": "positive11.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[1]", + "searchValue": "", + "expectedValue": 
"Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration should be defined", + "actualValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration is not defined", + "issueType": "MissingAttribute", + "similarityID": "2cdb43a67d0d70924b96a2698a8f945e9e7d8848c8d687c45117935bd3379191", + "search_line": 22 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 39, - "fileName": "positive12.json" + "fileName": "positive12.json", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption should be enabled", + "actualValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption is disabled", + "issueType": "IncorrectValue", + "similarityID": "73fdd4f4a2468e75aa076c7fcf475e6b7b18ff68f49f54adf73710f7d4618f72", + "search_line": 39 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 29, - "fileName": "positive12.yaml" + "fileName": "positive12.yaml", + "resourceType": "AWS::ECS::TaskDefinition", + "resourceName": "taskdefinition", + "searchKey": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption", + "searchValue": "", + "expectedValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption should be enabled", + "actualValue": "Resources.taskdefinition.Properties.Volumes[1].EFSVolumeConfiguration.TransitEncryption is disabled", + "issueType": "IncorrectValue", + "similarityID": "bb8cadf0411fc075536aeb9af00ca88d72d88200c6a44539a51a1783adb2a8ba", + "search_line": 29 } ] 
diff --git a/assets/queries/cloudFormation/aws/efs_without_kms/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/efs_without_kms/test/positive_expected_result.json index b3569a8fb15..2187896e3ed 100644 --- a/assets/queries/cloudFormation/aws/efs_without_kms/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/efs_without_kms/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "EFS Without KMS", "severity": "LOW", "line": 82, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EFS::FileSystem", + "resourceName": "test-VPC-EFS", + "searchKey": "Resources.EFSFileSystem01", + "searchValue": "", + "expectedValue": "EFS resource 'EFSFileSystem01' should have encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys", + "actualValue": "EFS resource 'EFSFileSystem01' is not encrypted using KMS CMK customer-managed keys instead of AWS managed-keys", + "issueType": "MissingAttribute", + "similarityID": "bc4451341477cb129e71b931c361338f562acc2aff996d3001dcafd3f062068a", + "search_line": -1 }, { "queryName": "EFS Without KMS", "severity": "LOW", "line": 157, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EFS::FileSystem", + "resourceName": "test-VPC-EFS", + "searchKey": "Resources.EFSFileSystem01", + "searchValue": "", + "expectedValue": "EFS resource 'EFSFileSystem01' should have encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys", + "actualValue": "EFS resource 'EFSFileSystem01' is not encrypted using KMS CMK customer-managed keys instead of AWS managed-keys", + "issueType": "MissingAttribute", + "similarityID": "732c4ee452d49dbb2aff7fd44c6503e0771feacee1b9f5bc5fd51a64b3b40beb", + "search_line": -1 }, { "queryName": "EFS Without KMS", "severity": "LOW", "line": 82, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::EFS::FileSystem", + "resourceName": "test-VPC-EFS", + "searchKey": "Resources.EFSFileSystem01", + "searchValue": "", + "expectedValue": "EFS resource 'EFSFileSystem01' should have encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys", + "actualValue": "EFS resource 'EFSFileSystem01' is not encrypted using KMS CMK customer-managed keys instead of AWS managed-keys", + "issueType": "MissingAttribute", + 
"similarityID": "ac60fd76f83a516128298d000cee439e93584349a9b95176e9d9a3dea029b3bc", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/efs_without_tags/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/efs_without_tags/test/positive_expected_result.json index f69d1cd120b..8f8131df442 100644 --- a/assets/queries/cloudFormation/aws/efs_without_tags/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/efs_without_tags/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "EFS Without Tags", "severity": "LOW", "line": 15, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EFS::FileSystem", + "resourceName": "FileSystem", + "searchKey": "Resources.FileSystem", + "searchValue": "", + "expectedValue": "'Resources.FileSystem.Properties.FileSystemTags' should be defined and not null", + "actualValue": "'Resources.FileSystem.Properties.FileSystemTags' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "dae7ce2fc0101a888608f94789a445fb512d1eb6328e835a7169a54716f4f274", + "search_line": -1 }, { "queryName": "EFS Without Tags", "severity": "LOW", "line": 40, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EFS::FileSystem", + "resourceName": "FileSystem", + "searchKey": "Resources.FileSystem", + "searchValue": "", + "expectedValue": "'Resources.FileSystem.Properties.FileSystemTags' should be defined and not null", + "actualValue": "'Resources.FileSystem.Properties.FileSystemTags' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "6b023613d8fff416ce1e01d5767aac736d646b8972e1a366d82a3676cfe2bdfa", + "search_line": -1 } ] 
diff --git a/assets/queries/cloudFormation/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json index e1ca5a31001..69ad171d157 100644 --- a/assets/queries/cloudFormation/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json 
@@ -1,26 +1,62 @@ [ { + "queryName": "EKS Cluster Encryption Disabled", "severity": "HIGH", "line": 5, - "queryName": "EKS Cluster Encryption Disabled", - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EKS::Cluster", + "resourceName": "MyEKSClusterA", + "searchKey": "Resources.MyEKSClusterA.Properties", + "searchValue": "", + "expectedValue": "'EncryptionConfig' should be defined and not null", + "actualValue": "'EncryptionConfig' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "b70b61478902fc0c03d737d4f5410ee15bdedc3bd35734c9ddf40677990d7430", + "search_line": 5 }, { + "queryName": "EKS Cluster Encryption Disabled", "severity": "HIGH", "line": 6, - "queryName": "EKS Cluster Encryption Disabled", - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EKS::Cluster", + "resourceName": "MyEKSClusterA", + "searchKey": "Resources.MyEKSClusterA.Properties", + "searchValue": "", + "expectedValue": "'EncryptionConfig' should be defined and not null", + "actualValue": "'EncryptionConfig' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "64d643c2f1f399c6afadd04b3d5baa9f955f7f133a66e487edef2842e80c23a6", + "search_line": 6 }, { + "queryName": "EKS Cluster Encryption Disabled", "severity": "HIGH", "line": 16, - "queryName": "EKS Cluster Encryption Disabled", - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::EKS::Cluster", + "resourceName": "MyEKSClusterB", + "searchKey": "Resources.MyEKSClusterB.Properties.EncryptionConfig", + "searchValue": "", + "expectedValue": "'secrets' should be defined inside the Resources field", + "actualValue": "'secrets' is undefined on the Resources field", + "issueType": "IncorrectValue", + "similarityID": "4b78a75ce32b33a7b5ad911f95de94099fc3f4280e9759dcbdd9f2651524139d", + "search_line": 16 }, { + "queryName": "EKS Cluster Encryption Disabled", "severity": "HIGH", "line": 19, - 
"queryName": "EKS Cluster Encryption Disabled", - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::EKS::Cluster", + "resourceName": "MyEKSClusterB", + "searchKey": "Resources.MyEKSClusterB.Properties.EncryptionConfig", + "searchValue": "", + "expectedValue": "'secrets' should be defined inside the Resources field", + "actualValue": "'secrets' is undefined on the Resources field", + "issueType": "IncorrectValue", + "similarityID": "bcfdd22d97777d0b9ef3b77162c9c0bed4d2901702039da8361c29f4abc9fe81", + "search_line": 19 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/eks_node_group_remote_access/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/eks_node_group_remote_access/test/positive_expected_result.json index facfe6cd979..b90932aac1a 100644 --- a/assets/queries/cloudFormation/aws/eks_node_group_remote_access/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/eks_node_group_remote_access/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "EKS node group remote access", "severity": "MEDIUM", "line": 17, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EKS::Nodegroup", + "resourceName": "EKSNodegroup", + "searchKey": "Resources.EKSNodegroup.Properties.RemoteAccess", + "searchValue": "", + "expectedValue": "'Resources.EKSNodegroup.Properties.RemoteAccess.SourceSecurityGroups' should be defined and not null", + "actualValue": "'Resources.EKSNodegroup.Properties.RemoteAccess.Source SecurityGroups' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "49ef9d0890c6e4e8aea29d7dd464ed5c349afa820549918d8aacf8e22113f4a4", + "search_line": -1 }, { "queryName": "EKS node group remote access", "severity": "MEDIUM", "line": 21, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EKS::Nodegroup", + "resourceName": "EKSNodegroup", + "searchKey": "Resources.EKSNodegroup.Properties.RemoteAccess", + "searchValue": "", + "expectedValue": "'Resources.EKSNodegroup.Properties.RemoteAccess.SourceSecurityGroups' should be defined and not null", + "actualValue": "'Resources.EKSNodegroup.Properties.RemoteAccess.Source SecurityGroups' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "a91cdcf97cad0535476919491270af56adb4c9c14e00b3793934e1da10505d4b", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json index e8a84d33553..e86a2301b9d 100644 --- a/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json 
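Review bot: The `actualValue` of both new entries reads `'Resources.EKSNodegroup.Properties.RemoteAccess.Source SecurityGroups' is undefined or null`, with a stray space inside the property name, while the `expectedValue` immediately above spells it `SourceSecurityGroups`. The fixture is therefore pinning a typo that presumably comes from the query's message template, which is outside this diff; correcting it there to `'Resources.EKSNodegroup.Properties.RemoteAccess.SourceSecurityGroups' is undefined or null` and regenerating this file would keep the two strings consistent with the `searchKey`. Hand-editing the JSON alone would just make the expected result diverge from the scan output again on the next regeneration.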
@@ -1,26 +1,62 @@ [ { + "queryName": "ElastiCache Nodes Not Created Across Multi AZ", + "severity": "MEDIUM", "line": 6, "fileName": "positive1.yaml", - "queryName": "ElastiCache Nodes Not Created Across Multi AZ", - "severity": "MEDIUM" + "resourceType": "AWS::ElastiCache::CacheCluster", + "resourceName": "myCacheCluster3", + "searchKey": "Resources.myCacheCluster3.Properties.AZMode", + "searchValue": "", + "expectedValue": "Resources.myCacheCluster3.Properties.AZMode is 'cross-az'", + "actualValue": "Resources.myCacheCluster3.Properties.AZMode is 'single-az", + "issueType": "IncorrectValue", + "similarityID": "47cf39490c5f2445a59ff08379d607db9e18ae4c0d9465fdffc79434d728f53c", + "search_line": -1 }, { - "fileName": "positive3.json", "queryName": "ElastiCache Nodes Not Created Across Multi AZ", "severity": "MEDIUM", - "line": 6 + "line": 5, + "fileName": "positive2.yaml", + "resourceType": "AWS::ElastiCache::CacheCluster", + "resourceName": "myCacheCluster4", + "searchKey": "Resources.myCacheCluster4.Properties", + "searchValue": "", + "expectedValue": "Resources.myCacheCluster4.Properties.AZMode should be defined and is 'cross-az'", + "actualValue": "Resources.myCacheCluster4.Properties.AZMode is not defined, default value is 'single-az'", + "issueType": "MissingAttribute", + "similarityID": "8f5c1e2e44b55b104749c518e82cb1460b3a463c622b9245b62b8fa42c5cb6f8", + "search_line": -1 }, { "queryName": "ElastiCache Nodes Not Created Across Multi AZ", "severity": "MEDIUM", - "line": 5, - "fileName": "positive2.yaml" + "line": 6, + "fileName": "positive3.json", + "resourceType": "AWS::ElastiCache::CacheCluster", + "resourceName": "myCacheCluster5", + "searchKey": "Resources.myCacheCluster5.Properties.AZMode", + "searchValue": "", + "expectedValue": "Resources.myCacheCluster5.Properties.AZMode is 'cross-az'", + "actualValue": "Resources.myCacheCluster5.Properties.AZMode is 'single-az", + "issueType": "IncorrectValue", + "similarityID": 
"8070523e8dd2d443ce2b689f824adf59e1e668303056301973677ac1ab83dbf0", + "search_line": -1 }, { "queryName": "ElastiCache Nodes Not Created Across Multi AZ", "severity": "MEDIUM", "line": 5, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::ElastiCache::CacheCluster", + "resourceName": "myCacheCluster6", + "searchKey": "Resources.myCacheCluster6.Properties", + "searchValue": "", + "expectedValue": "Resources.myCacheCluster6.Properties.AZMode should be defined and is 'cross-az'", + "actualValue": "Resources.myCacheCluster6.Properties.AZMode is not defined, default value is 'single-az'", + "issueType": "MissingAttribute", + "similarityID": "6a5b56eea6302d1bdad01826d54a4ff8f8b224cf7d2e414cd8c1940931f9b3ac", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/elasticache_using_default_port/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticache_using_default_port/test/positive_expected_result.json index 20174b78ed6..9eb0751bc26 100644 --- a/assets/queries/cloudFormation/aws/elasticache_using_default_port/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticache_using_default_port/test/positive_expected_result.json 
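Review bot: The `actualValue` strings for positive1.yaml and positive3.json, `Resources.myCacheCluster3.Properties.AZMode is 'single-az` and `Resources.myCacheCluster5.Properties.AZMode is 'single-az`, are missing the closing quote around `single-az`, whereas the paired `expectedValue` entries quote `'cross-az'` on both sides. The text presumably originates in the query's message template outside this diff, so the fix belongs there (`... AZMode is 'single-az'`) followed by regenerating this fixture rather than patching the JSON by hand. The reordering of the positive2.yaml and positive3.json entries in this hunk matches the natural-sort order used by the other files in the commit and is not an issue on its own.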
@@ -3,24 +3,60 @@ "queryName": "ElastiCache Using Default Port", "severity": "LOW", "line": 12, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::ElastiCache::ReplicationGroup", + "resourceName": "BasicReplicationGroup", + "searchKey": "Resources.BasicReplicationGroup.Properties.Port", + "searchValue": "", + "expectedValue": "Resources.BasicReplicationGroup.Properties.Port should not be set to 6379", + "actualValue": "Resources.BasicReplicationGroup.Properties.Port is set to 6379", + "issueType": "IncorrectValue", + "similarityID": "38ff5348380c539ac6c1977eed8f7605c05fb4c4e90a337edbda08becb042e0d", + "search_line": 12 }, { "queryName": "ElastiCache Using Default Port", "severity": "LOW", "line": 12, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::ElastiCache::ReplicationGroup", + "resourceName": "BasicReplicationGroup", + "searchKey": "Resources.BasicReplicationGroup.Properties.Port", + "searchValue": "", + "expectedValue": "Resources.BasicReplicationGroup.Properties.Port should not be set to 11211", + "actualValue": "Resources.BasicReplicationGroup.Properties.Port is set to 11211", + "issueType": "IncorrectValue", + "similarityID": "92208f5127605ab40b31029da514d7183c8ec47cf3d3eecffce99e4c5200aa33", + "search_line": 12 }, { "queryName": "ElastiCache Using Default Port", "severity": "LOW", "line": 15, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::ElastiCache::ReplicationGroup", + "resourceName": "BasicReplicationGroup", + "searchKey": "Resources.BasicReplicationGroup.Properties.Port", + "searchValue": "", + "expectedValue": "Resources.BasicReplicationGroup.Properties.Port should not be set to 6379", + "actualValue": "Resources.BasicReplicationGroup.Properties.Port is set to 6379", + "issueType": "IncorrectValue", + "similarityID": "53e96241b059bd572c92dc0775c174f2957684bb7a930fbb753783e28bba7ffd", + "search_line": 15 }, { "queryName": "ElastiCache 
Using Default Port", "severity": "LOW", "line": 15, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::ElastiCache::ReplicationGroup", + "resourceName": "BasicReplicationGroup", + "searchKey": "Resources.BasicReplicationGroup.Properties.Port", + "searchValue": "", + "expectedValue": "Resources.BasicReplicationGroup.Properties.Port should not be set to 11211", + "actualValue": "Resources.BasicReplicationGroup.Properties.Port is set to 11211", + "issueType": "IncorrectValue", + "similarityID": "dad145f555b41455f149c131c0a5a5f524af3b4ca996df12f3d823f11de489ee", + "search_line": 15 } ] diff --git a/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/test/positive_expected_result.json index 36188c1bb62..1e639bb1827 100644 --- a/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption/test/positive_expected_result.json 
@@ -3,30 +3,75 @@ "queryName": "ElastiCache With Disabled at Rest Encryption", "severity": "HIGH", "line": 10, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::ElastiCache::ReplicationGroup", + "resourceName": "ReplicationGroup", + "searchKey": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled", + "searchValue": "", + "expectedValue": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled should be true", + "actualValue": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled is false", + "issueType": "IncorrectValue", + "similarityID": "bb46a6c320980668edacbd51dedfd95eb6496b2f98343b69f22ffc04050fbb74", + "search_line": -1 }, { "queryName": "ElastiCache With Disabled at Rest Encryption", "severity": "HIGH", "line": 8, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::ElastiCache::ReplicationGroup", + "resourceName": "MyReplicationGroup", + "searchKey": "Resources.MyReplicationGroup.Properties", + "searchValue": "", + "expectedValue": "Resources.MyReplicationGroup.Properties.AtRestEncryptionEnabled should be defined", + "actualValue": "Resources.MyReplicationGroup.Properties.AtRestEncryptionEnabled is undefined", + "issueType": "MissingAttribute", + "similarityID": "b2ec728fb513b825dff59b54cccca2dd622ecc9df3adac2153a833cba68bc7eb", + "search_line": -1 }, { "queryName": "ElastiCache With Disabled at Rest Encryption", "severity": "HIGH", "line": 19, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::ElastiCache::ReplicationGroup", + "resourceName": "ReplicationGroup", + "searchKey": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled", + "searchValue": "", + "expectedValue": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled should be true", + "actualValue": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled is false", + "issueType": "IncorrectValue", + "similarityID": 
"7c15309fb657c5019e5feecdf6b4cf6c82515e3944070c3b788b6bca09fa5cd0", + "search_line": -1 }, { "queryName": "ElastiCache With Disabled at Rest Encryption", "severity": "HIGH", "line": 7, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::ElastiCache::ReplicationGroup", + "resourceName": "MyReplicationGroup", + "searchKey": "Resources.MyReplicationGroup.Properties", + "searchValue": "", + "expectedValue": "Resources.MyReplicationGroup.Properties.AtRestEncryptionEnabled should be defined", + "actualValue": "Resources.MyReplicationGroup.Properties.AtRestEncryptionEnabled is undefined", + "issueType": "MissingAttribute", + "similarityID": "a14938ebc79c3b627bb5b89d2176828b7e6aff60a3d127f05ae5d7a2cc36b155", + "search_line": -1 }, { "queryName": "ElastiCache With Disabled at Rest Encryption", "severity": "HIGH", "line": 10, - "fileName": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "AWS::ElastiCache::ReplicationGroup", + "resourceName": "ReplicationGroup", + "searchKey": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled", + "searchValue": "", + "expectedValue": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled should be true", + "actualValue": "Resources.ReplicationGroup.Properties.AtRestEncryptionEnabled is false", + "issueType": "IncorrectValue", + "similarityID": "c3bdb66dedb3c96d1aed459aaf5814aa18a8a03041912525c15541c714792262", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/test/positive_expected_result.json index 303cc495823..7628f0ca429 100644 --- a/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption/test/positive_expected_result.json 
@@ -3,30 +3,75 @@ "queryName": "ElastiCache With Disabled Transit Encryption", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::ElastiCache::ReplicationGroup", + "resourceName": "ReplicationGroup", + "searchKey": "Resources.ReplicationGroup.Properties", + "searchValue": "", + "expectedValue": "Resources.ReplicationGroup.Properties.TransitEncryptionEnabled should be defined", + "actualValue": "Resources.ReplicationGroup.Properties.TransitEncryptionEnabled is undefined", + "issueType": "MissingAttribute", + "similarityID": "d49736b2abf2619fa34edfa4ad67a124ca682e93756d898390102bfe6598083c", + "search_line": -1 }, { "queryName": "ElastiCache With Disabled Transit Encryption", "severity": "MEDIUM", "line": 26, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::ElastiCache::ReplicationGroup", + "resourceName": "MyReplicationGroup", + "searchKey": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled", + "searchValue": "", + "expectedValue": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled should be true", + "actualValue": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled is false", + "issueType": "IncorrectValue", + "similarityID": "076febe7d552a7748139ddaaed4d57b6fafef8d2ac8c43d857084685dfdd7f16", + "search_line": -1 }, { "queryName": "ElastiCache With Disabled Transit Encryption", "severity": "MEDIUM", "line": 4, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::ElastiCache::ReplicationGroup", + "resourceName": "ReplicationGroup", + "searchKey": "Resources.ReplicationGroup.Properties", + "searchValue": "", + "expectedValue": "Resources.ReplicationGroup.Properties.TransitEncryptionEnabled should be defined", + "actualValue": "Resources.ReplicationGroup.Properties.TransitEncryptionEnabled is undefined", + "issueType": "MissingAttribute", + "similarityID": 
"2f168f8851b854dec7ae352367ee050bb731fcbfd5132f16d5a9059211d7b53a", + "search_line": -1 }, { "queryName": "ElastiCache With Disabled Transit Encryption", "severity": "MEDIUM", "line": 18, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::ElastiCache::ReplicationGroup", + "resourceName": "MyReplicationGroup", + "searchKey": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled", + "searchValue": "", + "expectedValue": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled should be true", + "actualValue": "Resources.MyReplicationGroup.Properties.TransitEncryptionEnabled is false", + "issueType": "IncorrectValue", + "similarityID": "829d76ef13a70fc1284ec88a182b679eda0e98852f9a129b13529d10f8462900", + "search_line": -1 }, { "queryName": "ElastiCache With Disabled Transit Encryption", "severity": "MEDIUM", "line": 6, - "fileName": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "AWS::ElastiCache::ReplicationGroup", + "resourceName": "ReplicationGroup", + "searchKey": "Resources.ReplicationGroup.Properties", + "searchValue": "", + "expectedValue": "Resources.ReplicationGroup.Properties.TransitEncryptionEnabled should be defined", + "actualValue": "Resources.ReplicationGroup.Properties.TransitEncryptionEnabled is undefined", + "issueType": "MissingAttribute", + "similarityID": "dc1e6c79fe6544b0fbfecf3f682aa8ee933f6410d22cf2fee6fb149475550eb9", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/elasticache_without_vpc/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticache_without_vpc/test/positive_expected_result.json index 7031db962ef..c87331c62d0 100644 --- a/assets/queries/cloudFormation/aws/elasticache_without_vpc/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticache_without_vpc/test/positive_expected_result.json 
@@ -3,12 +3,30 @@
 "queryName": "ElastiCache Without VPC",
 "severity": "LOW",
 "line": 4,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::ElastiCache::CacheCluster",
+ "resourceName": "ElasticacheCluster",
+ "searchKey": "Resources.ElasticacheCluster.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticacheCluster.Properties.CacheSubnetGroupName should be defined and not null",
+ "actualValue": "Resources.ElasticacheCluster.Properties.CacheSubnetGroupName is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "090112d4e7ee690638d4d257825628d2aa0d102e473aba83a9267e056c6f3517",
+ "search_line": 4
 },
 {
 "queryName": "ElastiCache Without VPC",
 "severity": "LOW",
 "line": 5,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::ElastiCache::CacheCluster",
+ "resourceName": "ElasticacheCluster",
+ "searchKey": "Resources.ElasticacheCluster.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticacheCluster.Properties.CacheSubnetGroupName should be defined and not null",
+ "actualValue": "Resources.ElasticacheCluster.Properties.CacheSubnetGroupName is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "a1e3227d59979966544e1b91bea05de04cde08febc80926b98bab41397d0b1f3",
+ "search_line": 5
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/test/positive_expected_result.json
index c1b2e200ba8..fce4127aeee 100644
--- a/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled/test/positive_expected_result.json
@@ -3,24 +3,60 @@
 "queryName": "ElasticSearch Encryption With KMS Disabled",
 "severity": "HIGH",
 "line": 15,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "test",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.KmsKeyId should be set",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.KmsKeyId is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "24774623e4212be567e40d6f2ed54209a3e6b7c0d012b5df05f7cc716b063225",
+ "search_line": -1
 },
 {
+ "queryName": "ElasticSearch Encryption With KMS Disabled",
+ "severity": "HIGH",
 "line": 7,
 "fileName": "positive2.json",
- "queryName": "ElasticSearch Encryption With KMS Disabled",
- "severity": "HIGH"
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "test",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.KmsKeyId should be set",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.KmsKeyId is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "742b9ac705bfd4e31f4f1ab688059ad0f8aca2955c8467b03cc6bf7f5797e04a",
+ "search_line": -1
 },
 {
+ "queryName": "ElasticSearch Encryption With KMS Disabled",
+ "severity": "HIGH",
 "line": 6,
 "fileName": "positive3.yaml",
- "queryName": "ElasticSearch Encryption With KMS Disabled",
- "severity": "HIGH"
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "test",
+ "searchKey": "Resources.ElasticsearchDomain.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions should be defined and not null",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "aeebfe0068900d036229d10b2f94a6ac550e29489dabb8bdcbedd0e27e6618fd",
+ "search_line": -1
 },
 {
+ "queryName": "ElasticSearch Encryption With KMS Disabled",
+ "severity": "HIGH",
 "line": 6,
 "fileName": "positive4.json",
- "queryName": "ElasticSearch Encryption With KMS Disabled",
- "severity": "HIGH"
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "test",
+ "searchKey": "Resources.ElasticsearchDomain.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions should be defined and not null",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "a6a79486929b5363bc8c961e54ef7c556f61f2ca666f9ebc22eefba7735bdb6b",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json
index d07d400b7a1..2ecee868f1e 100644
--- a/assets/queries/cloudFormation/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json
@@ -3,72 +3,180 @@
 "queryName": "Elasticsearch Domain Not Encrypted Node To Node",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "MyOpenSearchDomain",
+ "searchKey": "Resources.MyOpenSearchDomain.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined",
+ "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "271f070d54633dce20b7c9736a75de9619cf570496f7fcb1b6efc45e3b4f7df1",
+ "search_line": 7
 },
 {
 "queryName": "Elasticsearch Domain Not Encrypted Node To Node",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "MyOpenSearchDomain",
+ "searchKey": "Resources.MyOpenSearchDomain.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined",
+ "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "e8e910d9ee8951a12926962bd03ef7875444cc654ddc393538173f6a535a1067",
+ "search_line": 7
 },
 {
 "queryName": "Elasticsearch Domain Not Encrypted Node To Node",
 "severity": "MEDIUM",
 "line": 34,
- "fileName": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "MyOpenSearchDomain",
+ "searchKey": "Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' should be defined to true",
+ "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' is not defined to true",
+ "issueType": "IncorrectValue",
+ "similarityID": "bb1ed80abbafa460406ed8e63a14a67f25cd0f89fe6d4ff25051d1587aa85fec",
+ "search_line": 34
 },
 {
 "queryName": "Elasticsearch Domain Not Encrypted Node To Node",
 "severity": "MEDIUM",
 "line": 44,
- "fileName": "positive4.json"
+ "fileName": "positive4.json",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "MyOpenSearchDomain",
+ "searchKey": "Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' should be defined to true",
+ "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' is not defined to true",
+ "issueType": "IncorrectValue",
+ "similarityID": "98362e4281a427fd05d9e2b9ff46aed10fbd9fd53a804496daedf332a53f88cb",
+ "search_line": 44
 },
 {
 "queryName": "Elasticsearch Domain Not Encrypted Node To Node",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive5.yaml"
+ "fileName": "positive5.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "my-es-domain",
+ "searchKey": "Resources.MyElasticsearchDomain.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined",
+ "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "e8a051876063232a7945753b13164ba67038b474416ddb6f9800c8feff1226bf",
+ "search_line": 7
 },
 {
 "queryName": "Elasticsearch Domain Not Encrypted Node To Node",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive6.json"
+ "fileName": "positive6.json",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "my-es-domain",
+ "searchKey": "Resources.MyElasticsearchDomain.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined",
+ "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "4e1a3f955efe708f90b144215b655a71e644699202ca29ba3225ac9828aef6d6",
+ "search_line": 7
 },
 {
 "queryName": "Elasticsearch Domain Not Encrypted Node To Node",
 "severity": "MEDIUM",
 "line": 32,
- "fileName": "positive7.yaml"
+ "fileName": "positive7.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "my-es-domain",
+ "searchKey": "Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' should be defined to true",
+ "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' is not defined to true",
+ "issueType": "IncorrectValue",
+ "similarityID": "8daf59f8d7cb9c49a10a055c8428b45eebd3e9ecba651b11d3acde77202fb0e0",
+ "search_line": 32
 },
 {
 "queryName": "Elasticsearch Domain Not Encrypted Node To Node",
 "severity": "MEDIUM",
 "line": 42,
- "fileName": "positive8.json"
+ "fileName": "positive8.json",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "my-es-domain",
+ "searchKey": "Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' should be defined to true",
+ "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions.Enabled' is not defined to true",
+ "issueType": "IncorrectValue",
+ "similarityID": "c58ea3c51299ceb50005a83c68bd2df8849d4666a9e97f5c6073f1bb8e07cb3d",
+ "search_line": 42
 },
 {
 "queryName": "Elasticsearch Domain Not Encrypted Node To Node",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive9.yaml"
+ "fileName": "positive9.yaml",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "MyOpenSearchDomain",
+ "searchKey": "Resources.MyOpenSearchDomain.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined",
+ "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "75a79b49dfc40011fbab2d3b979584d2b3fba662b31413ef546dd8ee993648c2",
+ "search_line": 7
 },
 {
 "queryName": "Elasticsearch Domain Not Encrypted Node To Node",
 "severity": "MEDIUM",
 "line": 10,
- "fileName": "positive10.json"
+ "fileName": "positive10.json",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "MyOpenSearchDomain",
+ "searchKey": "Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined",
+ "actualValue": "'Resources.MyOpenSearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "8d6cae288068d43938730c274bc3aa640041db40d355ba9045a915101ca02c90",
+ "search_line": 10
 },
 {
 "queryName": "Elasticsearch Domain Not Encrypted Node To Node",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive11.yaml"
+ "fileName": "positive11.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "my-es-domain",
+ "searchKey": "Resources.MyElasticsearchDomain.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined",
+ "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "5d9e5c45224a82bc1ceb4c0be9d5191a0448bd18839486b6d08b0da1be29e59b",
+ "search_line": 7
 },
 {
 "queryName": "Elasticsearch Domain Not Encrypted Node To Node",
 "severity": "MEDIUM",
 "line": 10,
- "fileName": "positive12.json"
+ "fileName": "positive12.json",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "my-es-domain",
+ "searchKey": "Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' should be defined",
+ "actualValue": "'Resources.MyElasticsearchDomain.Properties.NodeToNodeEncryptionOptions' is null or not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "66beadb720b0311279103f7760c593c5ca5b7303c6ebe6206dee29c27c87876f",
+ "search_line": 10
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json
index 572646d6388..8585f754532 100644
--- a/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json
@@ -3,30 +3,75 @@
 "queryName": "ElasticSearch Not Encrypted At Rest",
 "severity": "HIGH",
 "line": 16,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "test",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions should be enabled",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions is disabled",
+ "issueType": "IncorrectValue",
+ "similarityID": "c9b20a7ff4f3cfa1b855199f41f9a971fadb972e6f8c14178316df5ff38a070f",
+ "search_line": -1
 },
 {
 "queryName": "ElasticSearch Not Encrypted At Rest",
 "severity": "HIGH",
 "line": 6,
- "fileName": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "test",
+ "searchKey": "Resources.ElasticsearchDomain1.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain1.Properties.EncryptionAtRestOptions should be defined and not null",
+ "actualValue": "Resources.ElasticsearchDomain1.Properties.EncryptionAtRestOptions is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "883632222952de5c5896446b37cfae08362f2d4c2d9c53b359724b3339a8a503",
+ "search_line": -1
 },
 {
 "queryName": "ElasticSearch Not Encrypted At Rest",
 "severity": "HIGH",
 "line": 8,
- "fileName": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "test",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions should be enabled",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions is disabled",
+ "issueType": "IncorrectValue",
+ "similarityID": "9f0923a2ce65a2758bbf86c5d74a10df54d3d5571c0da36c5569ad007a0f0e2c",
+ "search_line": -1
 },
 {
 "queryName": "ElasticSearch Not Encrypted At Rest",
 "severity": "HIGH",
 "line": 5,
- "fileName": "positive4.json"
+ "fileName": "positive4.json",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "test",
+ "searchKey": "Resources.ElasticsearchDomain1.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain1.Properties.EncryptionAtRestOptions should be defined and not null",
+ "actualValue": "Resources.ElasticsearchDomain1.Properties.EncryptionAtRestOptions is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "cd45d76d364dc971eeb7d47a76ef6c6ea17586e58dd8c26845e7a244083e83d7",
+ "search_line": -1
 },
 {
 "queryName": "ElasticSearch Not Encrypted At Rest",
 "severity": "HIGH",
 "line": 16,
- "fileName": "positive5.yaml"
+ "fileName": "positive5.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "test",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions should be enabled",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.EncryptionAtRestOptions is disabled",
+ "issueType": "IncorrectValue",
+ "similarityID": "ac38388246a9aa6c1db863f37a74297c5920e91fc07ecef60211782424b4dd89",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json
index 2e61a6091c4..7b26b317feb 100644
--- a/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json
@@ -3,24 +3,60 @@
 "queryName": "Elasticsearch with HTTPS disabled",
 "severity": "MEDIUM",
 "line": 15,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "OpenSearchDomain",
+ "searchKey": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS",
+ "searchValue": "",
+ "expectedValue": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS should be set to 'true'",
+ "actualValue": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS is set to 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "bbf2cb8312f4d48653d0445725c6d2e40a072c6899442cc238fda6ed5e9231b8",
+ "search_line": -1
 },
 {
 "queryName": "Elasticsearch with HTTPS disabled",
 "severity": "MEDIUM",
 "line": 24,
- "fileName": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "my-elasticsearch-domain",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.DomainEndpointOptions",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS is not set",
+ "issueType": "MissingAttribute",
+ "similarityID": "b850cb96e5e402030eb76cb6daedf2fd6962993055dff77407cbf92484b2dad8",
+ "search_line": -1
 },
 {
 "queryName": "Elasticsearch with HTTPS disabled",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "my-elasticsearch-domain",
+ "searchKey": "Resources.ElasticsearchDomain.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS is not set",
+ "issueType": "MissingAttribute",
+ "similarityID": "2dde1e15555b405dbf6465cf5bd9e29cbccbf71b25f277936b80ce2c9a40eebf",
+ "search_line": -1
 },
 {
 "queryName": "Elasticsearch with HTTPS disabled",
 "severity": "MEDIUM",
 "line": 15,
- "fileName": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "OpenSearchDomain",
+ "searchKey": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS",
+ "searchValue": "",
+ "expectedValue": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS should be set to 'true'",
+ "actualValue": "Resources.OpenSearchDomain.Properties.DomainEndpointOptions.EnforceHTTPS is set to 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "902085ca73cdc744053e67273333577ead73c2d85308506587f019538f86c437",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/elasticsearch_without_audit_logs/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_without_audit_logs/test/positive_expected_result.json
index 5047b434ad6..02b6790b3d5 100644
--- a/assets/queries/cloudFormation/aws/elasticsearch_without_audit_logs/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/elasticsearch_without_audit_logs/test/positive_expected_result.json
@@ -3,120 +3,300 @@
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
 "line": 13,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "7d1fe3b7404dabc8d5b1a5cc7d0ad4d029a827923042f8742ba4acda9e14cc10",
+ "search_line": 13
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare audit logs",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare audit logs",
+ "issueType": "MissingAttribute",
+ "similarityID": "d1c25ee3148f071d5703c549ee6857f90cc95823e1876ffc04a527ec94ec7b8f",
+ "search_line": 9
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "ed08015539fa6b9fc9800be291333d6035eeb1894dd5a908c40091156a22e334",
+ "search_line": 6
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
 "line": 13,
- "fileName": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "9cf0d9d88953453a12bd738d9253bfa679a2604cff4e829f6ad3678a888d4348",
+ "search_line": 13
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
 "line": 10,
- "fileName": "positive5.yaml"
+ "fileName": "positive5.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is undefined",
+ "issueType": "IncorrectValue",
+ "similarityID": "eff470c86af6818fc9a94e71f376f334f83f33b1c0623d75d40697a741080837",
+ "search_line": 10
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
 "line": 13,
- "fileName": "positive6.yaml"
+ "fileName": "positive6.yaml",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "ElasticsearchDomain",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "d08af32b7d70c1e82b50713701104006685ad87fb37067b0671493a95d3283a8",
+ "search_line": 13
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive7.yaml"
+ "fileName": "positive7.yaml",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "ElasticsearchDomain",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare audit logs",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare audit logs",
+ "issueType": "MissingAttribute",
+ "similarityID": "89d9a04acb70c9dd4df637d516738a2333fa55507073bbec7786b4af0cb29de3",
+ "search_line": 9
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive8.yaml"
+ "fileName": "positive8.yaml",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "ElasticsearchDomain",
+ "searchKey": "Resources.ElasticsearchDomain.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "f547a63473f42fad211e2e0ce72be69c7c1f8e0578ab2fb14a35fa06e74d62f6",
+ "search_line": 6
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
 "line": 13,
- "fileName": "positive9.yaml"
+ "fileName": "positive9.yaml",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "ElasticsearchDomain",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "efe3fe5ba15099192d46d9397679c7337d1e2963057ae21ff98e30a5d4efdc5f",
+ "search_line": 13
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
 "line": 10,
- "fileName": "positive10.yaml"
+ "fileName": "positive10.yaml",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "ElasticsearchDomain",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is undefined",
+ "issueType": "IncorrectValue",
+ "similarityID": "f136372ee8e31a4c5cbd9efb8d8374c7068b465c9e687602d19fbbf2f952ff81",
+ "search_line": 10
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
 "line": 14,
- "fileName": "positive11.json"
+ "fileName": "positive11.json",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "71229afa53fb58441af0072cc97c7fba0819449f5eea4cd702caba18d0df29a5",
+ "search_line": 14
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
 "line": 11,
- "fileName": "positive12.json"
+ "fileName": "positive12.json",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare audit logs",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare audit logs",
+ "issueType": "MissingAttribute",
+ "similarityID": "31a4f0bea14335cf781ae92fa442a7542f9375a681233b5f6fe33db1c2b4da84",
+ "search_line": 11
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive13.json"
+ "fileName": "positive13.json",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "d4e819708f489b736c7607eef68f57121967a4be1292361d1debe6e21fbedbd3",
+ "search_line": 7
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
 "line": 14,
- "fileName": "positive14.json"
+ "fileName": "positive14.json",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "811eb1201f533cc4fc9a16c14d79d4a519bf8afa930b057c14bb8c1b728d6360",
+ "search_line": 14
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
 "line": 12,
- "fileName": "positive15.json"
+ "fileName": "positive15.json",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is undefined",
+ "issueType": "IncorrectValue",
+ "similarityID": "22e38c9dd3747e812c3fa421afb5a147691af09cc306b923bdd7f8f0336bb5f4",
+ "search_line": 12
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
 "line": 14,
- "fileName": "positive16.json"
+ "fileName": "positive16.json",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "ElasticsearchDomain",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "d7d817f8d4da581dc9f15bc762421fd2a134d1ed6e94e7f680841a60de7664ac",
+ "search_line": 14
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
 "line": 11,
- "fileName": "positive17.json"
+ "fileName": "positive17.json",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "ElasticsearchDomain",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare audit logs",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare audit logs",
+ "issueType": "MissingAttribute",
+ "similarityID": "8d7166a6f4920acd71d1b2714e19ab12d8410863e5d218753f532614e1d05032",
+ "search_line": 11
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive18.json"
+ "fileName": "positive18.json",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "ElasticsearchDomain",
+ "searchKey": "Resources.ElasticsearchDomain.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "597faafa64bc457dc93b196c200bd64aae866701de70ab58446793607b915842",
+ "search_line": 7
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
 "line": 14,
- "fileName": "positive19.json"
+ "fileName": "positive19.json",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "ElasticsearchDomain",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is set to 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "b484f1c3ca65eae12eb1b700acab03fe5b1ea41c5f16755f649efc41d72bc6c3",
+ "search_line": 14
 },
 {
 "queryName": "ElasticSearch Without Audit Logs",
 "severity": "MEDIUM",
 "line": 12,
- "fileName": "positive20.json"
+ "fileName": "positive20.json",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "ElasticsearchDomain",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.AUDIT_LOGS.Enabled is undefined",
+ "issueType": "IncorrectValue",
+ "similarityID": "62c8dd754574a76531c2227d29b9c45502fa6e5521add04c17c409124d8f748a",
+ "search_line": 12
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/elasticsearch_without_es_application_logs/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_without_es_application_logs/test/positive_expected_result.json
index 60b2f117754..ef0e396e8cd 100644
--- a/assets/queries/cloudFormation/aws/elasticsearch_without_es_application_logs/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/elasticsearch_without_es_application_logs/test/positive_expected_result.json
@@ -3,120 +3,300 @@ "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", "line": 13, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "8514bbbbc7bb0432bc163a9d5a14e63751fdaebbdf44e13f5acdd1fcf4579139", + "search_line": 13 }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare es application logs", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare es application logs", + "issueType": "MissingAttribute", + "similarityID": "34282fd2c19d74c5c45e6c42a2c0009d100410a7e9bc6f2eded4d0046a2d847a", + "search_line": 9 }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", "line": 6, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": 
"Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "4b5cb0ccda2658bddc498fdbdcef922752af1f6313924d5ccc115435efa51771", + "search_line": 6 }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", "line": 13, - "fileName": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "70d951d7c8333d56b163caf3037368c25bb1cd167d047f5a3ff8621d4d67e936", + "search_line": 13 }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", "line": 10, - "fileName": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is undefined", + "issueType": "IncorrectValue", + "similarityID": "35dd8ed9926ebddbb3f50a62927d07a882cba4b3a87a9e455a04331d141a1f3a", + "search_line": 10 }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", "line": 13, - "fileName": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": 
"ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "c24f0921c1f0065282e9003b9280eb09fa3ec2a91ca03914224f8c0077681e32", + "search_line": 13 }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", "line": 9, - "fileName": "positive7.yaml" + "fileName": "positive7.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare es application logs", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare es application logs", + "issueType": "MissingAttribute", + "similarityID": "10c4a564a5ed4baca3781007dc6dc1150171b54d628c6a8120194f04a3c0846d", + "search_line": 9 }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", "line": 6, - "fileName": "positive8.yaml" + "fileName": "positive8.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "f962810bc4e7c58dd8e739822d7ffcf0b48390e196ce0c14e6ccaef1a8ce595c", + "search_line": 6 }, { 
"queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", "line": 13, - "fileName": "positive9.yaml" + "fileName": "positive9.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "0273290f90b46ef2a39bd34ef19f07d102fe6ae4684a1eb1b03feda16fbe7ea7", + "search_line": 13 }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", "line": 10, - "fileName": "positive10.yaml" + "fileName": "positive10.yaml", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is undefined", + "issueType": "IncorrectValue", + "similarityID": "8c435e903d7b256a7e198b7aefd676334f5b2cf24eb0fadf14e318b20faf8827", + "search_line": 10 }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", "line": 14, - "fileName": "positive11.json" + "fileName": "positive11.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", + "searchValue": "", + "expectedValue": 
"Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "eb5468fb9e9888f2f0f37fac8fa72f7bf7403faa4cc9aa4d8601b83ff446162d", + "search_line": 14 }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", "line": 11, - "fileName": "positive12.json" + "fileName": "positive12.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare es application logs", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare es application logs", + "issueType": "MissingAttribute", + "similarityID": "94dd10c8805750daa97a9146947eb7c2ba132f3e29cc87231aa9cf071c93ab3f", + "search_line": 11 }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", "line": 7, - "fileName": "positive13.json" + "fileName": "positive13.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "cde7dbb078cd26236604b57814573029b70868dbac6e7a66983beb711d7a315c", + "search_line": 7 }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", "line": 14, - "fileName": "positive14.json" + "fileName": "positive14.json", + "resourceType": "AWS::Elasticsearch::Domain", + 
"resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "a3983ce20dff56b1486719c2e04f57db26530bf3aeadc56a061719220e7f61f9", + "search_line": 14 }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", "line": 12, - "fileName": "positive15.json" + "fileName": "positive15.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is undefined", + "issueType": "IncorrectValue", + "similarityID": "b6d917dcb1bbba5ee76491d247a5a24a5d99656da08be330ed5e8bc691cf540e", + "search_line": 12 }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", "line": 14, - "fileName": "positive16.json" + "fileName": "positive16.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'", + 
"issueType": "IncorrectValue", + "similarityID": "bfe63381fe3596fe92b7a90ed97f8e914d83d2c12919cee82efa696d64defbdb", + "search_line": 14 }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", "line": 11, - "fileName": "positive17.json" + "fileName": "positive17.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare es application logs", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare es application logs", + "issueType": "MissingAttribute", + "similarityID": "3c139512eb3b31c8d1989a46a9cdccfb66242cbfae4211ea805b089da0b718ea", + "search_line": 11 }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", "line": 7, - "fileName": "positive18.json" + "fileName": "positive18.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "bb02633c22dea832371244866860f03a81fe078f8689605dd88acebb7b6ae0c5", + "search_line": 7 }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", "line": 14, - "fileName": "positive19.json" + "fileName": "positive19.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled", + "searchValue": "", + "expectedValue": 
"Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "951dc98dc24538e2662e07ff8ec418fb842345a7673041f749db0b72606b0504", + "search_line": 14 }, { "queryName": "ElasticSearch Without Es Application Logs", "severity": "MEDIUM", "line": 12, - "fileName": "positive20.json" + "fileName": "positive20.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.ES_APPLICATION_LOGS.Enabled is undefined", + "issueType": "IncorrectValue", + "similarityID": "0a4ea4424418c5728ab062e31c919618a8ca447916dca0145709b237bf40187e", + "search_line": 12 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json index 5986337a1f0..53f652f43e9 100644 --- a/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json 
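Review bot: The regenerated entries pin `"resourceName": ""` for every `AWS::Elasticsearch::Domain` finding while the `AWS::OpenSearchService::Domain` entries in the same list carry `"resourceName": "ElasticsearchDomain"`, even though both sets point at the same logical resource in `searchKey`. If that asymmetry comes from the legacy-type branch of the query not populating the resource name, checking the fixture in as-is turns the gap into an expected result that the test suite will defend, so it is worth confirming against the query before accepting the generated output. The same pattern appears in the audit-logs hunk above and the slow-logs hunk below. A short note in the PR description saying whether the empty name is intended for the legacy resource type would make later regeneration diffs easier to read.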
@@ -3,12 +3,30 @@
 "queryName": "Elasticsearch Without IAM Authentication",
 "severity": "MEDIUM",
 "line": 24,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "test",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.AccessPolicies.Statement",
+ "searchValue": "",
+ "expectedValue": "Elasticsearch Domain should ensure IAM Authentication",
+ "actualValue": "Elasticsearch Domain does not ensure IAM Authentication",
+ "issueType": "IncorrectValue",
+ "similarityID": "c075b4ea15a2f1713ecd4f399b6e57df5cf57a3ed3e2119e2820da52976a91ec",
+ "search_line": 24
 },
 {
 "queryName": "Elasticsearch Without IAM Authentication",
 "severity": "MEDIUM",
 "line": 26,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "test",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.AccessPolicies.Statement",
+ "searchValue": "",
+ "expectedValue": "Elasticsearch Domain should ensure IAM Authentication",
+ "actualValue": "Elasticsearch Domain does not ensure IAM Authentication",
+ "issueType": "IncorrectValue",
+ "similarityID": "257acf14ffb2d6f15167d004151f7a45df6422d1652f83f24472d31153b1c8c3",
+ "search_line": 26
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json
index 9872b4ed14c..f2a003eb49e 100644
--- a/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json
@@ -3,192 +3,480 @@
 "queryName": "ElasticSearch Without Slow Logs",
 "severity": "LOW",
 "line": 13,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "330f83b20b22df510507193567216dbb6285e526fc90f1aeb9c7c3ef5c2094ca",
+ "search_line": 13
 },
 {
 "queryName": "ElasticSearch Without Slow Logs",
 "severity": "LOW",
 "line": 17,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "fed2580a5143957b8775243f4cfb545248430b5e8248187ba4dfe8e7bca751a8",
+ "search_line": 17
 },
 {
 "queryName": "ElasticSearch Without Slow Logs",
 "severity": "LOW",
 "line": 9,
- "fileName": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare slow logs",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare slow logs",
+ "issueType": "MissingAttribute",
+ "similarityID": "d540b2e6884acbcfc30d75ef719e2405437e3356a908ac7e20d4c8cea121dd4f",
+ "search_line": 9
 },
 {
 "queryName": "ElasticSearch Without Slow Logs",
 "severity": "LOW",
 "line": 6,
- "fileName": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "3b8ea28755011fcda9499ed4f45cbf0897de7799e3838fd7adb17f750afdb23a",
+ "search_line": 6
 },
 {
 "queryName": "ElasticSearch Without Slow Logs",
 "severity": "LOW",
 "line": 13,
- "fileName": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "d6ed9d105e09f4484524bf48899c1152b0cb04deff32e0ec05110e991dcd52b6",
+ "search_line": 13
 },
 {
 "queryName": "ElasticSearch Without Slow Logs",
 "severity": "LOW",
 "line": 17,
- "fileName": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "bc94e404132ce0ff48546d74fe954d52c370d198ba9e4cbab5b1a7eecdb070c4",
+ "search_line": 17
 },
 {
 "queryName": "ElasticSearch Without Slow Logs",
 "severity": "LOW",
 "line": 10,
- "fileName": "positive5.yaml"
+ "fileName": "positive5.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is undefined",
+ "issueType": "IncorrectValue",
+ "similarityID": "b5a9f6063f0f2bcd889beadcc22661a03eee5f7d284730811181bc5c4bbe8644",
+ "search_line": 10
 },
 {
 "queryName": "ElasticSearch Without Slow Logs",
 "severity": "LOW",
 "line": 13,
- "fileName": "positive5.yaml"
+ "fileName": "positive5.yaml",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is undefined",
+ "issueType": "IncorrectValue",
+ "similarityID": "0a3088c88141cbe40ae906e5e4f291b7839cf9ab4c9d4ea153176956cfd62575",
+ "search_line": 13
 },
 {
 "queryName": "ElasticSearch Without Slow Logs",
 "severity": "LOW",
 "line": 13,
- "fileName": "positive6.yaml"
+ "fileName": "positive6.yaml",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "ElasticsearchDomain",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "dc08cedb5aad1ccfbc6999350b8e01697376ca05366e957af99617d916319c11",
+ "search_line": 13
 },
 {
 "queryName": "ElasticSearch Without Slow Logs",
 "severity": "LOW",
 "line": 17,
- "fileName": "positive6.yaml"
+ "fileName": "positive6.yaml",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "ElasticsearchDomain",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "07bde6874091c952dc071ee2f66d31992ece12aac481d60a42651bc7306bc6e5",
+ "search_line": 17
 },
 {
 "queryName": "ElasticSearch Without Slow Logs",
 "severity": "LOW",
 "line": 9,
- "fileName": "positive7.yaml"
+ "fileName": "positive7.yaml",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "ElasticsearchDomain",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare slow logs",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare slow logs",
+ "issueType": "MissingAttribute",
+ "similarityID": "a725384e83c4a1201771cae671b9c7402ed10810ba8a0653ee15cacbdfd53640",
+ "search_line": 9
 },
 {
 "queryName": "ElasticSearch Without Slow Logs",
 "severity": "LOW",
 "line": 6,
- "fileName": "positive8.yaml"
+ "fileName": "positive8.yaml",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "ElasticsearchDomain",
+ "searchKey": "Resources.ElasticsearchDomain.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "62733ae1476ef3c2e38f9e931ea7bc3af164d67f1629426ebaab0efaa0abf106",
+ "search_line": 6
 },
 {
 "queryName": "ElasticSearch Without Slow Logs",
 "severity": "LOW",
 "line": 13,
- "fileName": "positive9.yaml"
+ "fileName": "positive9.yaml",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "ElasticsearchDomain",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "cdb1d6d4aae3b57e914dbac69c16aedf59a4c531f2ab4a21e7a84bc556c98dae",
+ "search_line": 13
 },
 {
 "queryName": "ElasticSearch Without Slow Logs",
 "severity": "LOW",
 "line": 17,
- "fileName": "positive9.yaml"
+ "fileName": "positive9.yaml",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "ElasticsearchDomain",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "61b44b464169fed115a16ce2d8f1a75acd31d66b01ac03a08582ea1b91f4eb7f",
+ "search_line": 17
 },
 {
 "queryName": "ElasticSearch Without Slow Logs",
 "severity": "LOW",
 "line": 10,
- "fileName": "positive10.yaml"
+ "fileName": "positive10.yaml",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "ElasticsearchDomain",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is undefined",
+ "issueType": "IncorrectValue",
+ "similarityID": "5cd0e8e9e66ed7c184aa3270494ee28907af5bf3fcb9fb8ee47f50dfafecedaf",
+ "search_line": 10
 },
 {
 "queryName": "ElasticSearch Without Slow Logs",
 "severity": "LOW",
 "line": 13,
- "fileName": "positive10.yaml"
+ "fileName": "positive10.yaml",
+ "resourceType": "AWS::OpenSearchService::Domain",
+ "resourceName": "ElasticsearchDomain",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is undefined",
+ "issueType": "IncorrectValue",
+ "similarityID": "6f31201018e6bfd54d8bc4f15ed1b048a7935114e1c64e98e974967ecc10f34a",
+ "search_line": 13
 },
 {
 "queryName": "ElasticSearch Without Slow Logs",
 "severity": "LOW",
 "line": 14,
- "fileName": "positive11.json"
+ "fileName": "positive11.json",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "663410986d64515929815e31c5eec8bc6f38b0f5e196d7081ca57c9073a58fe9",
+ "search_line": 14
 },
 {
 "queryName": "ElasticSearch Without Slow Logs",
 "severity": "LOW",
 "line": 18,
- "fileName": "positive11.json"
+ "fileName": "positive11.json",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "ad243a1d78add55823ac7720b7308de6f8269876267b475b12066eeab9359892",
+ "search_line": 18
 },
 {
 "queryName": "ElasticSearch Without Slow Logs",
 "severity": "LOW",
 "line": 11,
- "fileName": "positive12.json"
+ "fileName": "positive12.json",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare slow logs",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare slow logs",
+ "issueType": "MissingAttribute",
+ "similarityID": "c66e100c98e6302695b86b6c5e9f8086dbc76af48a732721ecd88497b1063e01",
+ "search_line": 11
 },
 {
 "queryName": "ElasticSearch Without Slow Logs",
 "severity": "LOW",
 "line": 7,
- "fileName": "positive13.json"
+ "fileName": "positive13.json",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "6fc2003e28ae5cf4de77919a0333292a8325112188c4ea01102b3fa23c4bcebc",
+ "search_line": 7
 },
 {
 "queryName": "ElasticSearch Without Slow Logs",
 "severity": "LOW",
 "line": 14,
- "fileName": "positive14.json"
+ "fileName": "positive14.json",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'",
+ "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "198471ccfa0fcf16ddd06390cd13d23aa2dde93f272c295f611240380cb93b12",
+ "search_line": 14
 },
 {
 "queryName": "ElasticSearch Without Slow Logs",
 "severity": "LOW",
 "line": 18,
- "fileName": "positive14.json"
+ "fileName": "positive14.json",
+ "resourceType": "AWS::Elasticsearch::Domain",
+ "resourceName": "",
+ "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled",
+ "searchValue": "",
+ "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 
'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "38f347c6e15eaecab7ecd61fd32e72e7450b155087d26371bf3430b61f7d5441", + "search_line": 18 }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", "line": 12, - "fileName": "positive15.json" + "fileName": "positive15.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is undefined", + "issueType": "IncorrectValue", + "similarityID": "5b2b6aaa106c06529793231b0ce05786e0ae3b6e75f73dddc0713353ed6f2f72", + "search_line": 12 }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", "line": 15, - "fileName": "positive15.json" + "fileName": "positive15.json", + "resourceType": "AWS::Elasticsearch::Domain", + "resourceName": "", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is undefined", + "issueType": "IncorrectValue", + "similarityID": "f8af367b85369d2909b7f381fa690c4bece37e74959f9ce930aa60103e9f793f", + "search_line": 15 }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", "line": 14, - "fileName": "positive16.json" + "fileName": "positive16.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + 
"searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "5e4a6cfcb634bdf101f0e561975706841d308df52d25526f357ed7269dbb02df", + "search_line": 14 }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", "line": 18, - "fileName": "positive16.json" + "fileName": "positive16.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "78fff1cc08217593c866b9a95d8f088f3fd696b749b7e2da497a6fa7296cb3ec", + "search_line": 18 }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", "line": 11, - "fileName": "positive17.json" + "fileName": "positive17.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should declare slow logs", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions does not declare slow logs", + "issueType": "MissingAttribute", + "similarityID": "f10fb203ea10b4eb651d60efbd9eb8217ec997a7567507d8636ade4f69f337c3", + 
"search_line": 11 }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", "line": 7, - "fileName": "positive18.json" + "fileName": "positive18.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions should be defined and not null", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "6bccbf4e1edaec60705c0b586f3a52303b9baca07eb4bc76825af1babec66f24", + "search_line": 7 }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", "line": 14, - "fileName": "positive19.json" + "fileName": "positive19.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "a7a25e5ee5c645737941b84d0f3ebb195bb03c8a04ff3baede23bb1a7827dc88", + "search_line": 14 }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", "line": 18, - "fileName": "positive19.json" + "fileName": "positive19.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + 
"actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "130ba5d5edf4acfd31f6bc25a7c9fc85cd12c2527e3ae6fdec15e13bff0451f8", + "search_line": 18 }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", "line": 12, - "fileName": "positive20.json" + "fileName": "positive20.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled is undefined", + "issueType": "IncorrectValue", + "similarityID": "09c0375e6d9696de1b018efaa37b67b819875fce4b92682f89354b7298908420", + "search_line": 12 }, { "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", "line": 15, - "fileName": "positive20.json" + "fileName": "positive20.json", + "resourceType": "AWS::OpenSearchService::Domain", + "resourceName": "ElasticsearchDomain", + "searchKey": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS", + "searchValue": "", + "expectedValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled should be defined and set to 'true'", + "actualValue": "Resources.ElasticsearchDomain.Properties.LogPublishingOptions.INDEX_SLOW_LOGS.Enabled is undefined", + "issueType": "IncorrectValue", + "similarityID": "7469d4a3a06de62e62652344d7376cd0b712eb0e068f8f29fa01924ff28fa688", + "search_line": 15 } -] \ No newline at end of file +] 
diff --git a/assets/queries/cloudFormation/aws/elb_access_log_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_access_log_disabled/test/positive_expected_result.json
index d4dfeba79a3..acad8638439 100644
--- a/assets/queries/cloudFormation/aws/elb_access_log_disabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/elb_access_log_disabled/test/positive_expected_result.json
@@ -3,30 +3,75 @@ "queryName": "ELB Access Log Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Properties.AccessLoggingPolicy' should exist", + "actualValue": "'Resources.MyLoadBalancer.Properties.AccessLoggingPolicy' is missing", + "issueType": "MissingAttribute", + "similarityID": "16d588cf576401f607f3ed6ac6d6240ef20552d9f6396df88e7cc2b46075026a", + "search_line": -1 }, { "queryName": "ELB Access Log Disabled", "severity": "MEDIUM", "line": 31, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer2", + "searchKey": "Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is true", + "actualValue": "'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is false", + "issueType": "IncorrectValue", + "similarityID": "d0af674356cd7231aaea234d133afe250814f013f3cce9d5eb331e181588523d", + "search_line": -1 }, { "queryName": "ELB Access Log Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Properties.AccessLoggingPolicy' should exist", + "actualValue": "'Resources.MyLoadBalancer.Properties.AccessLoggingPolicy' is missing", + "issueType": "MissingAttribute", + "similarityID": "3e4ef8103ae6f99dd3e2613211fd2b732338d737223522dd9d7d060a5a023159", + "search_line": -1 }, { "queryName": "ELB Access Log 
Disabled", "severity": "MEDIUM", "line": 18, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer2", + "searchKey": "Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is true", + "actualValue": "'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is false", + "issueType": "IncorrectValue", + "similarityID": "d048a68e2abdf1e213d46ae792f2449a16614c8f8db1a07516c6e5b5e054f8c0", + "search_line": -1 }, { "queryName": "ELB Access Log Disabled", "severity": "MEDIUM", "line": 31, - "fileName": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer2", + "searchKey": "Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is true", + "actualValue": "'Resources.MyLoadBalancer2.Properties.AccessLoggingPolicy.Enabled' is false", + "issueType": "IncorrectValue", + "similarityID": "7fc0162e54bd244bc1491c724a425ec10b0da0d1a6a6e07c1bc3b31ecbea7bc9", + "search_line": -1 } ]
diff --git a/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json
index 419d903f827..0c400b387cb 100644
--- a/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json
@@ -3,1236 +3,3090 @@ "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "POP3 (TCP:110) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "0a25da3b0c42bbaecc2184b78b2a950925cbde65b0a819dc18124a14644e81b5", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,11211", + "expectedValue": "Memcached (TCP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached (TCP:11211) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "8a0b5e0750001ba276196808d05998ad71cb2f0539b6668233c3884c82578a64", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,11214", + "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (TCP:11214) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + 
"similarityID": "15f80a8e4d6af59b598595ee50dc5854369af75faba26a35fe6307db3b7237f3", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,11215", + "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (TCP:11215) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "e33bdbdb54b3c665db350a0c911ce31e745ee1152e74d7c32205b2d9a3893ba0", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Debugger (TCP:135) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "72a4ce36c866838216b96ecd494d2ef3e143db76ebf28b92286ddcda2d12c895", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": 
"NetBIOS Name Service (TCP:137) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "9c1d4d29fc8f18fae7a6311c40c944eaf81fc122753409c9a50b0f72cdd5f06b", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "666ff17c345a81e133eabda0e045848fb458273f16eef044ed90f86ac4c623ad", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "ed31fd8ac09d2fb5f6a24126c78e9297282108502f5fd7d4b36e8899d9892d1f", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + 
"searchValue": "TCP,1433", + "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Server (TCP:1433) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "bc0842a22d1e75b6d68b3ab75c366ef0530d5d993744d2b1004fc835b74611bc", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,1434", + "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Browser (TCP:1434) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "72ccf021929c572760573897e36980203507224f9b65e361c9518c9be725198d", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,1521", + "expectedValue": "Oracl DB (TCP:1521) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracl DB (TCP:1521) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "0307a70de77bf5b1ea7d211f2a2e67981c0fb6414cdbfc41f3fb9057b128f97e", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": 
"Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,1522", + "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "baf9b0d332e8fd3fa0f3b9f50a8947cd1cb1eef3cd1e69e7396b7606cf40d83f", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,161", + "expectedValue": "SNMP (TCP:161) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SNMP (TCP:161) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "398d6ed7de719c9d9a53b07a525ecb3263721b8af1f333d36397dbd4ae4d3a07", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "FTP (TCP:20) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "72c16e8512a58070a34a92b50739067157f8d27b224bbce72128820aae73bdd7", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + 
"fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "FTP (TCP:21) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "636074f0f80bba3d4855be219c8f1cc2b6936a3a6ac68dac11d5edbb5e908bf1", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "6dcce2c9353861ca952688d28de4682f03c61bfda623df4639a4522a68db73a1", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Telnet (TCP:23) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "1cdf12ff3f4de7bf15dfb7eb42190ce758df1c6fa1d5cae72d3ecac09ed2d7c4", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 
22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2375", + "expectedValue": "Docker (TCP:2375) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Docker (TCP:2375) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "f019dd2770901b34b67328f62ae589c0fdf70136485a12f6dc7654dc58fa2136", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2376", + "expectedValue": "Docker (TCP:2376) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Docker (TCP:2376) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "8fafeb3a42a5c3ad6945014beab7264faf4558485aa6112cfa8be92c3a0461d0", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2382", + "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SQL Server Analysis (TCP:2382) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "d73aa2e91918e09eb17770982b877e4f3aa07259cc615254d1f5765296a11d92", + "search_line": 22 }, { 
"queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2383", + "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "8027ee3cc62da392d42746b2af54af954b347b70ef33f16f6867b1492c46b08c", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2483", + "expectedValue": "Oracle DB SSL (TCP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "2683a9d25e9aced8ae6defdfa15a5041c3184e1721a32974e5035293df82c162", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2484", + "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": 
"IncorrectValue", + "similarityID": "43e0b16863c5642cff145d7cf89cd50c885a40d4408a847902d23f9623f0b5ac", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SMTP (TCP:25) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "e41deaf7780252a23c1988c1a5d6e00b63f6c0874e7a5b2fede3bb97dad5e2b9", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,27017", + "expectedValue": "Mongo (TCP:27017) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Mongo (TCP:27017) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "b399729d8f8e3f674f8fc070e31f09479e6e1664e6a052fd720232bb34702e85", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,27018", + "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Mongo Web Portal 
(TCP:27018) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "8632895ea1c5e4746a0834d49f985b46a7bbd17cf3162cfbcdfb2973f0a4d293", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,3000", + "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Prevalent known internal port (TCP:3000) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "3474641eb1a5a6de16f265c628251c77d0b1340589d7bea0504095276ca7bb95", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,3020", + "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "CIFS / SMB (TCP:3020) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "2a80d1d209f870e4fac5268a77fc013ec46eaa2e29c5736a0ce1ca5507446410", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,3306", + 
"expectedValue": "MySQL (TCP:3306) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MySQL (TCP:3306) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "a671fb5aedc8713afec09139854511ccad97f8539a170ffb481d3e9c62bbb792", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,3389", + "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Remote Desktop (TCP:3389) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "76234dd75c936588740ab4c4a7f4df596cc8a3e7127b851bc789ebcf73b64e43", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,389", + "expectedValue": "LDAP (TCP:389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP (TCP:389) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "9c7afb635a86b4dba14ac6ea6f91733d4e9bc8af918f35c26e6450fd3027e76d", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": 
"Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,4333", + "expectedValue": "MySQL (TCP:4333) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MySQL (TCP:4333) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "94d06b0b7cfb8c2f6adf0ffd9f4934654dba14d153978c078a0a430d12afaf41", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,443", + "expectedValue": "HTTPS (TCP:443) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HTTPS (TCP:443) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "a646be43d24a8043a3b52f545db74c9c1abba371e3814dc5aa01497b0f157579", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,445", + "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Microsoft-DS (TCP:445) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "d7a36e634b424a084151b6eb4c4c7a24adf74b3f0fde016e2a5922598e5b9f5c", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": 
"AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,4505", + "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SaltStack Master (TCP:4505) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "f1db59b6c75cd28053f22874fff0ced246f4fdf935a45d30f7537dbeba2f02ec", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,4506", + "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SaltStack Master (TCP:4506) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "d1808e5b3d8d0d394a8ecf694b168a715831c1f48f922cf228dcc122d5d1424b", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,50070", + "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "cf77e7615bd22b1e8f40335c2b52b3bfecae49375b4275b87543eae3db91b932", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed 
To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,50470", + "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "c9432f619ce345a2cf0e93b3709ecdc5dd2f8091cf84ca4f408ad8b47abe25d2", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "DNS (TCP:53) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "ecedef162d7d1228be0c1aff1341aab1c9a111529f0a01cd0fcc5fb84115eb15", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5432", + "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "PostgreSQL (TCP:5432) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": 
"5119fc2fe8ac257e9dc12e3e6ae9bf8c098a9fa1e68811c2be0b0a9293c3fc19", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5500", + "expectedValue": "VNC Listener (TCP:5500) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "VNC Listener (TCP:5500) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "f2760ce906191d7ab0456c710ce044d80792aa5053e09c5759c8ea6fd27675ec", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5601", + "expectedValue": "Kibana (TCP:5601) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Kibana (TCP:5601) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "d8a7bb434a92020547e284d1e68d82f2ab6642f8205acc4b4a62bf574c39a18e", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5900", + "expectedValue": "VNC Server (TCP:5900) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "VNC Server (TCP:5900) is allowed in classic 
load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "6c82bd0dbb87a5693e0546c1edc8268e8cf40988736d12876c0948897cff4971", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5985", + "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "f78a282d2f040ddf28566082cf19c5c8c4d07b5dc7e078b679f8ec497ff48179", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,61620", + "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "478f212afa13a1614c96df2d87e1242e832a6fa17ae8d582704feb77d565b51a", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,61621", + "expectedValue": "Cassandra OpsCenter (TCP:61621) 
should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "34ddd161e73ee23e1001bcd63c3679ca7b04f90b6c85889dfec05f437a2154c1", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "335884b7a8482dc8f52bd48319647a1beb291d4ed9740d51cf8fc6683ebf8b9d", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,6379", + "expectedValue": "Redis (TCP:6379) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Redis (TCP:6379) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "9f43c961a6b3e1ee1f2819f1d3a5634a52b176f8f17b01ffe7fb91f3f6bf7c91", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": 
"Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,7000", + "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "b4219b8e03ee7e3108120cc0499f7c3ba687f1501c4a7b44c0ae88d31503456e", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,7001", + "expectedValue": "Cassandra (TCP:7001) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra (TCP:7001) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "4a19eb53fe16bf2b79af7de72f95f1fd64890b61812f2bb7a33d92688a973853", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,7199", + "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "c03ee3976fbe1ea314b8c594c642eafa75ca022851ac0b60f6cfc32841f7536b", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - 
"fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HTTP (TCP:80) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "a6e56704891d40dfec490820c7310ca55a2c420bac6e32b917f9d68118bf4d71", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8000", + "expectedValue": "Known internal web port (TCP:8000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Known internal web port (TCP:8000) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "4edd77f038c1a5d486b9d740673c3c47820067d2cd01ac40903ea167243975d1", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8020", + "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode (TCP:8020) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "f243cef664302d8a1319f7bb3e02dd6e10a6057e66c7b2c690ab7fb5144c0a17", + "search_line": 22 
}, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8080", + "expectedValue": "Known internal web port (TCP:8080) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Known internal web port (TCP:8080) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "f9350e73e9a8e6c9060c3a514cf30ee4177522e9b58cc5d382aa9e387d36a813", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8140", + "expectedValue": "Puppet Master (TCP:8140) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Puppet Master (TCP:8140) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "31524607e9d166e7ed0cda8f7165999f1875c351de8e3808da64a18585b53e91", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8888", + "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in classic load balancer 
'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "0457951b5cdcb2a50a657ed6f7ef85d03c8e3234803e1c28d0f1dd36061d25ca", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9000", + "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "dddc83c385b23c295d8a1cc06ceb997a64b73df13cd3ef919b86a5602e7503e1", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9042", + "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Client (TCP:9042) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "6f0c3bf65355a82318e436be9757a40d0c1bcfca2ea740eccdf4b21e1ed2fb3e", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9090", + "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed 
in classic load balancer 'LoadBalancer01'", + "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "782637db2d499ab027c9d9eec6f958193a23c50d94b0002088e8ddaf75a7c06c", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9160", + "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Thrift (TCP:9160) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "91117722e2451bd20fd806219c549f6333185a52a5be087d54e95d0a319d320e", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9200", + "expectedValue": "Elastic Search (TCP:9200) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Elastic Search (TCP:9200) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "f3a3f20d8d6bf0cf3194e15bbe13d8d8ee7cb260c8847d15a442636c184df809", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": 
"Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9300", + "expectedValue": "Elastic Search (TCP:9300) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Elastic Search (TCP:9300) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "2be6a41afa955b1787f5cc268757c4576d2a4d3fc15c6fe795dcf0f306906860", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,11211", + "expectedValue": "Memcached (UDP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached (UDP:11211) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "1592fb257cd4bfa5c32796437629e44878d23b8ebe2c13faa8abbb7452069098", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,11214", + "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (UDP:11214) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "0cb95b86b5ddcca349dbe749ff729c5ef641ffa83fc99d5cfd85b995ffd07673", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": 
"positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,11215", + "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (UDP:11215) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "5d924753e37ad3a92d555fbc72b54e687eaa23eb4e3afd4db6a4db37ae881423", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "97683eb20fbc9fe503d2ebd70b70a932f635c0f224b0ce25c2dd510f7ef9e1e9", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "8334124a9c9ed70df9fe06976c3dacc85b4c0f756d50ebf33be043f2ef84e1d6", + "search_line": 22 }, { 
"queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "a8e14d2ef7fc4fd0d20b7c1ea7e8a3170fd4ac06d41676ab449bc19b5c28ac9d", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "40a07d774c52846b9c4eeb57130001917415ff60ee16170fe1d45eaabe230e12", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,161", + "expectedValue": "SNMP (UDP:161) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SNMP (UDP:161) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + 
"similarityID": "3bcab5fd99c6073770f99905b44d819d2e45a704e14931f938055d46415344c4", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "0243faa0f1019476a045fe8612f7365e2ec209d8e22574b42ac9f5ee1b3394a6", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "dbc79010c2ca1f0209078b3222af1fce3a4a33980bed1cf2ce4ca7dc8433f031", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,389", + "expectedValue": "LDAP (UDP:389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP (UDP:389) is 
allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "f7c8a90f208c08a5d31383b62a64e129f5e637ae34de1e54865e9d95de454357", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "DNS (UDP:53) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "272efbbe837039f5101638e11e6493a4cd010396243d92f3c894a94a37d34175", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,5432", + "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "PostgreSQL (UDP:5432) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "923208c0d03e20b47c31389a2bde1f5e21c59ad111bb38c1940b5ea848a1d8b6", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 32, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 
'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "26a312741b09b59fc2bd7b8ad19fee5b167f58fa38a5d8efaf9e6cb169460259", + "search_line": 32 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 42, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "8312bde6c3a69cdc3c63a47bae98fdbd4c2c12a03e832b03baeaf84e5b3126db", + "search_line": 42 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 50, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "d6307720b9bf35dbb504f63a45219075dcd1aad36c6023dda066a4f6debf4ace", + "search_line": 50 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 61, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": 
"Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "fa6a8cf67a8f5cb8ad332d6ddd1968dd4e2e5c88b642c8a4d9be9d60432df61e", + "search_line": 61 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 71, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_2", + "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "9feced048b57aad815135e20ba6a54ed7cd67d25a412f27d5e08e95ddd0ae6c7", + "search_line": 71 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 81, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "c75453bc052c1f4f1c1cf5849d6e23ff9600e3842171be6658ae1ad515067544", + "search_line": 81 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 85, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": 
"AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "6de6f73e6a4ee356146e2c0b2dc535151ef854b31abf461f73a1d88f694f250f", + "search_line": 85 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 17, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "8bc750b3454c8b884ab726a418e1e79438bbc62fc421de71769136015577e8cc", + "search_line": 17 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 26, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "92ef252fa0381504551dc18ad2df3920384fa391d6164d2c59bd10636986cc71", + "search_line": 26 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire 
Network", "severity": "HIGH", "line": 35, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress3.Properties", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "4872eeaec4b423784d34a61960dd38c96d9fe9c63f28202637aac672704c60c1", + "search_line": 35 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 44, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress4.Properties", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "d37a68091c2bed0ff686ed4a309682a9ebf424800acc320e7a6c5e05a1623b7d", + "search_line": 44 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 54, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": 
"ddf9ea0a3791d4b15c344fbfc5c5a4a8921e5894943c07f1db8e5a565ca6f916", + "search_line": 54 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 63, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "1ef7b9061ba44e74d00f0c9c65077ef525fcb214957b7cf3770b0959f6fbdee4", + "search_line": 63 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 72, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "68b3357bcf87ce0ddb3495d9fda99576e7ed3dededa6271f3f9a85ca28d7341b", + "search_line": 72 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 81, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress4.Properties", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in 
application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "7461e15d3e22225152c68d1183e2d116e8e99e4f99b28d1ec761c12ba0d35c46", + "search_line": 81 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 26, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstancesSecGroup", + "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[1]", + "searchValue": "TCP,636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'GatewayLoadBalancer'", + "issueType": "IncorrectValue", + "similarityID": "ad4730850d5c3fd057bff2f0b0df014429527382e2eeaf40398559d8415ad7de", + "search_line": 26 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 30, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstancesSecGroup", + "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'GatewayLoadBalancer'", + "issueType": "IncorrectValue", + "similarityID": "ad4c3e48733632926b848d529d52ed42f938aff29285498cdef44cb6ff8a67c9", + "search_line": 30 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 30, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstancesSecGroup", + "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,2483", + "expectedValue": "Oracle DB SSL 
(UDP:2483) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'GatewayLoadBalancer'", + "issueType": "IncorrectValue", + "similarityID": "7fae0501f6045c84644b6b0568a860a4173f2f33a036547fb178b2e97adb984a", + "search_line": 30 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 30, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstancesSecGroup", + "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'GatewayLoadBalancer'", + "issueType": "IncorrectValue", + "similarityID": "8c518f0474b43e1e20fccd61a8c471928f0818bbbf9fcf9259b13127f17db0f7", + "search_line": 30 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 17, - "fileName": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "a9a76fccc9e030a3ef79cdcffba612c391431feb047fcd48ca45705ba2940f23", + "search_line": 17 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + 
"resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "3f092d888e96a06d9a0da2c6913223d19c25f2c3bc3cf71ff5b73589734f966f", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 27, - "fileName": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "8d6080d86b010792786dfbb6a3f325bb012e58994c8d5d53965cd7f615d44c8a", + "search_line": 27 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 32, - "fileName": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[3]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "0e449d7ab669d253e15958c589de541656b5c74eafc2cc704578df9a33ddc724", + "search_line": 32 }, { "queryName": "ELB Sensitive 
Port Is Exposed To Entire Network", "severity": "HIGH", "line": 40, - "fileName": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[4]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "0acc14d0c3464db3493e8d47e754f965be90e28eb790e2698e9d2234bcb137be", + "search_line": 40 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 45, - "fileName": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[5]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "5e217144d232761b09f7ad15f93647d675cd2f41e1f5d74047740bf584cad232", + "search_line": 45 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 50, - "fileName": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[6]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + 
"similarityID": "f44f2f8420b88429dbd6629d06d1c5a8ceff14ecebbb9ad52af5633cddac2383", + "search_line": 50 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 55, - "fileName": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[7]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "0656dc673ec2991273cb412539aaf1036a56af3d93dac5a354a9019b053abd65", + "search_line": 55 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "POP3 (TCP:110) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "dc4edb6cc12b3b0342cdb07372c16e22a8f46fc35bae0c839a8e7839d9aaa7c7", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,11211", + "expectedValue": "Memcached (TCP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", + 
"actualValue": "Memcached (TCP:11211) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "c8f2366b74b157e2a373ee4337bc5e2ec3124e56166f00396b25a4d550133608", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,11214", + "expectedValue": "Memcached SSL (TCP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (TCP:11214) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "838ad35cb86838e6b3ac8c84d9c7bc9e67260fb46e1d66056ea4ab35f8cda623", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,11215", + "expectedValue": "Memcached SSL (TCP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (TCP:11215) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "a3eb9eb701bc5e7c870a4e1c029202222aa0769b3cceb23a22faf4628e04912c", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,135", + 
"expectedValue": "MSSQL Debugger (TCP:135) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Debugger (TCP:135) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "23dd671205dcc305c6e22c07b81d6c742653a35308940270381de7ab20519227", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "12a67f7981ff7b8e820ada9dbd36b806c011f5a653f9bb06f9220c30fddba119", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "81a165934ef115166ba055806fa03a5fe7902ae7b3c49a500574d30d255d48b4", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + 
"resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "2c2089f1716e096a450e46316c85a54aa5e49777745310a70a9a3436b92e8ec6", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,1433", + "expectedValue": "MSSQL Server (TCP:1433) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Server (TCP:1433) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "264266c95ec35ea9ae0143cf8d8968303c826aa8eabad05875adc9b86c832cdd", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,1434", + "expectedValue": "MSSQL Browser (TCP:1434) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MSSQL Browser (TCP:1434) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "2cdda5da590615990ddb5494afcb5f1136149711bb7d9c18c083a887898fe896", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", 
"line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,1521", + "expectedValue": "Oracl DB (TCP:1521) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracl DB (TCP:1521) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "fc5b84a8f4aa99903b62b2f91833a63213f45257e2d390dcbcdfef80518fc3dc", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,1522", + "expectedValue": "Oracle Auto Data Warehouse (TCP:1522) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle Auto Data Warehouse (TCP:1522) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "0846ed4c02985499b7487cd5e0fd078194e3969b42142215e19855c0b5d82ec7", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,161", + "expectedValue": "SNMP (TCP:161) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SNMP (TCP:161) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "1473c78820b46787a9136838acb77ff4ac1b48751dcf5258c8ed415def3429bb", + 
"search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "FTP (TCP:20) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "d1e642d74b0d2c16bd62f2af73e045f619f7f44c1958cb0b580b48f7526d701c", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "FTP (TCP:21) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "694d4c7a3a2f39cab6fa09b4fc58e577c0af8640f5e1ca8ec828eb0cd879f9ba", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": 
"48693e40b2e4dde32aca81f67da52cf9b6cdf3ed07e9efab14236f4794ab9af1", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Telnet (TCP:23) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "92d2b351aee8e1403de3ae98e707b7a50391b0b2a3411e22769f0cfa893f32e7", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2375", + "expectedValue": "Docker (TCP:2375) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Docker (TCP:2375) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "0cab27ea17746d9ade973703f35a47381bc7b789324770136e83281b9dfe932d", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2376", + "expectedValue": "Docker (TCP:2376) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Docker (TCP:2376) is allowed in classic load balancer 
'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "36ce53a90dfad55c71bc95c7c49b7c5b9a98638369e6b6cee17678e7ff2218ce", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2382", + "expectedValue": "SQL Server Analysis (TCP:2382) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SQL Server Analysis (TCP:2382) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "ffcfbf704e905c7110908b2c209bc8aa0c2fba154a7d637bb0b891ccfaa9a4d9", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2383", + "expectedValue": "SQL Server Analysis (TCP:2383) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SQL Server Analysis (TCP:2383) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "a1523f3bda562cba4cdbb991d024600380faa9e542b47d8f10c9a924a7329aaa", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2483", + "expectedValue": "Oracle DB SSL (TCP:2483) should not be 
allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (TCP:2483) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "a605321e3513ef298c722b962f51b98677071b4841f1e107a06b6c0ec1df0171", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,2484", + "expectedValue": "Oracle DB SSL (TCP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (TCP:2484) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "d115c4813bdebf9dd9a3ffa34b01ce8e876f72b813f79bc9a1568fc4f7ca669e", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SMTP (TCP:25) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "8d78e71b70026bacad7819679caf813b10194b2239f8b3d1f8599196ef716c38", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + 
"searchValue": "TCP,27017", + "expectedValue": "Mongo (TCP:27017) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Mongo (TCP:27017) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "4eee28df5d818eeba54f0c7e3bd0eff9da83e04fb756aedcd7ce86844430b763", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,27018", + "expectedValue": "Mongo Web Portal (TCP:27018) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Mongo Web Portal (TCP:27018) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "a2f7cee90b47a7658654c8d5e3f53996ccfa3d3054e227a36d3265f9c37a17e2", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,3000", + "expectedValue": "Prevalent known internal port (TCP:3000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Prevalent known internal port (TCP:3000) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "242464bfdc2584625cd7a6f3adcef3073ab8d94851a62277d4712e07af5e558f", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": 
"AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,3020", + "expectedValue": "CIFS / SMB (TCP:3020) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "CIFS / SMB (TCP:3020) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "5fe73048a98384ff453b0db869b066d5d92b20ef501c529b6802fac6925291e3", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,3306", + "expectedValue": "MySQL (TCP:3306) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MySQL (TCP:3306) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "45feeb9de84a76dd2bc92282a8ef97ee0f324e5d600f6c10d975b0c65fc471c7", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,3389", + "expectedValue": "Remote Desktop (TCP:3389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Remote Desktop (TCP:3389) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "dcf4e276d5a4ff07e765683dba61a25cefc946f5417f8bbce0fd87cbea118ea2", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", 
"line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,389", + "expectedValue": "LDAP (TCP:389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP (TCP:389) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "3192c621c1b6c6cec79d6a7e8465b731ef69279f8673a2b79f01c3dd4c696fa6", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,4333", + "expectedValue": "MySQL (TCP:4333) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "MySQL (TCP:4333) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "2f0f9e2e36ebb244fd8d695127e4c4b115690aac5166bef57ea1212f1a7ad9be", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,443", + "expectedValue": "HTTPS (TCP:443) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HTTPS (TCP:443) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "d4b50a9f1e14f1e060b4b557eba3680450722ea89ce1b0c2a3f74e0cd00bb909", + "search_line": 29 }, { "queryName": "ELB Sensitive Port 
Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,445", + "expectedValue": "Microsoft-DS (TCP:445) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Microsoft-DS (TCP:445) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "c48102b2b01f0e0d2bcf9d9e351562a91dc3c7b7a5790f85cf372eade810a57e", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,4505", + "expectedValue": "SaltStack Master (TCP:4505) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SaltStack Master (TCP:4505) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "e7e9aa7b85dde248c913fd7364daeb8f5947b99daf18dd0cf7967d733eac5f13", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,4506", + "expectedValue": "SaltStack Master (TCP:4506) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SaltStack Master (TCP:4506) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": 
"9b38339d95b17b8a02832791f457fd1da3f099bffb20ad8d014e282ee33e89c8", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,50070", + "expectedValue": "HDFS NameNode WebUI (TCP:50070) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode WebUI (TCP:50070) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "ad3ca51838b562b7ca62b04fa351facb2d702c75b8b9001641efb155455128e7", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,50470", + "expectedValue": "HDFS NameNode WebUI (TCP:50470) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode WebUI (TCP:50470) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "042d2c10e7bcc2ee052ea89706bffe837ab6bf4289da4dac27bc38ade65782b2", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "DNS 
(TCP:53) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "61731de3b75b5063eed8d899db514003c197e909e299687073c0f49d0adc0996", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5432", + "expectedValue": "PostgreSQL (TCP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "PostgreSQL (TCP:5432) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "b588325189885e2a8475cb539b457b36678deda4bc70d265e3da304a93808d8f", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5500", + "expectedValue": "VNC Listener (TCP:5500) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "VNC Listener (TCP:5500) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "92eee55b3906541995d212f6c3c6f1b612a7946f05860abc7b384905b3dde3be", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5601", + "expectedValue": "Kibana (TCP:5601) should 
not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Kibana (TCP:5601) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "f6827059526909e723b95777ec88c7101b9bdff173a0c8d22e855d8df6b7013d", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5900", + "expectedValue": "VNC Server (TCP:5900) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "VNC Server (TCP:5900) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "e3986d249993ae4180a46e1644ac42e00803662b5820244041eb310db23c1261", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,5985", + "expectedValue": "WinRM for HTTP (TCP:5985) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "WinRM for HTTP (TCP:5985) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "39a90cb67fcf28c64de0ab41e75151746f82e73c47119c4425b7f23eea73f2b7", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": 
"Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,61620", + "expectedValue": "Cassandra OpsCenter (TCP:61620) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter (TCP:61620) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "38da3bb7e4167bcfcd3f5b89f462a9f048d5b3fa78c3d7e3f1478df854b6dcf9", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,61621", + "expectedValue": "Cassandra OpsCenter (TCP:61621) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter (TCP:61621) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "970ba310d8f856fc61915cee81e44d9e018b3d93f8d65eba553718fac7c27fe2", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "6a65c600efc56656eeab14e0ee034143fe78e6352cae8049425a4753b8527765", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + 
"fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,6379", + "expectedValue": "Redis (TCP:6379) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Redis (TCP:6379) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "d8c8a74c04ffa237f25d1bcf16af34ed819208f0bc18bf061f85679e441eee60", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,7000", + "expectedValue": "Cassandra Internode Communication (TCP:7000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Internode Communication (TCP:7000) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "17f3e8f11c5ddc5ba83b06fd7b0abb7e3847ba039dea3c4425d066c35f939e26", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,7001", + "expectedValue": "Cassandra (TCP:7001) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra (TCP:7001) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "a37dd4028663e6f38fe66fd8128ff115ad52bc3bed474dd00b022fb16627b335", + "search_line": 29 }, { 
"queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,7199", + "expectedValue": "Cassandra Monitoring (TCP:7199) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Monitoring (TCP:7199) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "adb496e3d20a752644ccbd0252608aa055535a547f9b069b66d00fea0f7604a5", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HTTP (TCP:80) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "7a0a7e50302ca14407df21f57c71071676534ffa85171fc0b18a04404581498f", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8000", + "expectedValue": "Known internal web port (TCP:8000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Known internal web port (TCP:8000) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": 
"IncorrectValue", + "similarityID": "f325a851da3c1d130dd6c78de590d577fb37f924ad1d682f8a0e6ca9fc41bab9", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8020", + "expectedValue": "HDFS NameNode (TCP:8020) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "HDFS NameNode (TCP:8020) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "a0d9e7101acfc628f3e8306a407f96bdb80ede1ce6912ffa07fb48539996cf40", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8080", + "expectedValue": "Known internal web port (TCP:8080) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Known internal web port (TCP:8080) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "70748bef0362283dc00cd2046b887deedb18dc68b37baf4d09f58b3e9f3dded5", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8140", + "expectedValue": "Puppet Master (TCP:8140) should not be allowed in classic load balancer 
'LoadBalancer01'", + "actualValue": "Puppet Master (TCP:8140) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "309869fc90f7fca883e96385b4dd64973f1d0a15d020834c50fcea796de8ddb1", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,8888", + "expectedValue": "Cassandra OpsCenter Website (TCP:8888) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra OpsCenter Website (TCP:8888) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "6f3e4c31feb24dd278b77dd6a019b8b73743b305f34991f7d2ab771aff5d1c03", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9000", + "expectedValue": "Hadoop Name Node (TCP:9000) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Hadoop Name Node (TCP:9000) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "6faef00ca72c6a4dab8ad8666a05294f4260d457de056ddfc287c431992613cf", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": 
"Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9042", + "expectedValue": "Cassandra Client (TCP:9042) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Client (TCP:9042) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "6154870e563d7c10c194c3c2c3f319efffd564fdb59a2449ea9d99d54a1c685f", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9090", + "expectedValue": "CiscoSecure, WebSM (TCP:9090) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "CiscoSecure, WebSM (TCP:9090) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "978b4833c4d313bc0c9b3f54f8a17d825c44944dbc34bdd221e4c0d868257734", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9160", + "expectedValue": "Cassandra Thrift (TCP:9160) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Cassandra Thrift (TCP:9160) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "26819245d02c88e30cbd0745f4e590ac125eb2e625bad57e983158a9ca6daab0", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" 
+ "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9200", + "expectedValue": "Elastic Search (TCP:9200) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Elastic Search (TCP:9200) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "e98bd3eb56d87d2837a2dc4d76fc7abf3d093a91be7e31eb5e75b4ac2edf5777", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,9300", + "expectedValue": "Elastic Search (TCP:9300) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Elastic Search (TCP:9300) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "bda8b78c63e18dd870ded007394d24818e7ec7895463bce14b97e466b51f4fbf", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,11211", + "expectedValue": "Memcached (UDP:11211) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached (UDP:11211) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "08cbd73075cd70e43b446d55ce68178239380ea4028e9d6ed9c50f905e264e21", + "search_line": 29 }, { "queryName": "ELB 
Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,11214", + "expectedValue": "Memcached SSL (UDP:11214) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (UDP:11214) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "f26f1224e3205afbec93890d42ce2ef3ffc9e0ee955bdb6e5f74589f28435847", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,11215", + "expectedValue": "Memcached SSL (UDP:11215) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Memcached SSL (UDP:11215) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "7e21a0d77fa41dd79164226b98cad8289a0b7b3771a722edbd63b6920dd8868f", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + 
"similarityID": "04db6317e68a35772181634e53802d6cda16e264b652bc54cd88cbcfeaea3dea", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "b407ca3de33b66dad62d380781f418c53cbfc6f5ce00978f7e6971edd5c5dcb2", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "1713621444029573b8384b85477e5d32ffbe93ac0b6bd3cee9ed15eeec336bf5", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 
'LoadBalancer01'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "027a087610d6f271faa6169fc844f1092f6f44dd3e581a8a1a9f578a6743bfb1", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,161", + "expectedValue": "SNMP (UDP:161) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SNMP (UDP:161) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "21708aa92b92239d0afc7dcf64edf9a9a4b2a9ef215274274d6cb98aacd470c3", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "87c47a6afb4bcd838df23786cb5610967e34469a3d7cd6f5f814007bc890d841", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,2484", + 
"expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "88b587f27885e45d41566a09ea8012a48cdec05b8888cc3a60eb04d52aa2a515", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,389", + "expectedValue": "LDAP (UDP:389) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "LDAP (UDP:389) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "e9de2207d5f3c9cd2e7dcb6b9439c9dd83f4fb8deb73eee3d7069ec9b0203087", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "DNS (UDP:53) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "dabaff55db2954d70054e4a544906bd03552e310bf7de8ca282c0677958b2dd0", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 29, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": 
"Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,5432", + "expectedValue": "PostgreSQL (UDP:5432) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "PostgreSQL (UDP:5432) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "afd0de9049159d9eac6f5cb488f3d72b8252da62cc5fadc55027c49d02c48735", + "search_line": 29 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 43, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "4f854b1b9874523a6641eac749d6e062a6456b9d5f18570582406fbfc1b6399c", + "search_line": 43 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 57, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "105dfddae5f75dc74568f48b794466712fb7a3fce83bb96575c8c4ed7cdd0de3", + "search_line": 57 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 69, - "fileName": "positive5.json" + "fileName": 
"positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "fa9c504a8c92c937cab7538e2db2f9971337caa80a7501ca3726598fde8e000b", + "search_line": 69 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 83, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "91ddfecb9c821b4d9f5915056cbf6a1027a9a25e3ad52a183172a84f16cc1c0c", + "search_line": 83 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 97, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_2", + "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "7d4ff8eb7bf267ab52462d73e3fc604d8183644c8456d4fd90d052be29bf66a1", + "search_line": 97 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire 
Network", "severity": "HIGH", "line": 111, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "879bf1f5ade7443f596282b3c225f1afa0f506fa07037f405c8b0c8a170fe143", + "search_line": 111 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 117, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in classic load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in classic load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "c309667803638b72082849c00793c16fc03101e0ae9ca53b7f7b6af6e09d8797", + "search_line": 117 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 20, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": 
"IncorrectValue", + "similarityID": "d290b8d2e2f4fa792f605608e04ef69cd26236a057c915c39135051c65609fcc", + "search_line": 20 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 30, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "d70fe943376bbf8a25df13d34216045dfc0d7c4ad19b95367920ca2168699990", + "search_line": 30 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 40, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress3.Properties", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "76b17f0c48314e32fb1a8a9bfaf7ab473816c133ef0c464e3d9fcae7e0a54515", + "search_line": 40 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 50, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress4.Properties", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS 
Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "102c69c42abf7cef15058c31eb9142f42b3198065c46410a3b05c26957f58af0", + "search_line": 50 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 60, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "ad0f2068334b65d85c3d8df390ef8ebf6c6a02d4bc6b7881286dc49851621487", + "search_line": 60 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 70, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "42c38f2344d781b88a7be1a6cf409d712964d2110e45663e4e8ecddaac70e8ca", + "search_line": 70 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 80, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load 
balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "9bf9f39ba07cd62ee370e886d45959256ed222e8166fbe3210a3cfc38519f861", + "search_line": 80 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 90, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress4.Properties", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "99c01a003a160f77e11b76a8944325d0e6603c9b58a0e72747df541e722ebc37", + "search_line": 90 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 39, - "fileName": "positive7.json" + "fileName": "positive7.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstancesSecGroup", + "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[1]", + "searchValue": "TCP,636", + "expectedValue": "LDAP SSL (TCP:636) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "LDAP SSL (TCP:636) is allowed in classic load balancer 'GatewayLoadBalancer'", + "issueType": "IncorrectValue", + "similarityID": "6f295f57f7acfda1b0f1cb5668e1fc304641fd3e0ed68948c3756cf88a5fbc54", + "search_line": 39 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 45, - "fileName": "positive7.json" + "fileName": "positive7.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstancesSecGroup", + "searchKey": 
"Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,1434", + "expectedValue": "MSSQL Browser (UDP:1434) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "MSSQL Browser (UDP:1434) is allowed in classic load balancer 'GatewayLoadBalancer'", + "issueType": "IncorrectValue", + "similarityID": "7a6a336aa36ff7d1821d23b238b5bc8188847cd622ca84fd1e7ff7f8a3491532", + "search_line": 45 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 45, - "fileName": "positive7.json" + "fileName": "positive7.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstancesSecGroup", + "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,2483", + "expectedValue": "Oracle DB SSL (UDP:2483) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "Oracle DB SSL (UDP:2483) is allowed in classic load balancer 'GatewayLoadBalancer'", + "issueType": "IncorrectValue", + "similarityID": "c9cc9ed38c5181c6937bc32cce9ad2e6c2abe9022548be39d690f10d4cbf84b5", + "search_line": 45 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 45, - "fileName": "positive7.json" + "fileName": "positive7.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstancesSecGroup", + "searchKey": "Resources.InstancesSecGroup.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,2484", + "expectedValue": "Oracle DB SSL (UDP:2484) should not be allowed in classic load balancer 'GatewayLoadBalancer'", + "actualValue": "Oracle DB SSL (UDP:2484) is allowed in classic load balancer 'GatewayLoadBalancer'", + "issueType": "IncorrectValue", + "similarityID": "2c4d581109e111ee2fdc707f1a2af00dcba5f42093a6103f37b408b3f1649516", + "search_line": 45 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 22, - "fileName": 
"positive8.json" + "fileName": "positive8.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[0]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "c6dcaf82e9dcf94315c07102bba7c1e7b4f613b5abadf223358fd3570531e055", + "search_line": 22 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 28, - "fileName": "positive8.json" + "fileName": "positive8.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "0c0e2be2041078c33d78323c895cdde7f4825c2aa79134a5cea4ace7a8a6e8c6", + "search_line": 28 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 34, - "fileName": "positive8.json" + "fileName": "positive8.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[2]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": 
"c7ba63752ef98202c78996d399c2f4388fa1ebc77a0b7e72ee20623d71bc2c3e", + "search_line": 34 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 40, - "fileName": "positive8.json" + "fileName": "positive8.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[3]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "4ef97625425ad4cc199de5630b552f187d811b6210561e0592e8a555a8418256", + "search_line": 40 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 46, - "fileName": "positive8.json" + "fileName": "positive8.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[4]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "607387f271ab0f33986879161f533d78ae49992016cdd2ac0f4b52a84d68f487", + "search_line": 46 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 52, - "fileName": "positive8.json" + "fileName": "positive8.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[5]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed in application load balancer 'LoadBalancer01'", + 
"actualValue": "SSH (TCP:22) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "ea4c4d9de6a03dbfbfeb4fe20d9ce8c8202f200fb5f485b5ddbf63df33675aea", + "search_line": 52 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 58, - "fileName": "positive8.json" + "fileName": "positive8.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[6]", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "6c06eed91995443c5da65a5715748660148061612c4f45dc6470a8416e517e63", + "search_line": 58 }, { "queryName": "ELB Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 64, - "fileName": "positive8.json" + "fileName": "positive8.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.DualStackSecurityGroup.Properties.SecurityGroupIngress[7]", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed in application load balancer 'LoadBalancer01'", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed in application load balancer 'LoadBalancer01'", + "issueType": "IncorrectValue", + "similarityID": "8d4ca34515642c918bd14f9a051962db45f28c5075351f8db6435e02f0055079", + "search_line": 64 } ] diff --git a/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/test/positive_expected_result.json index d13bf54bd5e..1269c39c607 100644 
--- a/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/elb_using_insecure_protocols/test/positive_expected_result.json
@@ -3,24 +3,60 @@ "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", "line": 27, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=Protocol-SSLv2", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.Protocol-SSLv2' should not be an insecure protocol", + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.Protocol-SSLv2' is an insecure protocol", + "issueType": "IncorrectValue", + "similarityID": "f77c4d0af32671cdecfe0e53bebe67ce4174f09b99a6aecc280c5b67d5a562c1", + "search_line": -1 }, { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", "line": 34, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy2.Attributes.Name=Protocol-TLSv1", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.Protocol-TLSv1' should not be an insecure protocol", + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.Protocol-TLSv1' is an insecure protocol", + "issueType": "IncorrectValue", + "similarityID": "a956bbc2258175f82395e57d1b6cbdf348e9d75c145acf4906d6f42afb82908e", + "search_line": -1 }, { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", "line": 35, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": 
"Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=Protocol-SSLv2", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.Protocol-SSLv2' should not be an insecure protocol", + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.Protocol-SSLv2' is an insecure protocol", + "issueType": "IncorrectValue", + "similarityID": "7d19c48e5ddae801d6dc137a77da6395444c69ece326e9ba699a935dd6a871ce", + "search_line": -1 }, { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", "line": 50, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy2.Attributes.Name=Protocol-TLSv1", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.Protocol-TLSv1' should not be an insecure protocol", + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.Protocol-TLSv1' is an insecure protocol", + "issueType": "IncorrectValue", + "similarityID": "79cb5384f341aaf0b9732c01ab385c43fa3fd2a7b9205c4d115198c445665d08", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/test/positive_expected_result.json index 0a839c95974..9dc74f65fc2 100644 --- a/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_using_weak_ciphers/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", "line": 27, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=TLS_RSA_NULL_SHA1", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.TLS_RSA_NULL_SHA1' should not be a weak cipher", + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.TLS_RSA_NULL_SHA1' is a weak cipher", + "issueType": "IncorrectValue", + "similarityID": "94c170e9478848d655ae44fa705140a2281a30c2157de0f862d26535c034953a", + "search_line": -1 }, { "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", "line": 29, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=DHE-DSS-DES-CBC3-SHA", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.DHE-DSS-DES-CBC3-SHA' should not be a weak cipher", + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.DHE-DSS-DES-CBC3-SHA' is a weak cipher", + "issueType": "IncorrectValue", + "similarityID": "6e37b87e0ad1b7eb474aa3e7dec8501ea2894f296e3dbb9526882ba1e992218d", + "search_line": -1 }, { "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", "line": 34, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": 
"Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy2.Attributes.Name=TLS_DHE_PSK_WITH_NULL_SHA256", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.TLS_DHE_PSK_WITH_NULL_SHA256' should not be a weak cipher", + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.TLS_DHE_PSK_WITH_NULL_SHA256' is a weak cipher", + "issueType": "IncorrectValue", + "similarityID": "44e688c5b8195098158e86cb5bb19820011f06047c6cf5495f3e30981c3908b1", + "search_line": -1 }, { "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", "line": 35, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=TLS_RSA_NULL_SHA1", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.TLS_RSA_NULL_SHA1' should not be a weak cipher", + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.TLS_RSA_NULL_SHA1' is a weak cipher", + "issueType": "IncorrectValue", + "similarityID": "27046d2cb4c284a099c585b355ec3b00aa4b04cb564e4c98f46d7aa81b721b26", + "search_line": -1 }, { "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", "line": 40, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy.Attributes.Name=DHE-DSS-DES-CBC3-SHA", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.DHE-DSS-DES-CBC3-SHA' should not be a weak cipher", + "actualValue": 
"'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy.Attributes.DHE-DSS-DES-CBC3-SHA' is a weak cipher", + "issueType": "IncorrectValue", + "similarityID": "022461b13034ed21ce0cdf83016611656ff0fad15547678f593a991e5a855c4a", + "search_line": -1 }, { "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", "line": 49, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Policies.PolicyName=My-SSLNegotiation-Policy2.Attributes.Name=TLS_DHE_PSK_WITH_NULL_SHA256", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.TLS_DHE_PSK_WITH_NULL_SHA256' should not be a weak cipher", + "actualValue": "'Resources.MyLoadBalancer.Properties.Policies.My-SSLNegotiation-Policy2.Attributes.TLS_DHE_PSK_WITH_NULL_SHA256' is a weak cipher", + "issueType": "IncorrectValue", + "similarityID": "a7ff7f3251ef9c1f2c047375a855f57af019b1cd5b784f1101cd5cc01d2b7019", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/test/positive_expected_result.json index 37ff9f3c3f4..79684b5089c 100644 --- a/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled/test/positive_expected_result.json 
@@ -3,30 +3,75 @@ "queryName": "ELBv2 ALB Access Log Disabled", "severity": "MEDIUM", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "resourceName": "EnvironmentName", + "searchKey": "Resources.LoadBalancer.Properties", + "searchValue": "", + "expectedValue": "'Resources.LoadBalancer.Properties' has LoadBalancerAttributes defined", + "actualValue": "'Resources.LoadBalancer.Properties' doesn't have LoadBalancerAttributes defined", + "issueType": "MissingAttribute", + "similarityID": "9e986beb118a4b83fce06a98055481ffe2bc6d0e159fdadecdfbc473ccb4a2d9", + "search_line": -1 }, { "queryName": "ELBv2 ALB Access Log Disabled", "severity": "MEDIUM", "line": 30, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "resourceName": "EnvironmentName", + "searchKey": "Resources.LoadBalancertest.Properties.LoadBalancerAttributes", + "searchValue": "", + "expectedValue": "'Resources.LoadBalancertest.Properties.LoadBalancerAttributes' has access_logs.s3.enabled with Value true", + "actualValue": "'Resources.LoadBalancertest.Properties.LoadBalancerAttributes' doesn't have access_logs.s3.enabled with Value true", + "issueType": "IncorrectValue", + "similarityID": "e1e611e560b5dd81ae41702b08a84010c64eac3c7d935dc050e61d5cdd843b8a", + "search_line": -1 }, { "queryName": "ELBv2 ALB Access Log Disabled", "severity": "MEDIUM", "line": 23, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "resourceName": "EnvironmentName", + "searchKey": "Resources.LoadBalancer.Properties", + "searchValue": "", + "expectedValue": "'Resources.LoadBalancer.Properties' has LoadBalancerAttributes defined", + "actualValue": "'Resources.LoadBalancer.Properties' doesn't have LoadBalancerAttributes defined", + "issueType": "MissingAttribute", + "similarityID": 
"d0f1733eae15da2e2a71eea5ad04f5d5629a126220ef923dac44418713ff60c1", + "search_line": -1 }, { "queryName": "ELBv2 ALB Access Log Disabled", "severity": "MEDIUM", "line": 36, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "resourceName": "EnvironmentName", + "searchKey": "Resources.LoadBalancertest.Properties.LoadBalancerAttributes", + "searchValue": "", + "expectedValue": "'Resources.LoadBalancertest.Properties.LoadBalancerAttributes' has access_logs.s3.enabled with Value true", + "actualValue": "'Resources.LoadBalancertest.Properties.LoadBalancerAttributes' doesn't have access_logs.s3.enabled with Value true", + "issueType": "IncorrectValue", + "similarityID": "2e3eb5d8fdbf80f73fddf7384ffabf382478357c2814d60dd2b57e720935c758", + "search_line": -1 }, { "queryName": "ELBv2 ALB Access Log Disabled", "severity": "MEDIUM", "line": 30, - "fileName": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "resourceName": "EnvironmentName", + "searchKey": "Resources.LoadBalancertest.Properties.LoadBalancerAttributes", + "searchValue": "", + "expectedValue": "'Resources.LoadBalancertest.Properties.LoadBalancerAttributes' has access_logs.s3.enabled with Value true", + "actualValue": "'Resources.LoadBalancertest.Properties.LoadBalancerAttributes' doesn't have access_logs.s3.enabled with Value true", + "issueType": "IncorrectValue", + "similarityID": "e426c92f62d352737998fafde067ac9809ba8b9a4d8b7a11d6e177d7f7be3545", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/test/positive_expected_result.json index 8f2c9fd3032..43736862ad8 100644 --- a/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/test/positive_expected_result.json 
+++ b/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "ELB With Security Group Without Inbound Rules", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.sgwithoutingress.Properties", + "searchValue": "", + "expectedValue": "'Resources.sgwithoutingress.Properties.SecurityGroupIngress' should be defined", + "actualValue": "'Resources.sgwithoutingress.Properties.SecurityGroupIngress' is undefined", + "issueType": "MissingAttribute", + "similarityID": "4fe02a8aec9015a288b783553ee0697fbbda6d7e87bee8c9de14ec549737de63", + "search_line": 5 }, { "queryName": "ELB With Security Group Without Inbound Rules", "severity": "MEDIUM", "line": 6, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.sgwithoutingress.Properties", + "searchValue": "", + "expectedValue": "'Resources.sgwithoutingress.Properties.SecurityGroupIngress' should be defined", + "actualValue": "'Resources.sgwithoutingress.Properties.SecurityGroupIngress' is undefined", + "issueType": "MissingAttribute", + "similarityID": "91577ad792ea6a8e32cce23ed22858568b6595be7854973edc507df566a58c7c", + "search_line": 6 }, { "queryName": "ELB With Security Group Without Inbound Rules", "severity": "MEDIUM", "line": 5, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.sgwithingress.Properties", + "searchValue": "", + "expectedValue": "'Resources.sgwithingress.Properties.SecurityGroupIngress' should be defined", + "actualValue": "'Resources.sgwithingress.Properties.SecurityGroupIngress' is undefined", + "issueType": "MissingAttribute", + "similarityID": 
"fdfdc860cad1f3ad104d633645d354f9e3608814fefa3691d7a08af3390e4eaf", + "search_line": 5 }, { "queryName": "ELB With Security Group Without Inbound Rules", "severity": "MEDIUM", "line": 6, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.sgwithingress.Properties", + "searchValue": "", + "expectedValue": "'Resources.sgwithingress.Properties.SecurityGroupIngress' should be defined", + "actualValue": "'Resources.sgwithingress.Properties.SecurityGroupIngress' is undefined", + "issueType": "MissingAttribute", + "similarityID": "0c882dc9a7fb623b0d92b6a7771ef7b5a0772fcc89158efe5b709da6877022f0", + "search_line": 6 } ] diff --git a/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/test/positive_expected_result.json index bcde6e7171f..9dfd96f027c 100644 --- a/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules/test/positive_expected_result.json 
@@ -3,72 +3,180 @@ "queryName": "ELB With Security Group Without Outbound Rules", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.sgwithoutegress.Properties", + "searchValue": "", + "expectedValue": "'Resources.sgwithoutegress.Properties.SecurityGroupEgress' should be defined", + "actualValue": "'Resources.sgwithoutegress.Properties.SecurityGroupEgress' is undefined", + "issueType": "MissingAttribute", + "similarityID": "776eda2f653e67e68a02062cc8218d7f50e821a9d9355d4cc7cc099d7d1bfc64", + "search_line": 5 }, { "queryName": "ELB With Security Group Without Outbound Rules", "severity": "MEDIUM", "line": 6, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.sgwithoutegress.Properties", + "searchValue": "", + "expectedValue": "'Resources.sgwithoutegress.Properties.SecurityGroupEgress' should be defined", + "actualValue": "'Resources.sgwithoutegress.Properties.SecurityGroupEgress' is undefined", + "issueType": "MissingAttribute", + "similarityID": "9f76aaf27a6e7c7f745c5510c25560911f223ec2c293c8cc9b5b0a8d3f8dfdaf", + "search_line": 6 }, { "queryName": "ELB With Security Group Without Outbound Rules", "severity": "MEDIUM", "line": 5, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.sgwithegress.Properties", + "searchValue": "", + "expectedValue": "'Resources.sgwithegress.Properties.SecurityGroupEgress' should be defined", + "actualValue": "'Resources.sgwithegress.Properties.SecurityGroupEgress' is undefined", + "issueType": "MissingAttribute", + "similarityID": "bafdacc408e3c44cd5db9267183ec27aade86752ee68fdb25e84bf97dcbcc631", + 
"search_line": 5 }, { "queryName": "ELB With Security Group Without Outbound Rules", "severity": "MEDIUM", "line": 6, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.sgwithegress.Properties", + "searchValue": "", + "expectedValue": "'Resources.sgwithegress.Properties.SecurityGroupEgress' should be defined", + "actualValue": "'Resources.sgwithegress.Properties.SecurityGroupEgress' is undefined", + "issueType": "MissingAttribute", + "similarityID": "00ddb1e12315d11d592c2dbb3b7135283277bb2570993402bdcdba05f33d0f4b", + "search_line": 6 }, { "queryName": "ELB With Security Group Without Outbound Rules", "severity": "MEDIUM", "line": 5, - "fileName": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyClassicLB", + "searchKey": "Resources.MySG.Properties", + "searchValue": "", + "expectedValue": "'Resources.MySG.Properties.SecurityGroupEgress' should be defined", + "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is undefined", + "issueType": "MissingAttribute", + "similarityID": "73ae75e823b9ae87dbfe8cb2805c896272b4641a2d28e7f508cbe3fc5b6069a5", + "search_line": 5 }, { "queryName": "ELB With Security Group Without Outbound Rules", "severity": "MEDIUM", "line": 6, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyClassicLB", + "searchKey": "Resources.MySG.Properties", + "searchValue": "", + "expectedValue": "'Resources.MySG.Properties.SecurityGroupEgress' should be defined", + "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is undefined", + "issueType": "MissingAttribute", + "similarityID": "441d793e79fa4036364a6144822c84bec1da2351eabd568fa7b15fad6e0183be", + "search_line": 6 }, { "queryName": "ELB With Security Group Without 
Outbound Rules", "severity": "MEDIUM", "line": 8, - "fileName": "positive7.yaml" + "fileName": "positive7.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyClassicLB", + "searchKey": "Resources.MySG.Properties.SecurityGroupEgress", + "searchValue": "", + "expectedValue": "'Resources.MySG.Properties.SecurityGroupEgress' should not be empty", + "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is empty", + "issueType": "IncorrectValue", + "similarityID": "d5daf9de9dbf44a7e513f8dd450ede49a01012a8ab4ee111cd3d0732014ff5fd", + "search_line": 8 }, { "queryName": "ELB With Security Group Without Outbound Rules", "severity": "MEDIUM", "line": 9, - "fileName": "positive8.json" + "fileName": "positive8.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyClassicLB", + "searchKey": "Resources.MySG.Properties.SecurityGroupEgress", + "searchValue": "", + "expectedValue": "'Resources.MySG.Properties.SecurityGroupEgress' should not be empty", + "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is empty", + "issueType": "IncorrectValue", + "similarityID": "e5f784d35979742d97a704a03a06859a3eaf1b3415fa5d44e79b3946ea2379f6", + "search_line": 9 }, { "queryName": "ELB With Security Group Without Outbound Rules", "severity": "MEDIUM", "line": 8, - "fileName": "positive9.yaml" + "fileName": "positive9.yaml", + "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "resourceName": "MyALB", + "searchKey": "Resources.MySGv2.Properties.SecurityGroupEgress", + "searchValue": "", + "expectedValue": "'Resources.MySGv2.Properties.SecurityGroupEgress' should not be empty", + "actualValue": "'Resources.MySGv2.Properties.SecurityGroupEgress' is empty", + "issueType": "IncorrectValue", + "similarityID": "cb672bca95abf1cfbe2c9ba79dd0d0987cb73ce53003fa1e53a9587fca756c41", + "search_line": 8 }, { "queryName": "ELB With Security Group Without Outbound Rules", "severity": "MEDIUM", "line": 9, - 
"fileName": "positive10.json" + "fileName": "positive10.json", + "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "resourceName": "MyALB", + "searchKey": "Resources.MySGv2.Properties.SecurityGroupEgress", + "searchValue": "", + "expectedValue": "'Resources.MySGv2.Properties.SecurityGroupEgress' should not be empty", + "actualValue": "'Resources.MySGv2.Properties.SecurityGroupEgress' is empty", + "issueType": "IncorrectValue", + "similarityID": "212de172a3cfbf01eb823be3cfd6a5eff2891631b45b6ce24414376885079843", + "search_line": 9 }, { "queryName": "ELB With Security Group Without Outbound Rules", "severity": "MEDIUM", "line": 5, - "fileName": "positive11.yaml" + "fileName": "positive11.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyClassicLB", + "searchKey": "Resources.MySG.Properties", + "searchValue": "", + "expectedValue": "'Resources.MySG.Properties.SecurityGroupEgress' should be defined", + "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is undefined", + "issueType": "MissingAttribute", + "similarityID": "ba35c762376ceb53df0c0a7fd6775b42846465aeb60fd5111cf349cf629fdbb9", + "search_line": 5 }, { "queryName": "ELB With Security Group Without Outbound Rules", "severity": "MEDIUM", "line": 6, - "fileName": "positive12.json" + "fileName": "positive12.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyClassicLB", + "searchKey": "Resources.MySG.Properties", + "searchValue": "", + "expectedValue": "'Resources.MySG.Properties.SecurityGroupEgress' should be defined", + "actualValue": "'Resources.MySG.Properties.SecurityGroupEgress' is undefined", + "issueType": "MissingAttribute", + "similarityID": "e72476cbc554c9d60cc6009851c5e23f8040fb251e6dadfb509fa389d1f96f55", + "search_line": 6 } ] 
diff --git a/assets/queries/cloudFormation/aws/elb_without_secure_protocol/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/elb_without_secure_protocol/test/positive_expected_result.json index f4a043eaacb..88f779c698b 100644 --- a/assets/queries/cloudFormation/aws/elb_without_secure_protocol/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/elb_without_secure_protocol/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "ELB Without Secure Protocol", "severity": "MEDIUM", "line": 11, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Listeners", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Listeners.InstanceProtocol' should be set to 'SSL' or 'HTTPS'", + "actualValue": "'Resources.MyLoadBalancer.Listeners.InstanceProtocol' isn't set to 'SSL' or 'HTTPS'", + "issueType": "IncorrectValue", + "similarityID": "96b16cbd99efbafc3b3e85e9b60825685c1dbe0384c050237042382e0d14a128", + "search_line": 11 }, { "queryName": "ELB Without Secure Protocol", "severity": "MEDIUM", "line": 13, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Listeners", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Listeners.Protocol' should be set to 'SSL' or 'HTTPS'", + "actualValue": "'Resources.MyLoadBalancer.Listeners.Protocol' isn't set to 'SSL' or 'HTTPS'", + "issueType": "IncorrectValue", + "similarityID": "cb72aa611ae2ae34bc9fe02f54bb5e6cdf50e3ef9fd4ecff7e556b1c41ce4857", + "search_line": 13 }, { "queryName": "ELB Without Secure Protocol", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Listeners", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Listeners.InstanceProtocol' should be set to 'SSL' or 'HTTPS'", + "actualValue": "'Resources.MyLoadBalancer.Listeners.InstanceProtocol' isn't set to 'SSL' or 'HTTPS'", + "issueType": "IncorrectValue", + "similarityID": 
"c89167dfefbf2e5ac05fcc221cc3cdcdf91399af071b47bb865bc36d7b78b3b9", + "search_line": 9 }, { "queryName": "ELB Without Secure Protocol", "severity": "MEDIUM", "line": 11, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::ElasticLoadBalancing::LoadBalancer", + "resourceName": "MyLoadBalancer", + "searchKey": "Resources.MyLoadBalancer.Properties.Listeners", + "searchValue": "", + "expectedValue": "'Resources.MyLoadBalancer.Listeners.Protocol' should be set to 'SSL' or 'HTTPS'", + "actualValue": "'Resources.MyLoadBalancer.Listeners.Protocol' isn't set to 'SSL' or 'HTTPS'", + "issueType": "IncorrectValue", + "similarityID": "5f84c05ff07da52dcbe003854dea6585ab5e300e70cc2e186efe91be5c286dd8", + "search_line": 11 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/test/positive_expected_result.json index b9e1a5fbe7a..1c0d8b60fcd 100644 --- a/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions/test/positive_expected_result.json 
@@ -1,38 +1,92 @@ [ { + "queryName": "Empty Roles For ECS Cluster Task Definitions", "severity": "MEDIUM", "line": 6, "fileName": "positive1.yaml", - "queryName": "Empty Roles For ECS Cluster Task Definitions" + "resourceType": "AWS::ECS::Service", + "resourceName": "NoTaskDefinition", + "searchKey": "Resources.NoTaskDefinition.Properties", + "searchValue": "", + "expectedValue": "'Resources.NoTaskDefinition.Properties.TaskDefinition' should be set", + "actualValue": "'Resources.NoTaskDefinition.Properties.TaskDefinition' is undefined", + "issueType": "MissingAttribute", + "similarityID": "4d7398a40d64307fcf874861699ddc929c942d020819eca9d638054279493bea", + "search_line": -1 }, { - "fileName": "positive1.yaml", "queryName": "Empty Roles For ECS Cluster Task Definitions", "severity": "MEDIUM", - "line": 24 + "line": 24, + "fileName": "positive1.yaml", + "resourceType": "AWS::ECS::Service", + "resourceName": "InvalidTaskDefinition", + "searchKey": "Resources.InvalidTaskDefinition.Properties.TaskDefinition", + "searchValue": "", + "expectedValue": "'Resources.InvalidTaskDefinition.Properties.Taskdefinition' refers to a valid TaskDefinition", + "actualValue": "'Resources.InvalidTaskDefinition.Properties.Taskdefinition' does not refers to a valid TaskDefinition", + "issueType": "MissingAttribute", + "similarityID": "d32e70d742b08d0cd2b9fedf0404594263c07b734f1a952e98b68908b0b1c85a", + "search_line": -1 }, { "queryName": "Empty Roles For ECS Cluster Task Definitions", "severity": "MEDIUM", "line": 41, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::ECS::Service", + "resourceName": "TaskNoRole", + "searchKey": "Resources.TaskNoRole.Properties.TaskDefinition", + "searchValue": "", + "expectedValue": "'Resources.TaskNoRole.Properties.TaskDefinition' refers to a TaskDefinition with Role", + "actualValue": "'Resources.TaskNoRole.Properties.TaskDefinition' does not refer to a TaskDefinition with Role", + "issueType": "IncorrectValue", + 
"similarityID": "2128574e88efed8ce196db2eadcc7dc0b8e299586037b8fddcd412da6aa148d5", + "search_line": -1 }, { "queryName": "Empty Roles For ECS Cluster Task Definitions", "severity": "MEDIUM", - "line": 96, - "fileName": "positive2.json" + "line": 11, + "fileName": "positive2.json", + "resourceType": "AWS::ECS::Service", + "resourceName": "InvalidTaskDefinition", + "searchKey": "Resources.InvalidTaskDefinition.Properties.TaskDefinition", + "searchValue": "", + "expectedValue": "'Resources.InvalidTaskDefinition.Properties.Taskdefinition' refers to a valid TaskDefinition", + "actualValue": "'Resources.InvalidTaskDefinition.Properties.Taskdefinition' does not refers to a valid TaskDefinition", + "issueType": "MissingAttribute", + "similarityID": "95db9e01174086cb2e9aac095b39ebd5ba3f62bcc19b261ed06ef6fc75b26afb", + "search_line": -1 }, { "queryName": "Empty Roles For ECS Cluster Task Definitions", "severity": "MEDIUM", - "line": 11, - "fileName": "positive2.json" + "line": 39, + "fileName": "positive2.json", + "resourceType": "AWS::ECS::Service", + "resourceName": "TaskNoRole", + "searchKey": "Resources.TaskNoRole.Properties.TaskDefinition", + "searchValue": "", + "expectedValue": "'Resources.TaskNoRole.Properties.TaskDefinition' refers to a TaskDefinition with Role", + "actualValue": "'Resources.TaskNoRole.Properties.TaskDefinition' does not refer to a TaskDefinition with Role", + "issueType": "IncorrectValue", + "similarityID": "d0afce630dcf90a514506e6db150813d1c66694dbe1e0bab4c2aabfdd2c08cb9", + "search_line": -1 }, { "queryName": "Empty Roles For ECS Cluster Task Definitions", "severity": "MEDIUM", - "line": 39, - "fileName": "positive2.json" + "line": 96, + "fileName": "positive2.json", + "resourceType": "AWS::ECS::Service", + "resourceName": "NoTaskDefinition", + "searchKey": "Resources.NoTaskDefinition.Properties", + "searchValue": "", + "expectedValue": "'Resources.NoTaskDefinition.Properties.TaskDefinition' should be set", + "actualValue": 
"'Resources.NoTaskDefinition.Properties.TaskDefinition' is undefined", + "issueType": "MissingAttribute", + "similarityID": "da588997b9cb8a54179708db97eeb8f734640caa63a030239c1274dd3f8620ce", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/test/positive_expected_result.json index 10819b82da5..f10d8578bbd 100644 --- a/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "EMR Cluster Without Security Configuration", "severity": "MEDIUM", "line": 18, - "fileName": "positive2.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EMR::Cluster", + "resourceName": "CFNtest2", + "searchKey": "Resources.cluster.Properties", + "searchValue": "", + "expectedValue": "Resources.cluster has the same name as the AWS::EMR::SecurityConfiguration Resource", + "actualValue": "Resources.cluster has a different name from AWS::EMR::SecurityConfiguration Resource", + "issueType": "IncorrectValue", + "similarityID": "cad200ff340daa75e3608ccad3b43be3b917f79daf43f92ad548740af142dcbe", + "search_line": -1 }, { - "line": 18, - "fileName": "positive1.yaml", "queryName": "EMR Cluster Without Security Configuration", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 18, + "fileName": "positive2.yaml", + "resourceType": "AWS::EMR::Cluster", + "resourceName": "CFNtest2", + "searchKey": "Resources.cluster1.Properties", + "searchValue": "", + "expectedValue": "Resources.cluster1.Properties.SecurityConfiguration should be defined", + "actualValue": "Resources.cluster1.Properties.SecurityConfiguration is undefined", + "issueType": "MissingAttribute", + "similarityID": "79a9bb96f385c29362da4a806781bc58046aa920ffdeaf0f2ec1024c9f283957", + "search_line": -1 }, { - "fileName": "positive3.json", "queryName": "EMR Cluster Without Security Configuration", "severity": "MEDIUM", - "line": 43 + "line": 43, + "fileName": "positive3.json", + "resourceType": "AWS::EMR::Cluster", + "resourceName": "CFNtest2", + "searchKey": "Resources.cluster.Properties", + "searchValue": "", + "expectedValue": "Resources.cluster has the same name as the AWS::EMR::SecurityConfiguration Resource", + "actualValue": "Resources.cluster has a different name from AWS::EMR::SecurityConfiguration Resource", + "issueType": "IncorrectValue", + "similarityID": "16dab21585cdd172f6321861d6b16b093b1c481ef37cde3acef74fe0c2a5cb27", + "search_line": -1 }, { 
"queryName": "EMR Cluster Without Security Configuration", "severity": "MEDIUM", "line": 5, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::EMR::Cluster", + "resourceName": "CFNtest2", + "searchKey": "Resources.cluster1.Properties", + "searchValue": "", + "expectedValue": "Resources.cluster1.Properties.SecurityConfiguration should be defined", + "actualValue": "Resources.cluster1.Properties.SecurityConfiguration is undefined", + "issueType": "MissingAttribute", + "similarityID": "ccbcf6350e9f03fd20eaf141b47a46996ee99b22b6f7d7472d359f852db3011f", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/test/positive_expected_result.json index 69b2e0f60fa..f8bb63101a0 100644 --- a/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled/test/positive_expected_result.json 
@@ -3,96 +3,240 @@ "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false", + "issueType": "IncorrectValue", + "similarityID": "45621def1e7efb3e6938df5dbaf57c8e5ac25eff3a7eca8e75496a40c2aa8751", + "search_line": -1 }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false", + "issueType": "IncorrectValue", + "similarityID": "a229b45135e29b894d11270ef68de9d0398bd160135fe00ef1029dd3e1975d97", + "search_line": -1 }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": 
"Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration01.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EncryptionKeyProviderType must be defined", + "actualValue": "Resources.EMRSecurityConfiguration01.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EncryptionKeyProviderType is undefined", + "issueType": "IncorrectValue", + "similarityID": "ed2611553e845ed3b233c5eb25e37d6ef440951a9d0b68aa4f4a8b5c7db378f6", + "search_line": -1 }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 10, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption is false", + "issueType": "IncorrectValue", + "similarityID": "4acec3c521e79d6d373cae078c953452a761fc781d8dad6e68b4b4874932e436", + "search_line": -1 }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": 
"String", + "searchKey": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false", + "issueType": "IncorrectValue", + "similarityID": "baa1a1370089c724ab8c540d6d4d114b3f9d1c45a0575ea5c30c5e19228f07b3", + "search_line": -1 }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false", + "issueType": "IncorrectValue", + "similarityID": "43ff042a12f7735add4698591198387d91cbbca67f7eb607880caf79208f8858", + "search_line": -1 }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration04.Properties.SecurityConfiguration", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration04.SecurityConfiguration.EncryptionConfiguration must be defined", + "actualValue": 
"Resources.EMRSecurityConfiguration04.SecurityConfiguration.EncryptionConfiguration is undefined", + "issueType": "IncorrectValue", + "similarityID": "9afa18c2d2e0e811adff1461132fc03fe1ed09bc0d869ae161674b06d719677c", + "search_line": -1 }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false", + "issueType": "IncorrectValue", + "similarityID": "0273ba06a2c713660922841c077df5b7dfcaa49d0a10a7a8ed213550688293a1", + "search_line": -1 }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 10, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false", + "issueType": "IncorrectValue", + "similarityID": "48d5df5a144021eef4fc1d05c66f1875e338dc5ffee724acf74853a720d2f4a1", + "search_line": -1 }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": 
"MEDIUM", "line": 9, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration01.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EncryptionKeyProviderType must be defined", + "actualValue": "Resources.EMRSecurityConfiguration01.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EncryptionKeyProviderType is undefined", + "issueType": "IncorrectValue", + "similarityID": "14ab41780e5c76f1ac4a887f47111aa70de1f2018dbba4f7381ec2cbc790e36c", + "search_line": -1 }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 10, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration01.Properties.SecurityConfiguration.EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EnableEbsEncryption is false", + "issueType": "IncorrectValue", + "similarityID": "abe9c8870c93a0ad59e5b4460d8bdef369e69696ad86ee20c9791196449b3d06", + "search_line": -1 }, { "queryName": "EMR Security Configuration Encryption 
Disabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive7.json" + "fileName": "positive7.json", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false", + "issueType": "IncorrectValue", + "similarityID": "2fbc0314679b18720022bbe1cc41eb4b675ef27e015fc467ea9011b48406ca1f", + "search_line": -1 }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive7.json" + "fileName": "positive7.json", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration03.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false", + "issueType": "IncorrectValue", + "similarityID": "520030945e759486161f05c4297395ea7be739281f1b6c36d3981c1bd08a5013", + "search_line": -1 }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive8.json" + "fileName": "positive8.json", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration04.Properties.SecurityConfiguration", + "searchValue": "", + 
"expectedValue": "Resources.EMRSecurityConfiguration04.SecurityConfiguration.EncryptionConfiguration must be defined", + "actualValue": "Resources.EMRSecurityConfiguration04.SecurityConfiguration.EncryptionConfiguration is undefined", + "issueType": "IncorrectValue", + "similarityID": "487b9f96347b69f0466ba3a7b96e77e6841461386c54a643fa3fe1eadd3c5eaf", + "search_line": -1 }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive9.yaml" + "fileName": "positive9.yaml", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableInTransitEncryption is false", + "issueType": "IncorrectValue", + "similarityID": "8de76f85cf5cf996ffde94385873a80ae548acfb3878d44d077918c595405156", + "search_line": -1 }, { "queryName": "EMR Security Configuration Encryption Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive9.yaml" + "fileName": "positive9.yaml", + "resourceType": "AWS::EMR::SecurityConfiguration", + "resourceName": "String", + "searchKey": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption", + "searchValue": "", + "expectedValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption should be true", + "actualValue": "Resources.EMRSecurityConfiguration.Properties.SecurityConfiguration.EncryptionConfiguration.EnableAtRestEncryption is false", + "issueType": "IncorrectValue", + "similarityID": 
"082665b30f12ce28a500f8a43676ccadfa60911b403086f469e1e757d5f1d6c5", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/emr_wihout_vpc/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/emr_wihout_vpc/test/positive_expected_result.json index fd870c2a4f7..7d1782f7e31 100644 --- a/assets/queries/cloudFormation/aws/emr_wihout_vpc/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/emr_wihout_vpc/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "EMR Without VPC", "severity": "LOW", "line": 23, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EMR::Cluster", + "resourceName": "CFNtest", + "searchKey": "Resources.cluster.Properties.Instances", + "searchValue": "", + "expectedValue": "Resources.cluster.Properties.Instances.Ec2SubnetId should be defined and not null", + "actualValue": "Resources.cluster.Properties.Instances.Ec2SubnetId is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "ca37e4be24b563d58bb3b30d5b192de7ff67c6535b1462224ca3e70a5a49944c", + "search_line": 23 }, { "queryName": "EMR Without VPC", "severity": "LOW", "line": 32, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EMR::Cluster", + "resourceName": "CFNtest", + "searchKey": "Resources.cluster.Properties.Instances", + "searchValue": "", + "expectedValue": "Resources.cluster.Properties.Instances.Ec2SubnetId should be defined and not null", + "actualValue": "Resources.cluster.Properties.Instances.Ec2SubnetId is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "4c918f4b6a3e7c4f8ab4cd3a1a23345573de924b385b0bd6d851c60a5f07ffc7", + "search_line": 32 } ] diff --git a/assets/queries/cloudFormation/aws/fully_open_ingress/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/fully_open_ingress/test/positive_expected_result.json index 152afc34c12..95be83c8276 100644 
--- a/assets/queries/cloudFormation/aws/fully_open_ingress/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/fully_open_ingress/test/positive_expected_result.json 
@@ -3,48 +3,120 @@ "queryName": "Fully Open Ingress", "severity": "HIGH", "line": 19, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DBEC2SecurityGroupInline", + "searchKey": "Resources.DBEC2SecurityGroupInline.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' should not accept ingress connections from all addresses to all available ports", + "actualValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' is accepting ingress connections from all addresses to all available ports", + "issueType": "IncorrectValue", + "similarityID": "b77e054788572e550100931739013de7b53072cdc67c5ff431ec247121b752b8", + "search_line": 19 }, { "queryName": "Fully Open Ingress", "severity": "HIGH", "line": 23, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DBEC2SecurityGroupInline", + "searchKey": "Resources.DBEC2SecurityGroupInline.Properties.SecurityGroupIngress[1].CidrIpv6", + "searchValue": "", + "expectedValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' should not accept ingress connections from all addresses to all available ports", + "actualValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' is accepting ingress connections from all addresses to all available ports", + "issueType": "IncorrectValue", + "similarityID": "f56190940cba02b45d4b86a664aa4ec2213f42da88f4ef9558e51c063c078780", + "search_line": 23 }, { "queryName": "Fully Open Ingress", "severity": "HIGH", "line": 37, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DBEC2SecurityGroupIngress", + "searchKey": "Resources.DBEC2SecurityGroupIngress.Properties.CidrIp", + "searchValue": "", + "expectedValue": 
"Resource 'DBEC2SecurityGroupIngress' of type 'AWS::EC2::SecurityGroupIngress' should not accept ingress connections from all addresses to all available ports", + "actualValue": "Resource 'DBEC2SecurityGroupIngress' of type 'AWS::EC2::SecurityGroupIngress' is accepting ingress connections from all addresses to all available ports", + "issueType": "IncorrectValue", + "similarityID": "e4a1cf817b9338ecc6be603a654bb0d22b9be69ffa32006ac2090bc749e38b7b", + "search_line": 37 }, { "queryName": "Fully Open Ingress", "severity": "HIGH", "line": 46, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DBEC2SecurityGroupIngressIPv6", + "searchKey": "Resources.DBEC2SecurityGroupIngressIPv6.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "Resource 'DBEC2SecurityGroupIngressIPv6' of type 'AWS::EC2::SecurityGroupIngress' should not accept ingress connections from all addresses to all available ports", + "actualValue": "Resource 'DBEC2SecurityGroupIngressIPv6' of type 'AWS::EC2::SecurityGroupIngress' is accepting ingress connections from all addresses to all available ports", + "issueType": "IncorrectValue", + "similarityID": "6b8dee7914a7d0f9e5fe3a761b30113a43b84528499deef553b58a98dda2cbd6", + "search_line": 46 }, { "queryName": "Fully Open Ingress", "severity": "HIGH", "line": 26, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DBEC2SecurityGroupInline", + "searchKey": "Resources.DBEC2SecurityGroupInline.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' should not accept ingress connections from all addresses to all available ports", + "actualValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' is accepting ingress connections from all addresses to all available ports", + 
"issueType": "IncorrectValue", + "similarityID": "ddab51fc54afd83b68b9eb657f3bdabd8451605e6db58a77d7abcb452cacef70", + "search_line": 26 }, { "queryName": "Fully Open Ingress", "severity": "HIGH", "line": 32, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "DBEC2SecurityGroupInline", + "searchKey": "Resources.DBEC2SecurityGroupInline.Properties.SecurityGroupIngress[1].CidrIpv6", + "searchValue": "", + "expectedValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' should not accept ingress connections from all addresses to all available ports", + "actualValue": "Resource 'DBEC2SecurityGroupInline' of type 'AWS::EC2::SecurityGroup' is accepting ingress connections from all addresses to all available ports", + "issueType": "IncorrectValue", + "similarityID": "9041d1264617109a3e0827e0040a484331c761fbae849601764a23d5ce04c128", + "search_line": 32 }, { "queryName": "Fully Open Ingress", "severity": "HIGH", "line": 53, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DBEC2SecurityGroupIngress", + "searchKey": "Resources.DBEC2SecurityGroupIngress.Properties.CidrIp", + "searchValue": "", + "expectedValue": "Resource 'DBEC2SecurityGroupIngress' of type 'AWS::EC2::SecurityGroupIngress' should not accept ingress connections from all addresses to all available ports", + "actualValue": "Resource 'DBEC2SecurityGroupIngress' of type 'AWS::EC2::SecurityGroupIngress' is accepting ingress connections from all addresses to all available ports", + "issueType": "IncorrectValue", + "similarityID": "6cb7ecd6570b6b6f9cf7ca3efea5b5862444125cc44e619d37eb8aa3cc0e1b24", + "search_line": 53 }, { "queryName": "Fully Open Ingress", "severity": "HIGH", "line": 65, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": 
"DBEC2SecurityGroupIngressIPv6", + "searchKey": "Resources.DBEC2SecurityGroupIngressIPv6.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "Resource 'DBEC2SecurityGroupIngressIPv6' of type 'AWS::EC2::SecurityGroupIngress' should not accept ingress connections from all addresses to all available ports", + "actualValue": "Resource 'DBEC2SecurityGroupIngressIPv6' of type 'AWS::EC2::SecurityGroupIngress' is accepting ingress connections from all addresses to all available ports", + "issueType": "IncorrectValue", + "similarityID": "fe4b250ea850886ef34d394a4e67483466f66900140bed2a3b002edd7e439e22", + "search_line": 65 } ] diff --git a/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/test/positive_expected_result.json index d49354e3fdc..2c5d129ed26 100644 --- a/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range/test/positive_expected_result.json 
@@ -1,50 +1,122 @@ [ { + "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", "severity": "MEDIUM", "line": 11, "fileName": "positive1.yaml", - "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range" + "resourceType": "AWS::GameLift::Fleet", + "resourceName": "FleetResource1", + "searchKey": "Resources.FleetResource1.Properties.EC2InboundPermissions", + "searchValue": "", + "expectedValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[0].FromPort is equal to Resources.FleetResource1.Properties.EC2InboundPermissions[0].ToPort", + "actualValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[0].FromPort is not equal to Resources.FleetResource1.Properties.EC2InboundPermissions[0].ToPort", + "issueType": "IncorrectValue", + "similarityID": "baff2c78662d36421b85c5c3b9499d553a9eced070983874b50941879a48cde6", + "search_line": 11 }, { "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", "severity": "MEDIUM", "line": 15, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::GameLift::Fleet", + "resourceName": "FleetResource1", + "searchKey": "Resources.FleetResource1.Properties.EC2InboundPermissions", + "searchValue": "", + "expectedValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[1].FromPort is equal to Resources.FleetResource1.Properties.EC2InboundPermissions[1].ToPort", + "actualValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[1].FromPort is not equal to Resources.FleetResource1.Properties.EC2InboundPermissions[1].ToPort", + "issueType": "IncorrectValue", + "similarityID": "1751c45876cf10823cbbd3643271cc39904c96ab278223f7ab6109199434705e", + "search_line": 15 }, { + "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", "severity": "MEDIUM", "line": 28, "fileName": "positive1.yaml", - "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range" + "resourceType": "AWS::GameLift::Fleet", + "resourceName": 
"FleetResource3", + "searchKey": "Resources.FleetResource3.Properties.EC2InboundPermissions", + "searchValue": "", + "expectedValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[0].FromPort is equal to Resources.FleetResource3.Properties.EC2InboundPermissions[0].ToPort", + "actualValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[0].FromPort is not equal to Resources.FleetResource3.Properties.EC2InboundPermissions[0].ToPort", + "issueType": "IncorrectValue", + "similarityID": "a6d0c861453a92bb7629f32a2e5379f968d55642837abce2b035664a73af2fe4", + "search_line": 28 }, { + "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", "severity": "MEDIUM", "line": 32, "fileName": "positive1.yaml", - "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range" + "resourceType": "AWS::GameLift::Fleet", + "resourceName": "FleetResource3", + "searchKey": "Resources.FleetResource3.Properties.EC2InboundPermissions", + "searchValue": "", + "expectedValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[1].FromPort is equal to Resources.FleetResource3.Properties.EC2InboundPermissions[1].ToPort", + "actualValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[1].FromPort is not equal to Resources.FleetResource3.Properties.EC2InboundPermissions[1].ToPort", + "issueType": "IncorrectValue", + "similarityID": "b6e6a549cb6f871a457825e0c29db5e36f3aa359bb7429f7ad9928440ba26d9b", + "search_line": 32 }, { + "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", + "severity": "MEDIUM", "line": 8, "fileName": "positive2.json", - "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", - "severity": "MEDIUM" + "resourceType": "AWS::GameLift::Fleet", + "resourceName": "FleetResource1", + "searchKey": "Resources.FleetResource1.Properties.EC2InboundPermissions", + "searchValue": "", + "expectedValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[0].FromPort is equal to 
Resources.FleetResource1.Properties.EC2InboundPermissions[0].ToPort", + "actualValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[0].FromPort is not equal to Resources.FleetResource1.Properties.EC2InboundPermissions[0].ToPort", + "issueType": "IncorrectValue", + "similarityID": "e21de5d48d1ceb9e6f0b12f1f835fd1ff57398754a3c5131601e35cdcd12413b", + "search_line": 8 }, { + "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", "severity": "MEDIUM", "line": 14, "fileName": "positive2.json", - "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range" + "resourceType": "AWS::GameLift::Fleet", + "resourceName": "FleetResource1", + "searchKey": "Resources.FleetResource1.Properties.EC2InboundPermissions", + "searchValue": "", + "expectedValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[1].FromPort is equal to Resources.FleetResource1.Properties.EC2InboundPermissions[1].ToPort", + "actualValue": "Resources.FleetResource1.Properties.EC2InboundPermissions[1].FromPort is not equal to Resources.FleetResource1.Properties.EC2InboundPermissions[1].ToPort", + "issueType": "IncorrectValue", + "similarityID": "4174031a624ec23469f82d4e85a471b59774bc65c2dd7e0bf748d0c4bc5892ea", + "search_line": 14 }, { "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", "severity": "MEDIUM", "line": 39, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::GameLift::Fleet", + "resourceName": "FleetResource3", + "searchKey": "Resources.FleetResource3.Properties.EC2InboundPermissions", + "searchValue": "", + "expectedValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[0].FromPort is equal to Resources.FleetResource3.Properties.EC2InboundPermissions[0].ToPort", + "actualValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[0].FromPort is not equal to Resources.FleetResource3.Properties.EC2InboundPermissions[0].ToPort", + "issueType": "IncorrectValue", + "similarityID": 
"03ed173cd5d01d7fe2691a87c4c5123e1bfc3cbbfea3faec371b7ed5dddf9601", + "search_line": 39 }, { "queryName": "GameLift Fleet EC2 InboundPermissions With Port Range", "severity": "MEDIUM", "line": 45, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::GameLift::Fleet", + "resourceName": "FleetResource3", + "searchKey": "Resources.FleetResource3.Properties.EC2InboundPermissions", + "searchValue": "", + "expectedValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[1].FromPort is equal to Resources.FleetResource3.Properties.EC2InboundPermissions[1].ToPort", + "actualValue": "Resources.FleetResource3.Properties.EC2InboundPermissions[1].FromPort is not equal to Resources.FleetResource3.Properties.EC2InboundPermissions[1].ToPort", + "issueType": "IncorrectValue", + "similarityID": "386c07dc8dd80de86557929eb3b5084cba02d7bf049f347c5ffd89e9615b93de", + "search_line": 45 } ] diff --git a/assets/queries/cloudFormation/aws/geo_restriction_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/geo_restriction_disabled/test/positive_expected_result.json index 364f0f18cd3..7e8f2e34582 100644 --- a/assets/queries/cloudFormation/aws/geo_restriction_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/geo_restriction_disabled/test/positive_expected_result.json 
@@ -1,14 +1,32 @@ [ { + "queryName": "Geo Restriction Disabled", "severity": "LOW", "line": 13, "fileName": "positive1.yaml", - "queryName": "Geo Restriction Disabled" + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.Restrictions.GeoRestriction.RestrictionType", + "searchValue": "", + "expectedValue": "Resources.myDistribution.Properties.Restrictions.GeoRestriction.RestrictionType should be enabled with whitelist or blacklist", + "actualValue": "Resources.myDistribution.Properties.Restrictions.GeoRestriction.RestrictionTypeallows is configured with none. Therefore, Geo Restriction is not enabled and it should be", + "issueType": "IncorrectValue", + "similarityID": "7f5fa56bd294d3a4a5d39cb873f977fbb281135004e02bc37a60816a74db4f66", + "search_line": -1 }, { "queryName": "Geo Restriction Disabled", "severity": "LOW", "line": 15, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.Restrictions.GeoRestriction.RestrictionType", + "searchValue": "", + "expectedValue": "Resources.myDistribution.Properties.Restrictions.GeoRestriction.RestrictionType should be enabled with whitelist or blacklist", + "actualValue": "Resources.myDistribution.Properties.Restrictions.GeoRestriction.RestrictionTypeallows is configured with none. Therefore, Geo Restriction is not enabled and it should be", + "issueType": "IncorrectValue", + "similarityID": "60ef3dbcf3634e91bafb366fe8fe74099105d0a8f8115a279604b0e96cbeabef", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/github_repository_set_to_public/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/github_repository_set_to_public/test/positive_expected_result.json index 865819ed241..974dfc7fd11 100644 
--- a/assets/queries/cloudFormation/aws/github_repository_set_to_public/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/github_repository_set_to_public/test/positive_expected_result.json 
@@ -3,30 +3,75 @@ "queryName": "GitHub Repository Set To Public", "severity": "MEDIUM", "line": 12, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::CodeStar::GitHubRepository", + "resourceName": "my-github-repo", + "searchKey": "Resources.MyRepo3.Properties.IsPrivate", + "searchValue": "", + "expectedValue": "'Resources.MyRepo3.Properties.IsPrivate' should be set to true", + "actualValue": "'Resources.MyRepo3.Properties.IsPrivate' is not set to true", + "issueType": "IncorrectValue", + "similarityID": "2b3b8441a158cdcb3524918c8a4d6259df78ab2c97a6e02b166084882cce017d", + "search_line": -1 }, { "queryName": "GitHub Repository Set To Public", "severity": "MEDIUM", "line": 5, - "fileName": "positive3.json" + "fileName": "positive2.yaml", + "resourceType": "AWS::CodeStar::GitHubRepository", + "resourceName": "my-github-repo", + "searchKey": "Resources.MyRepo4.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyRepo4.IsPrivate' should be set", + "actualValue": "'Resources.MyRepo4.IsPrivate' is undefined", + "issueType": "MissingAttribute", + "similarityID": "5a1780c690886b71346e808d66c1c577c3ffc2ea78578786880dbfd13d0cfb7a", + "search_line": -1 }, { "queryName": "GitHub Repository Set To Public", "severity": "MEDIUM", "line": 5, - "fileName": "positive2.yaml" + "fileName": "positive3.json", + "resourceType": "AWS::CodeStar::GitHubRepository", + "resourceName": "my-github-repo", + "searchKey": "Resources.MyRepo5.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyRepo5.IsPrivate' should be set", + "actualValue": "'Resources.MyRepo5.IsPrivate' is undefined", + "issueType": "MissingAttribute", + "similarityID": "66018f0fe68756823828ce703ea0551261b6b63f4bc18d4ce1be1040b273513d", + "search_line": -1 }, { "queryName": "GitHub Repository Set To Public", "severity": "MEDIUM", "line": 14, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::CodeStar::GitHubRepository", + 
"resourceName": "my-github-repo", + "searchKey": "Resources.MyRepo6.Properties.IsPrivate", + "searchValue": "", + "expectedValue": "'Resources.MyRepo6.Properties.IsPrivate' should be set to true", + "actualValue": "'Resources.MyRepo6.Properties.IsPrivate' is not set to true", + "issueType": "IncorrectValue", + "similarityID": "7f6c3af45ed08692493986ae0e21a50dbe3f6321ef2ccff4a33e23a89f35d8d4", + "search_line": -1 }, { "queryName": "GitHub Repository Set To Public", "severity": "MEDIUM", "line": 12, - "fileName": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "AWS::CodeStar::GitHubRepository", + "resourceName": "my-github-repo", + "searchKey": "Resources.MyRepo3.Properties.IsPrivate", + "searchValue": "", + "expectedValue": "'Resources.MyRepo3.Properties.IsPrivate' should be set to true", + "actualValue": "'Resources.MyRepo3.Properties.IsPrivate' is not set to true", + "issueType": "IncorrectValue", + "similarityID": "1f8fab7ee9646e53eb8635a6a0bc03b9add7cb997f72a7f6f36f12cf6e00f342", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/guardduty_detector_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/guardduty_detector_disabled/test/positive_expected_result.json index 31c42b15f5e..84f7c79af62 100644 --- a/assets/queries/cloudFormation/aws/guardduty_detector_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/guardduty_detector_disabled/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "GuardDuty Detector Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::GuardDuty::Detector", + "resourceName": "mydetector3", + "searchKey": "Resources.mydetector3.Properties.Enable", + "searchValue": "", + "expectedValue": "Resources.mydetector3.Properties.Enable should be set to true", + "actualValue": "Resources.mydetector3.Properties.Enable is set to false", + "issueType": "IncorrectValue", + "similarityID": "06f3962ed380a891b8a3ba1d0e64191c3d3195be8404c6f699b9d83be9edef45", + "search_line": -1 }, { "queryName": "GuardDuty Detector Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::GuardDuty::Detector", + "resourceName": "mydetector4", + "searchKey": "Resources.mydetector4.Properties.Enable", + "searchValue": "", + "expectedValue": "Resources.mydetector4.Properties.Enable should be set to true", + "actualValue": "Resources.mydetector4.Properties.Enable is set to false", + "issueType": "IncorrectValue", + "similarityID": "8334fbbb025d876c2c45c573ba110389047b4b90b65d7bbc5aa97a60ef405874", + "search_line": -1 }, { "queryName": "GuardDuty Detector Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::GuardDuty::Detector", + "resourceName": "mydetector3", + "searchKey": "Resources.mydetector3.Properties.Enable", + "searchValue": "", + "expectedValue": "Resources.mydetector3.Properties.Enable should be set to true", + "actualValue": "Resources.mydetector3.Properties.Enable is set to false", + "issueType": "IncorrectValue", + "similarityID": "a2a5499ea451de4c9e16d3e3af32c636c081afd3ed1c60101eb03778e0cc8ba2", + "search_line": -1 } ] 
diff --git a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json index 522d250589f..04970a7aa56 100644 --- a/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Hardcoded AWS Access Key In Lambda", "severity": "HIGH", "line": 10, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Lambda::Function", + "resourceName": "LambdaFunction3", + "searchKey": "Resources.LambdaFunction3.Properties.Environment.Variables", + "searchValue": "", + "expectedValue": "Resources.LambdaFunction3.Properties.Environment.Variables shouldn't contain access key", + "actualValue": "Resources.LambdaFunction3.Properties.Environment.Variables contains access key", + "issueType": "IncorrectValue", + "similarityID": "8a2841b8da21b94e9543c85cb3ab15951731221e3af8454e4f4c1973eec0a2be", + "search_line": -1 }, { "queryName": "Hardcoded AWS Access Key In Lambda", "severity": "HIGH", "line": 10, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::Lambda::Function", + "resourceName": "LambdaFunction4", + "searchKey": "Resources.LambdaFunction4.Properties.Environment.Variables", + "searchValue": "", + "expectedValue": "Resources.LambdaFunction4.Properties.Environment.Variables shouldn't contain access key", + "actualValue": "Resources.LambdaFunction4.Properties.Environment.Variables contains access key", + "issueType": "IncorrectValue", + "similarityID": "6caed1b228d47ae686ff328be82a24c3ecbc944fb61d66b21fbb462211014038", + "search_line": -1 }, { + "queryName": "Hardcoded AWS Access Key In Lambda", + "severity": "HIGH", "line": 29, "fileName": "positive3.json", - "queryName": "Hardcoded AWS Access Key In Lambda", - "severity": "HIGH" + "resourceType": "AWS::Lambda::Function", + "resourceName": "LambdaFunction5", + "searchKey": "Resources.LambdaFunction5.Properties.Environment.Variables", + "searchValue": "", + "expectedValue": "Resources.LambdaFunction5.Properties.Environment.Variables shouldn't contain access key", + "actualValue": "Resources.LambdaFunction5.Properties.Environment.Variables contains access key", + "issueType": "IncorrectValue", + 
"similarityID": "9de08d872871cb30100e04977785e3aeb5ca8fce5fc874025a949e8361a9dc03", + "search_line": -1 }, { "queryName": "Hardcoded AWS Access Key In Lambda", "severity": "HIGH", "line": 29, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::Lambda::Function", + "resourceName": "LambdaFunction6", + "searchKey": "Resources.LambdaFunction6.Properties.Environment.Variables", + "searchValue": "", + "expectedValue": "Resources.LambdaFunction6.Properties.Environment.Variables shouldn't contain access key", + "actualValue": "Resources.LambdaFunction6.Properties.Environment.Variables contains access key", + "issueType": "IncorrectValue", + "similarityID": "5dcab68603be1a6777e0f461f043a7467874e1efa1d7cdcc13d8b5413d31aacc", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/http_port_open/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/http_port_open/test/positive_expected_result.json index d3ef6c01790..3ce0d9a80e2 100644 --- a/assets/queries/cloudFormation/aws/http_port_open/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/http_port_open/test/positive_expected_result.json 
@@ -3,132 +3,330 @@ "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 10, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", + "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "f9a8eb56b6580c9a78531bcc185edafb5f021ef66c0b394b7fb60d6fe78f7b48", + "search_line": 10 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", + "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "87a6c4caacc1daa1bd9b254f5e4f77c5b8becf5fee0ca063d4f5b3d7ffa82326", + "search_line": 22 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 38, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the HTTP port (80)", + "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the HTTP port (80)", + 
"issueType": "IncorrectValue", + "similarityID": "67cd1c48d43bb6ba699c558cf079e0398f269d5165068bdd35115580ff3a0e90", + "search_line": 38 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 51, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", + "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "09ddc85167487cc9059824a8cefd991342822a3a90747824035e1aff68bd9050", + "search_line": 51 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 63, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_2", + "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", + "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "79b3c54d3f2964ffce589dfbdcbba977f458a08d4ec7dda951f9cb12bc60c53c", + "search_line": 63 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 79, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the HTTP port (80)", + 
"actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "efb63d525194deee322f4dac8cd714df5cee863cf93cc09ac8385d027c51fa03", + "search_line": 79 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 12, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the HTTP port (80)", + "actualValue": "'Resources.IPv4Ingress1.Properties' opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "3320ef909ad98241b3f5900b033e339b6e5e4f59732d1c6537bb173f7425c0a7", + "search_line": 12 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 21, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the HTTP port (80)", + "actualValue": "'Resources.IPv4Ingress2.Properties' opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "9eb9b3aaa8bf6c8fb2ed2bea31f55bc7a4c8d69cd99d319e19fe2170395a5290", + "search_line": 21 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 31, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open the HTTP port (80)", + "actualValue": "'Resources.IPv6Ingress1.Properties' opens the HTTP port (80)", + 
"issueType": "IncorrectValue", + "similarityID": "5efca30e96be19e5697da0f28ed806da22ee34e2859038ffa484c87b213efdf3", + "search_line": 31 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 40, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the HTTP port (80)", + "actualValue": "'Resources.IPv6Ingress2.Properties' opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "f31606b62a2ce8d1bf82986d87fe5abccb61c9024f8ea0f255f40a2202b6e406", + "search_line": 40 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 49, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the HTTP port (80)", + "actualValue": "'Resources.IPv6Ingress3.Properties' opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "8b60b5ffc52fbc317dc08bb3398fd478dd8f4e8ee856c4d17a918b292724913f", + "search_line": 49 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 10, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", + "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": 
"4aa8fa5227ff21554ae4f36a056f9915d8cc7bb28af786fd90312f169ae598ba", + "search_line": 10 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 25, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", + "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "e3e5b836196d5f5342fab1683f5f8779dbe0717b039fec5046be9a4251974d00", + "search_line": 25 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 46, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the HTTP port (80)", + "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "a392aef9e5ca018d13c246e34e20700e20d5831c047d3388a016d2a83a2c5eff", + "search_line": 46 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 61, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", + "actualValue": 
"'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "b5911fb87af2223c044a32e2f3e95c66117467595965c38236049a9c1cd720e3", + "search_line": 61 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 76, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_2", + "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' should not open the HTTP port (80)", + "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "a567501419d20bbd410534c568759086feffb5027b3748b61c73a8c68fe47014", + "search_line": 76 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 97, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the HTTP port (80)", + "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "5b81f8a81fb0019d91b8904acc97954c26ecf98632b0dd4a1b53950ccf02378c", + "search_line": 97 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 14, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "", + "expectedValue": 
"'Resources.IPv4Ingress1.Properties' should not open the HTTP port (80)", + "actualValue": "'Resources.IPv4Ingress1.Properties' opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "4fd10e39367b117d71d24d61315c3809b358bbbe2f061f211f5af430f28ac15c", + "search_line": 14 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 26, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the HTTP port (80)", + "actualValue": "'Resources.IPv4Ingress2.Properties' opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "0f82f1b5735d1dccffb8b0672a89c436e53675620b13c3f83faaab23acee7acd", + "search_line": 26 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 38, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open the HTTP port (80)", + "actualValue": "'Resources.IPv6Ingress1.Properties' opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "67eadb6a00fac10ea95c49c834f75ccff6ac644540497cad7839a7bcafd7c440", + "search_line": 38 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 50, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the HTTP port (80)", + "actualValue": 
"'Resources.IPv6Ingress2.Properties' opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "1a154b6dcf449b8cd9da0499e599499d0d0038ae0a681b18e102ae1c463f0949", + "search_line": 50 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 62, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the HTTP port (80)", + "actualValue": "'Resources.IPv6Ingress3.Properties' opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "e935e3117d1463ede14cce0e12d59035d94130e8d1f247a0fec0aec016385aac", + "search_line": 62 } ] diff --git a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json index c0896937034..1df5a620968 100644 --- a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "IAM Access Analyzer Not Enabled", "severity": "LOW", "line": 3, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Resources", + "searchValue": "", + "expectedValue": "'AWS::AccessAnalyzer::Analyzer' should be set", + "actualValue": "'AWS::AccessAnalyzer::Analyzer' is undefined", + "issueType": "MissingAttribute", + "similarityID": "d9336bd1a54f7d1cefd4bb0f15cb59b8bdcc36a58baede0bf9fdb7186b7bac34", + "search_line": 3 }, { "queryName": "IAM Access Analyzer Not Enabled", "severity": "LOW", "line": 4, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "Resources", + "searchValue": "", + "expectedValue": "'AWS::AccessAnalyzer::Analyzer' should be set", + "actualValue": "'AWS::AccessAnalyzer::Analyzer' is undefined", + "issueType": "MissingAttribute", + "similarityID": "823cd320ba2249efda42bdf413dd69c3e9a54b491f081c917dc9625b90e62880", + "search_line": 4 } ] diff --git a/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/test/positive_expected_result.json index 9d7881e32ef..d8cca629acf 100644 --- a/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled/test/positive_expected_result.json 
@@ -3,30 +3,75 @@ "queryName": "IAM Database Auth Not Enabled", "severity": "MEDIUM", "line": 19, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication should be true", + "actualValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication is false", + "issueType": "IncorrectValue", + "similarityID": "80d838822b2adab2a5a2c1b509a79d67c0c94c87d0d729311f25206d370fed29", + "search_line": -1 }, { "queryName": "IAM Database Auth Not Enabled", "severity": "MEDIUM", "line": 31, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication should be true", + "actualValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication is false", + "issueType": "IncorrectValue", + "similarityID": "a14b915c51387c227288efb7ae06ad2ddbed9c03eff0ca523b6bc3225e3ed6bc", + "search_line": -1 }, { "queryName": "IAM Database Auth Not Enabled", "severity": "MEDIUM", "line": 13, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication should be defined", + "actualValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication is not defined", + "issueType": "MissingAttribute", + "similarityID": "d610df1e9875ddbb1527f5fdc419bd5cc68f1a30b95e9065764234dabf92a99b", + "search_line": -1 }, { "queryName": "IAM Database Auth Not 
Enabled", "severity": "MEDIUM", "line": 18, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication should be defined", + "actualValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication is not defined", + "issueType": "MissingAttribute", + "similarityID": "f5fdd52c6e07a3cb77f657f2d4c1fdbe6b00d90496f906ec6fcdd8962d38994b", + "search_line": -1 }, { "queryName": "IAM Database Auth Not Enabled", "severity": "MEDIUM", "line": 19, - "fileName": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication should be true", + "actualValue": "Resources.MyDBSmall.Properties.EnableIAMDatabaseAuthentication is false", + "issueType": "IncorrectValue", + "similarityID": "6633e5f1ececec22052aad1a9b6c37ce608529fb487efa835f1ccf38d47f0a41", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json index 2f42addade3..96ee17690ed 100644 --- a/assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json 
@@ -3,216 +3,540 @@ "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 15, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue", + "similarityID": "9d968e8ceb5b9460952bf1794094f8af1369f609db2269de1268ba1f1aa952a0", + "search_line": 15 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 21, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue", + "similarityID": "e5d6743000def497111f33e2e86d464c67aac15be866e2e2641ff36449b38b9e", + "search_line": 21 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute", + "similarityID": 
"d4e49bdd07e2cd7f61d666373485161a423de8635d8aaf34be9e9e428d0875f4", + "search_line": 5 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute", + "similarityID": "645e16716cce62ffec8d3d2d31b623cd59d7159f925877e26489b4ae1870ab5f", + "search_line": 6 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 15, - "fileName": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue", + "similarityID": "33ec6b83cb8e3127e2c3a01f2cd3a7e74f69c8b099fbdffa0c41a0ab450a0f36", + "search_line": 15 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 21, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue", + 
"similarityID": "7f2967ee49d9704782f3cadc9c68cb8ae8ff9edc130280ece6b0aef579a7f686", + "search_line": 21 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 14, - "fileName": "positive7.yaml" + "fileName": "positive7.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue", + "similarityID": "623924b8d33ce9edc44c4a4299729843559c3abe91f7b62d4e23164e1d4c5a0e", + "search_line": 14 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 22, - "fileName": "positive8.json" + "fileName": "positive8.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue", + "similarityID": "f4445c85d12361c866bdf265e40b545e9af997fdb3499788130ae5a0a49fa649", + "search_line": 22 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 14, - "fileName": "positive9.yaml" + "fileName": "positive9.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": 
"IncorrectValue", + "similarityID": "a1c5185212695badd9906de62e0b493be9c3e8c4735a5b59e800ff7778bc2c61", + "search_line": 14 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 22, - "fileName": "positive10.json" + "fileName": "positive10.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue", + "similarityID": "635e59d0a8d59a71b790e358583ca93a91822127dafdca1b1d30dda47875a198", + "search_line": 22 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive11.yaml" + "fileName": "positive11.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute", + "similarityID": "53ae48165e70e4e16a8f4c7a91daea89a55206c5644cbb0769de7123d9b3f9fb", + "search_line": 5 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive12.json" + "fileName": "positive12.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + 
"issueType": "MissingAttribute", + "similarityID": "ad6367f8a950f246276e17f7b336e0a356ab257f90f53b063e743681bc659086", + "search_line": 6 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 14, - "fileName": "positive13.yaml" + "fileName": "positive13.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue", + "similarityID": "6737343db7bbd3eff59b4df840ab2314b95af8b22c13c6e1f21e8348e6dd9763", + "search_line": 14 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 22, - "fileName": "positive14.json" + "fileName": "positive14.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue", + "similarityID": "0fb9da3de9a0a60a23ec9f315c7a2c9289d37b60b5f4071efa4367099e208e70", + "search_line": 22 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 14, - "fileName": "positive15.yaml" + "fileName": "positive15.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is 
defined to false", + "issueType": "IncorrectValue", + "similarityID": "8a9c68d0cde10053a5052daabe394b7df5ffb33eb6e2367995bcc0a7a07234d7", + "search_line": 14 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 22, - "fileName": "positive16.json" + "fileName": "positive16.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue", + "similarityID": "7c741e33f0a22719706da98603fd019bca17f4f0a23892966c230256bf701f27", + "search_line": 22 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive17.yaml" + "fileName": "positive17.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute", + "similarityID": "e9aacc566125ec71f730b21deffb0ede6630e78e8aa542544b00183ca1892c80", + "search_line": 5 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive18.json" + "fileName": "positive18.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not 
defined (disabled by default)", + "issueType": "MissingAttribute", + "similarityID": "b533d516b6e355edae29452b0c37bc42891177a05b597f12093bcf60c89f036f", + "search_line": 6 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive19.yaml" + "fileName": "positive19.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute", + "similarityID": "3483d0fabdd2a637ca5486de49b4f11df6c62812b391d7a4d8b8e5c7931ee870", + "search_line": 5 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive20.json" + "fileName": "positive20.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute", + "similarityID": "4ec1b39a81fed51d8e47654e8f342a61e793c200863f257e030d86b883b50b55", + "search_line": 6 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive21.yaml" + "fileName": "positive21.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties", + "searchValue": "", + "expectedValue": 
"'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute", + "similarityID": "46a6847fae494c1f7b0f7bbe0c543a830a83d95829723c62686f41ddb713b252", + "search_line": 5 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive22.json" + "fileName": "positive22.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute", + "similarityID": "5c53984ce89e5381324b9a675d0a2c031562563442ab3d9b3029daa97ee2e3d1", + "search_line": 6 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 15, - "fileName": "positive23.yaml" + "fileName": "positive23.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue", + "similarityID": "da81c0178ffcc3d57737d9e6b8b74254d44a8fded250faffa1dc4494b9da6b18", + "search_line": 15 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 21, - "fileName": "positive24.json" + "fileName": "positive24.json", + "resourceType": 
"AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue", + "similarityID": "002f43e1c8198fb4e14341a063024e48d655b1dbf7587475f8f515271adcda9f", + "search_line": 21 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 15, - "fileName": "positive25.yaml" + "fileName": "positive25.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue", + "similarityID": "e2303513370adf1e410a76bc37a443231c0de71941860a8718c0dfa528436973", + "search_line": 15 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 21, - "fileName": "positive26.json" + "fileName": "positive26.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue", + "similarityID": "cf43c1327cb0af81dae1e66e16273d60a7e48ccb155eb82484bed4205e7e988d", + "search_line": 21 }, { "queryName": "IAM 
DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 14, - "fileName": "positive27.yaml" + "fileName": "positive27.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue", + "similarityID": "675f064257e38562b1aac8950aa43fec95003acaf59a9f1d693ce40e0a4c9b3f", + "search_line": 14 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 20, - "fileName": "positive28.json" + "fileName": "positive28.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue", + "similarityID": "13a4d93e6435e2da33c7b7df35c9b52ffd92ac47494fbfe255084d0a9817d185", + "search_line": 20 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 14, - "fileName": "positive29.yaml" + "fileName": "positive29.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": 
"IncorrectValue", + "similarityID": "12172db01fdc5b88cc0f2bfbf13ef40ed4e0160ed182668627e32433bbf5d18c", + "search_line": 14 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 20, - "fileName": "positive30.json" + "fileName": "positive30.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "PostgresDBCluster", + "searchKey": "Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.PostgresDBCluster.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue", + "similarityID": "dd9c053efaf04b5065cdc4c0e6e1fef651c4e6ccc7a73f2aa9c0255283a4d33e", + "search_line": 20 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 15, - "fileName": "positive31.yaml" + "fileName": "positive31.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue", + "similarityID": "159d2d2d5437cee54f4de30dd43bdda1139fc58c82572f6312ad8a40adb59a6f", + "search_line": 15 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 23, - "fileName": "positive32.json" + "fileName": "positive32.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": 
"'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue", + "similarityID": "a4e17d5342348f72d847f489e119466c05dd195bbe8f3961f39bcd81ad80301e", + "search_line": 23 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 15, - "fileName": "positive33.yaml" + "fileName": "positive33.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue", + "similarityID": "0ebaa35fdac0292b6bd90675cbae3744fc651a7a9359df6d221a397625cf13f9", + "search_line": 15 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 23, - "fileName": "positive34.json" + "fileName": "positive34.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties.EnableIAMDatabaseAuthentication", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined to true", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is defined to false", + "issueType": "IncorrectValue", + "similarityID": "5dcb7b05d06292078947bd7673d50e3b7970eb8439327be721ca417a9fe00269", + "search_line": 23 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive35.yaml" + "fileName": "positive35.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": 
"'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute", + "similarityID": "51ef71cfa3431230958d4142ea3a8ba3572c33b8f232f6811e43148e7e8bfd1e", + "search_line": 5 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive36.json" + "fileName": "positive36.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "sample", + "searchKey": "Resources.sample.Properties", + "searchValue": "", + "expectedValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' should be defined (disabled by default)", + "actualValue": "'Resources.sample.Properties.EnableIAMDatabaseAuthentication' is not defined (disabled by default)", + "issueType": "MissingAttribute", + "similarityID": "38535ae65331d3959c4ff814a06db50792927421fc74ac64bad802c7bdc6f175", + "search_line": 6 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/iam_group_without_users/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_group_without_users/test/positive_expected_result.json index f5bbc9440fb..3fc84d13d82 100644 --- a/assets/queries/cloudFormation/aws/iam_group_without_users/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_group_without_users/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "IAM Group Without Users", "severity": "MEDIUM", "line": 4, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::IAM::Group", + "resourceName": "myuseeer", + "searchKey": "Resources.myuseeer", + "searchValue": "", + "expectedValue": "Resources.myuseeer has at least one user", + "actualValue": "Resources.myuseeer does not have at least one user", + "issueType": "IncorrectValue", + "similarityID": "d17678e9e3b873176112b4d1caccb8ade66aeb4869fa16b38089a3ba189980c6", + "search_line": -1 }, { "queryName": "IAM Group Without Users", "severity": "MEDIUM", "line": 5, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::IAM::Group", + "resourceName": "myuseeer2", + "searchKey": "Resources.myuseeer2", + "searchValue": "", + "expectedValue": "Resources.myuseeer2 has at least one user", + "actualValue": "Resources.myuseeer2 does not have at least one user", + "issueType": "IncorrectValue", + "similarityID": "9ff3aa1766978959f12a90bc72e722a204a7dc90590278db4b796dcf15d1a831", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/iam_groups_inline_policies/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_groups_inline_policies/test/positive_expected_result.json index 66be9a07df7..423b966ff57 100644 --- a/assets/queries/cloudFormation/aws/iam_groups_inline_policies/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_groups_inline_policies/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "IAM Group Inline Policies", "severity": "MEDIUM", "line": 10, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::IAM::Group", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.Policies", + "searchValue": "", + "expectedValue": "'Resources.Properties.Policies' should be undefined or empty", + "actualValue": "'Resources.Properties.Policies' is not empty", + "issueType": "IncorrectValue", + "similarityID": "5a27a108e41b0d6e8161a20d14707db8578dc06094464295de27f65db95de41d", + "search_line": -1 }, { "queryName": "IAM Group Inline Policies", "severity": "MEDIUM", "line": 12, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::IAM::Group", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.Policies", + "searchValue": "", + "expectedValue": "'Resources.Properties.Policies' should be undefined or empty", + "actualValue": "'Resources.Properties.Policies' is not empty", + "issueType": "IncorrectValue", + "similarityID": "e85351b8a2f495bf260da4d62670e0a6b48d632d21c339ee16007fbc41383f4d", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/test/positive_expected_result.json index 3dff9f858cc..2df5c6fa19a 100644 --- a/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user/test/positive_expected_result.json 
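Review bot: The `expectedValue`/`actualValue` strings pinned here name the path as `'Resources.Properties.Policies'`, dropping the resource name that `searchKey` (`Resources.myuser.Properties.Policies`) carries; the iam_password_without_minimum_length hunk has the same gap with `'Resources.Properties.LoginProfile.Password'`. The iam_policies_attached_to_user hunk shows the fuller form, `'Resources.myuser.Properties.Policies' should be undefined or empty`. Since the fixture now locks the message text, correcting the query's message to include the resource name and regenerating would be preferable to freezing the abbreviated wording.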
@@ -3,12 +3,30 @@ "queryName": "IAM Managed Policy Applied to a User", "severity": "MEDIUM", "line": 10, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::IAM::ManagedPolicy", + "resourceName": "CreateTestDBPolicy", + "searchKey": "Resources.CreateTestDBPolicy.Properties.Users", + "searchValue": "", + "expectedValue": "Resources.CreateTestDBPolicy is assigned to a set of users", + "actualValue": "Resources.CreateTestDBPolicy should be assigned to a set of groups", + "issueType": "IncorrectValue", + "similarityID": "bd47994a730800e678cd751b9aef3a8a9dff6e96fa354cd341330416dbb637e1", + "search_line": -1 }, { "queryName": "IAM Managed Policy Applied to a User", "severity": "MEDIUM", "line": 11, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::IAM::ManagedPolicy", + "resourceName": "CreateTestDBPolicy", + "searchKey": "Resources.CreateTestDBPolicy.Properties.Users", + "searchValue": "", + "expectedValue": "Resources.CreateTestDBPolicy is assigned to a set of users", + "actualValue": "Resources.CreateTestDBPolicy should be assigned to a set of groups", + "issueType": "IncorrectValue", + "similarityID": "6fd2bb9fb971ae7fd137cf8320bbffa2abff7a5eec6967bb9a64223bb0d94bbe", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/test/positive_expected_result.json index a5765e9f98e..33b716bcd18 100644 --- a/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_password_without_minimum_length/test/positive_expected_result.json 
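Review bot: `expectedValue` and `actualValue` read inverted in both entries: the expected text states the failing condition (`is assigned to a set of users`) and the actual text states the remedy (`should be assigned to a set of groups`). Pinning them as-is bakes the inversion into the test, so the query message should be fixed and the fixture regenerated, e.g. `"expectedValue": "Resources.CreateTestDBPolicy should be assigned to a set of groups"` and `"actualValue": "Resources.CreateTestDBPolicy is assigned to a set of users"`. The inference that the two strings are swapped rests on the convention in the surrounding fixtures, where expectedValue carries the "should" wording.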
@@ -3,12 +3,30 @@ "queryName": "IAM Password Without Minimum Length", "severity": "LOW", "line": 9, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::IAM::User", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.LoginProfile.Password", + "searchValue": "", + "expectedValue": "'Resources.Properties.LoginProfile.Password' has a minimum length of 14", + "actualValue": "'Resources.Properties.LoginProfile.Password' doesn't have a minimum length of 14", + "issueType": "IncorrectValue", + "similarityID": "1b7276fa4386172ff972583841214e991ff901de47851a24f9ffda40be308170", + "search_line": -1 }, { "queryName": "IAM Password Without Minimum Length", "severity": "LOW", "line": 10, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::IAM::User", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.LoginProfile.Password", + "searchValue": "", + "expectedValue": "'Resources.Properties.LoginProfile.Password' has a minimum length of 14", + "actualValue": "'Resources.Properties.LoginProfile.Password' doesn't have a minimum length of 14", + "issueType": "IncorrectValue", + "similarityID": "84b38ed47bee07e3cc1ebd3d77943d77c8bff6660314b5e1609fa1ab51fa3be3", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/test/positive_expected_result.json index 69799f5eb6f..270b921af06 100644 --- a/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iam_policies_attached_to_user/test/positive_expected_result.json 
@@ -2,25 +2,61 @@
 {
 "queryName": "IAM Policies Attached To User",
 "severity": "MEDIUM",
- "line": 14,
- "fileName": "positive1.yaml"
+ "line": 10,
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::IAM::User",
+ "resourceName": "myuser",
+ "searchKey": "Resources.myuser.Properties.ManagedPoliciesArns",
+ "searchValue": "",
+ "expectedValue": "'Resources.myuser.Properties.ManagedPoliciesArns' is undefined or empty",
+ "actualValue": "'Resources.myuser.Properties.ManagedPoliciesArns' is not empty",
+ "issueType": "IncorrectValue",
+ "similarityID": "a9c1df5ecb98a248719f4fbb5cb719f0265d9c1883b1aaa5a6f27f845462ee58",
+ "search_line": -1
 },
 {
 "queryName": "IAM Policies Attached To User",
 "severity": "MEDIUM",
- "line": 10,
- "fileName": "positive1.yaml"
+ "line": 14,
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::IAM::User",
+ "resourceName": "myuser",
+ "searchKey": "Resources.myuser.Properties.Policies",
+ "searchValue": "",
+ "expectedValue": "'Resources.myuser.Properties.Policies' should be undefined or empty",
+ "actualValue": "'Resources.myuser.Properties.Policies' is not empty",
+ "issueType": "IncorrectValue",
+ "similarityID": "1f7843989f90cae834b1304e8feafd7af93929ceaad93235781d4ff062f996e7",
+ "search_line": -1
 },
 {
 "queryName": "IAM Policies Attached To User",
 "severity": "MEDIUM",
- "line": 14,
- "fileName": "positive2.json"
+ "line": 10,
+ "fileName": "positive2.json",
+ "resourceType": "AWS::IAM::User",
+ "resourceName": "myuser",
+ "searchKey": "Resources.myuser.Properties.ManagedPoliciesArns",
+ "searchValue": "",
+ "expectedValue": "'Resources.myuser.Properties.ManagedPoliciesArns' is undefined or empty",
+ "actualValue": "'Resources.myuser.Properties.ManagedPoliciesArns' is not empty",
+ "issueType": "IncorrectValue",
+ "similarityID": "d4626351e72322f8585eda50063db7a158c8bb6fc624e497435a6472fd790c61",
+ "search_line": -1
 },
 {
+ "queryName": "IAM Policies Attached To User",
 "severity": "MEDIUM",
- "line": 10,
+ "line": 14,
 "fileName": "positive2.json",
- "queryName": "IAM Policies Attached To User"
+ "resourceType": "AWS::IAM::User",
+ "resourceName": "myuser",
+ "searchKey": "Resources.myuser.Properties.Policies",
+ "searchValue": "",
+ "expectedValue": "'Resources.myuser.Properties.Policies' should be undefined or empty",
+ "actualValue": "'Resources.myuser.Properties.Policies' is not empty",
+ "issueType": "IncorrectValue",
+ "similarityID": "b115059c017d3487e9a5e5557e94814e33907ae72f954401e1a94182ed998db6",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/test/positive_expected_result.json
index 19b16708d30..8b3c43470f2 100644
--- a/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/test/positive_expected_result.json
@@ -3,24 +3,60 @@
 "queryName": "IAM Policies With Full Privileges",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::IAM::Policy",
+ "resourceName": "mygrouppolicy",
+ "searchKey": "Resources.mypolicy.Properties.PolicyDocument",
+ "searchValue": "",
+ "expectedValue": "'Resources.Properties.PolicyDocument.Statement' shouldn't contain '*'",
+ "actualValue": "'Resources.Properties.PolicyDocument.Statement' contains '*'",
+ "issueType": "IncorrectValue",
+ "similarityID": "3ef1fdd9ef7c32df611b4a9263e2010baf1d60735d237c446c71b9bb5deaa38b",
+ "search_line": -1
 },
 {
 "queryName": "IAM Policies With Full Privileges",
 "severity": "MEDIUM",
 "line": 21,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::IAM::Policy",
+ "resourceName": "mygrouppolicy",
+ "searchKey": "Resources.mypolicy2.Properties.PolicyDocument",
+ "searchValue": "",
+ "expectedValue": "'Resources.Properties.PolicyDocument.Statement' shouldn't contain '*'",
+ "actualValue": "'Resources.Properties.PolicyDocument.Statement' contains '*'",
+ "issueType": "IncorrectValue",
+ "similarityID": "d1b20b8b342dd30544727a9ac1c44537603d1f0ee23b450d8acedd4dc0668368",
+ "search_line": -1
 },
 {
 "queryName": "IAM Policies With Full Privileges",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::IAM::Policy",
+ "resourceName": "mygrouppolicy",
+ "searchKey": "Resources.mypolicy.Properties.PolicyDocument",
+ "searchValue": "",
+ "expectedValue": "'Resources.Properties.PolicyDocument.Statement' shouldn't contain '*'",
+ "actualValue": "'Resources.Properties.PolicyDocument.Statement' contains '*'",
+ "issueType": "IncorrectValue",
+ "similarityID": "94ba689558b7028ce9c044ca41019d66d94717d8f4b9adbec62c7ac47bc36803",
+ "search_line": -1
 },
 {
 "queryName": "IAM Policies With Full Privileges",
 "severity": "MEDIUM",
 "line": 31,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::IAM::Policy",
+ "resourceName": "mygrouppolicy",
+ "searchKey": "Resources.mypolicy2.Properties.PolicyDocument",
+ "searchValue": "",
+ "expectedValue": "'Resources.Properties.PolicyDocument.Statement' shouldn't contain '*'",
+ "actualValue": "'Resources.Properties.PolicyDocument.Statement' contains '*'",
+ "issueType": "IncorrectValue",
+ "similarityID": "9a1b094ee1eaec354c71d861548414c7e62787bdbe66bce4c3402f01c711ad1b",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/iam_policies_without_groups/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policies_without_groups/test/positive_expected_result.json
index 8ef4a853721..d355fd732a8 100644
--- a/assets/queries/cloudFormation/aws/iam_policies_without_groups/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/iam_policies_without_groups/test/positive_expected_result.json
@@ -1,14 +1,32 @@
 [
 {
- "fileName": "positive1.yaml",
 "queryName": "IAM Policies Without Groups",
 "severity": "LOW",
- "line": 25
+ "line": 25,
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::IAM::Policy",
+ "resourceName": "myuser",
+ "searchKey": "Resources.myuser.Properties.Policies.Users",
+ "searchValue": "",
+ "expectedValue": "'Resources.Properties.Policies.Users should be replaced by Groups",
+ "actualValue": "'Resources.Properties.Policies.Users' is not the correct definition.",
+ "issueType": "IncorrectValue",
+ "similarityID": "11234c6f3166c79adce559fd6caf857c47311205b910eda3191aa87a7eb1550f",
+ "search_line": -1
 },
 {
 "queryName": "IAM Policies Without Groups",
 "severity": "LOW",
 "line": 38,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::IAM::Policy",
+ "resourceName": "myuser",
+ "searchKey": "Resources.myuser.Properties.Policies.Users",
+ "searchValue": "",
+ "expectedValue": "'Resources.Properties.Policies.Users should be replaced by Groups",
+ "actualValue": "'Resources.Properties.Policies.Users' is not the correct definition.",
+ "issueType": "IncorrectValue",
+ "similarityID": "92ddb3f7ac2d7ef5874ee1dfa3edf476627335b17c370e47940995110e7bb565",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json
index 8401007eb80..97f70bfd3b6 100644
--- a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json
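Review bot: The pinned `expectedValue` string `'Resources.Properties.Policies.Users should be replaced by Groups` opens a quote it never closes, and since the fixture now asserts on the exact message text, that typo in the query output becomes a test expectation. The same applies to `ilegal actions` in every entry of the iam_policy_allows_for_data_exfiltration hunk and to `'Resources.Properties should contain Groups` in the iam_user_with_no_group hunk. Fixing the wording later means regenerating all three files and their similarity IDs, so it is cheaper to correct the query messages before these expected results are committed.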
@@ -3,72 +3,180 @@
 "queryName": "IAM policy allows for data exfiltration",
 "severity": "MEDIUM",
 "line": 14,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::IAM::User",
+ "resourceName": "CFNUser",
+ "searchKey": "Resources.CFNUser.Properties.Policies.0.PolicyDocument.Statement.0.Action",
+ "searchValue": "",
+ "expectedValue": "'Resources.CFNUser.Properties.Policies[0].PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions",
+ "actualValue": "'Resources.CFNUser.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [*]",
+ "issueType": "IncorrectValue",
+ "similarityID": "d47865da23987a185f51db95eca127566f9e90aecc9a7cb42476b753cd8b2af5",
+ "search_line": 14
 },
 {
 "queryName": "IAM policy allows for data exfiltration",
 "severity": "MEDIUM",
 "line": 12,
- "fileName": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "AWS::IAM::Group",
+ "resourceName": "RootGroup",
+ "searchKey": "Resources.RootGroup.Properties.Policies.0.PolicyDocument.Statement.0.Action",
+ "searchValue": "",
+ "expectedValue": "'Resources.RootGroup.Properties.Policies[0].PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions",
+ "actualValue": "'Resources.RootGroup.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [ssm:GetParameter]",
+ "issueType": "IncorrectValue",
+ "similarityID": "b6011ad33dd9afdec6e00aa7f918d89cc9df2d7b6a47d0cb79d5d7d3cd859e73",
+ "search_line": 12
 },
 {
 "queryName": "IAM policy allows for data exfiltration",
 "severity": "MEDIUM",
 "line": 11,
- "fileName": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "AWS::IAM::Policy",
+ "resourceName": "CFNUsers",
+ "searchKey": "Resources.MyPolicy.Properties.PolicyDocument.Statement.0.Action",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions",
+ "actualValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' contains [ssm:GetParameters]",
+ "issueType": "IncorrectValue",
+ "similarityID": "00153f33a8f5fe240f05fdfd0515051318da708bb2255f07e7647eb98591f284",
+ "search_line": 11
 },
 {
 "queryName": "IAM policy allows for data exfiltration",
 "severity": "MEDIUM",
 "line": 12,
- "fileName": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "AWS::IAM::Role",
+ "resourceName": "RootRole",
+ "searchKey": "Resources.RootRole.Properties.Policies.0.PolicyDocument.Statement.0.Action",
+ "searchValue": "",
+ "expectedValue": "'Resources.RootRole.Properties.Policies[0].PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions",
+ "actualValue": "'Resources.RootRole.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [ssm:GetParametersByPath]",
+ "issueType": "IncorrectValue",
+ "similarityID": "57f91ae69dd0161014dfff61a07167c879ab4378409703a44febec739aa46d43",
+ "search_line": 12
 },
 {
 "queryName": "IAM policy allows for data exfiltration",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive5.yaml"
+ "fileName": "positive5.yaml",
+ "resourceType": "AWS::IAM::ManagedPolicy",
+ "resourceName": "CreateTestDBPolicy",
+ "searchKey": "Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement.0.Action",
+ "searchValue": "",
+ "expectedValue": "'Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions",
+ "actualValue": "'Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement[0].Action' contains [s3:*]",
+ "issueType": "IncorrectValue",
+ "similarityID": "09161871497c98e5b6c66591ab368836e44957756f8705a75617e4b63fd69b80",
+ "search_line": 9
 },
 {
 "queryName": "IAM policy allows for data exfiltration",
 "severity": "MEDIUM",
 "line": 18,
- "fileName": "positive6.json"
+ "fileName": "positive6.json",
+ "resourceType": "AWS::IAM::User",
+ "resourceName": "CFNUser",
+ "searchKey": "Resources.CFNUser.Properties.Policies.0.PolicyDocument.Statement.0.Action",
+ "searchValue": "",
+ "expectedValue": "'Resources.CFNUser.Properties.Policies[0].PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions",
+ "actualValue": "'Resources.CFNUser.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [*]",
+ "issueType": "IncorrectValue",
+ "similarityID": "c5384af2ac5fcab90a4b73ce69d0b3dbf5bc1305f295fafea53ba783fa6961e0",
+ "search_line": 18
 },
 {
 "queryName": "IAM policy allows for data exfiltration",
 "severity": "MEDIUM",
 "line": 15,
- "fileName": "positive7.json"
+ "fileName": "positive7.json",
+ "resourceType": "AWS::IAM::Group",
+ "resourceName": "RootGroup",
+ "searchKey": "Resources.RootGroup.Properties.Policies.0.PolicyDocument.Statement.0.Action",
+ "searchValue": "",
+ "expectedValue": "'Resources.RootGroup.Properties.Policies[0].PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions",
+ "actualValue": "'Resources.RootGroup.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [s3:GetObject]",
+ "issueType": "IncorrectValue",
+ "similarityID": "703603a590e74742997aa0b5bbcba9383d7a12172e0ff3e840149b024298f0ce",
+ "search_line": 15
 },
 {
 "queryName": "IAM policy allows for data exfiltration",
 "severity": "MEDIUM",
 "line": 13,
- "fileName": "positive8.json"
+ "fileName": "positive8.json",
+ "resourceType": "AWS::IAM::Policy",
+ "resourceName": "CFNUsers",
+ "searchKey": "Resources.MyPolicy.Properties.PolicyDocument.Statement.0.Action",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions",
+ "actualValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' contains [secretsmanager:GetSecretValue]",
+ "issueType": "IncorrectValue",
+ "similarityID": "f858da98b1fe014f4f6872da4846b2dda9bc58cee0c0b810d5c5b7166e9c6bcf",
+ "search_line": 13
 },
 {
 "queryName": "IAM policy allows for data exfiltration",
 "severity": "MEDIUM",
 "line": 15,
- "fileName": "positive9.json"
+ "fileName": "positive9.json",
+ "resourceType": "AWS::IAM::Role",
+ "resourceName": "RootRole",
+ "searchKey": "Resources.RootRole.Properties.Policies.0.PolicyDocument.Statement.0.Action",
+ "searchValue": "",
+ "expectedValue": "'Resources.RootRole.Properties.Policies[0].PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions",
+ "actualValue": "'Resources.RootRole.Properties.Policies[0].PolicyDocument.Statement[0].Action' contains [s3:GetObject, ssm:GetParameter, s3:*]",
+ "issueType": "IncorrectValue",
+ "similarityID": "5810fe36d8ee7eeb02f23da22775503c90a45be8c623a7b160c3dfc091998f65",
+ "search_line": 15
 },
 {
 "queryName": "IAM policy allows for data exfiltration",
 "severity": "MEDIUM",
 "line": 11,
- "fileName": "positive10.json"
+ "fileName": "positive10.json",
+ "resourceType": "AWS::IAM::ManagedPolicy",
+ "resourceName": "CreateTestDBPolicy",
+ "searchKey": "Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement.0.Action",
+ "searchValue": "",
+ "expectedValue": "'Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions",
+ "actualValue": "'Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement[0].Action' contains [s3:GetObject, ssm:GetParameter, s3:*]",
+ "issueType": "IncorrectValue",
+ "similarityID": "7582f9a4dd3c5ecd8f8486557e10abd766310c1f997f22482d317d7f38d244e0",
+ "search_line": 11
 },
 {
 "queryName": "IAM policy allows for data exfiltration",
 "severity": "MEDIUM",
 "line": 11,
- "fileName": "positive11.json"
+ "fileName": "positive11.json",
+ "resourceType": "AWS::IAM::ManagedPolicy",
+ "resourceName": "CreateTestDBPolicy",
+ "searchKey": "Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement.0.Action",
+ "searchValue": "",
+ "expectedValue": "'Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions",
+ "actualValue": "'Resources.CreateTestDBPolicy.Properties.PolicyDocument.Statement[0].Action' contains [s3:*]",
+ "issueType": "IncorrectValue",
+ "similarityID": "c4a04d7c12dbde4dcb83364d8b17406f72f156977475843b6f25b7a1d387df6a",
+ "search_line": 11
 },
 {
 "queryName": "IAM policy allows for data exfiltration",
 "severity": "MEDIUM",
 "line": 13,
- "fileName": "positive12.json"
+ "fileName": "positive12.json",
+ "resourceType": "AWS::IAM::Policy",
+ "resourceName": "CFNUsers",
+ "searchKey": "Resources.MyPolicy.Properties.PolicyDocument.Statement.0.Action",
+ "searchValue": "",
+ "expectedValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' shouldn't contain ilegal actions",
+ "actualValue": "'Resources.MyPolicy.Properties.PolicyDocument.Statement[0].Action' contains [secretsmanager:GetSecretValue]",
+ "issueType": "IncorrectValue",
+ "similarityID": "2d56cb82ba0c850e8c48552b9b34e18bd0e2509d134f11df784ef58d64adfb13",
+ "search_line": 13
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json
index f40195f228b..dc823f1c228 100644
--- a/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "IAM Policy Grants 'AssumeRole' Permission Across All Services",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::IAM::Policy",
+ "resourceName": "mygrouppolicy",
+ "searchKey": "Resources.mypolicy.Properties.PolicyDocument",
+ "searchValue": "",
+ "expectedValue": "'Resources.mypolicy.Properties.PolicyDocument.Statement' with AssumeRole action should not grant access in all services ('*')",
+ "actualValue": "'Resources.mypolicy.Properties.PolicyDocument.Statement' with AssumeRole action is granting access in all services ('*')",
+ "issueType": "IncorrectValue",
+ "similarityID": "fd94c430f81ce17bc36e0250cd5e6521b11135f0cded842bc724aca9fd260803",
+ "search_line": -1
 },
 {
 "queryName": "IAM Policy Grants 'AssumeRole' Permission Across All Services",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::IAM::Policy",
+ "resourceName": "mygrouppolicy",
+ "searchKey": "Resources.mypolicy.Properties.PolicyDocument",
+ "searchValue": "",
+ "expectedValue": "'Resources.mypolicy.Properties.PolicyDocument.Statement' with AssumeRole action should not grant access in all services ('*')",
+ "actualValue": "'Resources.mypolicy.Properties.PolicyDocument.Statement' with AssumeRole action is granting access in all services ('*')",
+ "issueType": "IncorrectValue",
+ "similarityID": "bb88ebfbeecb647d9690f07cb1de7bc48fefcb05387d7434da0519c3845d65ea",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json
index 6a9932378db..251efd5f3fb 100644
--- a/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json
@@ -3,24 +3,60 @@
 "queryName": "IAM Policy Grants Full Permissions",
 "severity": "HIGH",
 "line": 8,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::IAM::Policy",
+ "resourceName": "mygrouppolicy",
+ "searchKey": "Resources.mypolicy.Properties.PolicyDocument",
+ "searchValue": "",
+ "expectedValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' should not equal to '*'",
+ "actualValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' are equal to '*'",
+ "issueType": "IncorrectValue",
+ "similarityID": "811944ab87d92b36a5e031a74187a969782a558429b177e7455b3f48603f36fd",
+ "search_line": -1
 },
 {
 "queryName": "IAM Policy Grants Full Permissions",
 "severity": "HIGH",
 "line": 21,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::IAM::Policy",
+ "resourceName": "mygrouppolicy",
+ "searchKey": "Resources.mypolicy2.Properties.PolicyDocument",
+ "searchValue": "",
+ "expectedValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' should not equal to '*'",
+ "actualValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' are equal to '*'",
+ "issueType": "IncorrectValue",
+ "similarityID": "52e44ae5217bdecad501335d1a9aa8747d82eed0873a6ada3e2593ff28699b0e",
+ "search_line": -1
 },
 {
 "queryName": "IAM Policy Grants Full Permissions",
 "severity": "HIGH",
- "line": 29,
- "fileName": "positive2.json"
+ "line": 9,
+ "fileName": "positive2.json",
+ "resourceType": "AWS::IAM::Policy",
+ "resourceName": "mygrouppolicy",
+ "searchKey": "Resources.mypolicy2.Properties.PolicyDocument",
+ "searchValue": "",
+ "expectedValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' should not equal to '*'",
+ "actualValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' are equal to '*'",
+ "issueType": "IncorrectValue",
+ "similarityID": "a9b96aeb41f3623308fa96eb364ff5b9f01c53038af83e406b2064aa5008900e",
+ "search_line": -1
 },
 {
 "queryName": "IAM Policy Grants Full Permissions",
 "severity": "HIGH",
- "line": 9,
- "fileName": "positive2.json"
+ "line": 29,
+ "fileName": "positive2.json",
+ "resourceType": "AWS::IAM::Policy",
+ "resourceName": "mygrouppolicy",
+ "searchKey": "Resources.mypolicy.Properties.PolicyDocument",
+ "searchValue": "",
+ "expectedValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' should not equal to '*'",
+ "actualValue": "'PolicyDocument.Statement.Resource' and 'PolicyDocument.Statement.Action' are equal to '*'",
+ "issueType": "IncorrectValue",
+ "similarityID": "d27d97e3dfcef04b74f4c28aaedd1e24760927ab71b2e5d8c30442ef1eb4df4b",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/iam_policy_on_user/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_policy_on_user/test/positive_expected_result.json
index 21015b58d99..69ff69a5885 100644
--- a/assets/queries/cloudFormation/aws/iam_policy_on_user/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/iam_policy_on_user/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "IAM Policy On User",
 "severity": "MEDIUM",
 "line": 11,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::IAM::Policy",
+ "resourceName": "BadPolicy",
+ "searchKey": "Resources.BadPolicy.Properties.Users",
+ "searchValue": "",
+ "expectedValue": "Resources.BadPolicy is assigned to a set of users",
+ "actualValue": "Resources.BadPolicy should be assigned to a set of groups",
+ "issueType": "IncorrectValue",
+ "similarityID": "d0339a42d1a5701629297032daad4f7cb13f107bb5182d545c435a1943216f98",
+ "search_line": -1
 },
 {
+ "queryName": "IAM Policy On User",
 "severity": "MEDIUM",
 "line": 12,
 "fileName": "positive2.json",
- "queryName": "IAM Policy On User"
+ "resourceType": "AWS::IAM::Policy",
+ "resourceName": "BadPolicy",
+ "searchKey": "Resources.BadPolicy.Properties.Users",
+ "searchValue": "",
+ "expectedValue": "Resources.BadPolicy is assigned to a set of users",
+ "actualValue": "Resources.BadPolicy should be assigned to a set of groups",
+ "issueType": "IncorrectValue",
+ "similarityID": "117cd322bdf17f2b8950d4f64db7362ab30b8b4d502c0a035f2820c354334efc",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json
index 2781e221e62..87609c88e64 100644
--- a/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "IAM Role Allows All Principals To Assume",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::IAM::Role",
+ "resourceName": "RootRole",
+ "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument",
+ "searchValue": "",
+ "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument.Statement.Principal.AWS should not contain ':root'",
+ "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument.Statement.Principal.AWS contains ':root'",
+ "issueType": "IncorrectValue",
+ "similarityID": "948e314a1119934a67d46c44ce8c96d1f91f1fe640d5ce7a9ce1e73017b94d6c",
+ "search_line": 6
 },
 {
 "queryName": "IAM Role Allows All Principals To Assume",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::IAM::Role",
+ "resourceName": "RootRole",
+ "searchKey": "Resources.RootRole.Properties.AssumeRolePolicyDocument",
+ "searchValue": "",
+ "expectedValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument.Statement.Principal.AWS should not contain ':root'",
+ "actualValue": "Resources.RootRole.Properties.AssumeRolePolicyDocument.Statement.Principal.AWS contains ':root'",
+ "issueType": "IncorrectValue",
+ "similarityID": "dff558d87f86586dc7b1aa2a2cfad54462caf2b3fc4135c794750111529cdb96",
+ "search_line": 7
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/test/positive_expected_result.json
index 8b39e8ea169..64a30de34f9 100644
--- a/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext/test/positive_expected_result.json
@@ -1,14 +1,32 @@
 [
 {
+ "queryName": "IAM User LoginProfile Password Is In Plaintext",
 "severity": "HIGH",
 "line": 9,
 "fileName": "positive1.yaml",
- "queryName": "IAM User LoginProfile Password Is In Plaintext"
+ "resourceType": "AWS::IAM::User",
+ "resourceName": "myuser",
+ "searchKey": "Resources.myuser.Properties.LoginProfile.Password",
+ "searchValue": "",
+ "expectedValue": "'Resources.myuser.Properties.LoginProfile.Password' should be a ref to a secretsmanager value",
+ "actualValue": "'Resources.myuser.Properties.LoginProfile.Password' is a string literal",
+ "issueType": "IncorrectValue",
+ "similarityID": "903c378ac9e178e1f7842ccfbf2fbbb45e2b3196159f7c4a6482455998ca733b",
+ "search_line": -1
 },
 {
 "queryName": "IAM User LoginProfile Password Is In Plaintext",
 "severity": "HIGH",
 "line": 9,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::IAM::User",
+ "resourceName": "myuser",
+ "searchKey": "Resources.myuser.Properties.LoginProfile.Password",
+ "searchValue": "",
+ "expectedValue": "'Resources.myuser.Properties.LoginProfile.Password' should be a ref to a secretsmanager value",
+ "actualValue": "'Resources.myuser.Properties.LoginProfile.Password' is a string literal",
+ "issueType": "IncorrectValue",
+ "similarityID": "f35f1f839febfe4e38f47e90d1015ba28e94494330f0570e6f03da53716f8183",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/test/positive_expected_result.json
index 1ed53278e90..f18328b1b94 100644
--- a/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys/test/positive_expected_result.json
@@ -2,25 +2,61 @@
 {
 "queryName": "IAM User Has Too Many Access Keys",
 "severity": "MEDIUM",
- "line": 14,
- "fileName": "positive1.yaml"
- },
- {
 "line": 10,
 "fileName": "positive1.yaml",
- "queryName": "IAM User Has Too Many Access Keys",
- "severity": "MEDIUM"
+ "resourceType": "AWS::IAM::AccessKey",
+ "resourceName": "firstKey",
+ "searchKey": "Resources.firstKey",
+ "searchValue": "",
+ "expectedValue": "'Resources.firstKey' is the only AccessKey of user 'myuser'",
+ "actualValue": "'Resources.firstKey' is not the only AccessKey of user 'myuser'",
+ "issueType": "IncorrectValue",
+ "similarityID": "6c0fb7b14f82776c08b0f16921e2c2fe80171385651c893d7d4f1562cc1872e2",
+ "search_line": -1
 },
 {
 "queryName": "IAM User Has Too Many Access Keys",
 "severity": "MEDIUM",
- "line": 20,
- "fileName": "positive2.json"
+ "line": 14,
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::IAM::AccessKey",
+ "resourceName": "secondKey",
+ "searchKey": "Resources.secondKey",
+ "searchValue": "",
+ "expectedValue": "'Resources.secondKey' is the only AccessKey of user 'myuser'",
+ "actualValue": "'Resources.secondKey' is not the only AccessKey of user 'myuser'",
+ "issueType": "IncorrectValue",
+ "similarityID": "8a002ac02d9fa884176b533f4c63212477c536f94cfc2855a10d58beffd32888",
+ "search_line": -1
 },
 {
 "queryName": "IAM User Has Too Many Access Keys",
 "severity": "MEDIUM",
 "line": 5,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::IAM::AccessKey",
+ "resourceName": "secondKey",
+ "searchKey": "Resources.secondKey",
+ "searchValue": "",
+ "expectedValue": "'Resources.secondKey' is the only AccessKey of user 'myuser'",
+ "actualValue": "'Resources.secondKey' is not the only AccessKey of user 'myuser'",
+ "issueType": "IncorrectValue",
+ "similarityID": "ccb7d7e2eadde9ad7afc7a6e30bcd4d72851fdc3c37ce228f90b030a3e8077a7",
+ "search_line": -1
+ },
+ {
+ "queryName": "IAM User Has Too Many Access Keys",
+ "severity": "MEDIUM",
+ "line": 20,
+ "fileName": "positive2.json",
+ "resourceType": "AWS::IAM::AccessKey",
+ "resourceName": "firstKey",
+ "searchKey": "Resources.firstKey",
+ "searchValue": "",
+ "expectedValue": "'Resources.firstKey' is the only AccessKey of user 'myuser'",
+ "actualValue": "'Resources.firstKey' is not the only AccessKey of user 'myuser'",
+ "issueType": "IncorrectValue",
+ "similarityID": "9ff62e52952319e42a13f7e51caed1a8facb866eff2930c92d4f1e841bf5fc09",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/iam_user_with_no_group/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iam_user_with_no_group/test/positive_expected_result.json
index 83c4042d6dc..eeccbfeb4e9 100644
--- a/assets/queries/cloudFormation/aws/iam_user_with_no_group/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/iam_user_with_no_group/test/positive_expected_result.json
@@ -1,26 +1,62 @@ [ { + "queryName": "IAM User With No Group", "severity": "LOW", "line": 6, "fileName": "positive1.yaml", - "queryName": "IAM User With No Group" + "resourceType": "AWS::IAM::User", + "resourceName": "TestUser", + "searchKey": "Resources.MyUser.Properties", + "searchValue": "", + "expectedValue": "'Resources.Properties should contain Groups", + "actualValue": "'Resources.Properties' does not contain Groups", + "issueType": "MissingAttribute", + "similarityID": "b9a1326bd5d11d2f24d67e75ea8aed68724b840f1e9a54247fe51288218b9f98", + "search_line": -1 }, { - "fileName": "positive2.yaml", "queryName": "IAM User With No Group", "severity": "LOW", - "line": 7 + "line": 7, + "fileName": "positive2.yaml", + "resourceType": "AWS::IAM::User", + "resourceName": "TestUser", + "searchKey": "Resources.emptyGroup.Properties.Groups", + "searchValue": "", + "expectedValue": "'Resources.Properties.Groups' should contain groups", + "actualValue": "'Resources.Properties.Groups' is empty", + "issueType": "IncorrectValue", + "similarityID": "3a1c2da8779126c51e51d0e2887671f7cc2da510d5d30fae2c7f69c67d3aade2", + "search_line": -1 }, { "queryName": "IAM User With No Group", "severity": "LOW", "line": 5, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::IAM::User", + "resourceName": "TestUser", + "searchKey": "Resources.MyUser.Properties", + "searchValue": "", + "expectedValue": "'Resources.Properties should contain Groups", + "actualValue": "'Resources.Properties' does not contain Groups", + "issueType": "MissingAttribute", + "similarityID": "bbf6d4f2efd6508466d1e3acc4cdaf6264cbce71ebdfdb68542ac8a48d3337ac", + "search_line": -1 }, { "queryName": "IAM User With No Group", "severity": "LOW", "line": 8, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::IAM::User", + "resourceName": "TestUser", + "searchKey": "Resources.emptyGroup.Properties.Groups", + "searchValue": "", + "expectedValue": 
"'Resources.Properties.Groups' should contain groups", + "actualValue": "'Resources.Properties.Groups' is empty", + "issueType": "IncorrectValue", + "similarityID": "d18882d12cc0bff491990bf185481796d175b4368816f16091578f08ba7ba511", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/test/positive_expected_result.json index 00a1ef6c9c0..3b8025462b2 100644 --- a/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service/test/positive_expected_result.json 
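Review bot: The `expectedValue` pinned for the positive1.yaml and positive3.json entries, `'Resources.Properties should contain Groups`, opens a single quote that is never closed, and its wording differs from the positive2/positive4 entries (`'Resources.Properties.Groups' should contain groups`). The text is emitted by the query rather than authored in this fixture, so the file is only reproducing it, but committing it as the expected result means a later wording fix in the query will break this test until the file is regenerated. I would correct the message at its source (outside this diff) and regenerate so the pinned value reads `'Resources.Properties' should contain Groups`.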
@@ -3,12 +3,30 @@
 "queryName": "Inline Policies Are Attached To ECS Service",
 "severity": "LOW",
 "line": 7,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "InlinePolicy",
+ "searchKey": "Resources.InlinePolicy.Properties.Role",
+ "searchValue": "",
+ "expectedValue": "'Resources.InlinePolicy.Properties.Role' should not refer an inline IAM Policy",
+ "actualValue": "'Resources.InlinePolicy.Properties.Role' refers to inline IAM Policy 'IAMPolicy'",
+ "issueType": "IncorrectValue",
+ "similarityID": "d16b0fce835eb14b5a0d76105f998573a56a159f5e2c5c643c0b3e7849fab6da",
+ "search_line": -1
 },
 {
 "queryName": "Inline Policies Are Attached To ECS Service",
 "severity": "LOW",
 "line": 9,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::ECS::Service",
+ "resourceName": "InlinePolicy",
+ "searchKey": "Resources.InlinePolicy.Properties.Role",
+ "searchValue": "",
+ "expectedValue": "'Resources.InlinePolicy.Properties.Role' should not refer an inline IAM Policy",
+ "actualValue": "'Resources.InlinePolicy.Properties.Role' refers to inline IAM Policy 'IAMPolicy'",
+ "issueType": "IncorrectValue",
+ "similarityID": "6076372f03c7944938453bcc7efabc333b6ebbfc0151227dd1bf60976281ee9d",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json
index 9b1a06da1f5..9a2b913cb61 100644
--- a/assets/queries/cloudFormation/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json
@@ -1,122 +1,302 @@ [ - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 7, - "fileName": "positive1.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 15, - "fileName": "positive1.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 7, - "fileName": "positive2.json" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 16, - "fileName": "positive2.json" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 11, - "fileName": "positive3.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 23, - "fileName": "positive3.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 11, - "fileName": "positive4.json" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 25, - "fileName": "positive4.json" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 12, - "fileName": "positive5.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 25, - "fileName": "positive5.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 12, - "fileName": "positive6.json" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 27, - "fileName": "positive6.json" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 10, - "fileName": "positive7.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 21, - "fileName": "positive7.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 10, - "fileName": "positive8.json" - }, - { - 
"queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 23, - "fileName": "positive8.json" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 10, - "fileName": "positive9.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 22, - "fileName": "positive9.yaml" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 10, - "fileName": "positive10.json" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 24, - "fileName": "positive10.json" - } + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 7, + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions' should be defined with 'HttpTokens' field set to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions' is not defined", + "issueType": "MissingAttribute", + "similarityID": "0f2b37d2bf348b2c4c19319da31a59ae5bb4a066b03bb50030294893bd59917b", + "search_line": 7 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 15, + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData", + "searchValue": "", + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions' should be defined with 'HttpTokens' field set to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions' is not defined", + "issueType": "MissingAttribute", + "similarityID": "1a5869e87af8d9fd0090b5eabf4bc84dbb6d4711db2b87f7f5709d1ac37dd3c6", + 
"search_line": 15 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 7, + "fileName": "positive2.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions' should be defined with 'HttpTokens' field set to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions' is not defined", + "issueType": "MissingAttribute", + "similarityID": "863e19865e97e0ecb00be27cc9f738fe433f1e9dbb8e6a3cd12c21b9d11b2bee", + "search_line": 7 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 16, + "fileName": "positive2.json", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData", + "searchValue": "", + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions' should be defined with 'HttpTokens' field set to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions' is not defined", + "issueType": "MissingAttribute", + "similarityID": "59e5f5406d1b7eda80192a51872fc011e4c5e6a6742588e5b8d70d73fdb6f1d9", + "search_line": 16 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 11, + "fileName": "positive3.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined to 'required'", + "issueType": "IncorrectValue", + "similarityID": 
"c141878278d00248b1a44ecb5b1919c2d3147de7d853766ee8af8c1950403d8b", + "search_line": 11 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 23, + "fileName": "positive3.yaml", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens", + "searchValue": "", + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined to 'required'", + "issueType": "IncorrectValue", + "similarityID": "47d8be2dd0707fa5313ddaf854847bd94d5741a0182460a84c45b0867d184ba3", + "search_line": 23 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 11, + "fileName": "positive4.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined to 'required'", + "issueType": "IncorrectValue", + "similarityID": "8aaa2fd3a84853a76f176914fcd222d55b02558ea4fa703084de32d1b2d1c1ca", + "search_line": 11 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 25, + "fileName": "positive4.json", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens", + "searchValue": "", + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", + 
"actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined to 'required'", + "issueType": "IncorrectValue", + "similarityID": "a1df2308091cc9850f408a37952e5bb87bd72b6258ce39422ee6f16dc7e3dcf9", + "search_line": 25 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 12, + "fileName": "positive5.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined to 'required'", + "issueType": "IncorrectValue", + "similarityID": "37d221acd1b21e558706ed770dd8981fda2825547b20a4bd140f72086787363f", + "search_line": 12 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 25, + "fileName": "positive5.yaml", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens", + "searchValue": "", + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined to 'required'", + "issueType": "IncorrectValue", + "similarityID": "7fbfcbeba1cd5f4b007be82de2b8145895616b549aa628eba5b34cfff3902dd9", + "search_line": 25 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 12, + "fileName": "positive6.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens", + 
"searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined to 'required'", + "issueType": "IncorrectValue", + "similarityID": "f5ad31ceb10b2c26e8e25cc0f587cadff5a750d0eb458c5796cddfcf349a492c", + "search_line": 12 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 27, + "fileName": "positive6.json", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens", + "searchValue": "", + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined to 'required'", + "issueType": "IncorrectValue", + "similarityID": "ed09712169d1647c7b9ec9eb5367307df1d78976e30cb99934f40e654cb46fde", + "search_line": 27 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 10, + "fileName": "positive7.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined", + "issueType": "MissingAttribute", + "similarityID": "b9fb2c6dd09da737309bae284487906fc66d4bebc7a9a19e580bea40e954883c", + "search_line": 10 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 21, + "fileName": "positive7.yaml", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": 
"MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions", + "searchValue": "", + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined", + "issueType": "MissingAttribute", + "similarityID": "f5d18d4942295aeff6161ab649398a5f6c363f06f9f3bdc452c374bb7015bec0", + "search_line": 21 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 10, + "fileName": "positive8.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined", + "issueType": "MissingAttribute", + "similarityID": "d7d2cc30509db87a9b53b557b8dc6962904ce5f7be85c78b754b0cb1d6cc2fb1", + "search_line": 10 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 23, + "fileName": "positive8.json", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions", + "searchValue": "", + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined", + "issueType": "MissingAttribute", + "similarityID": "fe6d6754e82fce0747a185c6a049d47bdda4ffdc82d248759e20bc456ef656dc", + "search_line": 23 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": 
"LOW", + "line": 10, + "fileName": "positive9.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined", + "issueType": "MissingAttribute", + "similarityID": "c9074534290d1f8b1f7b5c22356b992f709b332c5cd307b0b330bf189355a229", + "search_line": 10 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 22, + "fileName": "positive9.yaml", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions", + "searchValue": "", + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined", + "issueType": "MissingAttribute", + "similarityID": "5947684014707564b07d60288075370985284424cc86a6b52762fe33d1431db8", + "search_line": 22 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 10, + "fileName": "positive10.json", + "resourceType": "AWS::EC2::Instance", + "resourceName": "MyEC2Instance", + "searchKey": "Resources.MyEC2Instance.Properties.MetadataOptions", + "searchValue": "", + "expectedValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyEC2Instance.Properties.MetadataOptions.HttpTokens' is not defined", + "issueType": "MissingAttribute", + "similarityID": "a2b10e9a39c643b4a4c845d907921a3d9a85761ee9c4403659f88aa6bfa08278", + "search_line": 10 + }, + { + "queryName": "Instance 
Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 24, + "fileName": "positive10.json", + "resourceType": "AWS::EC2::LaunchTemplate", + "resourceName": "MyLaunchTemplate", + "searchKey": "Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions", + "searchValue": "", + "expectedValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' should be defined to 'required'", + "actualValue": "'Resources.MyLaunchTemplate.Properties.LaunchTemplateData.MetadataOptions.HttpTokens' is not defined", + "issueType": "MissingAttribute", + "similarityID": "5748b12f774bd7f65a8acf8144bc8ed1db36951adc86701950f6b2c667abec30", + "search_line": 24 + } ] diff --git a/assets/queries/cloudFormation/aws/instance_with_no_vpc/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/instance_with_no_vpc/test/positive_expected_result.json index 3def28cba7c..7f998332f33 100644 --- a/assets/queries/cloudFormation/aws/instance_with_no_vpc/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/instance_with_no_vpc/test/positive_expected_result.json 
@@ -1,26 +1,62 @@ [ { + "queryName": "Instance With No VPC", + "severity": "LOW", "line": 21, "fileName": "positive1.yaml", - "queryName": "Instance With No VPC", - "severity": "LOW" + "resourceType": "AWS::EC2::Subnet", + "resourceName": "${AWS::StackName}-Public-A", + "searchKey": "Resources.PublicSubnetA.Properties", + "searchValue": "", + "expectedValue": "Resources.PublicSubnetA.Properties.VpcId should be defined", + "actualValue": "Resources.PublicSubnetA.Properties.VpcId is undefined", + "issueType": "MissingAttribute", + "similarityID": "25d0b1c150779082b4c4cc79ddc1b5425692f3a40f2af499296ed453f8153326", + "search_line": -1 }, { "queryName": "Instance With No VPC", "severity": "LOW", "line": 4, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::Instance", + "resourceName": "Ec2Instance-02", + "searchKey": "Resources.Ec2Instance-02.Properties", + "searchValue": "", + "expectedValue": "Resources.Ec2Instance-02.Properties.NetworkInterfaces should be defined", + "actualValue": "Resources.Ec2Instance-02.Properties.NetworkInterfaces is undefined", + "issueType": "MissingAttribute", + "similarityID": "38ef4731b3531b3e464f774029f6ef70282f579a24d03254b59e8445a21e3d58", + "search_line": -1 }, { "queryName": "Instance With No VPC", "severity": "LOW", "line": 35, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::Subnet", + "resourceName": "${AWS::StackName}-Public-A", + "searchKey": "Resources.PublicSubnetA.Properties", + "searchValue": "", + "expectedValue": "Resources.PublicSubnetA.Properties.VpcId should be defined", + "actualValue": "Resources.PublicSubnetA.Properties.VpcId is undefined", + "issueType": "MissingAttribute", + "similarityID": "0630bbeaaf9a65cb32296f0680900cfb9878c45cd191aaa11eb594020729edd8", + "search_line": -1 }, { - "fileName": "positive4.json", "queryName": "Instance With No VPC", "severity": "LOW", - "line": 5 + "line": 5, + "fileName": "positive4.json", + 
"resourceType": "AWS::EC2::Instance", + "resourceName": "Ec2Instance-02", + "searchKey": "Resources.Ec2Instance-02.Properties", + "searchValue": "", + "expectedValue": "Resources.Ec2Instance-02.Properties.NetworkInterfaces should be defined", + "actualValue": "Resources.Ec2Instance-02.Properties.NetworkInterfaces is undefined", + "issueType": "MissingAttribute", + "similarityID": "94f42ca9577530a33256158a1c35108353cc30adfc262a1218a413ad7f88da10", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/test/positive_expected_result.json index b87c98cc150..add8f2f6ffc 100644 --- a/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard/test/positive_expected_result.json 
@@ -3,12 +3,30 @@
 "queryName": "IoT Policy Allows Action as Wildcard",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::IoT::Policy",
+ "resourceName": "PolicyName",
+ "searchKey": "Resources.IoTPolicy.Properties.PolicyDocument",
+ "searchValue": "",
+ "expectedValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Action should not be '*'",
+ "actualValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Action is '*'",
+ "issueType": "IncorrectValue",
+ "similarityID": "6ce497718f163204b763466825f4bbcec176b13cb4a7b8f0eb7d964217ec4eb8",
+ "search_line": -1
 },
 {
 "queryName": "IoT Policy Allows Action as Wildcard",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::IoT::Policy",
+ "resourceName": "PolicyName",
+ "searchKey": "Resources.IoTPolicy.Properties.PolicyDocument",
+ "searchValue": "",
+ "expectedValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Action should not be '*'",
+ "actualValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Action is '*'",
+ "issueType": "IncorrectValue",
+ "similarityID": "0b926cd28799830d01ae5e7ea0de2fdbfb9d01d087274d03d5de286baeb184d8",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/test/positive_expected_result.json
index f424cf92b1d..a140faea793 100644
--- a/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "IoT Policy Allows Wildcard Resource",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::IoT::Policy",
+ "resourceName": "PolicyName",
+ "searchKey": "Resources.IoTPolicy.Properties.PolicyDocument",
+ "searchValue": "",
+ "expectedValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Resource should not be '*'",
+ "actualValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Recource is '*'",
+ "issueType": "IncorrectValue",
+ "similarityID": "8ebce63d085e7e81bc2ae9b94c7bf32e8779c1dfb5be87a79aa04b8dfd1876ac",
+ "search_line": -1
 },
 {
 "queryName": "IoT Policy Allows Wildcard Resource",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::IoT::Policy",
+ "resourceName": "PolicyName",
+ "searchKey": "Resources.IoTPolicy.Properties.PolicyDocument",
+ "searchValue": "",
+ "expectedValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Resource should not be '*'",
+ "actualValue": "Resources.IoTPolicy.Properties.PolicyDocument.Statement.Recource is '*'",
+ "issueType": "IncorrectValue",
+ "similarityID": "b57e08a746265ccb157dff14c636c8c45f5f9ae8867200dca4269d861116b644",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/test/positive_expected_result.json
index ff15c193abc..4767ec2787e 100644
--- a/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/kinesis_sse_not_configured/test/positive_expected_result.json
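Review bot: Both `actualValue` strings added in this hunk spell the statement field as `Recource` (`...PolicyDocument.Statement.Recource is '*'`) while the `expectedValue` directly above each uses `Resource`. The string is produced by the query rather than written in this fixture, so regenerating alone will not change it; the misspelling should be fixed in the query's message (outside this diff) and this file regenerated afterwards so the pinned value reads `...PolicyDocument.Statement.Resource is '*'`. As committed, the expected result locks the typo in place and will fail the moment the message is corrected.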
@@ -2,37 +2,91 @@
 {
 "queryName": "Kinesis SSE Not Configured",
 "severity": "HIGH",
- "line": 26,
- "fileName": "positive1.yaml"
+ "line": 8,
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::Kinesis::Stream",
+ "resourceName": "EventStream",
+ "searchKey": "Resources.EventStream1.Properties.StreamEncryption",
+ "searchValue": "KeyId",
+ "expectedValue": "Resources.EventStream1.Properties.StreamEncryption.KeyId should be set",
+ "actualValue": "Resources.EventStream1.Properties.StreamEncryption.KeyId is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "6538cc667696cf1ae0578371cd59dc0390c9f08d3925c8cad5b099d869655c61",
+ "search_line": 8
 },
 {
 "queryName": "Kinesis SSE Not Configured",
 "severity": "HIGH",
 "line": 19,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::Kinesis::Stream",
+ "resourceName": "EventStream",
+ "searchKey": "Resources.EventStream2.Properties.StreamEncryption",
+ "searchValue": "EncryptionType",
+ "expectedValue": "Resources.EventStream2.Properties.StreamEncryption.EncryptionType should be set",
+ "actualValue": "Resources.EventStream2.Properties.StreamEncryption.EncryptionType is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "47a8ecfe59c12a725852e17225e54c2e3a5f4ca29283a9107841d238706017fd",
+ "search_line": 19
 },
 {
 "queryName": "Kinesis SSE Not Configured",
 "severity": "HIGH",
- "line": 8,
- "fileName": "positive1.yaml"
+ "line": 26,
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::Kinesis::Stream",
+ "resourceName": "EventStream",
+ "searchKey": "Resources.EventStream3.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.EventStream3.Properties.StreamEncryption should be set",
+ "actualValue": "Resources.EventStream3.Properties.StreamEncryption is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "4de465a52b1f869b82e695482d0eddade708d989df327a42f8ab2cd8db9b8a94",
+ "search_line": 26
 },
 {
 "queryName": "Kinesis SSE Not Configured",
 "severity": "HIGH",
- "line": 39,
- "fileName": "positive2.json"
+ "line": 9,
+ "fileName": "positive2.json",
+ "resourceType": "AWS::Kinesis::Stream",
+ "resourceName": "EventStream",
+ "searchKey": "Resources.EventStream1.Properties.StreamEncryption",
+ "searchValue": "KeyId",
+ "expectedValue": "Resources.EventStream1.Properties.StreamEncryption.KeyId should be set",
+ "actualValue": "Resources.EventStream1.Properties.StreamEncryption.KeyId is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "7a74dbdf9412e68bc29aa18d23eee57be964c2d130c7928bd0956cef8374273a",
+ "search_line": 9
 },
 {
 "queryName": "Kinesis SSE Not Configured",
 "severity": "HIGH",
 "line": 26,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::Kinesis::Stream",
+ "resourceName": "EventStream",
+ "searchKey": "Resources.EventStream2.Properties.StreamEncryption",
+ "searchValue": "EncryptionType",
+ "expectedValue": "Resources.EventStream2.Properties.StreamEncryption.EncryptionType should be set",
+ "actualValue": "Resources.EventStream2.Properties.StreamEncryption.EncryptionType is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "6040a8e607c4ca41a01e4c02442b31dccaa9c694f31dc29db5fdac77869236f1",
+ "search_line": 26
 },
 {
 "queryName": "Kinesis SSE Not Configured",
 "severity": "HIGH",
- "line": 9,
- "fileName": "positive2.json"
+ "line": 39,
+ "fileName": "positive2.json",
+ "resourceType": "AWS::Kinesis::Stream",
+ "resourceName": "EventStream",
+ "searchKey": "Resources.EventStream3.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.EventStream3.Properties.StreamEncryption should be set",
+ "actualValue": "Resources.EventStream3.Properties.StreamEncryption is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "9a7125d9cc3f420b427a5db4180c71cc5df13168dc75ab9f3ae3dad477e9f204",
+ "search_line": 39
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/test/positive_expected_result.json
index e65793703d9..2180c29d924 100644
--- a/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "KMS Allows Wildcard Principal",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::KMS::Key",
+ "resourceName": "myKey",
+ "searchKey": "Resources.myKey.Properties.KeyPolicy",
+ "searchValue": "",
+ "expectedValue": "Resources.myKey.Properties.KeyPolicy.Statement should not be '*'",
+ "actualValue": "Resources.myKey.Properties.KeyPolicy.Statement is '*'",
+ "issueType": "IncorrectValue",
+ "similarityID": "bc031d71db7656988a804f0295d4f22321c91ac0aff80b4ffcd60471bb4c82bd",
+ "search_line": -1
 },
 {
 "queryName": "KMS Allows Wildcard Principal",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::KMS::Key",
+ "resourceName": "myKey",
+ "searchKey": "Resources.myKey.Properties.KeyPolicy",
+ "searchValue": "",
+ "expectedValue": "Resources.myKey.Properties.KeyPolicy.Statement should not be '*'",
+ "actualValue": "Resources.myKey.Properties.KeyPolicy.Statement is '*'",
+ "issueType": "IncorrectValue",
+ "similarityID": "6eab8bcd3ab3d2243b9c238f06b34cfa8a0b861e51b8067cf4cd236f6ed08e8a",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/positive_expected_result.json
index 4482b431b9a..331c2f19aa6 100644
--- a/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled/test/positive_expected_result.json
@@ -3,36 +3,90 @@
 "queryName": "KMS Key Rotation Disabled",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::KMS::Key",
+ "resourceName": "myKey",
+ "searchKey": "Resources.myKey.Properties.EnableKeyRotation",
+ "searchValue": "",
+ "expectedValue": "Resources.myKey.Properties.EnableKeyRotation should not be 'true'",
+ "actualValue": "Resources.myKey.Properties.EnableKeyRotation is true",
+ "issueType": "IncorrectValue",
+ "similarityID": "52a0a31d85304d618135c1243dad869f5b88765bce124fbcdf2c56b6778100bf",
+ "search_line": -1
 },
 {
 "queryName": "KMS Key Rotation Disabled",
 "severity": "MEDIUM",
 "line": 51,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::KMS::Key",
+ "resourceName": "myKey2",
+ "searchKey": "Resources.myKey2.Properties.EnableKeyRotation",
+ "searchValue": "",
+ "expectedValue": "Resources.myKey2.Properties.EnableKeyRotation should be defined",
+ "actualValue": "Resources.myKey2.Properties.EnableKeyRotation is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "29547734daf54c0d0dd68d2c0a754f6956dd4fe112a245d584831b25ee3023a1",
+ "search_line": -1
 },
 {
 "queryName": "KMS Key Rotation Disabled",
 "severity": "MEDIUM",
 "line": 60,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::KMS::Key",
+ "resourceName": "myKey",
+ "searchKey": "Resources.myKey.Properties.EnableKeyRotation",
+ "searchValue": "",
+ "expectedValue": "Resources.myKey.Properties.EnableKeyRotation should not be 'true'",
+ "actualValue": "Resources.myKey.Properties.EnableKeyRotation is true",
+ "issueType": "IncorrectValue",
+ "similarityID": "f6a8e89b4a6bcc9b59857f928b67358d45cd0215fc919c9f4893390e2760c33d",
+ "search_line": -1
 },
 {
 "queryName": "KMS Key Rotation Disabled",
 "severity": "MEDIUM",
 "line": 65,
- "fileName": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "AWS::KMS::Key",
+ "resourceName": "myKey2",
+ "searchKey": "Resources.myKey2.Properties.EnableKeyRotation",
+ "searchValue": "",
+ "expectedValue": "Resources.myKey2.Properties.EnableKeyRotation should be defined",
+ "actualValue": "Resources.myKey2.Properties.EnableKeyRotation is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "b4faa3e5d59498e009768b7c907abd07aac2e8eaa87ce078ccc938edb87132e0",
+ "search_line": -1
 },
 {
 "queryName": "KMS Key Rotation Disabled",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "AWS::KMS::Key",
+ "resourceName": "myKey",
+ "searchKey": "Resources.myKey.Properties.EnableKeyRotation",
+ "searchValue": "",
+ "expectedValue": "Resources.myKey.Properties.EnableKeyRotation should not be 'true'",
+ "actualValue": "Resources.myKey.Properties.EnableKeyRotation is true",
+ "issueType": "IncorrectValue",
+ "similarityID": "d1b4db31c6429f4a1145ba6bfe04f8307004ec6b329919e951df55316e87eb67",
+ "search_line": -1
 },
 {
 "queryName": "KMS Key Rotation Disabled",
 "severity": "MEDIUM",
 "line": 51,
- "fileName": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "AWS::KMS::Key",
+ "resourceName": "myKey2",
+ "searchKey": "Resources.myKey2.Properties.EnableKeyRotation",
+ "searchValue": "",
+ "expectedValue": "Resources.myKey2.Properties.EnableKeyRotation should be defined",
+ "actualValue": "Resources.myKey2.Properties.EnableKeyRotation is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "c67ba650b60ccbf72764dda36f866820b4fdc579dd6375c374fbc2c812459a1c",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/test/positive_expected_result.json
index 93317fe9f38..30fdbb8ee22 100644
--- a/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/test/positive_expected_result.json
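Review bot: The three IncorrectValue entries for `myKey` pin `"expectedValue": "Resources.myKey.Properties.EnableKeyRotation should not be 'true'"` together with `"actualValue": "Resources.myKey.Properties.EnableKeyRotation is true"`, which reads as the opposite of what a query named "KMS Key Rotation Disabled" is meant to report. Whether the positive samples actually set `EnableKeyRotation: false` cannot be confirmed from this hunk, but as written the pair describes rotation being enabled as the defect, so either the query's message strings are inverted or the fixture is recording a misleading finding. Locking this into the expected result makes the test pass on text that misleads anyone triaging the finding; I would check the query's message template against the positive samples and regenerate this file rather than commit the current strings.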
+++ b/assets/queries/cloudFormation/aws/kms_key_with_full_permissions/test/positive_expected_result.json 
@@ -2,25 +2,61 @@
 {
 "queryName": "KMS Key With Vulnerable Policy",
 "severity": "HIGH",
- "line": 9,
- "fileName": "positive.json"
+ "line": 5,
+ "fileName": "positive2.json",
+ "resourceType": "AWS::KMS::Key",
+ "resourceName": "RSASigningKey2",
+ "searchKey": "Resources.RSASigningKey2.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.RSASigningKey2.Properties.KeyPolicy should be defined and not null",
+ "actualValue": "Resources.RSASigningKey2.Properties.KeyPolicy is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "4c090a8abee42be187bf11858e1e1be48715921ae8cee470b3d70b820a9f3b87",
+ "search_line": -1
 },
 {
 "queryName": "KMS Key With Vulnerable Policy",
 "severity": "HIGH",
- "line": 8,
- "fileName": "positive.yaml"
+ "line": 4,
+ "fileName": "positive2.yaml",
+ "resourceType": "AWS::KMS::Key",
+ "resourceName": "RSASigningKey2",
+ "searchKey": "Resources.RSASigningKey2.Properties",
+ "searchValue": "",
+ "expectedValue": "Resources.RSASigningKey2.Properties.KeyPolicy should be defined and not null",
+ "actualValue": "Resources.RSASigningKey2.Properties.KeyPolicy is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "bc11615e1791c6d9e4d822cb8ab98c1ed37d77aa187b1df76f155d307094e57a",
+ "search_line": -1
 },
 {
 "queryName": "KMS Key With Vulnerable Policy",
 "severity": "HIGH",
- "line": 5,
- "fileName": "positive2.json"
+ "line": 9,
+ "fileName": "positive.json",
+ "resourceType": "AWS::KMS::Key",
+ "resourceName": "RSASigningKey",
+ "searchKey": "Resources.RSASigningKey.Properties.KeyPolicy",
+ "searchValue": "",
+ "expectedValue": "Resources.RSASigningKey.Properties.KeyPolicy.Statement should not have wildcard in 'Action' and 'Principal'",
+ "actualValue": "Resources.RSASigningKey.Properties.KeyPolicy.Statement has wildcard in 'Action' and 'Principal'",
+ "issueType": "IncorrectValue",
+ "similarityID": "3a5551593bbb57279a3d36566482a5e653f2474d11568395f8ccbe311488df96",
+ "search_line": -1
 },
 {
 "queryName": "KMS Key With Vulnerable Policy",
 "severity": "HIGH",
- "line": 4,
- "fileName": "positive2.yaml"
+ "line": 8,
+ "fileName": "positive.yaml",
+ "resourceType": "AWS::KMS::Key",
+ "resourceName": "RSASigningKey",
+ "searchKey": "Resources.RSASigningKey.Properties.KeyPolicy",
+ "searchValue": "",
+ "expectedValue": "Resources.RSASigningKey.Properties.KeyPolicy.Statement should not have wildcard in 'Action' and 'Principal'",
+ "actualValue": "Resources.RSASigningKey.Properties.KeyPolicy.Statement has wildcard in 'Action' and 'Principal'",
+ "issueType": "IncorrectValue",
+ "similarityID": "40df512915d87f5aa67a9db9b5526a41869021c7d87da734012b4430145a55bf",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json
index dbc5630f0cc..2bb22dc8a8e 100644
--- a/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json
@@ -3,18 +3,45 @@
 "queryName": "Lambda Function Without Dead Letter Queue",
 "severity": "LOW",
 "line": 6,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "Function",
+ "searchKey": "Resources.Function.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.Function.Properties.DeadLetterConfig' should be defined and not null",
+ "actualValue": "'Resources.Function.Properties.DeadLetterConfig' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "0293ee21702ccd64a319bc8b9d3b07f928cb46829671de1db3aeac9a3fd8a25a",
+ "search_line": 6
 },
 {
 "queryName": "Lambda Function Without Dead Letter Queue",
 "severity": "LOW",
 "line": 6,
- "fileName": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "Function2",
+ "searchKey": "Resources.Function2.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.Function2.Properties.DeadLetterConfig' should be defined and not null",
+ "actualValue": "'Resources.Function2.Properties.DeadLetterConfig' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "8265d76b01a9d75626a364d5618dfa8aa529df21e1be1aa20a3b6ee31600d6a6",
+ "search_line": 6
 },
 {
 "queryName": "Lambda Function Without Dead Letter Queue",
 "severity": "LOW",
 "line": 27,
- "fileName": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "Function2",
+ "searchKey": "Resources.Function2.Properties.DeadLetterConfig",
+ "searchValue": "",
+ "expectedValue": "'Resources.Function2.Properties.DeadLetterConfig.TargetArn' should be defined and not null",
+ "actualValue": "'Resources.Function2.Properties.DeadLetterConfig.TargetArn' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "c202d72fb590c06f5ec4b6f9b65afdcc6956683dfbbf932d426be94498fabc4b",
+ "search_line": 27
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/lambda_function_without_tags/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_function_without_tags/test/positive_expected_result.json
index 544806fff4a..f6f00f2f15b 100644
--- a/assets/queries/cloudFormation/aws/lambda_function_without_tags/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/lambda_function_without_tags/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Lambda Function Without Tags",
 "severity": "LOW",
 "line": 52,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "AppendItemToListFunction",
+ "searchKey": "Resources.AppendItemToListFunction.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.AppendItemToListFunction.Properties.Tags' should be defined",
+ "actualValue": "'Resources.AppendItemToListFunction.Properties.Tags' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "5bcd4558d53cf4751be42eae39550ca9be4b5c880775eae66e46ba87da26ab97",
+ "search_line": -1
 },
 {
- "fileName": "positive2.json",
 "queryName": "Lambda Function Without Tags",
 "severity": "LOW",
- "line": 75
+ "line": 75,
+ "fileName": "positive2.json",
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "AppendItemToListFunction",
+ "searchKey": "Resources.AppendItemToListFunction.Properties",
+ "searchValue": "",
+ "expectedValue": "'Resources.AppendItemToListFunction.Properties.Tags' should be defined",
+ "actualValue": "'Resources.AppendItemToListFunction.Properties.Tags' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "6f2bff70341c7f8733593400f9f9fead24d9d00e7b85712480f99e5227dbd08a",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/test/positive_expected_result.json
index d6b555c562e..8b1de02e0d1 100644
--- a/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Lambda Functions With Full Privileges",
 "severity": "HIGH",
 "line": 76,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "AppendItemToListFunction",
+ "searchKey": "Resources.LambdaExecutionRole.Properties.Policies.PolicyDocument",
+ "searchValue": "AppendItemToListFunction",
+ "expectedValue": "Resources.LambdaExecutionRole.Properties.Policies[root].PolicyDocument should not give admin privileges to Resources.AppendItemToListFunction ",
+ "actualValue": "Resources.LambdaExecutionRole.Properties.Policies[root].PolicyDocument gives admin privileges to Resources.AppendItemToListFunction ",
+ "issueType": "IncorrectValue",
+ "similarityID": "091609324540d23952213df9cb2fde6a0c5fc9eb1b4ff557be832ee4bdbf0397",
+ "search_line": 76
 },
 {
+ "queryName": "Lambda Functions With Full Privileges",
 "severity": "HIGH",
 "line": 101,
 "fileName": "positive2.json",
- "queryName": "Lambda Functions With Full Privileges"
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "AppendItemToListFunction",
+ "searchKey": "Resources.LambdaExecutionRole.Properties.Policies.PolicyDocument",
+ "searchValue": "AppendItemToListFunction",
+ "expectedValue": "Resources.LambdaExecutionRole.Properties.Policies[root].PolicyDocument should not give admin privileges to Resources.AppendItemToListFunction ",
+ "actualValue": "Resources.LambdaExecutionRole.Properties.Policies[root].PolicyDocument gives admin privileges to Resources.AppendItemToListFunction ",
+ "issueType": "IncorrectValue",
+ "similarityID": "c08191aaf204ba9828c99d8a451d58f2a7d40b92f745761060e91a13ce155a05",
+ "search_line": 101
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/test/positive_expected_result.json
index ca510107e97..a8929a07a64 100644
--- a/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles/test/positive_expected_result.json
@@ -1,26 +1,62 @@
 [
 {
+ "queryName": "Lambda Functions Without Unique IAM Roles",
 "severity": "HIGH",
 "line": 8,
 "fileName": "positive1.yaml",
- "queryName": "Lambda Functions Without Unique IAM Roles"
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "Primer01",
+ "searchKey": "Resources.Primer01.Properties.Role",
+ "searchValue": "",
+ "expectedValue": "Each AWS Lambda Function has a unique role",
+ "actualValue": "Resource.Primer01.Properties.Role is assigned to another funtion",
+ "issueType": "IncorrectValue",
+ "similarityID": "691beb5c09232edeea6b84223a99f75c24a141eff0b72c34c6efd9cfc6928b8a",
+ "search_line": -1
 },
 {
+ "queryName": "Lambda Functions Without Unique IAM Roles",
 "severity": "HIGH",
 "line": 41,
 "fileName": "positive1.yaml",
- "queryName": "Lambda Functions Without Unique IAM Roles"
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "Primer02",
+ "searchKey": "Resources.Primer02.Properties.Role",
+ "searchValue": "",
+ "expectedValue": "Each AWS Lambda Function has a unique role",
+ "actualValue": "Resource.Primer02.Properties.Role is assigned to another funtion",
+ "issueType": "IncorrectValue",
+ "similarityID": "412c51ae9c53cfdc6e7aa90b5fc66381d9ebd1fd9c88c76837172fed29e6e3d4",
+ "search_line": -1
 },
 {
+ "queryName": "Lambda Functions Without Unique IAM Roles",
+ "severity": "HIGH",
 "line": 7,
 "fileName": "positive2.json",
- "queryName": "Lambda Functions Without Unique IAM Roles",
- "severity": "HIGH"
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "Primer01",
+ "searchKey": "Resources.Primer01.Properties.Role",
+ "searchValue": "",
+ "expectedValue": "Each AWS Lambda Function has a unique role",
+ "actualValue": "Resource.Primer01.Properties.Role is assigned to another funtion",
+ "issueType": "IncorrectValue",
+ "similarityID": "a0eb9ad0269c9741ed5c0020f14fecb0140f1140d4730ecf05192d5decc18907",
+ "search_line": -1
 },
 {
- "fileName": "positive2.json",
 "queryName": "Lambda Functions Without Unique IAM Roles",
 "severity": "HIGH",
- "line": 24
+ "line": 24,
+ "fileName": "positive2.json",
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "Primer02",
+ "searchKey": "Resources.Primer02.Properties.Role",
+ "searchValue": "",
+ "expectedValue": "Each AWS Lambda Function has a unique role",
+ "actualValue": "Resource.Primer02.Properties.Role is assigned to another funtion",
+ "issueType": "IncorrectValue",
+ "similarityID": "a76e930cade3bc68ac3c00e593e08d784e35848866730fd58e78221eb8718f12",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json
index a6e44bfe9dd..9ffc1376fba 100644
--- a/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json
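Review bot: All four entries pin `"actualValue": "Resource.Primer01.Properties.Role is assigned to another funtion"` (and the Primer02 equivalent), which carries two textual defects: the path prefix is `Resource.` while the searchKey in the same entry uses `Resources.`, and "funtion" is a misspelling. Since this file is generated from scan output these strings come from the query's message template, so the baseline now asserts both the wrong path and the typo. Correcting the query message and regenerating this fixture would avoid cementing them as the expected result.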
@@ -1,26 +1,62 @@
 [
 {
+ "queryName": "Lambda Functions Without X-Ray Tracing",
+ "severity": "LOW",
 "line": 37,
 "fileName": "positive1.yaml",
- "queryName": "Lambda Functions Without X-Ray Tracing",
- "severity": "LOW"
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "primer",
+ "searchKey": "Resources.primer.Properties.TracingConfig.Mode",
+ "searchValue": "",
+ "expectedValue": "TracingConfig.Mode should be set to 'Active'",
+ "actualValue": "TracingConfig.Mode is set to 'PassThrough'",
+ "issueType": "IncorrectValue",
+ "similarityID": "da9bb1b2a4bc3bc8c2d07eb22ab52dc29a1da230ebd4217520b503c663828dc1",
+ "search_line": -1
 },
 {
 "queryName": "Lambda Functions Without X-Ray Tracing",
 "severity": "LOW",
 "line": 4,
- "fileName": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "Function",
+ "searchKey": "Resources.Function.Properties",
+ "searchValue": "",
+ "expectedValue": "Property 'TracingConfig' should be defined",
+ "actualValue": "Property 'TracingConfig' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "0f5993b849e6187c6ca415b089aa86db5d8667e33f6396092a842867f22adcf1",
+ "search_line": -1
 },
 {
 "queryName": "Lambda Functions Without X-Ray Tracing",
 "severity": "LOW",
 "line": 16,
- "fileName": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "primer",
+ "searchKey": "Resources.primer.Properties.TracingConfig.Mode",
+ "searchValue": "",
+ "expectedValue": "TracingConfig.Mode should be set to 'Active'",
+ "actualValue": "TracingConfig.Mode is set to 'PassThrough'",
+ "issueType": "IncorrectValue",
+ "similarityID": "11bd81156bfb50f14506941300da7a175d5033c9fd6ad08b587bc3ba9da9e925",
+ "search_line": -1
 },
 {
 "queryName": "Lambda Functions Without X-Ray Tracing",
 "severity": "LOW",
 "line": 4,
- "fileName": "positive4.json"
+ "fileName": "positive4.json",
+ "resourceType": "AWS::Lambda::Function",
+ "resourceName": "Function",
+ "searchKey": "Resources.Function.Properties",
+ "searchValue": "",
+ "expectedValue": "Property 'TracingConfig' should be defined",
+ "actualValue": "Property 'TracingConfig' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "6dbd587675c1f5138ee568ab3d305eeae77da37c2e5be10c3469112b2e493a3d",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/test/positive_expected_result.json
index f513240e9e9..a74ccdad27a 100644
--- a/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/lambda_permission_misconfigured/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Lambda Permission Misconfigured",
 "severity": "LOW",
 "line": 6,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "AWS::Lambda::Permission",
+ "resourceName": "s3Permission",
+ "searchKey": "Resources.s3Permission.Properties.Action",
+ "searchValue": "",
+ "expectedValue": "'Resources.s3Permission.Properties.Action' should be lambda:InvokeFunction ",
+ "actualValue": "'Resources.s3Permission.Properties.Action' is not lambda:InvokeFunction",
+ "issueType": "IncorrectValue",
+ "similarityID": "d9c32db1774355d73800756ffc97b31fad163ad9fa46e44c7ad2c9226a4058cf",
+ "search_line": -1
 },
 {
+ "queryName": "Lambda Permission Misconfigured",
+ "severity": "LOW",
 "line": 8,
 "fileName": "positive2.json",
- "queryName": "Lambda Permission Misconfigured",
- "severity": "LOW"
+ "resourceType": "AWS::Lambda::Permission",
+ "resourceName": "s3Permission",
+ "searchKey": "Resources.s3Permission.Properties.Action",
+ "searchValue": "",
+ "expectedValue": "'Resources.s3Permission.Properties.Action' should be lambda:InvokeFunction ",
+ "actualValue": "'Resources.s3Permission.Properties.Action' is not lambda:InvokeFunction",
+ "issueType": "IncorrectValue",
+ "similarityID": "daea3b3465327d5f88ee567a2e6186d5ad7c452b48957b1c027b368a4a6de4c0",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json
index 29464280e4e..53b2d2d7213 100644
--- a/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json
@@ -1,14 +1,32 @@
 [
 {
+ "queryName": "Lambda Permission Principal Is Wildcard",
+ "severity": "MEDIUM",
 "line": 9,
 "fileName": "positive1.yaml",
- "queryName": "Lambda Permission Principal Is Wildcard",
- "severity": "MEDIUM"
+ "resourceType": "AWS::Lambda::Permission",
+ "resourceName": "s3Permission",
+ "searchKey": "Resources.s3Permission.Properties.Principal",
+ "searchValue": "",
+ "expectedValue": "Resources.s3Permission.Properties.Principal should not be wildcard",
+ "actualValue": "Resources.s3Permission.Properties.Principal is wildcard",
+ "issueType": "IncorrectValue",
+ "similarityID": "d39a774849e2fcefc42bb906e5732fe2f0e13c7dda73518eac296f099c6ea43f",
+ "search_line": -1
 },
 {
+ "queryName": "Lambda Permission Principal Is Wildcard",
 "severity": "MEDIUM",
 "line": 10,
 "fileName": "positive2.json",
- "queryName": "Lambda Permission Principal Is Wildcard"
+ "resourceType": "AWS::Lambda::Permission",
+ "resourceName": "s3Permission",
+ "searchKey": "Resources.s3Permission.Properties.Principal",
+ "searchValue": "",
+ "expectedValue": "Resources.s3Permission.Properties.Principal should not be wildcard",
+ "actualValue": "Resources.s3Permission.Properties.Principal is wildcard",
+ "issueType": "IncorrectValue",
+ "similarityID": "b4c3c6bf24a191f5490cb520b419f2c658243965be54f8f7f0520a7f7a1b46fc",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/test/positive_expected_result.json
index 623b33cff0b..726840fb25b 100644
--- a/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/low_rds_backup_retention_period/test/positive_expected_result.json
@@ -1,50 +1,122 @@ [ { + "queryName": "Low RDS Backup Retention Period", + "severity": "LOW", "line": 52, "fileName": "positive1.yaml", - "queryName": "Low RDS Backup Retention Period", - "severity": "LOW" + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "DatabaseCluster", + "searchKey": "Resources.DatabaseCluster.Properties.BackupRetentionPeriod", + "searchValue": "", + "expectedValue": "The RDS DBCluster 'DatabaseCluster' resource should have backup retention period of at least 7 days", + "actualValue": "The RDS DBCluster 'DatabaseCluster' resource has backup retention period of '%!s(int=3)' which is less than the minimum of 7 days", + "issueType": "IncorrectValue", + "similarityID": "9659c144d049140a188d0c8c966585a7612bf8f1da6d71834e566ba4d2af4499", + "search_line": -1 }, { - "fileName": "positive4.yaml", "queryName": "Low RDS Backup Retention Period", "severity": "LOW", - "line": 43 + "line": 35, + "fileName": "positive2.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties.BackupRetentionPeriod", + "searchValue": "", + "expectedValue": "The RDS DBInstance 'MyDBSmall' resource should have backup retention period of at least 7 days", + "actualValue": "The RDS DBCluster 'MyDBSmall' resource has backup retention period of '%!s(int=6)' which is less than the minimum of 7 days, and no RDS Cluster are defined", + "issueType": "IncorrectValue", + "similarityID": "50905c0e2b61c62afff537dc4362315a65b8e810ec4d4cd5d9025c6e67ef9962", + "search_line": -1 }, { "queryName": "Low RDS Backup Retention Period", "severity": "LOW", "line": 22, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDB", + "searchKey": "Resources.MyDB.Properties", + "searchValue": "", + "expectedValue": "The RDS DBInstance 'MyDB' resource should have backup retention period of at least 7 days", + "actualValue": "The RDS DBInstance 'MyDB' resource 
doesn't define a backup retention period and no RDS Cluster are defined", + "issueType": "IncorrectValue", + "similarityID": "95c9854cc62b9a446a569952a5e5417724c8d597401213a23934da978299a74f", + "search_line": -1 }, { "queryName": "Low RDS Backup Retention Period", "severity": "LOW", - "line": 35, - "fileName": "positive2.yaml" + "line": 43, + "fileName": "positive4.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "BadDatabaseCluster", + "searchKey": "Resources.BadDatabaseCluster.Properties", + "searchValue": "", + "expectedValue": "The RDS DBCluster 'BadDatabaseCluster' resource should have backup retention period of at least 7 days", + "actualValue": "The RDS DBCluster 'BadDatabaseCluster' resource doesn't define a backup retention period", + "issueType": "MissingAttribute", + "similarityID": "61b4aff48115302508a3e9982faa77ec4d393f8430b325b7cc56473410027874", + "search_line": -1 }, { "queryName": "Low RDS Backup Retention Period", "severity": "LOW", "line": 113, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "DatabaseCluster", + "searchKey": "Resources.DatabaseCluster.Properties.BackupRetentionPeriod", + "searchValue": "", + "expectedValue": "The RDS DBCluster 'DatabaseCluster' resource should have backup retention period of at least 7 days", + "actualValue": "The RDS DBCluster 'DatabaseCluster' resource has backup retention period of '%!s(int=3)' which is less than the minimum of 7 days", + "issueType": "IncorrectValue", + "similarityID": "fc07629472dacc751300b2863251b11f088689468b1b1719551fbf18398c21c3", + "search_line": -1 }, { "queryName": "Low RDS Backup Retention Period", "severity": "LOW", "line": 55, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties.BackupRetentionPeriod", + "searchValue": "", + "expectedValue": "The RDS DBInstance 
'MyDBSmall' resource should have backup retention period of at least 7 days", + "actualValue": "The RDS DBCluster 'MyDBSmall' resource has backup retention period of '%!s(int=6)' which is less than the minimum of 7 days, and no RDS Cluster are defined", + "issueType": "IncorrectValue", + "similarityID": "58da2b4cd05af6af623770cf306e49d65ad1690bc219a12f81aab76774df9b62", + "search_line": -1 }, { "queryName": "Low RDS Backup Retention Period", "severity": "LOW", "line": 26, - "fileName": "positive7.json" + "fileName": "positive7.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDB", + "searchKey": "Resources.MyDB.Properties", + "searchValue": "", + "expectedValue": "The RDS DBInstance 'MyDB' resource should have backup retention period of at least 7 days", + "actualValue": "The RDS DBInstance 'MyDB' resource doesn't define a backup retention period and no RDS Cluster are defined", + "issueType": "IncorrectValue", + "similarityID": "f37b9258488f5bdaf73020b9054775f8e11e16dbf82938aadd233fddf243d357", + "search_line": -1 }, { "queryName": "Low RDS Backup Retention Period", "severity": "LOW", "line": 54, - "fileName": "positive8.json" + "fileName": "positive8.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "BadDatabaseCluster", + "searchKey": "Resources.BadDatabaseCluster.Properties", + "searchValue": "", + "expectedValue": "The RDS DBCluster 'BadDatabaseCluster' resource should have backup retention period of at least 7 days", + "actualValue": "The RDS DBCluster 'BadDatabaseCluster' resource doesn't define a backup retention period", + "issueType": "MissingAttribute", + "similarityID": "0246bed67a93954ebf1bf95705c6053c1d3ad3839ecee50b95b3295ed4d85b05", + "search_line": -1 } -] \ No newline at end of file +] 
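Review bot: The new `actualValue` for the `positive2.yaml` and `positive6.json` entries reads `The RDS DBCluster 'MyDBSmall' …` although `resourceType` is `AWS::RDS::DBInstance` and the matching `expectedValue` says `DBInstance`, and the same strings (plus the `positive1.yaml`/`positive5.json` entries) embed the Go format artifact `'%!s(int=6)'` / `'%!s(int=3)'`, which is what a `%s` verb produces when handed an integer. Committing these strings pins the defective messages as the expected output, so the check will start failing the moment the query's message is corrected. Fix the message in the query under `assets/queries/cloudFormation/aws/low_rds_backup_retention_period` (use `%d` for the retention value and `DBInstance` in the instance branch) and regenerate this fixture instead of freezing the artifact here.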
diff --git a/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json index 501f3544d25..ef2c7de62ca 100644 --- a/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "MQ Broker Is Publicly Accessible", "severity": "HIGH", "line": 15, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker.Properties.PubliclyAccessible", + "searchValue": "", + "expectedValue": "Resources.BasicBroker.Properties.PubliclyAccessible should be set to false or undefined", + "actualValue": "Resources.BasicBroker.Properties.PubliclyAccessible is true", + "issueType": "IncorrectValue", + "similarityID": "e1322a5a7dc72fa5713b556fdcc748f15bed504e74e1b1a75d95ea46eb26c14f", + "search_line": -1 }, { "queryName": "MQ Broker Is Publicly Accessible", "severity": "HIGH", "line": 31, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker2.Properties.PubliclyAccessible", + "searchValue": "", + "expectedValue": "Resources.BasicBroker2.Properties.PubliclyAccessible should be set to false or undefined", + "actualValue": "Resources.BasicBroker2.Properties.PubliclyAccessible is true", + "issueType": "IncorrectValue", + "similarityID": "b51010fb75381fe55e3708a3222236c9a2a001a0834827dfa2d3a6f13f93462f", + "search_line": -1 }, { "queryName": "MQ Broker Is Publicly Accessible", "severity": "HIGH", "line": 15, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker.Properties.PubliclyAccessible", + "searchValue": "", + "expectedValue": "Resources.BasicBroker.Properties.PubliclyAccessible should be set to false or undefined", + "actualValue": "Resources.BasicBroker.Properties.PubliclyAccessible is true", + "issueType": "IncorrectValue", + "similarityID": "d280a6252f3b9c4bc90a93d2ae137f22481cb2131e4f9c2eb4dc3810d6eb2ea6", + "search_line": -1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/test/positive_expected_result.json index 6445a0adcc4..6d9c6b109b3 100644 --- a/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/mq_broker_logging_disabled/test/positive_expected_result.json 
@@ -3,90 +3,225 @@ "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker3.Properties.Logs", + "searchValue": "", + "expectedValue": "Resources.BasicBroker3.Properties.Logs.Audit should be set", + "actualValue": "Resources.BasicBroker3.Properties.Logs.Audit is undefined", + "issueType": "MissingAttribute", + "similarityID": "03305ef421fcf0efac1b35e379adf830a59b63ae2a13f7218e164ea45e8f3965", + "search_line": -1 }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", "line": 42, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker4.Properties.Logs", + "searchValue": "", + "expectedValue": "Resources.BasicBroker4.Properties.Logs.General should be set", + "actualValue": "Resources.BasicBroker4.Properties.Logs.General is undefined", + "issueType": "MissingAttribute", + "similarityID": "6f81a5f30ba822376a8ac9256bfe9b330c3b7f77ec4d4da32c35a206af2ca771", + "search_line": -1 }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", "line": 63, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker5.Properties.Logs.General", + "searchValue": "", + "expectedValue": "Resources.BasicBroker5.Properties.Logs.General is true", + "actualValue": "Resources.BasicBroker5.Properties.Logs.General is false", + "issueType": "IncorrectValue", + "similarityID": "7a72060503b61670161cbef61670273b522bbda8926b3f71a16bd3aa77e2fa7d", + "search_line": -1 }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", "line": 84, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": 
"AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker6.Properties.Logs.Audit", + "searchValue": "", + "expectedValue": "Resources.BasicBroker6.Properties.Logs.Audit is true", + "actualValue": "Resources.BasicBroker6.Properties.Logs.Audit is false", + "issueType": "IncorrectValue", + "similarityID": "666a2d44d7b92ea732965d25ca0fc4519ce77ad9c17d534b6f81b46367575046", + "search_line": -1 }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", "line": 88, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker7.Properties", + "searchValue": "", + "expectedValue": "Resources.BasicBroker7.Properties.Logs should be set", + "actualValue": "Resources.BasicBroker7.Properties.Logs is undefined", + "issueType": "MissingAttribute", + "similarityID": "4a1b39870931c5c98f97d23236ea9861cb2fec02eb9ad9f1dc8c10ab84eeb259", + "search_line": -1 }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", "line": 28, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker8.Properties.Logs", + "searchValue": "", + "expectedValue": "Resources.BasicBroker8.Properties.Logs.Audit should be set", + "actualValue": "Resources.BasicBroker8.Properties.Logs.Audit is undefined", + "issueType": "MissingAttribute", + "similarityID": "c6a066bf874605b4ed8c51ba3bb42fe77c36f03bbb32971affd3f09f79e9872f", + "search_line": -1 }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", "line": 56, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker9.Properties.Logs", + "searchValue": "", + "expectedValue": "Resources.BasicBroker9.Properties.Logs.General should be 
set", + "actualValue": "Resources.BasicBroker9.Properties.Logs.General is undefined", + "issueType": "MissingAttribute", + "similarityID": "8e853ef8ba49667918c58d6fcf8ee8ab8e4f64e11bbc3086db8060b034623d56", + "search_line": -1 }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", "line": 85, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker10.Properties.Logs.General", + "searchValue": "", + "expectedValue": "Resources.BasicBroker10.Properties.Logs.General is true", + "actualValue": "Resources.BasicBroker10.Properties.Logs.General is false", + "issueType": "IncorrectValue", + "similarityID": "610d0beb6c130c28634c19aa7c9b3d253e0fa8b7ad7f2689fabe8467aa15f96b", + "search_line": -1 }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", "line": 115, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker11.Properties.Logs.Audit", + "searchValue": "", + "expectedValue": "Resources.BasicBroker11.Properties.Logs.Audit is true", + "actualValue": "Resources.BasicBroker11.Properties.Logs.Audit is false", + "issueType": "IncorrectValue", + "similarityID": "3d519aaffcc7f1dab1524085ffee92f58d72757ae0821caa9f60b18a38ba293e", + "search_line": -1 }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", "line": 121, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker12.Properties", + "searchValue": "", + "expectedValue": "Resources.BasicBroker12.Properties.Logs should be set", + "actualValue": "Resources.BasicBroker12.Properties.Logs is undefined", + "issueType": "MissingAttribute", + "similarityID": "481bd56a9e399f4e63b5f98d55e4bbdda4744ef8e565a0daf7f53dc1ba6c7e08", + 
"search_line": -1 }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", "line": 22, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker3.Properties.Logs", + "searchValue": "", + "expectedValue": "Resources.BasicBroker3.Properties.Logs.Audit should be set", + "actualValue": "Resources.BasicBroker3.Properties.Logs.Audit is undefined", + "issueType": "MissingAttribute", + "similarityID": "6ed6a4b2f7b0064d40fc79bdc95ac35c5abae413606f9bc53a01eb402014821e", + "search_line": -1 }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", "line": 42, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker4.Properties.Logs", + "searchValue": "", + "expectedValue": "Resources.BasicBroker4.Properties.Logs.General should be set", + "actualValue": "Resources.BasicBroker4.Properties.Logs.General is undefined", + "issueType": "MissingAttribute", + "similarityID": "4b31e16c052ebfc41ee8376579aa3e6feb0daf7d6c107dfb3991b453e7c2874d", + "search_line": -1 }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", "line": 63, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker5.Properties.Logs.General", + "searchValue": "", + "expectedValue": "Resources.BasicBroker5.Properties.Logs.General is true", + "actualValue": "Resources.BasicBroker5.Properties.Logs.General is false", + "issueType": "IncorrectValue", + "similarityID": "95496d5131c2a8e02c52d16d9f5fc02ea9580b05342762c674ffb2e9b367c31d", + "search_line": -1 }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", "line": 84, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": 
"AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker6.Properties.Logs.Audit", + "searchValue": "", + "expectedValue": "Resources.BasicBroker6.Properties.Logs.Audit is true", + "actualValue": "Resources.BasicBroker6.Properties.Logs.Audit is false", + "issueType": "IncorrectValue", + "similarityID": "19fab6327fc1681fcabb2e95df587fb27d293d8f833f22ab19eb6c603b07169a", + "search_line": -1 }, { "queryName": "MQ Broker Logging Disabled", "severity": "MEDIUM", "line": 88, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::AmazonMQ::Broker", + "resourceName": "MyBasicBroker", + "searchKey": "Resources.BasicBroker7.Properties", + "searchValue": "", + "expectedValue": "Resources.BasicBroker7.Properties.Logs should be set", + "actualValue": "Resources.BasicBroker7.Properties.Logs is undefined", + "issueType": "MissingAttribute", + "similarityID": "69d5c3e413199220d4d03a00fc97ab51296eaf66563c5066844d16684c2bb681", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json index fcc5009075f..156383c6d5c 100644 --- a/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "MSK Broker Is Publicly Accessible", "severity": "HIGH", "line": 18, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster.Properties.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type", + "searchValue": "", + "expectedValue": "Resources.TestCluster.Properties.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type should be set to 'DISABLED' or undefined", + "actualValue": "Resources.TestCluster.Properties.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type is set to 'SERVICE_PROVIDED_EIPS'", + "issueType": "IncorrectValue", + "similarityID": "5cdd79b4f7b74ade4c3639241ebf501e22c2bb090d2e9af5d15a024848ca6a60", + "search_line": 18 }, { "queryName": "MSK Broker Is Publicly Accessible", "severity": "HIGH", "line": 15, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster.Properties.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type", + "searchValue": "", + "expectedValue": "Resources.TestCluster.Properties.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type should be set to 'DISABLED' or undefined", + "actualValue": "Resources.TestCluster.Properties.BrokerNodeGroupInfo.ConnectivityInfo.PublicAccess.Type is set to 'SERVICE_PROVIDED_EIPS'", + "issueType": "IncorrectValue", + "similarityID": "9e10f6da05758474e65811c1b6edcad19a8b03a2556dc19e1b37fe64b291877b", + "search_line": 15 } ] diff --git a/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json index 22713f3e118..96d1df663b8 100644 --- a/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json 
+++ b/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json 
@@ -1,38 +1,92 @@ [ { + "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", "line": 5, "fileName": "positive1.yaml", - "queryName": "MSK Cluster Encryption Disabled" + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithAllProperties", + "searchKey": "Resources.TestCluster5.Properties", + "searchValue": "", + "expectedValue": "Resources.TestCluster5.Properties.EncryptionInfo should be defined", + "actualValue": "Resources.TestCluster5.Properties.EncryptionInfo is undefined", + "issueType": "MissingAttribute", + "similarityID": "96c2877a07e9f86274303e87260619c03693b35218cbf56f77a1df03b229b980", + "search_line": -1 }, { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", - "line": 6, - "fileName": "positive4.json" + "line": 14, + "fileName": "positive2.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithAllProperties", + "searchKey": "Resources.TestCluster6.Properties.EncryptionInfo.EncryptionInTransit.ClientBroker", + "searchValue": "", + "expectedValue": "Resources.TestCluster6.Properties.EncryptionInfo.EncryptionInTransit.ClientBroker is 'TLS'", + "actualValue": "Resources.TestCluster6.Properties.EncryptionInfo.EncryptionInTransit.ClientBroker is not 'TLS'", + "issueType": "IncorrectValue", + "similarityID": "5e80a6a818ee2a5181906fbdeb5504d0377c57f996f13d67311bbd94542de454", + "search_line": -1 }, { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", "line": 14, - "fileName": "positive2.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithAllProperties", + "searchKey": "Resources.TestCluster7.Properties.EncryptionInfo.EncryptionInTransit.InCluster", + "searchValue": "", + "expectedValue": "Resources.TestCluster7.Properties.EncryptionInfo.EncryptionInTransit.InCluster is 'true'", + "actualValue": "Resources.TestCluster7.Properties.EncryptionInfo.EncryptionInTransit.InCluster is 'false'", + "issueType": "IncorrectValue", + 
"similarityID": "fd4cdc394cc25db553755768bb944eb5159cf1fda8b86c63eeda853a585f0d04", + "search_line": -1 }, { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", - "line": 16, - "fileName": "positive5.json" + "line": 6, + "fileName": "positive4.json", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithAllProperties", + "searchKey": "Resources.TestCluster8.Properties", + "searchValue": "", + "expectedValue": "Resources.TestCluster8.Properties.EncryptionInfo should be defined", + "actualValue": "Resources.TestCluster8.Properties.EncryptionInfo is undefined", + "issueType": "MissingAttribute", + "similarityID": "599740764c27d331fa47bbe516eba5c93bcd0c748d09e767751096bc1fa45979", + "search_line": -1 }, { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", - "line": 14, - "fileName": "positive3.yaml" + "line": 16, + "fileName": "positive5.json", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithAllProperties", + "searchKey": "Resources.TestCluster9.Properties.EncryptionInfo.EncryptionInTransit.ClientBroker", + "searchValue": "", + "expectedValue": "Resources.TestCluster9.Properties.EncryptionInfo.EncryptionInTransit.ClientBroker is 'TLS'", + "actualValue": "Resources.TestCluster9.Properties.EncryptionInfo.EncryptionInTransit.ClientBroker is not 'TLS'", + "issueType": "IncorrectValue", + "similarityID": "3a25911f079e6fca8fd8e3347ec207619edcc23bdfa42d18f83b31b2770bf46e", + "search_line": -1 }, { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", "line": 16, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithAllProperties", + "searchKey": "Resources.TestCluster10.Properties.EncryptionInfo.EncryptionInTransit.InCluster", + "searchValue": "", + "expectedValue": "Resources.TestCluster10.Properties.EncryptionInfo.EncryptionInTransit.InCluster is 'true'", + "actualValue": 
"Resources.TestCluster10.Properties.EncryptionInfo.EncryptionInTransit.InCluster is 'false'", + "issueType": "IncorrectValue", + "similarityID": "75b7b5eefb5472daa92a175bf4163bef558f1bbb9421ba7a98a7f70b03418f3e", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/test/positive_expected_result.json index 18936d80396..c59caff5b54 100644 --- a/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled/test/positive_expected_result.json 
@@ -3,78 +3,195 @@ "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster5.Properties", + "searchValue": "", + "expectedValue": "Resources.TestCluster5.Properties.LoggingInfo should be defined", + "actualValue": "Resources.TestCluster5.Properties.LoggingInfo is undefined", + "issueType": "MissingAttribute", + "similarityID": "e4830937078aab159214a828500a2040c5b44200dccd9fbd6203214d631db18d", + "search_line": -1 }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", "line": 12, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue", + "similarityID": "3b47fa04fd5f3bf8a7170055d2dc35c928657484ed784077857bb382779be403", + "search_line": -1 }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", "line": 15, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.Firehose.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue", + "similarityID": "dce1a88f43ca9c2ac7d4cd152099de09833231d22ddbc77fadd0aebacee14e8a", + "search_line": -1 }, { "queryName": "MSK 
Cluster Logging Disabled", "severity": "MEDIUM", "line": 18, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.S3.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue", + "similarityID": "2f50b92d9b5827f1e36f214320b4704b745894030e337edd9a1fab93cbb9638f", + "search_line": -1 }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", "line": 12, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster7.Properties.LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster7.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster7.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue", + "similarityID": "b15277145103896c8dbd162057c06e35dc35043696663864e8ba2c96197c570c", + "search_line": -1 }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster8.Properties", + "searchValue": "", + "expectedValue": "Resources.TestCluster8.Properties.LoggingInfo should be defined", + "actualValue": "Resources.TestCluster8.Properties.LoggingInfo is undefined", + "issueType": "MissingAttribute", + "similarityID": "e6dcb0ff0f1bdce1d411af2f910faf2ed94df31f9ec0e3c2ec45da9a2a40a754", + "search_line": -1 }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", 
"line": 13, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue", + "similarityID": "a2347aaaad12d0f6a84ce54f2f3d3879bbd474e324b4e92357fc1aa67f9b8dbb", + "search_line": -1 }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", "line": 17, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs.Firehose.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue", + "similarityID": "0e3f8023109af81121b4e553af166b7c0f6b4b16853e8c2f20c707391897187f", + "search_line": -1 }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", "line": 21, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs.S3.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster9.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue", + "similarityID": "ca490807a1889a7ce8470f7ee9a56a1667bf965bd92f6c3e45419b305f7ef997", + "search_line": -1 }, { "queryName": "MSK Cluster Logging Disabled", "severity": 
"MEDIUM", "line": 13, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster10.Properties.LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster10.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster10.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue", + "similarityID": "8c78182690f1959551a635043280289388c937267f17ecd000fb3b7fc0d61ac2", + "search_line": -1 }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", "line": 12, - "fileName": "positive7.yaml" + "fileName": "positive7.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue", + "similarityID": "7edf12731f31ef9c6b4ec611ed0f1d14e583666b1c788e1001c7a43a7e7c5828", + "search_line": -1 }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", "line": 15, - "fileName": "positive7.yaml" + "fileName": "positive7.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.Firehose.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue", + "similarityID": "ae8bddfd9241d516b73b6627676d781bf71a33a7b4e8ded94d3047c424eff83d", + "search_line": -1 }, { "queryName": "MSK Cluster Logging 
Disabled", "severity": "MEDIUM", "line": 18, - "fileName": "positive7.yaml" + "fileName": "positive7.yaml", + "resourceType": "AWS::MSK::Cluster", + "resourceName": "ClusterWithRequiredProperties", + "searchKey": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs.S3.Enabled", + "searchValue": "", + "expectedValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is enabled", + "actualValue": "Resources.TestCluster6.Properties.LoggingInfo.BrokerLogs is disabled", + "issueType": "IncorrectValue", + "similarityID": "e4a87ea3f6e50de3127aea2513d5a1e9a685dcde1c0eda40d4391e63f95c0872", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json index f51982aed87..46bad61b758 100644 --- a/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "Neptune Cluster With IAM Database Authentication Disabled", "severity": "HIGH", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "NeptuneDBCluster", + "searchKey": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled", + "searchValue": "", + "expectedValue": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled should be set to true", + "actualValue": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled is set to false", + "issueType": "IncorrectValue", + "similarityID": "72c973ed31a4ae86d8074a0fd904ef745960e76f28ea44871c725c29061342b4", + "search_line": -1 }, { "queryName": "Neptune Cluster With IAM Database Authentication Disabled", "severity": "HIGH", "line": 12, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "NeptuneDBCluster2", + "searchKey": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled", + "searchValue": "", + "expectedValue": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled should be set to true", + "actualValue": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled is set to false", + "issueType": "IncorrectValue", + "similarityID": "a62c7e424d8b89a56086132fb7a5c6bf3229e62e8458de3bc3cc2cb63827cd60", + "search_line": -1 }, { "queryName": "Neptune Cluster With IAM Database Authentication Disabled", "severity": "HIGH", "line": 8, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "NeptuneDBCluster", + "searchKey": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled", + "searchValue": "", + "expectedValue": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled should be set to true", + "actualValue": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled is set to false", + "issueType": "IncorrectValue", + "similarityID": 
"ddc4da400a31c7d584002f68095d8c3f4306d0c6b0883da0d1fc7e797f286dc3", + "search_line": -1 }, { "queryName": "Neptune Cluster With IAM Database Authentication Disabled", "severity": "HIGH", "line": 15, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "NeptuneDBCluster2", + "searchKey": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled", + "searchValue": "", + "expectedValue": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled should be set to true", + "actualValue": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled is set to false", + "issueType": "IncorrectValue", + "similarityID": "f207a32ae85eba1f1c4bfb914e58e69831fa239e7521b2b9acfa2730ac6e606c", + "search_line": -1 }, { "queryName": "Neptune Cluster With IAM Database Authentication Disabled", "severity": "HIGH", "line": 7, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "NeptuneDBCluster", + "searchKey": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled", + "searchValue": "", + "expectedValue": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled should be set to true", + "actualValue": "Resources.NeptuneDBCluster.Properties.IamAuthEnabled is set to false", + "issueType": "IncorrectValue", + "similarityID": "624661d8f9d584e52ef960fa1d28feb65e2cefd452d88672351e9187e8ad1865", + "search_line": -1 }, { "queryName": "Neptune Cluster With IAM Database Authentication Disabled", "severity": "HIGH", "line": 12, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "NeptuneDBCluster2", + "searchKey": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled", + "searchValue": "", + "expectedValue": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled should be set to true", + "actualValue": "Resources.NeptuneDBCluster2.Properties.IamAuthEnabled is set to false", + "issueType": 
"IncorrectValue", + "similarityID": "0b1b8e15097f466ffb74a444a49633935e0928ff42bab8e38602004ff51479e4", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json index 56c1ab81ab8..b41a5b10371 100644 --- a/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "Neptune Database Cluster Encryption Disabled", "severity": "HIGH", "line": 27, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "NeptuneDBCluster", + "searchKey": "Resources.NeptuneDBCluster.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.NeptuneDBCluster.Properties.StorageEncrypted should be set to True", + "actualValue": "Resources.NeptuneDBCluster.Properties.StorageEncrypted is False", + "issueType": "IncorrectValue", + "similarityID": "b587d12db3e35ffe6457489e0acf0113341724c02c98255a9906e7c92ae37358", + "search_line": -1 }, { "queryName": "Neptune Database Cluster Encryption Disabled", "severity": "HIGH", "line": 21, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "NeptuneDBCluster", + "searchKey": "Resources.NeptuneDBCluster.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.NeptuneDBCluster.Properties.StorageEncrypted should be set to True", + "actualValue": "Resources.NeptuneDBCluster.Properties.StorageEncrypted is False", + "issueType": "IncorrectValue", + "similarityID": "be69063d462a8bea2bd9f70852560cb7709d7cea6df7442b3143a52cd27a6456", + "search_line": -1 }, { "queryName": "Neptune Database Cluster Encryption Disabled", "severity": "HIGH", "line": 27, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "NeptuneDBCluster", + "searchKey": "Resources.NeptuneDBCluster.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.NeptuneDBCluster.Properties.StorageEncrypted should be set to True", + "actualValue": "Resources.NeptuneDBCluster.Properties.StorageEncrypted is False", + "issueType": "IncorrectValue", + "similarityID": "70fe111308fc97b3b7e70c739a24283e62fb9d5029341808a12f80e8bd8b62c1", + "search_line": -1 } -] \ 
No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/neptune_logging_is_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/neptune_logging_is_disabled/test/positive_expected_result.json index f6adaa3e926..6090db77543 100644 --- a/assets/queries/cloudFormation/aws/neptune_logging_is_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/neptune_logging_is_disabled/test/positive_expected_result.json 
@@ -3,48 +3,120 @@ "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", "line": 6, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties", + "searchValue": "", + "expectedValue": "'Resources.Prod.Properties' should have 'EnableCloudwatchLogsExports' enabled ", + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' is undefined", + "issueType": "MissingAttribute", + "similarityID": "db8d0f431e8aefb791eaa02b04e4e93d1b34e18ff48b8d69a714395d81c44800", + "search_line": 6 }, { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", "line": 8, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.EnableCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' should include 'audit'", + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' does not include 'audit'", + "issueType": "MissingAttribute", + "similarityID": "87b3dabfdbd9bf4c2216caa2fa1c58a5e4825c3e20f9926ab1a180bcb7c4b3d6", + "search_line": 8 }, { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", "line": 8, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.EnableCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' should include 'audit'", + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' does not include 'audit'", + "issueType": "MissingAttribute", + "similarityID": "072f28266de1dd05843a8c034c0e27593cf6a8c075fff08f76c9f460656d885b", + "search_line": 8 }, { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", 
"line": 8, - "filename": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.EnableCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' should include 'audit'", + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' does not include 'audit'", + "issueType": "MissingAttribute", + "similarityID": "aeac8bbc8fb7c7fcee25131465205b4bf9963f6b5bb2810496d297f0aff9a274", + "search_line": 8 }, { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", "line": 5, - "filename": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties", + "searchValue": "", + "expectedValue": "'Resources.Prod.Properties' should have 'EnableCloudwatchLogsExports' enabled ", + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' is undefined", + "issueType": "MissingAttribute", + "similarityID": "f31e5f021222d631d8ed0e9d97ab6a84e8ae38d71477cd3ba955656a59bed918", + "search_line": 5 }, { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", "line": 7, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.EnableCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "'Resources.Prod.Properties' should have 'EnableCloudwatchLogsExports' enabled ", + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' is set to null", + "issueType": "IncorrectValue", + "similarityID": "83345b07ce8fb39f7314dc545e1356e494346d3708773e034417c331dd682f00", + "search_line": 7 }, { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", "line": 7, - "filename": "positive7.yaml" + "fileName": "positive7.yaml", + "resourceType": 
"AWS::Neptune::DBCluster", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.EnableCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' should include 'audit'", + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' does not include 'audit'", + "issueType": "MissingAttribute", + "similarityID": "7a59804c366040f769e6027f66c8d2da1e7a39ba71399afd29270ff859a38351", + "search_line": 7 }, { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", "line": 7, - "filename": "positive8.yaml" + "fileName": "positive8.yaml", + "resourceType": "AWS::Neptune::DBCluster", + "resourceName": "Prod", + "searchKey": "Resources.Prod.Properties.EnableCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' should include 'audit'", + "actualValue": "'Resources.Prod.Properties.EnableCloudwatchLogsExports' does not include 'audit'", + "issueType": "MissingAttribute", + "similarityID": "47ef2d35ff791fba85c901708c4af508cf8bf07b546a0d87767bada22383ebce", + "search_line": 7 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/public_lambda_via_api_gateway/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/public_lambda_via_api_gateway/test/positive_expected_result.json index 9432662c2fc..7fa247020fe 100644 --- a/assets/queries/cloudFormation/aws/public_lambda_via_api_gateway/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/public_lambda_via_api_gateway/test/positive_expected_result.json 
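Review bot: The `expectedValue` strings pinned for the positive1.json, positive5.yaml and positive6.yaml entries end in a trailing space (`"'Resources.Prod.Properties' should have 'EnableCloudwatchLogsExports' enabled "`), so the fixture now locks in a sloppy message. Because these files are regenerated from a scan, the fix belongs in the query's message string, followed by regenerating this file rather than hand-editing it. The positive6.yaml entry also reports `"issueType": "IncorrectValue"` with `actualValue ... is set to null` while the other seven entries are `MissingAttribute`; if a null export list is meant to be treated like an absent property, the query should emit one consistent issueType. The rename from `filename` to `fileName` is correct and presumably means this field is compared by the test harness from now on, which is why the messages deserve a look before they are pinned.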
@@ -1,14 +1,32 @@ [ { + "queryName": "Public Lambda via API Gateway", + "severity": "MEDIUM", "line": 11, "fileName": "positive1.yaml", - "queryName": "Public Lambda via API Gateway", - "severity": "MEDIUM" + "resourceType": "AWS::Lambda::Permission", + "resourceName": "s3Permission3", + "searchKey": "Resources.s3Permission3.Properties.SourceArn", + "searchValue": "", + "expectedValue": "Resources.s3Permission3.Properties.SourceArn should not equal to '/*/*'", + "actualValue": "Resources.s3Permission3.Properties.SourceArn is equal to '/*/*' or contains '/*/*'", + "issueType": "IncorrectValue", + "similarityID": "1c926f7ba93eaf4827a5127c57b4e3d851a11c774d72c6329a1d5ae5fdcf58de", + "search_line": -1 }, { + "queryName": "Public Lambda via API Gateway", + "severity": "MEDIUM", "line": 18, "fileName": "positive2.json", - "queryName": "Public Lambda via API Gateway", - "severity": "MEDIUM" + "resourceType": "AWS::Lambda::Permission", + "resourceName": "s3Permission", + "searchKey": "Resources.s3Permission.Properties.SourceArn", + "searchValue": "", + "expectedValue": "Resources.s3Permission.Properties.SourceArn should not equal to '/*/*'", + "actualValue": "Resources.s3Permission.Properties.SourceArn is equal to '/*/*' or contains '/*/*'", + "issueType": "IncorrectValue", + "similarityID": "6e88f8ea10441ccd63c7340c563b1410832eae1f5d0b3536744f9827a15e2790", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/test/positive_expected_result.json index 7f80c9865ef..4a3a217a06f 100644 --- a/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet/test/positive_expected_result.json 
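Review bot: The `actualValue` pinned for both entries, `Resources.s3Permission3.Properties.SourceArn is equal to '/*/*' or contains '/*/*'`, is hedged even though the query knows which branch matched; reporting the actual SourceArn value would let a reviewer see the wildcard stage/method segment that makes the Lambda publicly invocable. The matching `expectedValue` also reads `should not equal to '/*/*'`, which should be `should not contain '/*/*'` (or `should not equal`) to match whatever the query actually checks. Both are query-side message fixes, after which this fixture should be regenerated.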
@@ -3,12 +3,30 @@ "queryName": "RDS Associated with Public Subnet", "severity": "CRITICAL", "line": 12, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "Positive1", + "searchKey": "Resources.Positive1.Properties.DBSubnetGroupName", + "searchValue": "", + "expectedValue": "RDS should not be running in a public subnet", + "actualValue": "RDS is running in a public subnet", + "issueType": "IncorrectValue", + "similarityID": "7bc66f990ad5d44c55428ef6fc43d19f2c1abbfa7260543215ef90ae9a777582", + "search_line": 12 }, { "queryName": "RDS Associated with Public Subnet", "severity": "CRITICAL", "line": 9, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "Positive1", + "searchKey": "Resources.Positive1.Properties.DBSubnetGroupName", + "searchValue": "", + "expectedValue": "RDS should not be running in a public subnet", + "actualValue": "RDS is running in a public subnet", + "issueType": "IncorrectValue", + "similarityID": "883035a880abe00bcf557968ba577e9178215a8242da441f0bed060bfe91c15c", + "search_line": 9 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json index 8ab4a9e49bc..a457a3c8c44 100644 --- a/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", "line": 69, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB.Properties.PubliclyAccessible", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.PubliclyAccessible' should be set to false", + "actualValue": "'Resources.MyDB.Properties.PubliclyAccessible' is set to true", + "issueType": "IncorrectValue", + "similarityID": "981256c2b0d633fd322d83980c71e6e8a04b69cdae5dc584f182633b0221f832", + "search_line": 69 }, { "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", "line": 61, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB.Properties.PubliclyAccessible", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.PubliclyAccessible' should be set to false", + "actualValue": "'Resources.MyDB.Properties.PubliclyAccessible' is set to true", + "issueType": "IncorrectValue", + "similarityID": "38d6383e7102091c8d62889f5957ad80de583767d29cfa3077295f413a0f15ba", + "search_line": 61 }, { "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", "line": 69, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "DBName", + "searchKey": "Resources.MyDB.Properties.PubliclyAccessible", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.PubliclyAccessible' should be set to false", + "actualValue": "'Resources.MyDB.Properties.PubliclyAccessible' is set to true", + "issueType": "IncorrectValue", + "similarityID": "3dfaa65927629327c0bf68bef7dfca61c88b4e4b9c59c738d57195df24e1e9e3", + "search_line": 69 } -] \ No newline at end of file +] 
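Review bot: Every entry in this hunk has `"resourceName": "DBName"` while `searchKey` points at `Resources.MyDB.Properties.PubliclyAccessible`, so the resource name appears to come from a property value rather than the logical resource ID `MyDB` that the Neptune and RDS storage fixtures in this same change use. Committing it as the expected result locks the inconsistency in; the query's Rego should populate `resourceName` from the logical ID (using a `DBName`-style property only as a fallback) and this file regenerated. Note also that positive1.yaml and positive3.yaml yield identical line numbers and messages, differing only in `similarityID`; if positive3 is not exercising a distinct syntax variant, it adds no coverage for this CRITICAL check.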
diff --git a/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/test/positive_expected_result.json index af7ef58369f..d0b85e3ef8d 100644 --- a/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled/test/positive_expected_result.json 
@@ -3,30 +3,75 @@ "queryName": "RDS DB Instance With Deletion Protection Disabled", "severity": "LOW", "line": 34, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties.DeletionProtection", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall.Properties.DeletionProtection should be set to true", + "actualValue": "Resources.MyDBSmall.Properties.DeletionProtection is set to false", + "issueType": "IncorrectValue", + "similarityID": "8bbb6da736c91605fdf8c1d94455f8c1d4ea0ed186902c9390d298c7ea962884", + "search_line": -1 }, { "queryName": "RDS DB Instance With Deletion Protection Disabled", "severity": "LOW", "line": 30, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall1", + "searchKey": "Resources.MyDBSmall1.Properties", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall1.Properties.DeletionProtection should be defined", + "actualValue": "Resources.MyDBSmall1.Properties.DeletionProtection is undefined", + "issueType": "MissingAttribute", + "similarityID": "a4e54570f4eab1192bacbd6cbebf21c74aabc2d8ebe4c5caec3a1cefb57fd5bb", + "search_line": -1 }, { "queryName": "RDS DB Instance With Deletion Protection Disabled", "severity": "LOW", "line": 49, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties.DeletionProtection", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall.Properties.DeletionProtection should be set to true", + "actualValue": "Resources.MyDBSmall.Properties.DeletionProtection is set to false", + "issueType": "IncorrectValue", + "similarityID": "c5e952339a2dae6222d4488e7bfcce3acd33688ac5296d05787d53691edbdebb", + "search_line": -1 }, { "queryName": "RDS DB Instance With Deletion Protection 
Disabled", "severity": "LOW", "line": 45, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall1", + "searchKey": "Resources.MyDBSmall1.Properties", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall1.Properties.DeletionProtection should be defined", + "actualValue": "Resources.MyDBSmall1.Properties.DeletionProtection is undefined", + "issueType": "MissingAttribute", + "similarityID": "949dea03b6a976a7e7e99d72bf2265fd303c35ff3472387b7026269fd042a614", + "search_line": -1 }, { "queryName": "RDS DB Instance With Deletion Protection Disabled", "severity": "LOW", "line": 34, - "fileName": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties.DeletionProtection", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall.Properties.DeletionProtection should be set to true", + "actualValue": "Resources.MyDBSmall.Properties.DeletionProtection is set to false", + "issueType": "IncorrectValue", + "similarityID": "f90038d6f552557f9a12cbf28a1bcf0ca51d8d8a0105344bf8bd01809ec7c160", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/test/positive_expected_result.json index 4787fe06159..a2b32601b17 100644 --- a/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled/test/positive_expected_result.json 
@@ -3,30 +3,75 @@ "queryName": "RDS Multi-AZ Deployment Disabled", "severity": "MEDIUM", "line": 128, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "", + "searchKey": "Resources.MasterDB.Properties.MultiAZ", + "searchValue": "", + "expectedValue": "The RDS DBInstance 'MasterDB' should have Multi-Availability Zone enabled", + "actualValue": "The RDS DBInstance 'MasterDB' has MultiAZ value set to false", + "issueType": "IncorrectValue", + "similarityID": "1b7f99873bd906f713356af5c90dd789e6bc0c8533e8a8d7d3ad81382ccea18a", + "search_line": -1 }, { + "queryName": "RDS Multi-AZ Deployment Disabled", + "severity": "MEDIUM", "line": 148, "fileName": "positive1.yaml", - "queryName": "RDS Multi-AZ Deployment Disabled", - "severity": "MEDIUM" + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "Read Replica Database", + "searchKey": "Resources.ReplicaDB.Properties", + "searchValue": "", + "expectedValue": "The RDS DBInstance 'ReplicaDB' should have Multi-Availability Zone enabled", + "actualValue": "The RDS DBInstance 'ReplicaDB' MultiAZ property is undefined and by default disabled", + "issueType": "MissingAttribute", + "similarityID": "92072662106a1da93ec4f6950b4fe1f028b86c31dbe2619a47113a84f69ccb18", + "search_line": -1 }, { + "queryName": "RDS Multi-AZ Deployment Disabled", "severity": "MEDIUM", "line": 89, "fileName": "positive2.json", - "queryName": "RDS Multi-AZ Deployment Disabled" + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "", + "searchKey": "Resources.MasterDB.Properties.MultiAZ", + "searchValue": "", + "expectedValue": "The RDS DBInstance 'MasterDB' should have Multi-Availability Zone enabled", + "actualValue": "The RDS DBInstance 'MasterDB' has MultiAZ value set to false", + "issueType": "IncorrectValue", + "similarityID": "3da38d5490851da09c357d0ed850866e644ca33ebe71f9e188987f1739dd1c44", + "search_line": -1 }, { + "queryName": "RDS Multi-AZ Deployment Disabled", 
+ "severity": "MEDIUM", "line": 124, "fileName": "positive2.json", - "queryName": "RDS Multi-AZ Deployment Disabled", - "severity": "MEDIUM" + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "Read Replica Database", + "searchKey": "Resources.ReplicaDB.Properties", + "searchValue": "", + "expectedValue": "The RDS DBInstance 'ReplicaDB' should have Multi-Availability Zone enabled", + "actualValue": "The RDS DBInstance 'ReplicaDB' MultiAZ property is undefined and by default disabled", + "issueType": "MissingAttribute", + "similarityID": "3372b23b99a3e919dc29f2d381032864eb0c05e1cccc005fa53c44374b044906", + "search_line": -1 }, { "queryName": "RDS Multi-AZ Deployment Disabled", "severity": "MEDIUM", "line": 128, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "", + "searchKey": "Resources.MasterDB.Properties.MultiAZ", + "searchValue": "", + "expectedValue": "The RDS DBInstance 'MasterDB' should have Multi-Availability Zone enabled", + "actualValue": "The RDS DBInstance 'MasterDB' has MultiAZ value set to false", + "issueType": "IncorrectValue", + "similarityID": "4f724ec87fd877ec84b4aaf8aca8262b5cdc4a83d670abf05f4050c4845f1656", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/test/positive_expected_result.json index b91a1a46a5a..41f645bce4d 100644 --- a/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled/test/positive_expected_result.json 
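Review bot: The three MasterDB entries in this hunk carry an empty `"resourceName": ""` while the ReplicaDB entries carry `"Read Replica Database"`, which looks like a Name-tag-derived value rather than the logical ID, so the primary instance will show up nameless in triage output once this is pinned. The query should fall back to the logical resource ID (`MasterDB`, `ReplicaDB`) when no name property exists, and the fixture should then be regenerated rather than accepted as-is. On the plus side, the old fixture had `queryName` and `severity` in differing order across entries and one entry missing `severity` entirely; the normalized key order in the new file removes that drift.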
@@ -3,36 +3,90 @@ "queryName": "RDS Storage Encryption Disabled", "severity": "HIGH", "line": 12, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster", + "searchKey": "Resources.RDSCluster.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.RDSCluster.Properties.StorageEncrypted should be set to true", + "actualValue": "Resources.RDSCluster.Properties.StorageEncrypted is false", + "issueType": "IncorrectValue", + "similarityID": "713398b4f4d47110fcd7005898362a978f6a8daa3808a55d16fb878540764f2f", + "search_line": -1 }, { "queryName": "RDS Storage Encryption Disabled", "severity": "HIGH", "line": 5, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster1", + "searchKey": "Resources.RDSCluster1.Properties", + "searchValue": "", + "expectedValue": "Resources.RDSCluster1.Properties.StorageEncrypted should be defined", + "actualValue": "Resources.RDSCluster1.Properties.StorageEncrypted is undefined", + "issueType": "MissingAttribute", + "similarityID": "ba5b954159812ec1dfa69f1420a0f80f364b41ebf7abf05317eca596cca0d4a4", + "search_line": -1 }, { "queryName": "RDS Storage Encryption Disabled", "severity": "HIGH", "line": 9, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster", + "searchKey": "Resources.RDSCluster.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.RDSCluster.Properties.StorageEncrypted should be set to true", + "actualValue": "Resources.RDSCluster.Properties.StorageEncrypted is false", + "issueType": "IncorrectValue", + "similarityID": "8920a528c036f6dd145ca6402aa5cb75a16fbb04561bcabbad6a07fb1c7680fd", + "search_line": -1 }, { "queryName": "RDS Storage Encryption Disabled", "severity": "HIGH", "line": 59, - "fileName": "positive4.json" + "fileName": 
"positive4.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster1", + "searchKey": "Resources.RDSCluster1.Properties", + "searchValue": "", + "expectedValue": "Resources.RDSCluster1.Properties.StorageEncrypted should be defined", + "actualValue": "Resources.RDSCluster1.Properties.StorageEncrypted is undefined", + "issueType": "MissingAttribute", + "similarityID": "24077dfdcc33eda2b04c1f3207afa44f1b591881040991380dce9ad355a3b8b5", + "search_line": -1 }, { "queryName": "RDS Storage Encryption Disabled", "severity": "HIGH", "line": 5, - "fileName": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "NoEncryption", + "searchKey": "Resources.NoEncryption.Properties", + "searchValue": "", + "expectedValue": "Resources.NoEncryption.Properties.StorageEncrypted should be defined", + "actualValue": "Resources.NoEncryption.Properties.StorageEncrypted is undefined", + "issueType": "MissingAttribute", + "similarityID": "8afc92749918b877505b93f9677c8e35b7bc503055703703af307b8fae0a3c56", + "search_line": -1 }, { "queryName": "RDS Storage Encryption Disabled", "severity": "HIGH", "line": 12, - "fileName": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "RDSCluster", + "searchKey": "Resources.RDSCluster.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.RDSCluster.Properties.StorageEncrypted should be set to true", + "actualValue": "Resources.RDSCluster.Properties.StorageEncrypted is false", + "issueType": "IncorrectValue", + "similarityID": "7c5ddb21884d458bc019fc8f7fd89e72a1e204bbc36f12d99d85d0774d2e1578", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/test/positive_expected_result.json index 0e49ea3c58c..3c0dd04214d 100644 
--- a/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_storage_not_encrypted/test/positive_expected_result.json 
@@ -3,30 +3,75 @@ "queryName": "RDS Storage Not Encrypted", "severity": "HIGH", "line": 35, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall.Properties.StorageEncrypted should be set to true", + "actualValue": "Resources.MyDBSmall.Properties.StorageEncrypted is set to false", + "issueType": "IncorrectValue", + "similarityID": "6c8b34945512efc348e205941ea71c24f073ba59c72d2105bbb10389c7c73bb8", + "search_line": -1 }, { "queryName": "RDS Storage Not Encrypted", "severity": "HIGH", "line": 30, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall2", + "searchKey": "Resources.MyDBSmall2.Properties", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall2.Properties.StorageEncrypted should be defined and set to true", + "actualValue": "Resources.MyDBSmall2.Properties.StorageEncrypted is undefined", + "issueType": "MissingAttribute", + "similarityID": "b5dd52a8a8fe4b33b9b69e01a93cf4bae1a6d8d1c2e52f92fc7cda5506a7906f", + "search_line": -1 }, { "queryName": "RDS Storage Not Encrypted", "severity": "HIGH", "line": 50, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall.Properties.StorageEncrypted should be set to true", + "actualValue": "Resources.MyDBSmall.Properties.StorageEncrypted is set to false", + "issueType": "IncorrectValue", + "similarityID": "0b95218b4707cb7475e0172582b9b1b71ecdb6669ac9e31528b99fef1af200ef", + "search_line": -1 }, { "queryName": "RDS Storage Not Encrypted", "severity": "HIGH", "line": 45, - "fileName": "positive4.json" + "fileName": 
"positive4.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall2", + "searchKey": "Resources.MyDBSmall2.Properties", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall2.Properties.StorageEncrypted should be defined and set to true", + "actualValue": "Resources.MyDBSmall2.Properties.StorageEncrypted is undefined", + "issueType": "MissingAttribute", + "similarityID": "c726befc34dcf76049af2252cb7e923c9ee8bc329d2c25fcc8974b8901fe162f", + "search_line": -1 }, { "queryName": "RDS Storage Not Encrypted", "severity": "HIGH", "line": 35, - "fileName": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBSmall", + "searchKey": "Resources.MyDBSmall.Properties.StorageEncrypted", + "searchValue": "", + "expectedValue": "Resources.MyDBSmall.Properties.StorageEncrypted should be set to true", + "actualValue": "Resources.MyDBSmall.Properties.StorageEncrypted is set to false", + "issueType": "IncorrectValue", + "similarityID": "f4f1e109282672a0e320c21c02c0bceeef7735d6e01c66152923c51a38ae924f", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/rds_using_default_port/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_using_default_port/test/positive_expected_result.json index ac7552bddb2..cc1a2c5332f 100644 --- a/assets/queries/cloudFormation/aws/rds_using_default_port/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_using_default_port/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "RDS Using Default Port", "severity": "LOW", "line": 15, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDB", + "searchKey": "Resources.MyDB.Properties.Port", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.Port' should not be set to 1521", + "actualValue": "'Resources.MyDB.Properties.Port' is set to 1521", + "issueType": "IncorrectValue", + "similarityID": "3a758ad71f2e7bf8c99e9862b441b9f18dfe79fbf20147f443ce9978aae9ba52", + "search_line": 15 }, { "queryName": "RDS Using Default Port", "severity": "LOW", "line": 21, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDB", + "searchKey": "Resources.MyDB.Properties.Port", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.Port' should not be set to 1521", + "actualValue": "'Resources.MyDB.Properties.Port' is set to 1521", + "issueType": "IncorrectValue", + "similarityID": "c437f08ebb62944e6903566a61c960a7d4ff16d040dc29640ce310392f3101e3", + "search_line": 21 }, { "queryName": "RDS Using Default Port", "severity": "LOW", "line": 15, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDB", + "searchKey": "Resources.MyDB.Properties.Port", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.Port' should not be set to 3306", + "actualValue": "'Resources.MyDB.Properties.Port' is set to 3306", + "issueType": "IncorrectValue", + "similarityID": "ad11986f8d07c34b09aeeb54c8beab14abac1f7631c37eea879e0e0b031a3729", + "search_line": 15 }, { "queryName": "RDS Using Default Port", "severity": "LOW", "line": 21, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDB", + "searchKey": "Resources.MyDB.Properties.Port", + "searchValue": "", + "expectedValue": 
"'Resources.MyDB.Properties.Port' should not be set to 3306", + "actualValue": "'Resources.MyDB.Properties.Port' is set to 3306", + "issueType": "IncorrectValue", + "similarityID": "4a73748f9df321718f1b49c5c337dfe938cc36f0c67dc6f40a4e187acaf7c847", + "search_line": 21 } ] diff --git a/assets/queries/cloudFormation/aws/rds_with_backup_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/rds_with_backup_disabled/test/positive_expected_result.json index 18cc5f8c4ec..647d0e51e8c 100644 --- a/assets/queries/cloudFormation/aws/rds_with_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/rds_with_backup_disabled/test/positive_expected_result.json @@ -1,14 +1,32 @@ [ { - "fileName": "positive1.yaml", "queryName": "RDS With Backup Disabled", "severity": "MEDIUM", - "line": 14 + "line": 14, + "fileName": "positive1.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDB", + "searchKey": "Resources.MyDB.Properties.BackupRetentionPeriod", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.BackupRetentionPeriod' should not equal to zero", + "actualValue": "'Resources.MyDB.Properties.BackupRetentionPeriod' is equal to zero", + "issueType": "IncorrectValue", + "similarityID": "fcd855f03b90c1a528c9010d0665f32ecba7b221818bb29a5e16464f90901236", + "search_line": -1 }, { "queryName": "RDS With Backup Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDB", + "searchKey": "Resources.MyDB.Properties.BackupRetentionPeriod", + "searchValue": "", + "expectedValue": "'Resources.MyDB.Properties.BackupRetentionPeriod' should not equal to zero", + "actualValue": "'Resources.MyDB.Properties.BackupRetentionPeriod' is equal to zero", + "issueType": "IncorrectValue", + "similarityID": "9cff00dbc551759fc0bff601a4b5fd0ce81ba9914d4f6a6fc534ef8e8e2ebf76", + "search_line": -1 } ] 
diff --git a/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json index e1389be7964..3e939588cbe 100644 --- a/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "Redshift Cluster Logging Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "${DatabaseName}", + "searchKey": "Resources.RedshiftCluster3.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster3.Properties.LoggingProperties should be set", + "actualValue": "Resources.RedshiftCluster3.Properties.LoggingProperties is undefined", + "issueType": "MissingAttribute", + "similarityID": "d24fe38da8f2c4d6e4e0bc73fa311802d9b88cb9fee34b616f964a9b27c9d885", + "search_line": -1 }, { - "fileName": "positive2.json", "queryName": "Redshift Cluster Logging Disabled", "severity": "MEDIUM", - "line": 6 + "line": 6, + "fileName": "positive2.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "${DatabaseName}", + "searchKey": "Resources.RedshiftCluster4.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster4.Properties.LoggingProperties should be set", + "actualValue": "Resources.RedshiftCluster4.Properties.LoggingProperties is undefined", + "issueType": "MissingAttribute", + "similarityID": "055d4aa60497f5732a1a1475c15524ab1bda64feb2e37e5fee5b96438c46e909", + "search_line": -1 } ] 
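Review bot: Both new entries in this hunk pin `"resourceName": "${DatabaseName}"`, the unresolved template expression, while `searchKey` identifies the resource by its logical ID (`RedshiftCluster3`, `RedshiftCluster4`); the same pattern appears in the redshift_cluster_without_kms_cmk and redshift_not_encrypted fixtures in this change. If the scanner deliberately reports a name-like property verbatim this is expected output, but it is worth confirming before freezing it, since the fixture will now fail on any later change to how resource names are derived. A short comment in the PR description noting that `resourceName` is taken verbatim from the template would make the intent clear to whoever regenerates these files next.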
diff --git a/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/test/positive_expected_result.json index bcfc24fec54..f8195aa968f 100644 --- a/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "Redshift Cluster Without KMS CMK", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "${DatabaseName}", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties.KmsKeyId should be set", + "actualValue": "Resources.RedshiftCluster.Properties.KmsKeyId is undefined", + "issueType": "MissingAttribute", + "similarityID": "a7576a4d3842eb0f59956c59f1998c7dcf4a54b3a1892fd35a99e3f48c46568f", + "search_line": -1 }, { - "fileName": "positive2.json", "queryName": "Redshift Cluster Without KMS CMK", "severity": "MEDIUM", - "line": 12 + "line": 12, + "fileName": "positive2.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "${DatabaseName}", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties.KmsKeyId should be set", + "actualValue": "Resources.RedshiftCluster.Properties.KmsKeyId is undefined", + "issueType": "MissingAttribute", + "similarityID": "87dca7688ca262b9e242ff00d7f3aa287b3517496e4c3e4350d9741559c4772a", + "search_line": -1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/cloudFormation/aws/redshift_cluster_without_vpc/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/redshift_cluster_without_vpc/test/positive_expected_result.json index 9499674a8e3..feb9f887296 100644 --- a/assets/queries/cloudFormation/aws/redshift_cluster_without_vpc/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/redshift_cluster_without_vpc/test/positive_expected_result.json 
@@ -3,72 +3,180 @@ "queryName": "Redshift Cluster Without VPC", "severity": "LOW", "line": 5, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", + "actualValue": "Resources.RedshiftCluster.Properties does not define VpcSecurityGroupIds or ClusterSubnetGroupName", + "issueType": "MissingAttribute", + "similarityID": "92b9b8b8ec6935bf2411c51d3a556bb5ffb070f8592c2e5d3d3c80e48310673f", + "search_line": 5 }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", "line": 5, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", + "actualValue": "Resources.RedshiftCluster.Properties does not define VpcSecurityGroupIds", + "issueType": "MissingAttribute", + "similarityID": "b537545ed8f4419da10fdd48a3c3a6d793e8720b1732688a1f2e00d25fedf66f", + "search_line": 5 }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", "line": 5, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", + "actualValue": "Resources.RedshiftCluster.Properties does not define ClusterSubnetGroupName", + "issueType": "MissingAttribute", + "similarityID": "956098e0dd59df08d89e614dfd10c795ae27215db03f1470b6f52832b56fc0ba", + 
"search_line": 5 }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", "line": 5, - "fileName": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields should have valid references", + "actualValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields have invalid references", + "issueType": "IncorrectValue", + "similarityID": "66018802a119a64a7028a2a0a0e16876da72e5d73edf040aae9f6a5501777c54", + "search_line": 5 }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", "line": 19, - "fileName": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties.VpcSecurityGroupIds", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields should have valid references", + "actualValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds field has an invalid reference", + "issueType": "IncorrectValue", + "similarityID": "05b0ed191c397549f83f55bb5d862b731da2b32e979ac3f8b343cda7639df80e", + "search_line": 19 }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", "line": 18, - "fileName": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties.ClusterSubnetGroupName", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields should have valid references", + "actualValue": "Resources.RedshiftCluster.Properties ClusterSubnetGroupName field has an invalid reference", + 
"issueType": "IncorrectValue", + "similarityID": "8cdaa3abbb29e0d54826460d237dafb9b7abbf90288860ca7a2ff657683d9178", + "search_line": 18 }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", "line": 6, - "fileName": "positive7.json" + "fileName": "positive7.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", + "actualValue": "Resources.RedshiftCluster.Properties does not define VpcSecurityGroupIds or ClusterSubnetGroupName", + "issueType": "MissingAttribute", + "similarityID": "25102b4d38f1141403c127e2dcb19fc68039f76c3134419a534fb84208fcc10e", + "search_line": 6 }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", "line": 6, - "fileName": "positive8.json" + "fileName": "positive8.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", + "actualValue": "Resources.RedshiftCluster.Properties does not define VpcSecurityGroupIds", + "issueType": "MissingAttribute", + "similarityID": "3d6fb3f7f5c4c2b9301fd6403e7aaa48af0733d3e76a74096bec2ce67db6634d", + "search_line": 6 }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", "line": 6, - "fileName": "positive9.json" + "fileName": "positive9.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties should have VpcSecurityGroupIds and ClusterSubnetGroupName fields defined", + "actualValue": "Resources.RedshiftCluster.Properties does not define ClusterSubnetGroupName", + 
"issueType": "MissingAttribute", + "similarityID": "482ce5d3df9f7ccfb99e8737284ab465bd64c2edca77e792845ba535dc862a5e", + "search_line": 6 }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", "line": 6, - "fileName": "positive10.json" + "fileName": "positive10.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields should have valid references", + "actualValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields have invalid references", + "issueType": "IncorrectValue", + "similarityID": "b5376a59d3047fd3a1d6b583c6195866fe0406cb82c997769f3a193ea91c8c58", + "search_line": 6 }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", "line": 26, - "fileName": "positive11.json" + "fileName": "positive11.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties.VpcSecurityGroupIds", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields should have valid references", + "actualValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds field has an invalid reference", + "issueType": "IncorrectValue", + "similarityID": "0975d057691acffe0f52126d7d0ef3ca98c13f026d7fd0d467d528291b854345", + "search_line": 26 }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", "line": 24, - "fileName": "positive12.json" + "fileName": "positive12.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.RedshiftCluster.Properties.ClusterSubnetGroupName", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties VpcSecurityGroupIds and ClusterSubnetGroupName fields should have valid 
references", + "actualValue": "Resources.RedshiftCluster.Properties ClusterSubnetGroupName field has an invalid reference", + "issueType": "IncorrectValue", + "similarityID": "4b70acb7ddb2c1fc5c8747ffddb790e6765634f4e909c1e01cc06e4898de55ac", + "search_line": 24 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/redshift_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/redshift_not_encrypted/test/positive_expected_result.json index 8c7b0132cf5..e401883ec61 100644 --- a/assets/queries/cloudFormation/aws/redshift_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/redshift_not_encrypted/test/positive_expected_result.json 
@@ -3,30 +3,75 @@ "queryName": "Redshift Not Encrypted", "severity": "HIGH", "line": 6, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "${DatabaseName}", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties.Encrypted should be set", + "actualValue": "Resources.RedshiftCluster.Properties.Encrypted is undefined", + "issueType": "MissingAttribute", + "similarityID": "a7a21edce00350ef91dca9e43e1148870421d06d5aab0635f3ea2c9d68f8f7e6", + "search_line": -1 }, { "queryName": "Redshift Not Encrypted", "severity": "HIGH", "line": 21, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "${DatabaseName}", + "searchKey": "Resources.RedshiftCluster2.Properties.Encrypted", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster2.Properties.Encrypted should be set to true", + "actualValue": "Resources.RedshiftCluster2.Properties.Encryped is set to false", + "issueType": "IncorrectValue", + "similarityID": "2a7443e101cbe76c3a19760f0435422c4646b4e61ea06829e9458fe08cb582d6", + "search_line": -1 }, { "queryName": "Redshift Not Encrypted", "severity": "HIGH", "line": 7, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "${DatabaseName}", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties.Encrypted should be set", + "actualValue": "Resources.RedshiftCluster.Properties.Encrypted is undefined", + "issueType": "MissingAttribute", + "similarityID": "f5af65311f59c2acf296f68cb260b3b541e9f88c93d7422bbcc5410ef389e556", + "search_line": -1 }, { "queryName": "Redshift Not Encrypted", "severity": "HIGH", "line": 32, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": 
"AWS::Redshift::Cluster", + "resourceName": "${DatabaseName}", + "searchKey": "Resources.RedshiftCluster2.Properties.Encrypted", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster2.Properties.Encrypted should be set to true", + "actualValue": "Resources.RedshiftCluster2.Properties.Encryped is set to false", + "issueType": "IncorrectValue", + "similarityID": "2af08d87759d36d5bf6289ce9eb853f18a2bbe3a2654c7a96838dc1a3593a718", + "search_line": -1 }, { "queryName": "Redshift Not Encrypted", "severity": "HIGH", "line": 6, - "fileName": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "${DatabaseName}", + "searchKey": "Resources.RedshiftCluster.Properties", + "searchValue": "", + "expectedValue": "Resources.RedshiftCluster.Properties.Encrypted should be set", + "actualValue": "Resources.RedshiftCluster.Properties.Encrypted is undefined", + "issueType": "MissingAttribute", + "similarityID": "b230bbae454c87b7a67024b7dcda3b81eb795a574ee7c31539a5420bfb685a76", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/redshift_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/redshift_publicly_accessible/test/positive_expected_result.json index cb018261b8d..e59a2e5a613 100644 --- a/assets/queries/cloudFormation/aws/redshift_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/redshift_publicly_accessible/test/positive_expected_result.json 
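Review bot: The `actualValue` for the positive2.yaml and positive4.json entries is pinned as `"Resources.RedshiftCluster2.Properties.Encryped is set to false"`, which misspells `Encrypted` and disagrees with the `searchKey` and `expectedValue` on the same entries. The text presumably comes from the query's own output string, so the fixture is faithfully recording a typo rather than introducing one, but regenerating it here enshrines the misspelling and will require another regeneration once the query message is corrected. Fixing the query's message string in the same change and regenerating this file would avoid that round trip.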
@@ -3,36 +3,90 @@ "queryName": "Redshift Publicly Accessible", "severity": "HIGH", "line": 4, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.myCluster.Properties.PubliclyAccessible' should be defined", + "actualValue": "'Resources.myCluster.Properties.PubliclyAccessible' is not defined", + "issueType": "MissingAttribute", + "similarityID": "e3defb030710b31be650c91b71add37b7c4797c0819c63144a725660f9e6c536", + "search_line": -1 }, { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", "line": 17, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster2.Properties.PubliclyAccessible", + "searchValue": "", + "expectedValue": "'Resources.myCluster2.Properties.PubliclyAccessible' should be set to false", + "actualValue": "'Resources.myCluster2.Properties.PubliclyAccessible' is true", + "issueType": "IncorrectValue", + "similarityID": "854eac397d1a55393999432ca4116a8f9d4ef58cdaa999b42f27bd99181d9cab", + "search_line": -1 }, { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", "line": 5, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.myCluster.Properties.PubliclyAccessible' should be defined", + "actualValue": "'Resources.myCluster.Properties.PubliclyAccessible' is not defined", + "issueType": "MissingAttribute", + "similarityID": "3b47611df0edcc7d2e5acb64e0f7018cb966c129ecf3adf73c99ed0f4d9e21c4", + "search_line": -1 }, { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", "line": 30, - "fileName": "positive2.json" + "fileName": "positive2.json", + 
"resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster2.Properties.PubliclyAccessible", + "searchValue": "", + "expectedValue": "'Resources.myCluster2.Properties.PubliclyAccessible' should be set to false", + "actualValue": "'Resources.myCluster2.Properties.PubliclyAccessible' is true", + "issueType": "IncorrectValue", + "similarityID": "442e5796680681d7b82d4466e9bb366ca943309313246674a86e14eee72e8439", + "search_line": -1 }, { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", "line": 4, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.myCluster.Properties.PubliclyAccessible' should be defined", + "actualValue": "'Resources.myCluster.Properties.PubliclyAccessible' is not defined", + "issueType": "MissingAttribute", + "similarityID": "1b009e5b88a257e9448ace1b47f397c6dea036098d8b42d048fa3af9837aed52", + "search_line": -1 }, { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", "line": 17, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster2.Properties.PubliclyAccessible", + "searchValue": "", + "expectedValue": "'Resources.myCluster2.Properties.PubliclyAccessible' should be set to false", + "actualValue": "'Resources.myCluster2.Properties.PubliclyAccessible' is true", + "issueType": "IncorrectValue", + "similarityID": "b3ea346bbdc43482817b5631b069645c027a3cd5bd2364306445df94348e6718", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/redshift_using_default_port/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/redshift_using_default_port/test/positive_expected_result.json index f79909eda69..677138bad82 100644 
--- a/assets/queries/cloudFormation/aws/redshift_using_default_port/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/redshift_using_default_port/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Redshift Using Default Port", "severity": "LOW", "line": 4, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.myCluster.Properties.Port' should be defined", + "actualValue": "'Resources.myCluster.Properties.Port' is not defined", + "issueType": "MissingAttribute", + "similarityID": "611df69a0ace3462dc70f836fb88a1a43889d3823ce0d4d0c4b69185e7014447", + "search_line": 4 }, { "queryName": "Redshift Using Default Port", "severity": "LOW", "line": 28, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster2.Properties.Port", + "searchValue": "", + "expectedValue": "'Resources.myCluster2.Properties.Port' should not be set to 5439", + "actualValue": "'Resources.myCluster2.Properties.Port' is set to 5439", + "issueType": "IncorrectValue", + "similarityID": "984e579619c28aaad8ef82d44871d268eecbef7d3f44f7a6e16a02d0c5653b7a", + "search_line": 28 }, { "queryName": "Redshift Using Default Port", "severity": "LOW", "line": 5, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": "Resources.myCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.myCluster.Properties.Port' should be defined", + "actualValue": "'Resources.myCluster.Properties.Port' is not defined", + "issueType": "MissingAttribute", + "similarityID": "bdadec8880f83b2adddfba5ab216f82d550634959de68394ebbffef133661c3e", + "search_line": 5 }, { "queryName": "Redshift Using Default Port", "severity": "LOW", "line": 39, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::Redshift::Cluster", + "resourceName": "mydb", + "searchKey": 
"Resources.myCluster2.Properties.Port", + "searchValue": "", + "expectedValue": "'Resources.myCluster2.Properties.Port' should not be set to 5439", + "actualValue": "'Resources.myCluster2.Properties.Port' is set to 5439", + "issueType": "IncorrectValue", + "similarityID": "c11603c54afeed7024802ec7b56910c259e1f0086bae290ba880d754a0561aa2", + "search_line": 39 } ] diff --git a/assets/queries/cloudFormation/aws/refresh_token_is_exposed/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/refresh_token_is_exposed/test/positive_expected_result.json index 7bd2a1e12fc..a203b9de386 100644 --- a/assets/queries/cloudFormation/aws/refresh_token_is_exposed/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/refresh_token_is_exposed/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "RefreshToken Is Exposed", "severity": "HIGH", "line": 18, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Alexa::ASK::Skill", + "resourceName": "MySkill", + "searchKey": "Resources.MySkill.Properties.AuthenticationConfiguration.RefreshToken", + "searchValue": "", + "expectedValue": "'Resources.MySkill.Properties.RefreshToken' starts with '{{resolve:secretsmanager:' or starts with '{{resolve:ssm-secure:'", + "actualValue": "'Resources.MySkill.Properties.RefreshToken' does not start with '{{resolve:secretsmanager:' or with '{{resolve:ssm-secure:'", + "issueType": "IncorrectValue", + "similarityID": "7e56a15ec72f9293d99e250f79308c8ea786d9a226501c365a4d0838865c7dcf", + "search_line": -1 }, { - "fileName": "positive2.json", "queryName": "RefreshToken Is Exposed", "severity": "HIGH", - "line": 26 + "line": 26, + "fileName": "positive2.json", + "resourceType": "Alexa::ASK::Skill", + "resourceName": "MySkill", + "searchKey": "Resources.MySkill.Properties.AuthenticationConfiguration.RefreshToken", + "searchValue": "", + "expectedValue": "'Resources.MySkill.Properties.RefreshToken' starts with '{{resolve:secretsmanager:' or starts with '{{resolve:ssm-secure:'", + "actualValue": "'Resources.MySkill.Properties.RefreshToken' does not start with '{{resolve:secretsmanager:' or with '{{resolve:ssm-secure:'", + "issueType": "IncorrectValue", + "similarityID": "fe706aab04b5bd61d9f55b19259f4e8198c44bd34f6339ce03947a6bd3ad01e7", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json index 20adaa883d4..b8e9dcc624a 100644 --- a/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json 
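Review bot: In both new entries the `searchKey` is `Resources.MySkill.Properties.AuthenticationConfiguration.RefreshToken`, but `expectedValue` and `actualValue` name `'Resources.MySkill.Properties.RefreshToken'`, dropping the `AuthenticationConfiguration` segment, so the fixture now pins a message that points at a path the template does not have. The mismatch originates in the query's message template rather than in this generated file; the message should use the same path as the key, e.g. `'Resources.MySkill.Properties.AuthenticationConfiguration.RefreshToken' starts with '{{resolve:secretsmanager:' or starts with '{{resolve:ssm-secure:'`, with the expected results regenerated afterwards instead of hand-edited.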
+++ b/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json 
@@ -3,132 +3,330 @@ "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 10, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "42c181b3e6f793fa1d655d5993ef8e0f3c45d5179b0820f0516342eb2e2d0bf3", + "search_line": 10 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "55c9c0079503f16bab12c1be6c6e4b98cd976f3a88cdae83d8ec43db109a9779", + "search_line": 22 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 38, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the remote desktop port (3389)", + "actualValue": 
"'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "daa1a104d045223fab99614731646fa65086882b0fbeaa420e03661c5dc032ae", + "search_line": 38 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 51, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "f8565605ca22312ed4c53210f195b8b3177b4023251d6464df79275212991fba", + "search_line": 51 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 63, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_2", + "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "5c8214d40af85536854b729d62df724a63cc01d054c80cc60bf69dee2eed2745", + "search_line": 63 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 79, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": 
"Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "85a392733ff98733941c59ca5f11abedca6dbfb5f9a47a2ef18bbdd751a3e561", + "search_line": 79 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 12, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv4Ingress1.Properties' opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "6d4d932fc2d3b4a0e361752cff1ea4f8f92bf763be650fa08d27f1c3482990b6", + "search_line": 12 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 21, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv4Ingress2.Properties' opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "4cbf26494af7461e379ec5ac201a6f72f8436a521b8360e227d2c1050ab46e4a", + "search_line": 21 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 31, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": 
"AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv6Ingress1.Properties' opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "b30711c8513a3b2bbf88c5b801a38f6e096af3211827232b2521c8a1e4cc99ab", + "search_line": 31 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 40, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv6Ingress2.Properties' opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "c9fc213f3a656b3f45d43bc902acc819cc330db53b20f3f0b6a93f400f1dc112", + "search_line": 40 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 49, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv6Ingress3.Properties' opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "7dad35e1b8ca8def31ec5a013ee400f48fbebc9f342b70b297e9277892681189", + "search_line": 49 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 10, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": 
"AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "0008517ce58ddb4ceab403175bbf67d3dc59f34bd3e5a70a96f87793c5082e47", + "search_line": 10 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 25, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "fae2de184c4240a91760a250031cf0ba310543b9b501338d9bf7c9e44ff00a1c", + "search_line": 25 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 46, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": 
"e9d256a4fedecd94d0f6a612f41a35b0810b1179049fb0bd24bc6feebe9559c3", + "search_line": 46 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 61, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "b0095a7e5d8b3e4ad7f5473b3a853cc00b9167e504b4a37d81040e108a3b8bdf", + "search_line": 61 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 76, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_2", + "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' should not open the remote desktop port (3389)", + "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "4eea0f7cfde51d1d272bc3250518712a5a9323546a338c54d865047a68e8c8a4", + "search_line": 76 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 97, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the 
remote desktop port (3389)", + "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "c3ed43560c0a67ad5d840969bf1df47e559ed3be3323aa5574da2f03a7d714d1", + "search_line": 97 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 14, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv4Ingress1.Properties' opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "a7476de4c10e01b0be60c1609e7281855aba737e466bb6009b89c441be05d532", + "search_line": 14 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 26, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv4Ingress2.Properties' opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "9ef6d0997e01a4d67745c70bd82a4e3e5169fb6290e6444d11f66df795ab1f3a", + "search_line": 26 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 38, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress1.Properties' should 
not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv6Ingress1.Properties' opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "10b4761dd6785c0c7b4f12963085ef56b2ab373a7c680e78fd15b0f9280a2e30", + "search_line": 38 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 50, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv6Ingress2.Properties' opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "bd80a2ac978e3c17d6adc1f7c944d06155b02e717d933085a3a21527605240b9", + "search_line": 50 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 62, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the remote desktop port (3389)", + "actualValue": "'Resources.IPv6Ingress3.Properties' opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "a3a68d41116bced7410fdaf191b9676bb64c179fc2ab93033fb5b6b5d2fb9975", + "search_line": 62 } ] diff --git a/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/test/positive_expected_result.json index 61430847f89..e8531dbf804 100644 --- a/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/test/positive_expected_result.json 
+++ b/assets/queries/cloudFormation/aws/root_account_has_active_access_keys/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "Root Account Has Active Access Keys", "severity": "HIGH", "line": 6, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::IAM::AccessKey", + "resourceName": "CFNKeys", + "searchKey": "Resources.CFNKeys.Properties.UserName", + "searchValue": "", + "expectedValue": "'Resources.CFNKeys.Properties.UserName' should not be asssociated to root account.", + "actualValue": "'Resources.CFNKeys.Properties.UserName' is asssociated to root account.", + "issueType": "IncorrectValue", + "similarityID": "03553e4b754447331b7c90eec2725062b3d158c2b471321dcce091dc4d7d59e5", + "search_line": -1 }, { "queryName": "Root Account Has Active Access Keys", "severity": "HIGH", "line": 7, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::IAM::AccessKey", + "resourceName": "CFNKeys", + "searchKey": "Resources.CFNKeys.Properties.UserName", + "searchValue": "", + "expectedValue": "'Resources.CFNKeys.Properties.UserName' should not be asssociated to root account.", + "actualValue": "'Resources.CFNKeys.Properties.UserName' is asssociated to root account.", + "issueType": "IncorrectValue", + "similarityID": "351162c7ac5c50b102e782c3ebccdf7e1a743d2fdf5b53a613f94c8da4c4a6b1", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/route53_record_undefined/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/route53_record_undefined/test/positive_expected_result.json index 0e67938f892..1a07782dbd5 100644 --- a/assets/queries/cloudFormation/aws/route53_record_undefined/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/route53_record_undefined/test/positive_expected_result.json 
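Review bot: Both new `expectedValue` and `actualValue` strings in the positive1.yaml and positive2.json entries carry the typo `asssociated`, so the fixture now locks in a misspelled finding message. The same class of issue appears in the s3_bucket_acl_allows_read_or_write_to_all_users hunk further down, where every entry's `expectedValue` reads `writeble`. Because these files are regenerated from query output, the correction belongs in each query's message (`'Resources.CFNKeys.Properties.UserName' should not be associated to root account.` and `S3 bucket should not have a public readable and writable ACL`), after which the fixtures should be regenerated rather than patched by hand.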
@@ -3,12 +3,30 @@ "queryName": "Route53 Record Undefined", "severity": "HIGH", "line": 4, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Route53::HostedZone", + "resourceName": "HostedZone", + "searchKey": "Resources.HostedZone", + "searchValue": "", + "expectedValue": "Resources.HostedZone has RecordSet", + "actualValue": "Resources.HostedZone doesn't have RecordSet", + "issueType": "MissingAttribute", + "similarityID": "3200f8242793ca1ef2554cce4da7e29ef65c81687f348e92580863c136acaa5b", + "search_line": -1 }, { "queryName": "Route53 Record Undefined", "severity": "HIGH", "line": 5, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::Route53::HostedZone", + "resourceName": "HostedZone", + "searchKey": "Resources.HostedZone", + "searchValue": "", + "expectedValue": "Resources.HostedZone has RecordSet", + "actualValue": "Resources.HostedZone doesn't have RecordSet", + "issueType": "MissingAttribute", + "similarityID": "4463b91cafa0a6f4fdd07863ff092abc383d3dfb980ef96daad457e0825f213a", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/routertable_with_default_routing/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/routertable_with_default_routing/test/positive_expected_result.json index 04d3a665aad..27c23a67736 100644 --- a/assets/queries/cloudFormation/aws/routertable_with_default_routing/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/routertable_with_default_routing/test/positive_expected_result.json 
@@ -1,38 +1,92 @@ [ { + "queryName": "RouterTable with Default Routing", "severity": "LOW", "line": 54, "fileName": "positive1.yaml", - "queryName": "RouterTable with Default Routing" + "resourceType": "AWS::EC2::Route", + "resourceName": "PublicRoute1", + "searchKey": "Resources.PublicRoute1.Properties.DestinationCidrBlock", + "searchValue": "", + "expectedValue": "Resources.PublicRoute1.Properties.DestinationCidrBlock should be different from the default value", + "actualValue": "Resources.PublicRoute1.Properties.DestinationCidrBlock is 0.0.0.0/0", + "issueType": "IncorrectValue", + "similarityID": "eb5bd5f029b12d20d5b38cdb9a30036176c954dc4492ec9f4c89e2a1f48af53a", + "search_line": -1 }, { "queryName": "RouterTable with Default Routing", "severity": "LOW", - "line": 66, - "fileName": "positive1.yaml" + "line": 61, + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::Route", + "resourceName": "PublicRoute2", + "searchKey": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock", + "searchValue": "", + "expectedValue": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock should be different from the default value", + "actualValue": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock is ::/0", + "issueType": "IncorrectValue", + "similarityID": "0dde5d6a785df848a4ead547ec61f4fc9cc0c3d78d223d006129ebb9e2243eb0", + "search_line": -1 }, { "queryName": "RouterTable with Default Routing", "severity": "LOW", - "line": 61, - "fileName": "positive1.yaml" + "line": 66, + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::Route", + "resourceName": "PublicRoute3", + "searchKey": "Resources.PublicRoute3.Properties", + "searchValue": "", + "expectedValue": "Resources.PublicRoute3.Properties.NatGatewayId should be defined", + "actualValue": "Resources.PublicRoute3.Properties.NatGatewayId is undefined", + "issueType": "MissingAttribute", + "similarityID": "a26f5565d3ce130e0fabaf1ff090899b13e6ffc82931d7269a71152a55c2a300", + "search_line": -1 }, { 
+ "queryName": "RouterTable with Default Routing", "severity": "LOW", "line": 37, "fileName": "positive2.json", - "queryName": "RouterTable with Default Routing" + "resourceType": "AWS::EC2::Route", + "resourceName": "PublicRoute1", + "searchKey": "Resources.PublicRoute1.Properties.DestinationCidrBlock", + "searchValue": "", + "expectedValue": "Resources.PublicRoute1.Properties.DestinationCidrBlock should be different from the default value", + "actualValue": "Resources.PublicRoute1.Properties.DestinationCidrBlock is 0.0.0.0/0", + "issueType": "IncorrectValue", + "similarityID": "4959c886457fa94f6d5236d039847483108acbde4f7c8230d1fab644613f0212", + "search_line": -1 }, { - "line": 108, - "fileName": "positive2.json", "queryName": "RouterTable with Default Routing", - "severity": "LOW" + "severity": "LOW", + "line": 43, + "fileName": "positive2.json", + "resourceType": "AWS::EC2::Route", + "resourceName": "PublicRoute3", + "searchKey": "Resources.PublicRoute3.Properties", + "searchValue": "", + "expectedValue": "Resources.PublicRoute3.Properties.NatGatewayId should be defined", + "actualValue": "Resources.PublicRoute3.Properties.NatGatewayId is undefined", + "issueType": "MissingAttribute", + "similarityID": "13a875a2fe10c8de17a89e8e85a7858f282a29de4961f1c29112eb893fb20c1d", + "search_line": -1 }, { "queryName": "RouterTable with Default Routing", "severity": "LOW", - "line": 43, - "fileName": "positive2.json" + "line": 108, + "fileName": "positive2.json", + "resourceType": "AWS::EC2::Route", + "resourceName": "PublicRoute2", + "searchKey": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock", + "searchValue": "", + "expectedValue": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock should be different from the default value", + "actualValue": "Resources.PublicRoute2.Properties.DestinationIpv6CidrBlock is ::/0", + "issueType": "IncorrectValue", + "similarityID": "f2176d202bdbb6f2c4d3a5517ecdacc4d04833b64b0dced54847e94891995337", + "search_line": -1 } 
-] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json index 7a2db579caf..35b66fbc9cf 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json 
@@ -3,30 +3,75 @@ "queryName": "S3 Bucket Access to Any Principal", "severity": "CRITICAL", "line": 2, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket", + "searchKey": "Resources.Bucket", + "searchValue": "", + "expectedValue": "associated Bucket Policy should not allow access to any principal", + "actualValue": "associated Bucket Policy allows access to any principal", + "issueType": "IncorrectValue", + "similarityID": "083b5523b7b89038d62eda8348d9ee383c3e5891c54e8d01890a0ab082c98d6b", + "search_line": -1 }, { "queryName": "S3 Bucket Access to Any Principal", "severity": "CRITICAL", "line": 27, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket2", + "searchKey": "Resources.Bucket2", + "searchValue": "", + "expectedValue": "associated Bucket Policy should not allow access to any principal", + "actualValue": "associated Bucket Policy allows access to any principal", + "issueType": "IncorrectValue", + "similarityID": "9322b21f294d9fce9407178602b64e0522aa20c7e6cf908d46de67995dc9253b", + "search_line": -1 }, { "queryName": "S3 Bucket Access to Any Principal", "severity": "CRITICAL", "line": 3, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket", + "searchKey": "Resources.Bucket", + "searchValue": "", + "expectedValue": "associated Bucket Policy should not allow access to any principal", + "actualValue": "associated Bucket Policy allows access to any principal", + "issueType": "IncorrectValue", + "similarityID": "a0f13fa2b3313aa6b8536d105b4a9dab2b5820406fc486bc1f22b8dc46d51615", + "search_line": -1 }, { "queryName": "S3 Bucket Access to Any Principal", "severity": "CRITICAL", "line": 42, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket2", + "searchKey": 
"Resources.Bucket2", + "searchValue": "", + "expectedValue": "associated Bucket Policy should not allow access to any principal", + "actualValue": "associated Bucket Policy allows access to any principal", + "issueType": "IncorrectValue", + "similarityID": "94b92ee450ecb1ea3a8a780c43ba785d224bceb2ca72c83427712a87862643dc", + "search_line": -1 }, { "queryName": "S3 Bucket Access to Any Principal", "severity": "CRITICAL", "line": 3, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3BucketName", + "searchKey": "Resources.SWBS3Bucket", + "searchValue": "", + "expectedValue": "associated Bucket Policy should not allow access to any principal", + "actualValue": "associated Bucket Policy allows access to any principal", + "issueType": "IncorrectValue", + "similarityID": "c95952a37a1d6748dce58a1e1db33e88cec5941af016a0c70704075f4d294842", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json index 8b30d277c16..026a6c7a361 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json 
@@ -3,48 +3,120 @@ "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts", + "searchKey": "Resources.JenkinsArtifacts01.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable and writeble ACL", + "actualValue": "S3 bucket named 'jenkins-artifacts' has ACL set to 'PublicReadWrite'", + "issueType": "IncorrectValue", + "similarityID": "fcc596357deb658fe77293c46717ad42fb3cbfd473049c5876742342fcc0e2e4", + "search_line": -1 }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", "line": 7, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "public-read-static-page01", + "searchKey": "Resources.StaticPage01.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable and writeble ACL", + "actualValue": "S3 bucket named 'public-read-static-page01' has ACL set to 'PublicReadWrite'", + "issueType": "IncorrectValue", + "similarityID": "c2f5937524b4ac5517f0861cd76787c02d1888555b649aa8e67b216cfbb7f824", + "search_line": -1 }, { - "fileName": "positive3.yaml", "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", - "line": 7 + "line": 7, + "fileName": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts-block-public", + "searchKey": "Resources.JenkinsArtifacts02.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable and writeble ACL", + "actualValue": "S3 bucket named 'jenkins-artifacts-block-public' has ACL set to 'PublicReadWrite'", + "issueType": "IncorrectValue", + "similarityID": "c512d5825de78f84dcc1e4ca84076861a853df9a32a6a8ab46b03ba74f0b6e83", + "search_line": -1 }, { "queryName": "S3 
Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", "line": 7, - "fileName": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3BucketForWebsiteContent", + "searchKey": "Resources.S3BucketForWebsiteContent.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable and writeble ACL", + "actualValue": "S3 bucket named 'undefined' has ACL set to 'PublicReadWrite'", + "issueType": "IncorrectValue", + "similarityID": "2567c143f839cc173103c5d29acb1906c39237619bbc1bc6080b7a4ce9a9114f", + "search_line": -1 }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", "line": 13, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts", + "searchKey": "Resources.JenkinsArtifacts01.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable and writeble ACL", + "actualValue": "S3 bucket named 'jenkins-artifacts' has ACL set to 'PublicReadWrite'", + "issueType": "IncorrectValue", + "similarityID": "f370adae4091082dd61c877ce2dbfd393480b92127506f5d478d3c01cc9650df", + "search_line": -1 }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", "line": 8, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "public-read-static-page01", + "searchKey": "Resources.StaticPage01.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable and writeble ACL", + "actualValue": "S3 bucket named 'public-read-static-page01' has ACL set to 'PublicReadWrite'", + "issueType": "IncorrectValue", + "similarityID": "96a8e497e53e7a3b3ebba54ef3b096b1eb1ad78e9343b5da617215a5f3b82950", + "search_line": -1 }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", 
"line": 8, - "fileName": "positive7.json" + "fileName": "positive7.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts-block-public", + "searchKey": "Resources.JenkinsArtifacts02.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable and writeble ACL", + "actualValue": "S3 bucket named 'jenkins-artifacts-block-public' has ACL set to 'PublicReadWrite'", + "issueType": "IncorrectValue", + "similarityID": "cec8b2f61108a680f10c457f6578f4837e3e79b9b690570d90d07ff50fe55675", + "search_line": -1 }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", "line": 8, - "fileName": "positive8.json" + "fileName": "positive8.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3BucketForWebsiteContent", + "searchKey": "Resources.S3BucketForWebsiteContent.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable and writeble ACL", + "actualValue": "S3 bucket named 'undefined' has ACL set to 'PublicReadWrite'", + "issueType": "IncorrectValue", + "similarityID": "d183cbc01e4e98ca2f553e332873050aa4b52626ac3c2b489ccaaf587315078e", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json index 68cd8230646..f4070fb18dd 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users/test/positive_expected_result.json 
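Review bot: The positive4.yaml and positive8.json entries record `"actualValue": "S3 bucket named 'undefined' has ACL set to 'PublicReadWrite'"` while their `resourceName` is `S3BucketForWebsiteContent`, so the fixture pins a message in which the bucket name failed to resolve (presumably the template sets no `BucketName` and the query falls through to a literal `undefined`). The `searchKey` values in this hunk also omit the `Properties` segment (`Resources.JenkinsArtifacts01.AccessControl`), whereas the sibling s3_bucket_acl_allows_read_to_all_users fixture in the next hunk uses `Resources.JenkinsArtifacts01.Properties.AccessControl`; since `AccessControl` lives under `Properties`, the shorter key likely does not point at the flagged attribute. Both are query-side defects rather than fixture-side ones: the message should fall back to the logical resource id when `BucketName` is absent and the key should be built as `Resources.<id>.Properties.AccessControl`, and these expected results regenerated once that is done.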
@@ -3,48 +3,120 @@ "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts", + "searchKey": "Resources.JenkinsArtifacts01.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable ACL", + "actualValue": "S3 bucket 'JenkinsArtifacts01' has ACL set to 'PublicRead'", + "issueType": "IncorrectValue", + "similarityID": "99d1913b8b5d328c0ac1fc90adbd9bee4c40996fb69b8aa4f5dcdd8e06c03642", + "search_line": -1 }, { "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", "line": 7, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "public-read-static-page01", + "searchKey": "Resources.StaticPage01.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable ACL", + "actualValue": "S3 bucket 'StaticPage01' has ACL set to 'PublicRead'", + "issueType": "IncorrectValue", + "similarityID": "6030417a2cda6c5ceebe63867ba2c9f56dfdf365dc1ab60a780a7b48791b4059", + "search_line": -1 }, { "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", "line": 7, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts-block-public", + "searchKey": "Resources.JenkinsArtifacts02.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable ACL", + "actualValue": "S3 bucket 'JenkinsArtifacts02' has ACL set to 'PublicRead'", + "issueType": "IncorrectValue", + "similarityID": "fdc7b6dc6b7f176a1ecb2bbf13a0c643664478c95d4ea5afba3497da109412c8", + "search_line": -1 }, { "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", "line": 7, - "fileName": "positive4.yaml" + "fileName": 
"positive4.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3BucketForWebsiteContent", + "searchKey": "Resources.S3BucketForWebsiteContent.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable ACL", + "actualValue": "S3 bucket 'S3BucketForWebsiteContent' has ACL set to 'PublicRead'", + "issueType": "IncorrectValue", + "similarityID": "eaca3898ee891f2db5cf5d3c7c4c5429f1eadc19c961bf08f92271120d046682", + "search_line": -1 }, { "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", "line": 13, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts", + "searchKey": "Resources.JenkinsArtifacts01.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable ACL", + "actualValue": "S3 bucket 'JenkinsArtifacts01' has ACL set to 'PublicRead'", + "issueType": "IncorrectValue", + "similarityID": "342a0a355a496693077f18f25c48543b77b87e4c302b013971bd3c4c5e1560cb", + "search_line": -1 }, { "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", "line": 7, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "public-read-static-page01", + "searchKey": "Resources.StaticPage01.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable ACL", + "actualValue": "S3 bucket 'StaticPage01' has ACL set to 'PublicRead'", + "issueType": "IncorrectValue", + "similarityID": "519b039b91a52b70d319f926e4077925706daeca69891495a3d53bf2dd22dd51", + "search_line": -1 }, { "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", "line": 8, - "fileName": "positive7.json" + "fileName": "positive7.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts-block-public", + "searchKey": 
"Resources.JenkinsArtifacts02.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable ACL", + "actualValue": "S3 bucket 'JenkinsArtifacts02' has ACL set to 'PublicRead'", + "issueType": "IncorrectValue", + "similarityID": "b7fdc20c28344171029bcb9f6d4d34ae272d5b37648f603e66617ee89d1f0d67", + "search_line": -1 }, { "queryName": "S3 Bucket ACL Allows Read to All Users", "severity": "HIGH", "line": 8, - "fileName": "positive8.json" + "fileName": "positive8.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3BucketForWebsiteContent", + "searchKey": "Resources.S3BucketForWebsiteContent.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket should not have a public readable ACL", + "actualValue": "S3 bucket 'S3BucketForWebsiteContent' has ACL set to 'PublicRead'", + "issueType": "IncorrectValue", + "similarityID": "333741c4fdf7ca88e469dc295818b05e98970099c44a2134b7dfa6b561cac546", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json index 6aeccfaae0e..9ead96565e7 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json 
@@ -3,48 +3,120 @@ "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts", + "searchKey": "Resources.JenkinsArtifacts01.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", + "actualValue": "S3 bucket named 'jenkins-artifacts' has ACL set to 'AuthenticatedRead'", + "issueType": "IncorrectValue", + "similarityID": "120e3a6d78d35075cf8fb24ce4118de2f93230272b364d5b2ed5027bb8752eed", + "search_line": -1 }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 7, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "public-read-static-page01", + "searchKey": "Resources.StaticPage01.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", + "actualValue": "S3 bucket named 'public-read-static-page01' has ACL set to 'AuthenticatedRead'", + "issueType": "IncorrectValue", + "similarityID": "020fb35b991e5590d867b3d1ec1d02ca81ea531f7bc3ef8f299c22c3b0747210", + "search_line": -1 }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 7, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts-block-public", + "searchKey": "Resources.JenkinsArtifacts02.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", + "actualValue": "S3 bucket named 'jenkins-artifacts-block-public' has ACL set to 'AuthenticatedRead'", + "issueType": "IncorrectValue", + "similarityID": 
"44ebd00fc10ac67c1c823715ceec6e148a9e17206fd2d4aafe54e1d986452168", + "search_line": -1 }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 7, - "fileName": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3BucketForWebsiteContent", + "searchKey": "Resources.S3BucketForWebsiteContent.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", + "actualValue": "S3 bucket named 'undefined' has ACL set to 'AuthenticatedRead'", + "issueType": "IncorrectValue", + "similarityID": "cb36020c5e0e5f798876c712bfa201e0064d08de8bb9918c1e347ffe4e396160", + "search_line": -1 }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 7, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts", + "searchKey": "Resources.JenkinsArtifacts01.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", + "actualValue": "S3 bucket named 'jenkins-artifacts' has ACL set to 'AuthenticatedRead'", + "issueType": "IncorrectValue", + "similarityID": "7a43577577a634944ffb7f8edef538a4df4ee1d31404b530b98c6775159a444f", + "search_line": -1 }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 7, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "public-read-static-page01", + "searchKey": "Resources.StaticPage01.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", + "actualValue": "S3 bucket named 'public-read-static-page01' has ACL set to 'AuthenticatedRead'", + "issueType": "IncorrectValue", + 
"similarityID": "c1bafaa1b3badedd98c3855befd87bf104cd6043b2bd4bbb622a1c9e3e49bb0c", + "search_line": -1 }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 20, - "fileName": "positive7.json" + "fileName": "positive7.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "jenkins-artifacts-block-public", + "searchKey": "Resources.JenkinsArtifacts02.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", + "actualValue": "S3 bucket named 'jenkins-artifacts-block-public' has ACL set to 'AuthenticatedRead'", + "issueType": "IncorrectValue", + "similarityID": "3754b7b900066355c273d793777af29e0e24a216007d0b2c19342d70d70b4640", + "search_line": -1 }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 7, - "fileName": "positive8.json" + "fileName": "positive8.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3BucketForWebsiteContent", + "searchKey": "Resources.S3BucketForWebsiteContent.Properties.AccessControl", + "searchValue": "", + "expectedValue": "S3 bucket ACL shouldn't allow read operations from any authenticated user", + "actualValue": "S3 bucket named 'undefined' has ACL set to 'AuthenticatedRead'", + "issueType": "IncorrectValue", + "similarityID": "bbf970ce9f2c44dc23194a902e474671dffd0bf67740b5ae804910b8b1225824", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/test/positive_expected_result.json index e1a3f16266e..7fa22867087 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/test/positive_expected_result.json 
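Review bot: The actualValue strings for positive4.yaml and positive8.json in this hunk read `S3 bucket named 'undefined' has ACL set to 'AuthenticatedRead'`, so the fixture is pinning a message in which the bucket name failed to resolve, presumably because those templates set no BucketName property and the query formats that property directly. The resourceName column of the same entries already carries the logical ID `S3BucketForWebsiteContent`, and the sibling s3_bucket_acl_allows_read_to_all_users fixture in the preceding hunk formats its message with the logical ID (`S3 bucket 'S3BucketForWebsiteContent' has ACL set to 'PublicRead'`), so the query should fall back to the logical ID when BucketName is absent and the fixture be regenerated. The same `'undefined'` appears in the s3_bucket_acl_allows_read_or_write_to_all_users hunk that starts before this chunk, which also spells "writeble" in its expectedValue.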
+++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "S3 Bucket Allows Delete Action From All Principals", "severity": "CRITICAL", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy3", + "searchKey": "Resources.SampleBucketPolicy3.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement should not allow a 'Delete' action from all principals", + "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows a 'Delete' action from all principals", + "issueType": "IncorrectValue", + "similarityID": "f577a2dc331724fa5358971e8e7facc15d08283fce5eb30f27e0fa47935c8d4b", + "search_line": 7 }, { "queryName": "S3 Bucket Allows Delete Action From All Principals", "severity": "CRITICAL", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy4", + "searchKey": "Resources.SampleBucketPolicy4.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement should not allow a 'Delete' action from all principals", + "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows a 'Delete' action from all principals", + "issueType": "IncorrectValue", + "similarityID": "c846aca457c5d5b96425bf0f0c39a27cf725a279af6e7b01685aeeebbe7547f5", + "search_line": 22 }, { "queryName": "S3 Bucket Allows Delete Action From All Principals", "severity": "CRITICAL", "line": 9, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy5", + "searchKey": "Resources.SampleBucketPolicy5.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement should not allow a 'Delete' 
action from all principals", + "actualValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement allows a 'Delete' action from all principals", + "issueType": "IncorrectValue", + "similarityID": "0c9c803cc55cca611560816b4385a7d8426af3098b892b33fc136e02756e8051", + "search_line": 9 }, { "queryName": "S3 Bucket Allows Delete Action From All Principals", "severity": "CRITICAL", "line": 35, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy6", + "searchKey": "Resources.SampleBucketPolicy6.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement should not allow a 'Delete' action from all principals", + "actualValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement allows a 'Delete' action from all principals", + "issueType": "IncorrectValue", + "similarityID": "bf7356d3872ed2f0fabeaab497092069c0c5851b185df78a9bce05c93c98c352", + "search_line": 35 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/test/positive_expected_result.json index caffaf97c5f..fe8dc40aee5 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "S3 Bucket Allows Get Action From All Principals", "severity": "HIGH", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy3", + "searchKey": "Resources.SampleBucketPolicy3.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement should not allow a 'Get' action from all principals", + "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows a 'Get' action from all principals", + "issueType": "IncorrectValue", + "similarityID": "eb638d861afd430b928d9c515adba5ac89cbd0c495893f83c44dd644ce62a60d", + "search_line": 7 }, { "queryName": "S3 Bucket Allows Get Action From All Principals", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy4", + "searchKey": "Resources.SampleBucketPolicy4.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement should not allow a 'Get' action from all principals", + "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows a 'Get' action from all principals", + "issueType": "IncorrectValue", + "similarityID": "2361484aee5dc1990c8c91c79d5b4e1c125751abb0a3346e57c38efcbc405964", + "search_line": 22 }, { "queryName": "S3 Bucket Allows Get Action From All Principals", "severity": "HIGH", "line": 9, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy5", + "searchKey": "Resources.SampleBucketPolicy5.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement should not allow a 'Get' action from all principals", + 
"actualValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement allows a 'Get' action from all principals", + "issueType": "IncorrectValue", + "similarityID": "6e680867693e96fea51bc021219bda80ebb56fa728154b6afd3971f25283ef26", + "search_line": 9 }, { "queryName": "S3 Bucket Allows Get Action From All Principals", "severity": "HIGH", "line": 35, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy6", + "searchKey": "Resources.SampleBucketPolicy6.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement should not allow a 'Get' action from all principals", + "actualValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement allows a 'Get' action from all principals", + "issueType": "IncorrectValue", + "similarityID": "0876c4448549e0da120b02e1f9e0c9c3b8a11a13201c7070053f5bb5fa2e43b6", + "search_line": 35 } ] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/test/positive_expected_result.json index 9233283aae5..a977da1a003 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "S3 Bucket Allows List Action From All Principals", "severity": "HIGH", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy3", + "searchKey": "Resources.SampleBucketPolicy3.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement should not allow a 'List' action from all principals", + "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows a 'List' action from all principals", + "issueType": "IncorrectValue", + "similarityID": "9a452bcbf8951754ce79fa3101622bf72e4ca7d70a035da6427b082819221f0a", + "search_line": 7 }, { "queryName": "S3 Bucket Allows List Action From All Principals", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy4", + "searchKey": "Resources.SampleBucketPolicy4.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement should not allow a 'List' action from all principals", + "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows a 'List' action from all principals", + "issueType": "IncorrectValue", + "similarityID": "704fe3e4e160f10b58dc4f1ba9f64e66edad53ef7c50648db9968ff53d3b10c8", + "search_line": 22 }, { "queryName": "S3 Bucket Allows List Action From All Principals", "severity": "HIGH", "line": 9, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy5", + "searchKey": "Resources.SampleBucketPolicy5.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement should not allow a 'List' action from all 
principals", + "actualValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement allows a 'List' action from all principals", + "issueType": "IncorrectValue", + "similarityID": "9a629413469f8481d1502bcc6722bc77d1dd1babfc2fb0902e3c8fd42647b09a", + "search_line": 9 }, { "queryName": "S3 Bucket Allows List Action From All Principals", "severity": "HIGH", "line": 35, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy6", + "searchKey": "Resources.SampleBucketPolicy6.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement should not allow a 'List' action from all principals", + "actualValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement allows a 'List' action from all principals", + "issueType": "IncorrectValue", + "similarityID": "7c68019d1603dea913b19226db491d8da6ccde3abdb1282144e085a1f7890550", + "search_line": 35 } ] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json index b40c557aff1..6e8ec5899dd 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json 
@@ -3,42 +3,105 @@ "queryName": "S3 Bucket Allows Public ACL", "severity": "MEDIUM", "line": 4, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket11", + "searchKey": "Resources.Bucket11.Properties", + "searchValue": "", + "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", + "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)", + "issueType": "MissingAttribute", + "similarityID": "ccf9aa01e09a12bb1bc9365d09c107a8127bb79eab4071a373328b3d3b8f2cba", + "search_line": 4 }, { "queryName": "S3 Bucket Allows Public ACL", "severity": "MEDIUM", "line": 10, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket12", + "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", + "searchValue": "", + "expectedValue": "'BlockPublicAcls' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "actualValue": "'BlockPublicAcls' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "issueType": "MissingAttribute", + "similarityID": "ae651e308d159df3db4f9c39cf8e1c02d646451afb4130f71212eff8e9ed4109", + "search_line": 10 }, { "queryName": "S3 Bucket Allows Public ACL", "severity": "MEDIUM", "line": 20, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket13", + "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.BlockPublicAcls", + "searchValue": "", + "expectedValue": "'BlockPublicAcls' should be set to true%!(EXTRA string=Bucket13)", + "actualValue": "'BlockPublicAcls' is set to false%!(EXTRA string=Bucket13)", + "issueType": "IncorrectValue", + "similarityID": "6a2858caceadf5b8cf520c452a2bc532b644af005026b75803d7970f720e8bf8", + "search_line": 20 }, { "queryName": "S3 Bucket 
Allows Public ACL", "severity": "MEDIUM", "line": 7, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket1", + "searchKey": "Resources.Bucket1.Properties.PublicAccessBlockConfiguration.BlockPublicAcls", + "searchValue": "", + "expectedValue": "'BlockPublicAcls' should be set to true%!(EXTRA string=Bucket1)", + "actualValue": "'BlockPublicAcls' is set to false%!(EXTRA string=Bucket1)", + "issueType": "IncorrectValue", + "similarityID": "03a0e1396758b689ab5f9f793095a508ab56077c9bd439709715f8e008cc3cc1", + "search_line": 7 }, { "queryName": "S3 Bucket Allows Public ACL", "severity": "MEDIUM", "line": 4, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket11", + "searchKey": "Resources.Bucket11.Properties", + "searchValue": "", + "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", + "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)", + "issueType": "MissingAttribute", + "similarityID": "8bc35bcd595a3a636cc0f77060d2eb28272011ac39c7bb2d45cf14a661049d61", + "search_line": 4 }, { "queryName": "S3 Bucket Allows Public ACL", "severity": "MEDIUM", "line": 10, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket12", + "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", + "searchValue": "", + "expectedValue": "'BlockPublicAcls' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "actualValue": "'BlockPublicAcls' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "issueType": "MissingAttribute", + "similarityID": "a27672f761abad0564204c25a385709ad859bc2e48720177ad04abd7ab1121e8", + "search_line": 10 }, { "queryName": "S3 Bucket Allows Public ACL", "severity": "MEDIUM", 
"line": 20, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket13", + "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.BlockPublicAcls", + "searchValue": "", + "expectedValue": "'BlockPublicAcls' should be set to true%!(EXTRA string=Bucket13)", + "actualValue": "'BlockPublicAcls' is set to false%!(EXTRA string=Bucket13)", + "issueType": "IncorrectValue", + "similarityID": "69b12205bccff5ffe103f3f7a2cced778b3d578ebd494331c86b57f6a6869dd5", + "search_line": 20 } ] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/test/positive_expected_result.json index f503b3c7a06..d026a7cba18 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals/test/positive_expected_result.json 
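Review bot: Every expectedValue and actualValue in this hunk ends in a Go formatting error, for example `'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)`, which means the query's message template supplies one more argument than it has verbs; committing the fixture as-is turns that bug into an expected result that the test suite will defend. The template should either consume the resource name (e.g. `'PublicAccessBlockConfiguration' should be defined for 'Bucket11'`) or drop the extra argument, and this file regenerated afterwards. The searchKey/search_line values and the `filename` to `fileName` key rename otherwise look consistent with the other fixtures in this change.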
@@ -3,24 +3,60 @@ "queryName": "S3 Bucket Allows Put Action From All Principals", "severity": "CRITICAL", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy3", + "searchKey": "Resources.SampleBucketPolicy3.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement should not allow a 'Put' action from all principals", + "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows a 'Put' action from all principals", + "issueType": "IncorrectValue", + "similarityID": "7ec3b2d9aebbb4aab2d09158d7bd23366c115bd6c5e39d65f65d1ff9071276df", + "search_line": 7 }, { "queryName": "S3 Bucket Allows Put Action From All Principals", "severity": "CRITICAL", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy4", + "searchKey": "Resources.SampleBucketPolicy4.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement should not allow a 'Put' action from all principals", + "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows a 'Put' action from all principals", + "issueType": "IncorrectValue", + "similarityID": "653c96dcbeb39b54eff981331a4b30541a0dcea058b96e001532812cd41ba555", + "search_line": 22 }, { "queryName": "S3 Bucket Allows Put Action From All Principals", "severity": "CRITICAL", "line": 9, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy5", + "searchKey": "Resources.SampleBucketPolicy5.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement should not allow a 'Put' action from all 
principals", + "actualValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement allows a 'Put' action from all principals", + "issueType": "IncorrectValue", + "similarityID": "012853553403ac2890d63c8ca76c213fc99205b28d5afb5e1200e37a6f1baebe", + "search_line": 9 }, { "queryName": "S3 Bucket Allows Put Action From All Principals", "severity": "CRITICAL", "line": 35, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy6", + "searchKey": "Resources.SampleBucketPolicy6.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement should not allow a 'Put' action from all principals", + "actualValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement allows a 'Put' action from all principals", + "issueType": "IncorrectValue", + "similarityID": "102abbd7ef8f66f8d86dd911b215e0b1101ade42e0ef88dd7e81122fa9de76f7", + "search_line": 35 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_allows_restore_actions_from_all_principals/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_allows_restore_actions_from_all_principals/test/positive_expected_result.json index a0cfdc7977d..17b41c34110 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_allows_restore_actions_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_allows_restore_actions_from_all_principals/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "S3 Bucket Allows Restore Actions From All Principals", "severity": "HIGH", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy3", + "searchKey": "Resources.SampleBucketPolicy3.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement should not allow a 'Restore' action from all principals", + "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows a 'Restore' action from all principals", + "issueType": "IncorrectValue", + "similarityID": "36d5dc4aaebbb032df36a95ea83339a41f08d80b45e741d55c06e2368a1807ca", + "search_line": 7 }, { "queryName": "S3 Bucket Allows Restore Actions From All Principals", "severity": "HIGH", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy4", + "searchKey": "Resources.SampleBucketPolicy4.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement should not allow a 'Restore' action from all principals", + "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows a 'Restore' action from all principals", + "issueType": "IncorrectValue", + "similarityID": "134529dccb8b6ebf2a7473fb5420b2ae28fc4a4346bd7e4ae8968342a7f5f8fa", + "search_line": 22 }, { "queryName": "S3 Bucket Allows Restore Actions From All Principals", "severity": "HIGH", "line": 9, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy5", + "searchKey": "Resources.SampleBucketPolicy5.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement should not allow a 'Restore' 
action from all principals", + "actualValue": "Resources.SampleBucketPolicy5.Properties.PolicyDocument.Statement allows a 'Restore' action from all principals", + "issueType": "IncorrectValue", + "similarityID": "b1e54cdcb6a2eb87054c9aabd911952f00caf287a2b6a83826a87e3f6e891a33", + "search_line": 9 }, { "queryName": "S3 Bucket Allows Restore Actions From All Principals", "severity": "HIGH", "line": 35, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy6", + "searchKey": "Resources.SampleBucketPolicy6.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement should not allow a 'Restore' action from all principals", + "actualValue": "Resources.SampleBucketPolicy6.Properties.PolicyDocument.Statement allows a 'Restore' action from all principals", + "issueType": "IncorrectValue", + "similarityID": "753e8e98611841daf5106a6cb05e3120e0304d92c53a8c2b77c981dcbb12b368", + "search_line": 35 } ] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/test/positive_expected_result.json index d1c0f50951b..283e828cba9 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled/test/positive_expected_result.json 
@@ -1,14 +1,32 @@ [ { + "queryName": "S3 Bucket CloudTrail Logging Disabled", "severity": "MEDIUM", "line": 7, "fileName": "positive1.yaml", - "queryName": "S3 Bucket CloudTrail Logging Disabled" + "resourceType": "AWS::S3::Bucket", + "resourceName": "mybucketVulnerable", + "searchKey": "Resources.mybucketVulnerable.Properties", + "searchValue": "", + "expectedValue": "S3 bucket 'mybucketVulnerable' should have logging enabled", + "actualValue": "S3 bucket 'mybucketVulnerable' doesn't have logging enabled", + "issueType": "MissingAttribute", + "similarityID": "a79b84a2df283ef3ab2a11604ec63a0fdaf44166138b424138ea9c747e7d2336", + "search_line": -1 }, { "queryName": "S3 Bucket CloudTrail Logging Disabled", "severity": "MEDIUM", "line": 67, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "mybucketVulnerable", + "searchKey": "Resources.mybucketVulnerable.Properties", + "searchValue": "", + "expectedValue": "S3 bucket 'mybucketVulnerable' should have logging enabled", + "actualValue": "S3 bucket 'mybucketVulnerable' doesn't have logging enabled", + "issueType": "MissingAttribute", + "similarityID": "8c79c2de09453c7f9eb1b91b0ebc8d201110c4d3adf6bbe6e4a83d9d9702524b", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/test/positive_expected_result.json index eeab2cbf1b4..573f58a64a2 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "S3 Bucket Logging Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "mybucket", + "searchKey": "Resources.mybucket.Properties", + "searchValue": "", + "expectedValue": "'Resources.mybucket.Properties' should have property 'LoggingConfiguration'", + "actualValue": "'Resources.mybucket.Properties' doesn't have property 'LoggingConfiguration'", + "issueType": "MissingAttribute", + "similarityID": "69e07186c3b36f0cc894deda662aaa9d39fdd3fc3705ac17a92b3278043cfe69", + "search_line": -1 }, { + "queryName": "S3 Bucket Logging Disabled", + "severity": "MEDIUM", "line": 113, "fileName": "positive2.json", - "queryName": "S3 Bucket Logging Disabled", - "severity": "MEDIUM" + "resourceType": "AWS::S3::Bucket", + "resourceName": "mybucket", + "searchKey": "Resources.mybucket.Properties", + "searchValue": "", + "expectedValue": "'Resources.mybucket.Properties' should have property 'LoggingConfiguration'", + "actualValue": "'Resources.mybucket.Properties' doesn't have property 'LoggingConfiguration'", + "issueType": "MissingAttribute", + "similarityID": "a476bba3227e688a0f8e71d8457741356eade888facab9142a24f21d1646dfbf", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/test/positive_expected_result.json index 66e29ec3c19..0bed7f02d52 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy/test/positive_expected_result.json 
@@ -3,48 +3,120 @@ "queryName": "S3 Bucket Should Have Bucket Policy", "severity": "LOW", "line": 4, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "docexamplebucket1", + "searchKey": "Resources.S3Bucket3", + "searchValue": "", + "expectedValue": "'Resources.S3Bucket3.Properties.BucketName' or 'Resources.[S3Bucket3]' should be associated with an 'AWS::S3::BucketPolicy'", + "actualValue": "'Resources.S3Bucket3.Properties.BucketName' or 'Resources.[S3Bucket3]' is not associated with an 'AWS::S3::BucketPolicy'", + "issueType": "IncorrectValue", + "similarityID": "4a8d8f147c87d590e25fbb99ef9af7ee6b57d8fbd23f671fd7b1da445de5af69", + "search_line": 4 }, { "queryName": "S3 Bucket Should Have Bucket Policy", "severity": "LOW", "line": 31, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket", + "searchKey": "Resources.S3Bucket", + "searchValue": "", + "expectedValue": "'Resources.S3Bucket.Properties.BucketName' or 'Resources.[S3Bucket]' should be associated with an 'AWS::S3::BucketPolicy'", + "actualValue": "'Resources.S3Bucket.Properties.BucketName' or 'Resources.[S3Bucket]' is not associated with an 'AWS::S3::BucketPolicy'", + "issueType": "IncorrectValue", + "similarityID": "79cc1c415c7bd6b370108aec739fed6e2cff611177194205b8b240d4c294e920", + "search_line": 31 }, { "queryName": "S3 Bucket Should Have Bucket Policy", "severity": "LOW", "line": 56, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "docexamplebucket5", + "searchKey": "Resources.S3Bucket7", + "searchValue": "", + "expectedValue": "'Resources.S3Bucket7.Properties.BucketName' or 'Resources.[S3Bucket7]' should be associated with an 'AWS::S3::BucketPolicy'", + "actualValue": "'Resources.S3Bucket7.Properties.BucketName' or 'Resources.[S3Bucket7]' is not associated with an 'AWS::S3::BucketPolicy'", + 
"issueType": "IncorrectValue", + "similarityID": "a8c44e98d5477b07b49877a6ea1908f9f742ef98cc0e001152dfb44424993972", + "search_line": 56 }, { "queryName": "S3 Bucket Should Have Bucket Policy", "severity": "LOW", "line": 42, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "docexamplebucket1", + "searchKey": "Resources.S3Bucket3", + "searchValue": "", + "expectedValue": "'Resources.S3Bucket3.Properties.BucketName' or 'Resources.[S3Bucket3]' should be associated with an 'AWS::S3::BucketPolicy'", + "actualValue": "'Resources.S3Bucket3.Properties.BucketName' or 'Resources.[S3Bucket3]' is not associated with an 'AWS::S3::BucketPolicy'", + "issueType": "IncorrectValue", + "similarityID": "7f2b3181ac74526c8578a85237cf3232cd1d13e43a64c659a9a9c6f08f42fca0", + "search_line": 42 }, { "queryName": "S3 Bucket Should Have Bucket Policy", "severity": "LOW", "line": 88, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket", + "searchKey": "Resources.S3Bucket", + "searchValue": "", + "expectedValue": "'Resources.S3Bucket.Properties.BucketName' or 'Resources.[S3Bucket]' should be associated with an 'AWS::S3::BucketPolicy'", + "actualValue": "'Resources.S3Bucket.Properties.BucketName' or 'Resources.[S3Bucket]' is not associated with an 'AWS::S3::BucketPolicy'", + "issueType": "IncorrectValue", + "similarityID": "f6d7a6c576af02737034ee074e226b6346650a3a2824b8f275f8275f3c105b81", + "search_line": 88 }, { "queryName": "S3 Bucket Should Have Bucket Policy", "severity": "LOW", "line": 130, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "docexamplebucket5", + "searchKey": "Resources.S3Bucket7", + "searchValue": "", + "expectedValue": "'Resources.S3Bucket7.Properties.BucketName' or 'Resources.[S3Bucket7]' should be associated with an 'AWS::S3::BucketPolicy'", + "actualValue": 
"'Resources.S3Bucket7.Properties.BucketName' or 'Resources.[S3Bucket7]' is not associated with an 'AWS::S3::BucketPolicy'", + "issueType": "IncorrectValue", + "similarityID": "79dce9683416e5815daf42a2ce1f467528bbed267ec26b47d81b45a6d40aca3c", + "search_line": 130 }, { "queryName": "S3 Bucket Should Have Bucket Policy", "severity": "LOW", "line": 4, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "MyS3Bucket2", + "searchKey": "Resources.MyS3Bucket2", + "searchValue": "", + "expectedValue": "'Resources.MyS3Bucket2.Properties.BucketName' or 'Resources.[MyS3Bucket2]' should be associated with an 'AWS::S3::BucketPolicy'", + "actualValue": "'Resources.MyS3Bucket2.Properties.BucketName' or 'Resources.[MyS3Bucket2]' is not associated with an 'AWS::S3::BucketPolicy'", + "issueType": "IncorrectValue", + "similarityID": "a64a85ab880d302b81ae418b7919a929ea126ff4d4f8672ab4ff592e92fa50a9", + "search_line": 4 }, { "queryName": "S3 Bucket Should Have Bucket Policy", "severity": "LOW", "line": 5, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "MyS3Bucket2", + "searchKey": "Resources.MyS3Bucket2", + "searchValue": "", + "expectedValue": "'Resources.MyS3Bucket2.Properties.BucketName' or 'Resources.[MyS3Bucket2]' should be associated with an 'AWS::S3::BucketPolicy'", + "actualValue": "'Resources.MyS3Bucket2.Properties.BucketName' or 'Resources.[MyS3Bucket2]' is not associated with an 'AWS::S3::BucketPolicy'", + "issueType": "IncorrectValue", + "similarityID": "fe05f9fc7686ad04949e06a1c032c36afa8c8835500c50181566ce854d21369b", + "search_line": 5 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json index 932ba9931df..5454c0cffd7 100644 
--- a/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "S3 Bucket With All Permissions", "severity": "CRITICAL", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy3", + "searchKey": "Resources.SampleBucketPolicy3.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement should not allow all actions from all principals", + "actualValue": "Resources.SampleBucketPolicy3.Properties.PolicyDocument.Statement allows all actions from all principals", + "issueType": "IncorrectValue", + "similarityID": "53ea4a79f92c248441aeb1ceb8d3dd4b42bdb4e8f04a8d065a64edfaacce5cb3", + "search_line": 7 }, { "queryName": "S3 Bucket With All Permissions", "severity": "CRITICAL", "line": 9, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::S3::BucketPolicy", + "resourceName": "SampleBucketPolicy4", + "searchKey": "Resources.SampleBucketPolicy4.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement should not allow all actions from all principals", + "actualValue": "Resources.SampleBucketPolicy4.Properties.PolicyDocument.Statement allows all actions from all principals", + "issueType": "IncorrectValue", + "similarityID": "b0574b3235792b8836c3f1dfd41e6d020295a9eee9e5534cc25ff157bd512b62", + "search_line": 9 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/test/positive_expected_result.json index c72d95ef9a2..998bc95550a 100755 
--- a/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy/test/positive_expected_result.json 
@@ -3,42 +3,105 @@ "queryName": "S3 Bucket Allows Public Policy", "severity": "HIGH", "line": 4, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket11", + "searchKey": "Resources.Bucket11.Properties", + "searchValue": "", + "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", + "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)", + "issueType": "MissingAttribute", + "similarityID": "a136f92e0c5f9ef129fabf376c28e7ae21bd3c12b919c244a0f02085ffc9f4df", + "search_line": 4 }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "HIGH", "line": 10, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket12", + "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", + "searchValue": "", + "expectedValue": "'BlockPublicPolicy' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "actualValue": "'BlockPublicPolicy' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "issueType": "MissingAttribute", + "similarityID": "50ab5ef793a38d9a019713787c8bd2988651d9fe49c1985b8d178e9f77584291", + "search_line": 10 }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "HIGH", "line": 19, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket13", + "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.BlockPublicPolicy", + "searchValue": "", + "expectedValue": "'BlockPublicPolicy' should be set to true%!(EXTRA string=Bucket13)", + "actualValue": "'BlockPublicPolicy' is set to false%!(EXTRA string=Bucket13)", + "issueType": "IncorrectValue", + "similarityID": "c57af5e40265e074f282596563caf87c61bc074ee9cbe8509d1e1a3d2a2ecbb9", + "search_line": 19 }, { 
"queryName": "S3 Bucket Allows Public Policy", "severity": "HIGH", "line": 8, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket1", + "searchKey": "Resources.Bucket1.Properties.PublicAccessBlockConfiguration.BlockPublicPolicy", + "searchValue": "", + "expectedValue": "'BlockPublicPolicy' should be set to true%!(EXTRA string=Bucket1)", + "actualValue": "'BlockPublicPolicy' is set to false%!(EXTRA string=Bucket1)", + "issueType": "IncorrectValue", + "similarityID": "2e2ebe3ca3fe65be22013d622d5e2bc7624cb6c76136ef574e2d8acd00eaf23d", + "search_line": 8 }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "HIGH", "line": 4, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket11", + "searchKey": "Resources.Bucket11.Properties", + "searchValue": "", + "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", + "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)", + "issueType": "MissingAttribute", + "similarityID": "9f100471450ed684a020a6bdbdf1806cac1e2eabffd90b6201dadb8248d61234", + "search_line": 4 }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "HIGH", "line": 10, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket12", + "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", + "searchValue": "", + "expectedValue": "'BlockPublicPolicy' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "actualValue": "'BlockPublicPolicy' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "issueType": "MissingAttribute", + "similarityID": "b35544afee489c87f03b087bb3d42d4b86fb4eccffcd66002c0363fe4f906a8c", + "search_line": 10 }, { "queryName": "S3 Bucket Allows 
Public Policy", "severity": "HIGH", "line": 19, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket13", + "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.BlockPublicPolicy", + "searchValue": "", + "expectedValue": "'BlockPublicPolicy' should be set to true%!(EXTRA string=Bucket13)", + "actualValue": "'BlockPublicPolicy' is set to false%!(EXTRA string=Bucket13)", + "issueType": "IncorrectValue", + "similarityID": "34cc147d877d89f29d5cb1d11f4eef722c7c7303d758165b1a8ebd6cb859c9e9", + "search_line": 19 } ] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json index 11bf64846bd..934f58308e2 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json 
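Review bot: Every `expectedValue` and `actualValue` in this hunk ends in `%!(EXTRA string=Bucket11)` (or Bucket12/Bucket13/Bucket1), which is Go's fmt marker for a surplus format argument, so committing these strings as the expected result pins a message-formatting defect in the query's result template instead of catching it. The same artifact is baked into the s3_bucket_without_ignore_public_acl and s3_bucket_without_restriction_of_public_bucket hunks. The template that builds these messages is outside this diff, so I can only infer that it receives one more argument than its format string consumes; fixing that and regenerating would yield e.g. `"expectedValue": "'PublicAccessBlockConfiguration' should be defined"` rather than locking in the current output.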
@@ -3,12 +3,30 @@ "queryName": "S3 Bucket With Unsecured CORS Rule", "severity": "MEDIUM", "line": 9, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket", + "searchKey": "Resources.S3Bucket.Properties.CorsConfiguration.CorsRules", + "searchValue": "", + "expectedValue": "Resources.S3Bucket.Properties.CorsConfiguration.CorsRules[0] should not allow all methods, all headers or several origins", + "actualValue": "Resources.S3Bucket.Properties.CorsConfiguration.CorsRules[0] allows all methods, all headers or several origins", + "issueType": "IncorrectValue", + "similarityID": "2549fde51b787ebbdc715aea66b189333f93c56cca84da25ffa6278f0158d20f", + "search_line": 9 }, { "queryName": "S3 Bucket With Unsecured CORS Rule", "severity": "MEDIUM", "line": 14, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket", + "searchKey": "Resources.S3Bucket.Properties.CorsConfiguration.CorsRules", + "searchValue": "", + "expectedValue": "Resources.S3Bucket.Properties.CorsConfiguration.CorsRules[0] should not allow all methods, all headers or several origins", + "actualValue": "Resources.S3Bucket.Properties.CorsConfiguration.CorsRules[0] allows all methods, all headers or several origins", + "issueType": "IncorrectValue", + "similarityID": "00f6d77b083230ee9c7d68bc821ba50127e93dd97f1a4708e1e384312ff6e2ab", + "search_line": 14 } ] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json index aac17c770d3..2a583a1eb6e 100755 --- a/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json 
@@ -3,42 +3,105 @@ "queryName": "S3 Bucket Without Ignore Public ACL", "severity": "MEDIUM", "line": 4, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket11", + "searchKey": "Resources.Bucket11.Properties", + "searchValue": "", + "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", + "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)", + "issueType": "MissingAttribute", + "similarityID": "65873559b51fee1a0ccbba1688b24d0a4aeb3d96f46d41e89e17be25e4c106e7", + "search_line": 4 }, { "queryName": "S3 Bucket Without Ignore Public ACL", "severity": "MEDIUM", "line": 10, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket12", + "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", + "searchValue": "", + "expectedValue": "'IgnorePublicAcls' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "actualValue": "'IgnorePublicAcls' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "issueType": "MissingAttribute", + "similarityID": "207b65d00a698a21d0e9514e0ced41e3a99aa79b5d525eeb47924042e69096f7", + "search_line": 10 }, { "queryName": "S3 Bucket Without Ignore Public ACL", "severity": "MEDIUM", "line": 21, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket13", + "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.IgnorePublicAcls", + "searchValue": "", + "expectedValue": "'IgnorePublicAcls' should be set to true%!(EXTRA string=Bucket13)", + "actualValue": "'IgnorePublicAcls' is set to false%!(EXTRA string=Bucket13)", + "issueType": "IncorrectValue", + "similarityID": "b9450c0f730a23824504ea8a125fe3e1f89bfefe55bce6146efe8360830db8ee", + "search_line": 21 
}, { "queryName": "S3 Bucket Without Ignore Public ACL", "severity": "MEDIUM", "line": 9, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket1", + "searchKey": "Resources.Bucket1.Properties.PublicAccessBlockConfiguration.IgnorePublicAcls", + "searchValue": "", + "expectedValue": "'IgnorePublicAcls' should be set to true%!(EXTRA string=Bucket1)", + "actualValue": "'IgnorePublicAcls' is set to false%!(EXTRA string=Bucket1)", + "issueType": "IncorrectValue", + "similarityID": "134e83958f884b92b1c482507b2bfa75eb29d1720a07a162f65270ba7812ba3c", + "search_line": 9 }, { "queryName": "S3 Bucket Without Ignore Public ACL", "severity": "MEDIUM", "line": 4, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket11", + "searchKey": "Resources.Bucket11.Properties", + "searchValue": "", + "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", + "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)", + "issueType": "MissingAttribute", + "similarityID": "a60560ac8d0b2e30b6a8d9937c5550bbece99e41a13c8f350ae54b903205f879", + "search_line": 4 }, { "queryName": "S3 Bucket Without Ignore Public ACL", "severity": "MEDIUM", "line": 10, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket12", + "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", + "searchValue": "", + "expectedValue": "'IgnorePublicAcls' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "actualValue": "'IgnorePublicAcls' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "issueType": "MissingAttribute", + "similarityID": "4d1cdb18299a8b1708444c2a07f91b00dc6c7be14405499f32d79d37507e083b", + "search_line": 10 }, { "queryName": 
"S3 Bucket Without Ignore Public ACL", "severity": "MEDIUM", "line": 21, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket13", + "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.IgnorePublicAcls", + "searchValue": "", + "expectedValue": "'IgnorePublicAcls' should be set to true%!(EXTRA string=Bucket13)", + "actualValue": "'IgnorePublicAcls' is set to false%!(EXTRA string=Bucket13)", + "issueType": "IncorrectValue", + "similarityID": "ab2c74b37b274342d8489b2e10dee59c9bb6412ec10aeaf154352d8311e38912", + "search_line": 21 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json index 5f10f50b495..76320cd917b 100755 --- a/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json 
@@ -3,42 +3,105 @@ "queryName": "S3 Bucket Without Restriction Of Public Bucket", "severity": "MEDIUM", "line": 4, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket11", + "searchKey": "Resources.Bucket11.Properties", + "searchValue": "", + "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", + "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)", + "issueType": "MissingAttribute", + "similarityID": "657ce8a447da016b3e52ad6e76da581a61a444736595e36d083b90555c72131c", + "search_line": 4 }, { "queryName": "S3 Bucket Without Restriction Of Public Bucket", "severity": "MEDIUM", "line": 10, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket12", + "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", + "searchValue": "", + "expectedValue": "'RestrictPublicBuckets' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "actualValue": "'RestrictPublicBuckets' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "issueType": "MissingAttribute", + "similarityID": "b03e64ec149d38a6d9488b906d6561f06feee5bf646d85aadedc63eda508c9dc", + "search_line": 10 }, { "queryName": "S3 Bucket Without Restriction Of Public Bucket", "severity": "MEDIUM", "line": 21, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket13", + "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.RestrictPublicBuckets", + "searchValue": "", + "expectedValue": "'RestrictPublicBuckets' should be set to true%!(EXTRA string=Bucket13)", + "actualValue": "'RestrictPublicBuckets' is set to false%!(EXTRA string=Bucket13)", + "issueType": "IncorrectValue", + "similarityID": 
"bf6a847c333dc95cd0770e578430a20a3943289b4081d1c2b4e3864118af3a93", + "search_line": 21 }, { "queryName": "S3 Bucket Without Restriction Of Public Bucket", "severity": "MEDIUM", "line": 10, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket1", + "searchKey": "Resources.Bucket1.Properties.PublicAccessBlockConfiguration.RestrictPublicBuckets", + "searchValue": "", + "expectedValue": "'RestrictPublicBuckets' should be set to true%!(EXTRA string=Bucket1)", + "actualValue": "'RestrictPublicBuckets' is set to false%!(EXTRA string=Bucket1)", + "issueType": "IncorrectValue", + "similarityID": "19ac6251b5e61cadc53bf7543c47fff589a1eae89ee0855876fadf0de931a952", + "search_line": 10 }, { "queryName": "S3 Bucket Without Restriction Of Public Bucket", "severity": "MEDIUM", "line": 4, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket11", + "searchKey": "Resources.Bucket11.Properties", + "searchValue": "", + "expectedValue": "'PublicAccessBlockConfiguration' should be defined%!(EXTRA string=Bucket11)", + "actualValue": "'PublicAccessBlockConfiguration' is not defined%!(EXTRA string=Bucket11)", + "issueType": "MissingAttribute", + "similarityID": "8b6e98ccb6c863aaafb3a805f9203ee0e42e6453f4bd4870a3e3c79c11a796df", + "search_line": 4 }, { "queryName": "S3 Bucket Without Restriction Of Public Bucket", "severity": "MEDIUM", "line": 10, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket12", + "searchKey": "Resources.Bucket12.Properties.PublicAccessBlockConfiguration", + "searchValue": "", + "expectedValue": "'RestrictPublicBuckets' should be defined and set to true in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + "actualValue": "'RestrictPublicBuckets' is not defined in the 'PublicAccessBlockConfiguration'%!(EXTRA string=Bucket12)", + 
"issueType": "MissingAttribute", + "similarityID": "bcc7c17c8187564e7affe6ff4f3811c1910ce31765ca5510361aa5cc02ab55b7", + "search_line": 10 }, { "queryName": "S3 Bucket Without Restriction Of Public Bucket", "severity": "MEDIUM", "line": 21, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket13", + "searchKey": "Resources.Bucket13.Properties.PublicAccessBlockConfiguration.RestrictPublicBuckets", + "searchValue": "", + "expectedValue": "'RestrictPublicBuckets' should be set to true%!(EXTRA string=Bucket13)", + "actualValue": "'RestrictPublicBuckets' is set to false%!(EXTRA string=Bucket13)", + "issueType": "IncorrectValue", + "similarityID": "4b0dbdd938ce4cb6d5e450bb0f852d18d829727dbd12561a9ca1535686c6fe85", + "search_line": 21 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_server_side_encryption/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_without_server_side_encryption/test/positive_expected_result.json index 7ff543522df..2dd7f995a5c 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_without_server_side_encryption/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_without_server_side_encryption/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "S3 Bucket Without Server-side-encryption", "severity": "HIGH", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "", + "searchKey": "Resources.S3Bucket.Properties", + "searchValue": "", + "expectedValue": "Resources.S3Bucket.Properties.BucketEncryption.ServerSideEncryptionConfiguration should be defined and not empty", + "actualValue": "Resources.S3Bucket.Properties.BucketEncryption.ServerSideEncryptionConfiguration is undefined or empty", + "issueType": "MissingAttribute", + "similarityID": "a513c7bef8f525fc53441666528f158b77332e0efb76d4b401463260ab987d74", + "search_line": -1 }, { + "queryName": "S3 Bucket Without Server-side-encryption", "severity": "HIGH", "line": 5, "fileName": "positive2.json", - "queryName": "S3 Bucket Without Server-side-encryption" + "resourceType": "AWS::S3::Bucket", + "resourceName": "", + "searchKey": "Resources.S3Bucket.Properties", + "searchValue": "", + "expectedValue": "Resources.S3Bucket.Properties.BucketEncryption.ServerSideEncryptionConfiguration should be defined and not empty", + "actualValue": "Resources.S3Bucket.Properties.BucketEncryption.ServerSideEncryptionConfiguration is undefined or empty", + "issueType": "MissingAttribute", + "similarityID": "8802395aa679de33f5bd67a39eb5a0ccf89ef50af4bd833b8c0522e4415583e5", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/test/positive_expected_result.json index e068512fc2a..238f859c8d6 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions/test/positive_expected_result.json 
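Review bot: Both new entries in this hunk carry `"resourceName": ""` while their `searchKey` clearly identifies the resource as `Resources.S3Bucket`, whereas sibling fixtures in this commit (e.g. the versioning one further down) populate `resourceName` with the logical ID. If the generator is simply echoing what the query emits, an empty name is worth a second look at the query itself before it is pinned as the expected value, since these fixtures will now assert that the empty string is correct. I would confirm against positive1.yaml/positive2.json whether the bucket has no name-like property and, if so, note that in the PR description so the empty value is understood to be intentional.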
@@ -3,78 +3,195 @@ "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", "line": 3, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket", + "searchKey": "Resources.S3Bucket", + "searchValue": "", + "expectedValue": "Resources.S3Bucket bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket bucket doesn't have a policy or has a policy that doesn't enforce SSL", + "issueType": "IncorrectValue", + "similarityID": "ac9f349989054615f667366e9a98b9bd8134ff0f798648e7a7a1e412b5bb3c19", + "search_line": 3 }, { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", "line": 3, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket2", + "searchKey": "Resources.S3Bucket2", + "searchValue": "", + "expectedValue": "Resources.S3Bucket2 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket2 bucket doesn't have a policy or has a policy that doesn't enforce SSL", + "issueType": "IncorrectValue", + "similarityID": "862da21f85aea4ed6b844fefa1cf6c745e86dfaa29c45501e07418888eeee591", + "search_line": 3 }, { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", "line": 3, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket3", + "searchKey": "Resources.S3Bucket3", + "searchValue": "", + "expectedValue": "Resources.S3Bucket3 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket3 bucket doesn't have a policy or has a policy that doesn't enforce SSL", + "issueType": "IncorrectValue", + "similarityID": "aff2aec34130aed162c79610eb8568fa0048bb0eabc5c679044eb74305db770c", + "search_line": 3 }, { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", "line": 12, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", 
+ "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket4", + "searchKey": "Resources.S3Bucket4", + "searchValue": "", + "expectedValue": "Resources.S3Bucket4 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket4 bucket doesn't have a policy", + "issueType": "MissingAttribute", + "similarityID": "5f13bc533e9b52b9d2e3e2b79f77096fea31edd767a7e0ff3d828f7dc57d6244", + "search_line": 12 }, { - "fileName": "positive4.yaml", "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", - "line": 3 + "line": 3, + "fileName": "positive4.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket5", + "searchKey": "Resources.S3Bucket5", + "searchValue": "", + "expectedValue": "Resources.S3Bucket5 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket5 bucket doesn't have a policy", + "issueType": "MissingAttribute", + "similarityID": "22214daf905fcd7944b3822b869326fccd58a1ce7bbfb9ca8cb655192f42b5e5", + "search_line": 3 }, { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", "line": 12, - "fileName": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket6", + "searchKey": "Resources.S3Bucket6", + "searchValue": "", + "expectedValue": "Resources.S3Bucket6 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket6 bucket doesn't have a policy", + "issueType": "MissingAttribute", + "similarityID": "fb97541f04e72c16e78b618de4c2ee26d078bf6d27604847b628f28fc0368f10", + "search_line": 12 }, { - "fileName": "positive5.json", "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", - "line": 30 + "line": 30, + "fileName": "positive5.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket", + "searchKey": "Resources.S3Bucket", + "searchValue": "", + "expectedValue": "Resources.S3Bucket bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket bucket 
doesn't have a policy or has a policy that doesn't enforce SSL", + "issueType": "IncorrectValue", + "similarityID": "86915829374739000f5d88b2336bd2b7478f215a6b0010fdefeadd9a0edc725b", + "search_line": 30 }, { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", "line": 4, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket2", + "searchKey": "Resources.S3Bucket2", + "searchValue": "", + "expectedValue": "Resources.S3Bucket2 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket2 bucket doesn't have a policy or has a policy that doesn't enforce SSL", + "issueType": "IncorrectValue", + "similarityID": "4d98939d6f4564dac778bfaf9773ed89c66fa571318e5646ddbe4e540c67a60f", + "search_line": 4 }, { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", "line": 47, - "fileName": "positive7.json" + "fileName": "positive7.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket4", + "searchKey": "Resources.S3Bucket4", + "searchValue": "", + "expectedValue": "Resources.S3Bucket4 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket4 bucket doesn't have a policy", + "issueType": "MissingAttribute", + "similarityID": "c9ddc2641ba01e84823f5e1a6e2317dd1562025ed14d29da11be666d6acd0c31", + "search_line": 47 }, { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", "line": 4, - "fileName": "positive8.json" + "fileName": "positive8.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket5", + "searchKey": "Resources.S3Bucket5", + "searchValue": "", + "expectedValue": "Resources.S3Bucket5 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket5 bucket doesn't have a policy", + "issueType": "MissingAttribute", + "similarityID": "7ef307bd5813ee6a59dae02f9746b72b29c1453b21669e675f642fa6734b5666", + "search_line": 4 }, { "queryName": "S3 Bucket Without 
SSL In Write Actions", "severity": "MEDIUM", "line": 15, - "fileName": "positive8.json" + "fileName": "positive8.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket6", + "searchKey": "Resources.S3Bucket6", + "searchValue": "", + "expectedValue": "Resources.S3Bucket6 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket6 bucket doesn't have a policy", + "issueType": "MissingAttribute", + "similarityID": "db93e56ab070c7e0eadadfc7ebb07b08aa84106cf00f68359b204ece6654ec75", + "search_line": 15 }, { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", "line": 3, - "fileName": "positive9.yaml" + "fileName": "positive9.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket33,", + "searchKey": "Resources.S3Bucket33", + "searchValue": "", + "expectedValue": "Resources.S3Bucket33 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket33 bucket doesn't have a policy or has a policy that doesn't enforce SSL", + "issueType": "IncorrectValue", + "similarityID": "4204902f5d1240888c5db3ebcc78c43218aef3669df3f4fea14f00d713fe824e", + "search_line": 3 }, { "queryName": "S3 Bucket Without SSL In Write Actions", "severity": "MEDIUM", "line": 34, - "fileName": "positive10.json" + "fileName": "positive10.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "S3Bucket33", + "searchKey": "Resources.S3Bucket33", + "searchValue": "", + "expectedValue": "Resources.S3Bucket33 bucket has a policy that enforces SSL", + "actualValue": "Resources.S3Bucket33 bucket doesn't have a policy or has a policy that doesn't enforce SSL", + "issueType": "IncorrectValue", + "similarityID": "a99c81b862da3c2d85642134be7f311d1258b5a08b248d96c382f4db2997facb", + "search_line": 34 } -] \ No newline at end of file +] 
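Review bot: The positive9.yaml entry records `"resourceName": "S3Bucket33,"` with a trailing comma, while its `searchKey` is `Resources.S3Bucket33` and the positive10.json entry for the same logical resource has `"resourceName": "S3Bucket33"` without the comma. That looks like either a stray character in the positive9.yaml test input or a derivation quirk in how the generator builds `resourceName`; pinning it as the expected value would lock the oddity into the test suite. Please check the source fixture and, if it is a typo there, fix it and regenerate this file rather than accepting the value as-is.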
diff --git a/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/test/positive_expected_result.json index a47eadc1a3a..cb5eb915d0c 100644 --- a/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_bucket_without_versioning/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "RecordServiceS3Bucket", + "searchKey": "Resources.RecordServiceS3Bucket.Properties", + "searchValue": "", + "expectedValue": "Resources.RecordServiceS3Bucket.Properties.VersioningConfiguration should be defined", + "actualValue": "Resources.RecordServiceS3Bucket.Properties.VersioningConfiguration is undefined", + "issueType": "MissingAttribute", + "similarityID": "e15b005081ed7039f501209c357ab18603152078525bdc964ea9408a9871f3ba", + "search_line": -1 }, { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", "line": 27, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "RecordServiceS3Bucket2", + "searchKey": "Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status", + "searchValue": "", + "expectedValue": "Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status should be set to Enabled", + "actualValue": "Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status is set to Suspended", + "issueType": "IncorrectValue", + "similarityID": "59b90bc24eccddd323980891cecbfabecb4762f5cce41ca89a8b8ae9b25080e3", + "search_line": -1 }, { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", "line": 4, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "RecordServiceS3Bucket", + "searchKey": "Resources.RecordServiceS3Bucket.Properties", + "searchValue": "", + "expectedValue": "Resources.RecordServiceS3Bucket.Properties.VersioningConfiguration should be defined", + "actualValue": "Resources.RecordServiceS3Bucket.Properties.VersioningConfiguration is undefined", + "issueType": "MissingAttribute", + "similarityID": 
"9f902e7a61fd11a2e9c7136e6fb3ca3e548469efb729bf1b1244c84817a5b571", + "search_line": -1 }, { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", "line": 48, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "RecordServiceS3Bucket2", + "searchKey": "Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status", + "searchValue": "", + "expectedValue": "Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status should be set to Enabled", + "actualValue": "Resources.RecordServiceS3Bucket2.Properties.VersioningConfiguration.Status is set to Suspended", + "issueType": "IncorrectValue", + "similarityID": "eea039f6e9d10ed9f89f9646ef8a5f9b5abfab1f5d9977348719d24f3d16f65a", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/test/positive_expected_result.json index 01c68fb878f..77b4ce4cd5d 100644 --- a/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/s3_static_website_host_enabled/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "S3 Static Website Host Enabled", "severity": "HIGH", "line": 6, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket2", + "searchKey": "Resources.Bucket2.Properties", + "searchValue": "", + "expectedValue": "'Resources.Bucket2.Properties.WebsiteConfiguration' should not be defined", + "actualValue": "'Resources.Bucket2.Properties.WebsiteConfiguration' is defined", + "issueType": "IncorrectValue", + "similarityID": "e5e1824938d898a0160a3efa94a2f0b3a73718c0afc8dfed4ddfd54bcbed8e67", + "search_line": 6 }, { "queryName": "S3 Static Website Host Enabled", "severity": "HIGH", "line": 7, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::S3::Bucket", + "resourceName": "Bucket2", + "searchKey": "Resources.Bucket2.Properties", + "searchValue": "", + "expectedValue": "'Resources.Bucket2.Properties.WebsiteConfiguration' should not be defined", + "actualValue": "'Resources.Bucket2.Properties.WebsiteConfiguration' is defined", + "issueType": "IncorrectValue", + "similarityID": "085d742555eb2beec513f4f573022a2a9effeff4d3c906a9c009d43ad39c5479", + "search_line": 7 } ] diff --git a/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/test/positive_expected_result.json index b23d6d572be..d1df4e10dfd 100644 --- a/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "SageMaker Data Encryption Disabled", "severity": "HIGH", "line": 6, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::SageMaker::NotebookInstance", + "resourceName": "BasicNotebookInstance", + "searchKey": "Resources.BasicNotebookInstance.Properties", + "searchValue": "", + "expectedValue": "'Resources.BasicNotebookInstance.Properties.KmsKeyId' should be defined", + "actualValue": "'Resources.BasicNotebookInstance.Properties.KmsKeyId' is not defined", + "issueType": "MissingAttribute", + "similarityID": "b1f358c3d5e166866ded8b51c3974a56a2aad00a73ccf0dfea3dbff2f315141b", + "search_line": -1 }, { + "queryName": "SageMaker Data Encryption Disabled", + "severity": "HIGH", "line": 20, "fileName": "positive1.yaml", - "queryName": "SageMaker Data Encryption Disabled", - "severity": "HIGH" + "resourceType": "AWS::SageMaker::NotebookInstance", + "resourceName": "BasicNotebookInstance3", + "searchKey": "Resources.BasicNotebookInstance3.Properties.KmsKeyId", + "searchValue": "", + "expectedValue": "'Resources.BasicNotebookInstance3.Properties.KmsKeyId' should not be empty", + "actualValue": "'Resources.BasicNotebookInstance3.Properties.KmsKeyId' is empty", + "issueType": "IncorrectValue", + "similarityID": "3f42860ef6d431a531e4080a7ad28fb27d6bb0471fa8e7c5cb8583f7a1916244", + "search_line": -1 }, { "queryName": "SageMaker Data Encryption Disabled", "severity": "HIGH", - "line": 59, - "fileName": "positive2.json" - }, - { "line": 16, "fileName": "positive2.json", + "resourceType": "AWS::SageMaker::NotebookInstance", + "resourceName": "BasicNotebookInstance3", + "searchKey": "Resources.BasicNotebookInstance3.Properties.KmsKeyId", + "searchValue": "", + "expectedValue": "'Resources.BasicNotebookInstance3.Properties.KmsKeyId' should not be empty", + "actualValue": "'Resources.BasicNotebookInstance3.Properties.KmsKeyId' is empty", + "issueType": "IncorrectValue", + "similarityID": 
"5e70fc8452b39fcb2954940387f64f542244d9cdeec2508093fa61f30ea583f6", + "search_line": -1 + }, + { "queryName": "SageMaker Data Encryption Disabled", - "severity": "HIGH" + "severity": "HIGH", + "line": 59, + "fileName": "positive2.json", + "resourceType": "AWS::SageMaker::NotebookInstance", + "resourceName": "BasicNotebookInstance", + "searchKey": "Resources.BasicNotebookInstance.Properties", + "searchValue": "", + "expectedValue": "'Resources.BasicNotebookInstance.Properties.KmsKeyId' should be defined", + "actualValue": "'Resources.BasicNotebookInstance.Properties.KmsKeyId' is not defined", + "issueType": "MissingAttribute", + "similarityID": "62e2d7bb8f41a9a482245c48df6ce4bea8a5c841579f0815bf8eba8978f8c9d2", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/sagemaker_enabling_internet_access/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sagemaker_enabling_internet_access/test/positive_expected_result.json index 414d8795ebf..9a6a67cbcce 100644 --- a/assets/queries/cloudFormation/aws/sagemaker_enabling_internet_access/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sagemaker_enabling_internet_access/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "SageMaker Enabling Internet Access", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::SageMaker::NotebookInstance", + "resourceName": "Notebook", + "searchKey": "Resources.Notebook.Properties.DirectInternetAccess", + "searchValue": "", + "expectedValue": "Resources.Notebook.Properties.DirectInternetAccess is enabled", + "actualValue": "Resources.Notebook.Properties.DirectInternetAccess is disabled", + "issueType": "IncorrectValue", + "similarityID": "166efddf4e3c2e77e3b5db545490537e61f076c7b1c56073a3d5b27900e98b17", + "search_line": -1 }, { "queryName": "SageMaker Enabling Internet Access", "severity": "MEDIUM", "line": 8, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::SageMaker::NotebookInstance", + "resourceName": "Notebook", + "searchKey": "Resources.Notebook.Properties.DirectInternetAccess", + "searchValue": "", + "expectedValue": "Resources.Notebook.Properties.DirectInternetAccess is enabled", + "actualValue": "Resources.Notebook.Properties.DirectInternetAccess is disabled", + "issueType": "IncorrectValue", + "similarityID": "b8053e86ae4980aae5f743d0cfbd4e02cab37c62d2aad20da8331387d4601198", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/test/positive_expected_result.json index e7602850e63..277d03fddfa 100644 --- a/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "SageMaker EndPoint Config Should Specify KmsKeyId Attribute", "severity": "MEDIUM", "line": 28, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::SageMaker::EndpointConfig", + "resourceName": "EndpointConfig", + "searchKey": "Resources.EndpointConfig.Properties", + "searchValue": "", + "expectedValue": "Resources.EndpointConfig.Properties.KmsKeyId should be defined", + "actualValue": "Resources.EndpointConfig.Properties.KmsKeyId is undefined", + "issueType": "MissingAttribute", + "similarityID": "51192be9742a6a3ad3f6d48b984f1cec80dfad30a77567f65ee9b6bd0ae97d9d", + "search_line": -1 }, { "queryName": "SageMaker EndPoint Config Should Specify KmsKeyId Attribute", "severity": "MEDIUM", "line": 40, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::SageMaker::EndpointConfig", + "resourceName": "EndpointConfig", + "searchKey": "Resources.EndpointConfig.Properties", + "searchValue": "", + "expectedValue": "Resources.EndpointConfig.Properties.KmsKeyId should be defined", + "actualValue": "Resources.EndpointConfig.Properties.KmsKeyId is undefined", + "issueType": "MissingAttribute", + "similarityID": "07cb51710d5687a0cd449e17c694d32d8809b00896f7868d9d1d104f490fd47d", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/test/positive_expected_result.json index 30ff20916eb..7c6c7800d92 100644 --- a/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "SageMaker Notebook Not Placed In VPC", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::SageMaker::NotebookInstance", + "resourceName": "NotebookInstanceName", + "searchKey": "Resources.NotebookInstance.Properties.SubnetId", + "searchValue": "", + "expectedValue": "Resources.NotebookInstance.Properties.SubnetId should be defined", + "actualValue": "Resources.NotebookInstance.Properties.SubnetId is not defined", + "issueType": "MissingAttribute", + "similarityID": "8a8a76569c62584161c47859f727a98751e74c1972097bd55821ec8eca0781bb", + "search_line": -1 }, { "queryName": "SageMaker Notebook Not Placed In VPC", "severity": "MEDIUM", "line": 27, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::SageMaker::NotebookInstance", + "resourceName": "NotebookInstanceName", + "searchKey": "Resources.NotebookInstance.Properties.SubnetId", + "searchValue": "", + "expectedValue": "Resources.NotebookInstance.Properties.SubnetId should be defined", + "actualValue": "Resources.NotebookInstance.Properties.SubnetId is not defined", + "issueType": "MissingAttribute", + "similarityID": "c4fd52bc1f73da2b6fecdc635c7108b792df9cd2b3e580dfbcb8a95311b6fa7f", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/test/positive_expected_result.json index 9e98e5e61e7..3d32df571c9 100644 --- a/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource/test/positive_expected_result.json 
@@ -1,14 +1,32 @@ [ { + "queryName": "SDB Domain Declared As A Resource", + "severity": "LOW", "line": 8, "fileName": "positive1.yaml", - "queryName": "SDB Domain Declared As A Resource", - "severity": "LOW" + "resourceType": "AWS::SDB::Domain", + "resourceName": "SBDDomain", + "searchKey": "Resources.SBDDomain", + "searchValue": "", + "expectedValue": "Resources.SBDDomain should not be defined", + "actualValue": "Resources.SBDDomain is defined", + "issueType": "MissingAttribute", + "similarityID": "30260e86070720d7fbaa638096aa10b21488f7aad700736643bd3b662e19d70d", + "search_line": -1 }, { "queryName": "SDB Domain Declared As A Resource", "severity": "LOW", "line": 11, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::SDB::Domain", + "resourceName": "SBDDomain", + "searchKey": "Resources.SBDDomain", + "searchValue": "", + "expectedValue": "Resources.SBDDomain should not be defined", + "actualValue": "Resources.SBDDomain is defined", + "issueType": "MissingAttribute", + "similarityID": "0321665a74c259cc5408ee99c65427440be4944b611307abe3da252cbeed08d2", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/test/positive_expected_result.json index d5e3ef62efc..1131905e711 100644 --- a/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id/test/positive_expected_result.json 
@@ -1,14 +1,32 @@ [ { + "queryName": "Secrets Manager Should Specify KmsKeyId", "severity": "LOW", "line": 6, "fileName": "positive1.yaml", - "queryName": "Secrets Manager Should Specify KmsKeyId" + "resourceType": "AWS::SecretsManager::Secret", + "resourceName": "String", + "searchKey": "Resources.SecretsManagerSecret.Properties", + "searchValue": "", + "expectedValue": "Resources.SecretsManagerSecret.Properties.KmsKeyId should be defined", + "actualValue": "Resources.SecretsManagerSecret.Properties.KmsKeyId is undefined", + "issueType": "MissingAttribute", + "similarityID": "b67876551a7535d835bf3d6a225026c1f5ac452b7c2b1cb9a0207b6a9a365b59", + "search_line": -1 }, { + "queryName": "Secrets Manager Should Specify KmsKeyId", + "severity": "LOW", "line": 7, "fileName": "positive2.json", - "queryName": "Secrets Manager Should Specify KmsKeyId", - "severity": "LOW" + "resourceType": "AWS::SecretsManager::Secret", + "resourceName": "String", + "searchKey": "Resources.SecretsManagerSecret.Properties", + "searchValue": "", + "expectedValue": "Resources.SecretsManagerSecret.Properties.KmsKeyId should be defined", + "actualValue": "Resources.SecretsManagerSecret.Properties.KmsKeyId is undefined", + "issueType": "MissingAttribute", + "similarityID": "d86595daf88e56f10a778ab1e3a92d4aa715a63cbf13bc9f4074a1bf9f68bb07", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json index 4bc0a101074..4548cb61de7 100644 --- a/assets/queries/cloudFormation/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json 
@@ -1,26 +1,62 @@ [ { + "queryName": "Secretsmanager Secret Without KMS", "severity": "MEDIUM", "line": 5, - "queryName": "Secretsmanager Secret Without KMS", - "fileName": "positive1.json" + "fileName": "positive1.json", + "resourceType": "AWS::SecretsManager::Secret", + "resourceName": "MySecret", + "searchKey": "Resources.MySecret.Properties", + "searchValue": "", + "expectedValue": "'Resources.MySecret.Properties.KmsKeyId' should be defined and not null", + "actualValue": "'Resources.MySecret.Properties.KmsKeyId' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "9d4d12a6b5672e88e7cc7e6c5d0f96f07a323a5f96080802692f97f42b178e59", + "search_line": 5 }, { + "queryName": "Secretsmanager Secret Without KMS", "severity": "MEDIUM", "line": 4, - "queryName": "Secretsmanager Secret Without KMS", - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::SecretsManager::Secret", + "resourceName": "MySecret", + "searchKey": "Resources.MySecret.Properties", + "searchValue": "", + "expectedValue": "'Resources.MySecret.Properties.KmsKeyId' should be defined and not null", + "actualValue": "'Resources.MySecret.Properties.KmsKeyId' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "cdba9f5f35d4e45fb338f35b108460500b09dd4a652d03443cb32f99b3304f3d", + "search_line": 4 }, { + "queryName": "Secretsmanager Secret Without KMS", "severity": "MEDIUM", "line": 8, - "queryName": "Secretsmanager Secret Without KMS", - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::SecretsManager::Secret", + "resourceName": "MySecretForAppB", + "searchKey": "Resources.MySecretB.Properties.KmsKeyId", + "searchValue": "", + "expectedValue": "'Resources.MySecretB.Properties.KmsKeyId' should be defined and not null", + "actualValue": "'Resources.MySecretB.Properties.KmsKeyId' is undefined or null", + "issueType": "IncorrectValue", + "similarityID": 
"dbe4de605f120f7aef8c465ba1f1b32b7273b49a15bae80f26af29b4f4bbd7a6", + "search_line": 8 }, { + "queryName": "Secretsmanager Secret Without KMS", "severity": "MEDIUM", "line": 7, - "queryName": "Secretsmanager Secret Without KMS", - "fileName": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "AWS::SecretsManager::Secret", + "resourceName": "MySecretForAppB", + "searchKey": "Resources.MySecretB.Properties.KmsKeyId", + "searchValue": "", + "expectedValue": "'Resources.MySecretB.Properties.KmsKeyId' should be defined and not null", + "actualValue": "'Resources.MySecretB.Properties.KmsKeyId' is undefined or null", + "issueType": "IncorrectValue", + "similarityID": "cfdb76ebbbdba53d46a1c5a30dbd6df23031c3bb59c1e9513c9bee0520ff6ef4", + "search_line": 7 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/secure_ciphers_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/secure_ciphers_disabled/test/positive_expected_result.json index 818af741276..5976cc59611 100644 --- a/assets/queries/cloudFormation/aws/secure_ciphers_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/secure_ciphers_disabled/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "Secure Ciphers Disabled", "severity": "MEDIUM", "line": 26, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution", + "searchKey": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion is TLSv1.1 or TLSv1.2", + "actualValue": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion isn't TLSv1.1 or TLSv1.2", + "issueType": "IncorrectValue", + "similarityID": "c103fa2d5b0e993d1ffe85c5123d74dae548f2666647781506bfc763aeff6fb3", + "search_line": -1 }, { "queryName": "Secure Ciphers Disabled", "severity": "MEDIUM", "line": 44, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution", + "searchKey": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion is TLSv1.1 or TLSv1.2", + "actualValue": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion isn't TLSv1.1 or TLSv1.2", + "issueType": "IncorrectValue", + "similarityID": "fd13fdf9ecf8fa83527fa74e2e3ae17ec185da73b537044ef0ea0486f60ada86", + "search_line": -1 }, { "queryName": "Secure Ciphers Disabled", "severity": "MEDIUM", "line": 26, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "cloudfrontdistribution", + "searchKey": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion", + "searchValue": "", + "expectedValue": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion is 
TLSv1.1 or TLSv1.2", + "actualValue": "Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion isn't TLSv1.1 or TLSv1.2", + "issueType": "IncorrectValue", + "similarityID": "91fcb02b5c34d9e263ac3f8eed5a475d3103691ef4dd652b7d9cdd0da7238359", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/security_group_egress_cidr_open_to_world/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_egress_cidr_open_to_world/test/positive_expected_result.json index 74022745366..1971228ccd8 100644 --- a/assets/queries/cloudFormation/aws/security_group_egress_cidr_open_to_world/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_egress_cidr_open_to_world/test/positive_expected_result.json 
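Review bot: Every entry in this fixture records `"search_line": -1` while `line` is 26, 44 and 26, whereas the other regenerated fixtures in this change set `search_line` equal to `line`. A -1 presumably means the scanner could not resolve the searchKey `Resources.cloudfrontdistribution.Properties.ViewerCertificate.MinimumProtocolVersion` back to a source line, so committing it as the expected value locks that in as correct behaviour instead of surfacing it. If -1 is intentional for this query, a one-line note in the PR description saying so would stop a later regeneration that yields a real line from being read as a regression; otherwise the query's line resolution is what needs attention, not the fixture.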
@@ -3,24 +3,60 @@ "queryName": "Security Group Egress CIDR Open To World", "severity": "MEDIUM", "line": 19, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].CidrIp", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].CidrIp should not be open to the world", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].CidrIp is open to the world", + "issueType": "IncorrectValue", + "similarityID": "fb827e2fe935941ec659ebf1f5f1face1253cb3ee85ab68d06025fcebdff0c61", + "search_line": 19 }, { "queryName": "Security Group Egress CIDR Open To World", "severity": "MEDIUM", "line": 27, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "Resources.OutboundRule.Properties.CidrIpv6 should not be open to the world", + "actualValue": "Resources.OutboundRule.Properties.CidrIpv6 is open to the world", + "issueType": "IncorrectValue", + "similarityID": "b0ebc7048fe8a308d4b0b336197614abadc6081c5b8aefbccf57c3d74ee93d16", + "search_line": 27 }, { "queryName": "Security Group Egress CIDR Open To World", "severity": "MEDIUM", "line": 17, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].CidrIp", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].CidrIp should not be open to the world", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].CidrIp is open to the world", + 
"issueType": "IncorrectValue", + "similarityID": "b2128129e8227a692f40dbc33ef392f2fc097fd1475ec28aa7d7c6e1aecfbea2", + "search_line": 17 }, { "queryName": "Security Group Egress CIDR Open To World", "severity": "MEDIUM", "line": 34, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "Resources.OutboundRule.Properties.CidrIpv6 should not be open to the world", + "actualValue": "Resources.OutboundRule.Properties.CidrIpv6 is open to the world", + "issueType": "IncorrectValue", + "similarityID": "f89e8819a2e8a4c8846379f9c03939ebb08bb0ba9427c4df652406cedd8d37ee", + "search_line": 34 } ] diff --git a/assets/queries/cloudFormation/aws/security_group_egress_with_all_protocols/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_egress_with_all_protocols/test/positive_expected_result.json index 7a4d708f261..0b477429578 100644 --- a/assets/queries/cloudFormation/aws/security_group_egress_with_all_protocols/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_egress_with_all_protocols/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Security Group Egress With All Protocols", "severity": "MEDIUM", "line": 14, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress.IpProtocol", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].IpProtocol should not be set to '-1'", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].IpProtocol is set to '-1'", + "issueType": "IncorrectValue", + "similarityID": "d4dd96740bb0f01eaa5f1bfae110ae1fac7b66074fa93ba84981e55739c714bb", + "search_line": 14 }, { "queryName": "Security Group Egress With All Protocols", "severity": "MEDIUM", "line": 21, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties.IpProtocol", + "searchValue": "", + "expectedValue": "Resources.OutboundRule.Properties.IpProtocol should not be set to '-1'", + "actualValue": "Resources.OutboundRule.Properties.IpProtocol is set to '-1'", + "issueType": "IncorrectValue", + "similarityID": "c54b54f34aa7a23fab74fd202bb2335899705a98be6384b34f7df7f2722f442d", + "search_line": 21 }, { - "fileName": "positive2.json", "queryName": "Security Group Egress With All Protocols", "severity": "MEDIUM", - "line": 43 + "line": 21, + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress.IpProtocol", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].IpProtocol should not be set to '-1'", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].IpProtocol is set to 
'-1'", + "issueType": "IncorrectValue", + "similarityID": "91c8b4a30143f3c569d6252cef06eb9d7eb10fa6887308fce3791e0d68cd53d3", + "search_line": 21 }, { "queryName": "Security Group Egress With All Protocols", "severity": "MEDIUM", - "line": 21, - "fileName": "positive2.json" + "line": 43, + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties.IpProtocol", + "searchValue": "", + "expectedValue": "Resources.OutboundRule.Properties.IpProtocol should not be set to '-1'", + "actualValue": "Resources.OutboundRule.Properties.IpProtocol is set to '-1'", + "issueType": "IncorrectValue", + "similarityID": "081eeecbaf79f7a8114e4cfb085e6660afbcc172230654a06823b2797de2fe0a", + "search_line": 43 } ] diff --git a/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/test/positive_expected_result.json index 07c66a046af..d57420e5b27 100644 --- a/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_egress_with_port_range/test/positive_expected_result.json 
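Review bot: The new `searchKey` for the AWS::EC2::SecurityGroup entries, `Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress.IpProtocol`, omits the `[0]` index that the adjacent `expectedValue` and `actualValue` strings use and that the sibling security_group_egress_cidr_open_to_world fixture uses in its own searchKey. Without the index the key does not name one rule, so on a group with several egress rules the finding cannot be tied to the offending entry; the same mismatch appears in the security_group_ingress_has_cidr_not_recommended, security_group_ingress_with_all_protocols and security_group_ingress_with_port_range fixtures in this diff. Since these files are regenerated from scanner output this is presumably a query-side inconsistency being recorded verbatim rather than a hand-editing error, but locking `SecurityGroupEgress.IpProtocol` in as expected means a later correction of the query's searchKey will show up as a fixture regression, so it would be worth aligning the query to emit `SecurityGroupEgress[0].IpProtocol` before regenerating.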
@@ -3,24 +3,60 @@ "queryName": "Security Group Egress With Port Range", "severity": "MEDIUM", "line": 15, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0]", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].FromPort should equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].ToPort", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].FromPort is not equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].ToPort", + "issueType": "IncorrectValue", + "similarityID": "4d91984e3c39f54ecd19bf0f6f4c2fd6d2903bfe12d4e094e8d65ac94e758591", + "search_line": 15 }, { "queryName": "Security Group Egress With Port Range", "severity": "MEDIUM", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties", + "searchValue": "", + "expectedValue": "Resources.OutboundRule.Properties.FromPort should equal to Resources.OutboundRule.Properties.ToPort", + "actualValue": "Resources.OutboundRule.Properties.FromPort is not equal to Resources.OutboundRule.Properties.ToPort", + "issueType": "IncorrectValue", + "similarityID": "040a1d7a174c0a50caa9ed4186661f918773c4f273c8d01801dd26fdab815291", + "search_line": 22 }, { "queryName": "Security Group Egress With Port Range", "severity": "MEDIUM", "line": 21, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0]", + "searchValue": "", + "expectedValue": 
"Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].FromPort should equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].ToPort", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].FromPort is not equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].ToPort", + "issueType": "IncorrectValue", + "similarityID": "000b5072849bd09c1fedfa3d97c59bfa16a1388587e49368d9bd32a89c94a60f", + "search_line": 21 }, { "queryName": "Security Group Egress With Port Range", "severity": "MEDIUM", "line": 32, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties", + "searchValue": "", + "expectedValue": "Resources.OutboundRule.Properties.FromPort should equal to Resources.OutboundRule.Properties.ToPort", + "actualValue": "Resources.OutboundRule.Properties.FromPort is not equal to Resources.OutboundRule.Properties.ToPort", + "issueType": "IncorrectValue", + "similarityID": "1280a1b0f98ae454960d53d6cd05a4fa5ceb045e0e87f0e08e8471bb0436b7d9", + "search_line": 32 } ] diff --git a/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/test/positive_expected_result.json index e41f59b8056..f882d39d810 100644 --- a/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended/test/positive_expected_result.json 
@@ -1,26 +1,62 @@ [ { + "queryName": "Security Group Ingress Has CIDR Not Recommended", "severity": "LOW", "line": 13, "fileName": "positive1.yaml", - "queryName": "Security Group Ingress Has CIDR Not Recommended" + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress.CidrIp", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp should not be /32", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp is /32", + "issueType": "IncorrectValue", + "similarityID": "12e9c1913f4661617fcbec075a7727467cc86de32ade2c13ceb3852b0976720e", + "search_line": 13 }, { "queryName": "Security Group Ingress Has CIDR Not Recommended", "severity": "LOW", "line": 43, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.CidrIpv6 should not be /128", + "actualValue": "Resources.InboundRule.Properties.CidrIpv6 is /128", + "issueType": "IncorrectValue", + "similarityID": "e24f97da936a7b0e8c7b26e579d8f9a02123066a406c533e7017ac712fa3a1b7", + "search_line": 43 }, { + "queryName": "Security Group Ingress Has CIDR Not Recommended", "severity": "LOW", "line": 44, "fileName": "positive2.json", - "queryName": "Security Group Ingress Has CIDR Not Recommended" + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.CidrIpv6 should not be /128", + "actualValue": "Resources.InboundRule.Properties.CidrIpv6 is /128", + "issueType": "IncorrectValue", + "similarityID": 
"712cd58dc821dead349d2d0a44c43c548085d4b0fff028e8fe803af4232940b2", + "search_line": 44 }, { "queryName": "Security Group Ingress Has CIDR Not Recommended", "severity": "LOW", "line": 69, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress.CidrIp", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp should not be /32", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp is /32", + "issueType": "IncorrectValue", + "similarityID": "0481e48eb235c37904900e4214ae61063ffe8589442402a61f7ba221803122ca", + "search_line": 69 } ] diff --git a/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/test/positive_expected_result.json index 038c167f50c..e4d4b3cd4c6 100644 --- a/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Security Group Ingress With All Protocols", "severity": "MEDIUM", "line": 9, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress.IpProtocol", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].IpProtocol should not be set to '-1'", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].IpProtocol is set to '-1'", + "issueType": "IncorrectValue", + "similarityID": "e348281a01cca45197b2aee8f718ac49e9b334c349395ccd5270c3526c308824", + "search_line": 9 }, { - "fileName": "positive1.yaml", "queryName": "Security Group Ingress With All Protocols", "severity": "MEDIUM", - "line": 35 + "line": 35, + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.IpProtocol", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.IpProtocol should not be set to '-1'", + "actualValue": "Resources.InboundRule.Properties.IpProtocol is set to '-1'", + "issueType": "IncorrectValue", + "similarityID": "ebef8a4b66a6085a7c4981399c654ab24438d153871fa14561acef9f14414cae", + "search_line": 35 }, { "queryName": "Security Group Ingress With All Protocols", "severity": "MEDIUM", - "line": 51, - "fileName": "positive2.json" + "line": 11, + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress.IpProtocol", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].IpProtocol should not be set to '-1'", + "actualValue": 
"Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].IpProtocol is set to '-1'", + "issueType": "IncorrectValue", + "similarityID": "f8924f856ce2de90595dfe398db3c7ecb2637f9beb0c624f6bcf90d584883ff9", + "search_line": 11 }, { "queryName": "Security Group Ingress With All Protocols", "severity": "MEDIUM", - "line": 11, - "fileName": "positive2.json" + "line": 51, + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.IpProtocol", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.IpProtocol should not be set to '-1'", + "actualValue": "Resources.InboundRule.Properties.IpProtocol is set to '-1'", + "issueType": "IncorrectValue", + "similarityID": "0588c5da78d9a01ccb7884da59eb118fc28639dfeb0f995521ae926dd0ea873f", + "search_line": 51 } ] diff --git a/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/test/positive_expected_result.json index 70c0666415a..34409004a1f 100644 --- a/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range/test/positive_expected_result.json 
@@ -1,26 +1,62 @@ [ { + "queryName": "Security Group Ingress With Port Range", "severity": "MEDIUM", "line": 9, "fileName": "positive1.yaml", - "queryName": "Security Group Ingress With Port Range" + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].FromPort should equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].ToPort", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].FromPort is not equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].ToPort", + "issueType": "IncorrectValue", + "similarityID": "ec9d819008be7c3737aa05967a7d8e6f21b84f1d0631db2bd8f4f9e35017f92b", + "search_line": 9 }, { "queryName": "Security Group Ingress With Port Range", "severity": "MEDIUM", "line": 37, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.FromPort should equal to Resources.InboundRule.Properties.ToPort", + "actualValue": "Resources.InboundRule.Properties.FromPort is not equal to Resources.InboundRule.Properties.ToPort", + "issueType": "IncorrectValue", + "similarityID": "d7de98ed1e9687fb8c5cbdabdfc50b0737f7b19e214af98b45e1ac8891d6c1f0", + "search_line": 37 }, { + "queryName": "Security Group Ingress With Port Range", "severity": "MEDIUM", - "line": 53, + "line": 11, "fileName": "positive2.json", - "queryName": "Security Group Ingress With Port Range" + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", + "searchValue": "", + "expectedValue": 
"Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].FromPort should equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].ToPort", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].FromPort is not equal to Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].ToPort", + "issueType": "IncorrectValue", + "similarityID": "404e91d41510cd37c8df31e2c718f91c481f020e2269530399f242ad72a8d9d3", + "search_line": 11 }, { - "fileName": "positive2.json", "queryName": "Security Group Ingress With Port Range", "severity": "MEDIUM", - "line": 11 + "line": 53, + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.FromPort should equal to Resources.InboundRule.Properties.ToPort", + "actualValue": "Resources.InboundRule.Properties.FromPort is not equal to Resources.InboundRule.Properties.ToPort", + "issueType": "IncorrectValue", + "similarityID": "ca2d767cfc83abeef28b19db1fdf381201bcd9c212b3b1c04fe8a3ca9284dab3", + "search_line": 53 } ] diff --git a/assets/queries/cloudFormation/aws/security_group_rule_without_description/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_group_rule_without_description/test/positive_expected_result.json index 640f5f33e9e..f9bd3915938 100644 --- a/assets/queries/cloudFormation/aws/security_group_rule_without_description/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_group_rule_without_description/test/positive_expected_result.json 
@@ -3,72 +3,180 @@ "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 4, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.GroupDescription should be set", + "actualValue": "Resources.InstanceSecurityGroup.Properties.GroupDescription is undefined", + "issueType": "MissingAttribute", + "similarityID": "79803d8cefdd01201275e0b5806e85bc1708dc3ceb3cf55dc7cd03dd56507e36", + "search_line": 4 }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 8, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].Description should be set", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].Description is undefined", + "issueType": "MissingAttribute", + "similarityID": "2c31d01ea13a3b2365593e38e6a82691c71955bfb19ceae90f95dfafc5a7afa8", + "search_line": 8 }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 13, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].Description should be set", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].Description is undefined", + "issueType": "MissingAttribute", + 
"similarityID": "9e4efcde90690ca5b93d00902d4a994340975fbc9443bce9cf147d1b99ef3e91", + "search_line": 13 }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 19, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties", + "searchValue": "", + "expectedValue": "Resources.OutboundRule.Properties.Description should be set", + "actualValue": "Resources.OutboundRule.Properties.Description is undefined", + "issueType": "MissingAttribute", + "similarityID": "88bf60f1391e178e94c09c33fcddc71c2984403a38b389ea2e3336124913f0f0", + "search_line": 19 }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 33, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.Description should be set", + "actualValue": "Resources.InboundRule.Properties.Description is undefined", + "issueType": "MissingAttribute", + "similarityID": "3583059dc382b3ccecab61fe3dffb583e32a26f38d1a75e1a46d8107d2238dc1", + "search_line": 33 }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 47, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "LegacySecurityGroup", + "searchKey": "Resources.LegacySecurityGroup.Properties", + "searchValue": "", + "expectedValue": "Resources.LegacySecurityGroup.Properties.GroupDescription should be set", + "actualValue": "Resources.LegacySecurityGroup.Properties.GroupDescription is undefined", + "issueType": "MissingAttribute", + "similarityID": "a4495c7a7e7ddd0cd8659ac3eb58142712ddb7546a30f3c81308ed9448301c8f", + "search_line": 47 }, { 
"queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 5, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.GroupDescription should be set", + "actualValue": "Resources.InstanceSecurityGroup.Properties.GroupDescription is undefined", + "issueType": "MissingAttribute", + "similarityID": "2a8e521154e6d09a5baa254bd34f04ab0417ab821468c3663eeded86300cb505", + "search_line": 5 }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 11, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].Description should be set", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].Description is undefined", + "issueType": "MissingAttribute", + "similarityID": "ac8598d1a9a09e39f407d2c503e286b83330d7f217dd184ee0b4ba7fa0a79030", + "search_line": 11 }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 19, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].Description should be set", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupEgress[0].Description is undefined", + "issueType": "MissingAttribute", + "similarityID": 
"7780ade76495377d5b6b309c1376a439ce51af6d0933791712bc66cb2dbd3c9a", + "search_line": 19 }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 29, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "OutboundRule", + "searchKey": "Resources.OutboundRule.Properties", + "searchValue": "", + "expectedValue": "Resources.OutboundRule.Properties.Description should be set", + "actualValue": "Resources.OutboundRule.Properties.Description is undefined", + "issueType": "MissingAttribute", + "similarityID": "aa4e54468800923e52c2b2600e28c03a86dba9e3a91a8ab18001921589e9c735", + "search_line": 29 }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 49, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.Description should be set", + "actualValue": "Resources.InboundRule.Properties.Description is undefined", + "issueType": "MissingAttribute", + "similarityID": "0359905080be1aa26737867e365a36c00372143708782e3b35b0a0f9cec35ac1", + "search_line": 49 }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 69, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::RDS::DBSecurityGroup", + "resourceName": "LegacySecurityGroup", + "searchKey": "Resources.LegacySecurityGroup.Properties", + "searchValue": "", + "expectedValue": "Resources.LegacySecurityGroup.Properties.GroupDescription should be set", + "actualValue": "Resources.LegacySecurityGroup.Properties.GroupDescription is undefined", + "issueType": "MissingAttribute", + "similarityID": "fc4c2bd631131bb276c80d845c085bab3414112fe7d045e9e2a6dbe93275433a", + "search_line": 69 } ] 
diff --git a/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/test/positive_expected_result.json index 443ab39a1fd..cde156b7200 100644 --- a/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic/test/positive_expected_result.json 
@@ -3,60 +3,150 @@ "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", "line": 8, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group", + "searchKey": "Resources.Positive1_security_group.Properties.SecurityGroupEgress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1_security_group.Properties.SecurityGroupEgress[0]' should not have IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0' simultaneously", + "actualValue": "'Resources.Positive1_security_group.Properties.SecurityGroupEgress[0]' has IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0'.", + "issueType": "IncorrectValue", + "similarityID": "b9de57964f29ba3863e6947dc45f974e6a0974ae41d5b66d9ca83e3b3b5abb7c", + "search_line": 8 }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", "line": 16, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "Positive1_security_group", + "searchKey": "Resources.Positive1_egress_ipv4.Properties", + "searchValue": "", + "expectedValue": "'Resources.Positive1_egress_ipv4.Properties' should not have IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0' simultaneously", + "actualValue": "'Resources.Positive1_egress_ipv4.Properties' has IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0'.", + "issueType": "IncorrectValue", + "similarityID": "bdf59ba236cb3529561f0df8fcab0d035193f8d7555b27a8a2dd7072793a2db4", + "search_line": 16 }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", "line": 26, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "Positive1_security_group", + "searchKey": "Resources.Positive1_egress_ipv6.Properties", + "searchValue": "", + "expectedValue": 
"'Resources.Positive1_egress_ipv6.Properties' should not have IpProtocol set to '-1' and CidrIpv6 set to '::/0' simultaneously", + "actualValue": "'Resources.Positive1_egress_ipv6.Properties' has IpProtocol set to '-1' and CidrIpv6 set to '::/0'.", + "issueType": "IncorrectValue", + "similarityID": "ec6f59b47a31a1ddafd6b5e3569d24f6163eac54aa9c2a2721a9e755c081858b", + "search_line": 26 }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", "line": 8, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupEgress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive2_security_group.Properties.SecurityGroupEgress[0]' should not have IpProtocol set to '-1' and CidrIpv6 set to '::/0' simultaneously", + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupEgress[0]' has IpProtocol set to '-1' and CidrIpv6 set to '::/0'.", + "issueType": "IncorrectValue", + "similarityID": "ff8fc4e43e3cb60a737d6eb5931b45b8cd236f723a1fcdc12584255813dbad40", + "search_line": 8 }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", "line": 16, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_egress_ipv6.Properties", + "searchValue": "", + "expectedValue": "'Resources.Positive2_egress_ipv6.Properties' should not have IpProtocol set to '-1' and CidrIpv6 set to '0:0:0:0:0:0:0:0/0' simultaneously", + "actualValue": "'Resources.Positive2_egress_ipv6.Properties' has IpProtocol set to '-1' and CidrIpv6 set to '0:0:0:0:0:0:0:0/0'.", + "issueType": "IncorrectValue", + "similarityID": "0ac7eddb9351e7d83406f72e7f40e519640a9c2fecbfc8a332d7e818f38b3401", + "search_line": 16 
}, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", "line": 12, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive3_security_group", + "searchKey": "Resources.Positive3_security_group.Properties.SecurityGroupEgress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive3_security_group.Properties.SecurityGroupEgress[0]' should not have IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0' simultaneously", + "actualValue": "'Resources.Positive3_security_group.Properties.SecurityGroupEgress[0]' has IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0'.", + "issueType": "IncorrectValue", + "similarityID": "962846eaaf7cc4c4179343033d2a665546b5cd5918f3e07b09694c41f7f05d8a", + "search_line": 12 }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", "line": 22, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "Positive3_security_group", + "searchKey": "Resources.Positive3_egress_ipv4.Properties", + "searchValue": "", + "expectedValue": "'Resources.Positive3_egress_ipv4.Properties' should not have IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0' simultaneously", + "actualValue": "'Resources.Positive3_egress_ipv4.Properties' has IpProtocol set to '-1' and CidrIp set to '0.0.0.0/0'.", + "issueType": "IncorrectValue", + "similarityID": "f72ba15775de02628906d103869aeeaac308fee06a66994539e4d62050ddd269", + "search_line": 22 }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", "line": 34, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "Positive3_security_group", + "searchKey": "Resources.Positive3_egress_ipv6.Properties", + "searchValue": "", + "expectedValue": 
"'Resources.Positive3_egress_ipv6.Properties' should not have IpProtocol set to '-1' and CidrIpv6 set to '::/0' simultaneously", + "actualValue": "'Resources.Positive3_egress_ipv6.Properties' has IpProtocol set to '-1' and CidrIpv6 set to '::/0'.", + "issueType": "IncorrectValue", + "similarityID": "e628dab44ff2e283ac3c7c294cda9dc0446482b5b571e90124367273f8842c45", + "search_line": 34 }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", "line": 12, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive4_security_group", + "searchKey": "Resources.Positive4_security_group.Properties.SecurityGroupEgress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive4_security_group.Properties.SecurityGroupEgress[0]' should not have IpProtocol set to '-1' and CidrIpv6 set to '::/0' simultaneously", + "actualValue": "'Resources.Positive4_security_group.Properties.SecurityGroupEgress[0]' has IpProtocol set to '-1' and CidrIpv6 set to '::/0'.", + "issueType": "IncorrectValue", + "similarityID": "fb2adae4978a5708a46e48d83fd6893c62129191a41db139b68d279994994f26", + "search_line": 12 }, { "queryName": "Security Groups Allows Unrestricted Outbound Traffic", "severity": "MEDIUM", "line": 22, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupEgress", + "resourceName": "Positive4_security_group", + "searchKey": "Resources.Positive4_egress_ipv6.Properties", + "searchValue": "", + "expectedValue": "'Resources.Positive4_egress_ipv6.Properties' should not have IpProtocol set to '-1' and CidrIpv6 set to '0:0:0:0:0:0:0:0/0' simultaneously", + "actualValue": "'Resources.Positive4_egress_ipv6.Properties' has IpProtocol set to '-1' and CidrIpv6 set to '0:0:0:0:0:0:0:0/0'.", + "issueType": "IncorrectValue", + "similarityID": "d3dc3083d4e379549df0f8d15a19e4051d5176640073192326af8d5aa982adee", + "search_line": 22 
} -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/test/positive_expected_result.json index 1e1b42c1df2..e36c80d4821 100644 --- a/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "Security Group Unrestricted Access To RDP", "severity": "HIGH", "line": 15, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", + "searchValue": "", + "expectedValue": "None of the Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress should have port 3389", + "actualValue": "One of the Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress has port 3389", + "issueType": "IncorrectValue", + "similarityID": "c04c1aecfb02424c178e8604e11875d5bc152bd3eefb68f1b7d8b799cce2dced", + "search_line": -1 }, { "queryName": "Security Group Unrestricted Access To RDP", "severity": "HIGH", "line": 10, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", + "searchValue": "", + "expectedValue": "None of the Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress should have port 3389", + "actualValue": "One of the Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress has port 3389", + "issueType": "IncorrectValue", + "similarityID": "2248f801ebdc22a79586add5aa77330989c867d5951f80a5df95a5c34c00ee16", + "search_line": -1 } ] 
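Review bot: Both new entries in the security_groups_unrestricted_access_to_rdp hunk pin `"search_line": -1` while `"line"` is 15 and 10, whereas every other expected-result hunk on this page records a `search_line` equal to `line`. A value of -1 appears to mean the query never resolved a search line for the finding, so committing it as the expected value freezes that gap into the test instead of surfacing it. If this is intended, a one-line remark in the PR description saying the RDP query does not emit a `searchLine` would stop the next person who regenerates the file from reading it as a regression; otherwise the query's `searchLine` output should be fixed first and this file regenerated with the script the PR adds.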
diff --git a/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/test/positive_expected_result.json index 3369c2f16fa..54606471927 100644 --- a/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports/test/positive_expected_result.json 
@@ -3,96 +3,240 @@ "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 8, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group", + "searchKey": "Resources.Positive1_security_group.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive1_security_group.Properties.SecurityGroupIngress[0]' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389", + "issueType": "IncorrectValue", + "similarityID": "bd09491d3cde8748f59b8e5f6b236874875a12cf1fd7471755aabb0a7c5d8e74", + "search_line": 8 }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 16, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group", + "searchKey": "Resources.Positive1_ingress_ipv4.Properties", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive1_ingress_ipv4.Properties' is exposed and contains port(s): 20, 21, 22, 23", + "issueType": "IncorrectValue", + "similarityID": "5f5cc3c4c6061197ab3bfc18d9a39ef5a42ba740c209b89756d72e1b865b6aec", + "search_line": 16 }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 26, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group", + "searchKey": "Resources.Positive1_ingress_ipv6.Properties", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": 
"'Resources.Positive1_ingress_ipv6.Properties' is exposed and contains port(s): 2049", + "issueType": "IncorrectValue", + "similarityID": "c0d9734a9c20a9abb43d3d8aba0bcd14027e784592aeb9630c9284d4429b80e9", + "search_line": 26 }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 8, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[0]' is exposed and contains port(s): 20, 21, 22, 23", + "issueType": "IncorrectValue", + "similarityID": "1004439fd09e5fb43a8af32942271eba55b29c1268b3cb7bdee409bc796d93e2", + "search_line": 8 }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 12, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[1]' is exposed and contains port(s): 20, 21, 22, 23", + "issueType": "IncorrectValue", + "similarityID": "833a020443f7aeae53b22b08192eb7fc3ac3a856aeb878bfbfae8f7498b20ee2", + "search_line": 12 }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 16, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive2_security_group", + 
"searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupIngress[2]", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[2]' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389", + "issueType": "IncorrectValue", + "similarityID": "1d5a27724f41b47fdc6369b3e771e20aa9479cfd87bc56af2d8df8c0dc78c85e", + "search_line": 16 }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 24, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_ingress_ipv4.Properties", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive2_ingress_ipv4.Properties' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389", + "issueType": "IncorrectValue", + "similarityID": "e76d378b70345d63749ed3c6bb2e31fcf5af383f5ac98773e234d8960a829085", + "search_line": 24 }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 34, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive1_ingress_ipv6.Properties", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive1_ingress_ipv6.Properties' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389", + "issueType": "IncorrectValue", + "similarityID": 
"995e82b6989f1b3cd3863f2712a3f631599ef5b617a20dfb97d27d6a02966fab", + "search_line": 34 }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 12, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group", + "searchKey": "Resources.Positive1_security_group.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive1_security_group.Properties.SecurityGroupIngress[0]' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389", + "issueType": "IncorrectValue", + "similarityID": "09c801d808256d10644a2c36bcaaad78dc778a2bbff48dbc56c6f9c5a9d07ef7", + "search_line": 12 }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 22, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group", + "searchKey": "Resources.Positive1_ingress_ipv4.Properties", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive1_ingress_ipv4.Properties' is exposed and contains port(s): 20, 21, 22, 23", + "issueType": "IncorrectValue", + "similarityID": "a979484e5f10ade8a44cbb41df9b12b060b307e437fc8b4adccc16265c69c69b", + "search_line": 22 }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 34, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group", + "searchKey": "Resources.Positive1_ingress_ipv6.Properties", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin 
ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive1_ingress_ipv6.Properties' is exposed and contains port(s): 2049", + "issueType": "IncorrectValue", + "similarityID": "42a66179c2ddc2a85ceeb5b5db75347751f6e4d31abebffa8a4e86c388a83a99", + "search_line": 34 }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 12, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[0]' is exposed and contains port(s): 20, 21, 22, 23", + "issueType": "IncorrectValue", + "similarityID": "2d780cff3a9020bd918b68e76460c830b38e9ef7f372b53e775a712106f1c44b", + "search_line": 12 }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 18, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[1]' is exposed and contains port(s): 20, 21, 22, 23", + "issueType": "IncorrectValue", + "similarityID": "62c23c654c2858364bcdf4cac341bdb571d9c7cc7b86c18ebcef4f3818ad7a6d", + "search_line": 18 }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 24, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": 
"AWS::EC2::SecurityGroup", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_security_group.Properties.SecurityGroupIngress[2]", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive2_security_group.Properties.SecurityGroupIngress[2]' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389", + "issueType": "IncorrectValue", + "similarityID": "1be9c9ea75e59df0f11a68723b452092a7ebf221e28d4899658a91fd3057bcd8", + "search_line": 24 }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 34, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive2_ingress_ipv4.Properties", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive2_ingress_ipv4.Properties' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389", + "issueType": "IncorrectValue", + "similarityID": "4a6cb70718ed670b7b43efe8be39d2c4f657100110b46554dede2543d506a116", + "search_line": 34 }, { "queryName": "Security Groups With Exposed Admin Ports", "severity": "HIGH", "line": 46, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive2_security_group", + "searchKey": "Resources.Positive1_ingress_ipv6.Properties", + "searchValue": "", + "expectedValue": "No exposed ingress rule should contain admin ports: 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389", + "actualValue": "'Resources.Positive1_ingress_ipv6.Properties' is exposed and contains port(s): 20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389", + "issueType": 
"IncorrectValue", + "similarityID": "015959636b4aacd7efc25441a313e1199ba47c97f1c6375b594bbac535b62ee0", + "search_line": 46 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/test/positive_expected_result.json index 33ac5943cde..58f21142b29 100644 --- a/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_groups_with_meta_ip/test/positive_expected_result.json 
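Review bot: In the security_groups_with_exhibited_admin_ports hunk the positive2.yaml entry at line 34 and the positive4.json entry at line 46 record `"searchKey": "Resources.Positive1_ingress_ipv6.Properties"` under `"resourceName": "Positive2_security_group"`, and the positive3.json entries all carry Positive1_* names. Since the file is generated from a scan, this presumably reflects copy-pasted resource names in the fixtures rather than a generator fault, but it makes the expected results hard to check against the fixture that produced them. Renaming those resources in the fixtures (for example to `Positive2_ingress_ipv6`, with Positive3_*/Positive4_* in the JSON variants) and regenerating would keep `searchKey` and `fileName` consistent; the security_groups_with_meta_ip hunk shows the same pattern for positive2.json.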
@@ -3,96 +3,240 @@ "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 12, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group_1", + "searchKey": "Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with 'IpProtocol' set to '-1'.", + "actualValue": "'Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[0].CidrIp' has CidrIp equal to 0.0.0.0/0 with 'IpProtocol' set to '-1'.", + "issueType": "IncorrectValue", + "similarityID": "e9990e92357c38a7a42022210d152725108f9a09ceae6f32e2851b6cd9330bdc", + "search_line": 12 }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 16, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group_1", + "searchKey": "Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[1].CidrIpv6", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with 'IpProtocol' set to '-1'.", + "actualValue": "'Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[1].CidrIpv6' has CidrIpv6 equal to ::/0 with 'IpProtocol' set to '-1'.", + "issueType": "IncorrectValue", + "similarityID": "c895b7b4f333d19a4e0be383608dfe55319879febba73febf43af9e4a472003e", + "search_line": 16 }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 26, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group_1", + "searchKey": "Resources.Positive1_ingress_ipv4_1.Properties.CidrIp", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with 'IpProtocol' set to '-1'.", + "actualValue": 
"'Resources.Positive1_ingress_ipv4_1.Properties.CidrIp' has CidrIp equal to 0.0.0.0/0 with 'IpProtocol' set to '-1'.", + "issueType": "IncorrectValue", + "similarityID": "b66bd3319bde93fb3756e00d19bc708a8f78043008e8044c13dc6efff1fe68f0", + "search_line": 26 }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 36, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group_1", + "searchKey": "Resources.Positive1_ingress_ipv6_1.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with 'IpProtocol' set to '-1'.", + "actualValue": "'Resources.Positive1_ingress_ipv6_1.Properties.CidrIpv6' has CidrIpv6 equal to ::/0 with 'IpProtocol' set to '-1'.", + "issueType": "IncorrectValue", + "similarityID": "890603ae7aee30e5fe296227d34d737688dfabd2f719639aa362cd1291e44e36", + "search_line": 36 }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 48, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group_2", + "searchKey": "Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with all 65535 ports open.", + "actualValue": "'Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[0].CidrIp' has CidrIp equal to 0.0.0.0/0 with all 65535 ports open.", + "issueType": "IncorrectValue", + "similarityID": "5b66433c5f26a5afbcb8f11585e7972655fbb4f32a4ad7594d76a6938b8e6f07", + "search_line": 48 }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 52, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group_2", + "searchKey": 
"Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[1].CidrIpv6", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with all 65535 ports open.", + "actualValue": "'Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[1].CidrIpv6' has CidrIpv6 equal to ::/0 with all 65535 ports open.", + "issueType": "IncorrectValue", + "similarityID": "968853b7f7d88a2b9f739d894875228adf7904df4441fe96dd3d990f4d5a6018", + "search_line": 52 }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 62, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group_2", + "searchKey": "Resources.Positive1_ingress_ipv4_2.Properties.CidrIp", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with all 65535 ports open.", + "actualValue": "'Resources.Positive1_ingress_ipv4_2.Properties.CidrIp' has CidrIp equal to 0.0.0.0/0 with all 65535 ports open.", + "issueType": "IncorrectValue", + "similarityID": "ae70b1958b236a777e0efb464ba993058992f911c5c148ebf43058254e3c2ca1", + "search_line": 62 }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 72, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group_2", + "searchKey": "Resources.Positive1_ingress_ipv6_2.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with all 65535 ports open.", + "actualValue": "'Resources.Positive1_ingress_ipv6_2.Properties.CidrIpv6' has CidrIpv6 equal to ::/0 with all 65535 ports open.", + "issueType": "IncorrectValue", + "similarityID": "ae7a29c93b3025329e65da8e2fe9b0cbc40d5fa47c0d18504d2217eea84472fe", + "search_line": 72 }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 13, 
- "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group_1", + "searchKey": "Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with 'IpProtocol' set to '-1'.", + "actualValue": "'Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[0].CidrIp' has CidrIp equal to 0.0.0.0/0 with 'IpProtocol' set to '-1'.", + "issueType": "IncorrectValue", + "similarityID": "52c2e6b133d9e556f35c6d1446462e808a172566731e76429af84e0c1344d646", + "search_line": 13 }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 19, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group_1", + "searchKey": "Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[1].CidrIpv6", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with 'IpProtocol' set to '-1'.", + "actualValue": "'Resources.Positive1_security_group_1.Properties.SecurityGroupIngress[1].CidrIpv6' has CidrIpv6 equal to ::/0 with 'IpProtocol' set to '-1'.", + "issueType": "IncorrectValue", + "similarityID": "8eead1b2d9f2a75756081fca25a024e861d02c18113c4acf03bddaf95d5a5801", + "search_line": 19 }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 31, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group_1", + "searchKey": "Resources.Positive1_ingress_ipv4_1.Properties.CidrIp", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with 'IpProtocol' set to '-1'.", + "actualValue": "'Resources.Positive1_ingress_ipv4_1.Properties.CidrIp' has CidrIp equal to 0.0.0.0/0 with 
'IpProtocol' set to '-1'.", + "issueType": "IncorrectValue", + "similarityID": "2cfdbfd38b9d6e1eafbc7313756eb7d0d6b0a037954e200886093eb0e63cd32b", + "search_line": 31 }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 41, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group_1", + "searchKey": "Resources.Positive1_ingress_ipv6_1.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with 'IpProtocol' set to '-1'.", + "actualValue": "'Resources.Positive1_ingress_ipv6_1.Properties.CidrIpv6' has CidrIpv6 equal to ::/0 with 'IpProtocol' set to '-1'.", + "issueType": "IncorrectValue", + "similarityID": "052fbcf2db1c754802bf1ba3dc1db052090ee725abc9c6372686267519914cca", + "search_line": 41 }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 54, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group_2", + "searchKey": "Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[0].CidrIp", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with all 65535 ports open.", + "actualValue": "'Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[0].CidrIp' has CidrIp equal to 0.0.0.0/0 with all 65535 ports open.", + "issueType": "IncorrectValue", + "similarityID": "cccc0470b137b2658b4b51c19a8881ea67f298a7da5a32fcb96a72bbe28c2251", + "search_line": 54 }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 60, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1_security_group_2", + "searchKey": "Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[1].CidrIpv6", + "searchValue": "", + 
"expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with all 65535 ports open.", + "actualValue": "'Resources.Positive1_security_group_2.Properties.SecurityGroupIngress[1].CidrIpv6' has CidrIpv6 equal to ::/0 with all 65535 ports open.", + "issueType": "IncorrectValue", + "similarityID": "2c8e476ad91c11c0e5dbc5de1919b6b624218f95721900ec23c012880acaf0fc", + "search_line": 60 }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 72, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group_2", + "searchKey": "Resources.Positive1_ingress_ipv4_2.Properties.CidrIp", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIp' set to '0.0.0.0/0' with all 65535 ports open.", + "actualValue": "'Resources.Positive1_ingress_ipv4_2.Properties.CidrIp' has CidrIp equal to 0.0.0.0/0 with all 65535 ports open.", + "issueType": "IncorrectValue", + "similarityID": "5494c00123ac97e8ffb402af55998e9e1553be827b239c3cb3a196b8996542f6", + "search_line": 72 }, { "queryName": "Security Groups With Meta IP", "severity": "HIGH", "line": 82, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1_security_group_2", + "searchKey": "Resources.Positive1_ingress_ipv6_2.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "No ingress should have a 'CidrIpv6' set to '::/0' with all 65535 ports open.", + "actualValue": "'Resources.Positive1_ingress_ipv6_2.Properties.CidrIpv6' has CidrIpv6 equal to ::/0 with all 65535 ports open.", + "issueType": "IncorrectValue", + "similarityID": "5a5e173f4492834ed8ce6c8bfca61006381d8b3f577565f8faf26be90dbbc03e", + "search_line": 82 } ] 
diff --git a/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/test/positive_expected_result.json index 31a2b146d4f..1ca835669c3 100644 --- a/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh/test/positive_expected_result.json 
@@ -3,132 +3,330 @@ "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 10, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the SSH port (22)", + "issueType": "IncorrectValue", + "similarityID": "629609afcb7b971e3cda3b368c150d52eb0493570eb581e5934e2be5572f195a", + "search_line": 10 }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 22, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the SSH port (22)", + "issueType": "IncorrectValue", + "similarityID": "89bdd752d525c9bfb90265729f5aa3742255f6a6e404262d8b8ec7ab625d9b4c", + "search_line": 22 }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 38, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the SSH port (22)", + "actualValue": 
"'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the SSH port (22)", + "issueType": "IncorrectValue", + "similarityID": "0d7356acd0ea17d37de48773f9d5a58e442e2ad349634d77987d1c0ac28e26be", + "search_line": 38 }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 51, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the SSH port (22)", + "issueType": "IncorrectValue", + "similarityID": "cbcb9e6471cebf29ab0e02b99f1ddc80b3ca5c7d309facaf42f29e32d33106fa", + "search_line": 51 }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 63, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_2", + "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the SSH port (22)", + "issueType": "IncorrectValue", + "similarityID": "c56c095f89a418b3dc4b7649dce66ef640d3c224a498e4e0ce7925e46b315bbc", + "search_line": 63 }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 79, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", 
+ "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the SSH port (22)", + "issueType": "IncorrectValue", + "similarityID": "6534c2854ae91f3ad64ee93929547bdc6bbc20b45f884a27f1f56e9e8acab93d", + "search_line": 79 }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 12, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv4Ingress1.Properties' opens the SSH port (22)", + "issueType": "IncorrectValue", + "similarityID": "51a0b883f23caeecbea33ba8c968e8fe92884644c7edb66d4e475c94bc6a6dc4", + "search_line": 12 }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 21, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv4Ingress2.Properties' opens the SSH port (22)", + "issueType": "IncorrectValue", + "similarityID": "f1d7ee8809b4ceb6db8d0443048200cc389f94e7d18678038c7362c2df6855a9", + "search_line": 21 }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 31, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": 
"Resources.IPv6Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv6Ingress1.Properties' opens the SSH port (22)", + "issueType": "IncorrectValue", + "similarityID": "106fa8cb0776f6f0f19df9f44f3d95122f80d25f1a88a47a30f8dea0600413df", + "search_line": 31 }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 40, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv6Ingress2.Properties' opens the SSH port (22)", + "issueType": "IncorrectValue", + "similarityID": "5202a9f26eddb0d4b3fd0577b07a849f761753ff6af35304c68b1dd6b1208da6", + "search_line": 40 }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 49, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv6Ingress3.Properties' opens the SSH port (22)", + "issueType": "IncorrectValue", + "similarityID": "a1c5c95edaaeaa86efa66c32b40a2c50b4c0809e761b61f90f4122d163ae2080", + "search_line": 49 }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 10, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_1", + "searchKey": "Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]", + 
"searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1IPv4_1.Properties.SecurityGroupIngress[0]' opens the SSH port (22)", + "issueType": "IncorrectValue", + "similarityID": "80c0aee11392569da9b8e6bbccef8b4c27346dae1f2a887e407fa70bf8f421b8", + "search_line": 10 }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 25, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4_2", + "searchKey": "Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1IPv4_2.Properties.SecurityGroupIngress[0]' opens the SSH port (22)", + "issueType": "IncorrectValue", + "similarityID": "7e65d0610285931b8818636277907c34e9ab9cb692b0e036c37cc1aba9d9aad8", + "search_line": 25 }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 46, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv4", + "searchKey": "Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1ArrayTestIPv4.Properties.SecurityGroupIngress[1]' opens the SSH port (22)", + "issueType": "IncorrectValue", + "similarityID": "d379ec7f6d07ac9c582cc05346c48482557a0867eb9b18872f6a5c80f0ef7426", + "search_line": 46 }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 61, - "fileName": "positive3.json" + "fileName": 
"positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_1", + "searchKey": "Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1IPv6_1.Properties.SecurityGroupIngress[0]' opens the SSH port (22)", + "issueType": "IncorrectValue", + "similarityID": "882d013aae2b5581fe61a7572d7de175e52f89fb62a3579ed4c7e6b28bc22dba", + "search_line": 61 }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 76, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6_2", + "searchKey": "Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1IPv6_2.Properties.SecurityGroupIngress[0]' opens the SSH port (22)", + "issueType": "IncorrectValue", + "similarityID": "7864eba057e87859be94d83104f9784bcc1add5edadaa54aa5090920643f5d68", + "search_line": 76 }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 97, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1ArrayTestIPv6", + "searchKey": "Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' should not open the SSH port (22)", + "actualValue": "'Resources.Positive1ArrayTestIPv6.Properties.SecurityGroupIngress[1]' opens the SSH port (22)", + "issueType": "IncorrectValue", + "similarityID": "78257a6f1156b4ef16a7d8cb2b7b30c0a266d09af7cfa548e0aa23aef2c8085b", + 
"search_line": 97 }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 14, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv4Ingress1.Properties' opens the SSH port (22)", + "issueType": "IncorrectValue", + "similarityID": "705a218499e5ddf13220812de3fb502c81b34a60247bf1b9393ffdc0724e8b9b", + "search_line": 14 }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 26, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv4Ingress2.Properties' opens the SSH port (22)", + "issueType": "IncorrectValue", + "similarityID": "f4b93f9afd20b04097761dd87f56c1390fdeacdea5e42350796ddb7f3b966945", + "search_line": 26 }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 38, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv6Ingress1.Properties' opens the SSH port (22)", + "issueType": "IncorrectValue", + "similarityID": "b8bb7294a0499aca5a524a5dccc70c23ced3b591d5a846d60b57387f63d9ad7e", + "search_line": 38 }, { "queryName": "Security Group With 
Unrestricted Access To SSH", "severity": "MEDIUM", "line": 50, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv6Ingress2.Properties' opens the SSH port (22)", + "issueType": "IncorrectValue", + "similarityID": "7f170b4917addc9ba4dcc6a150200983bf66fd391a07f8b3720b741e4a11eacc", + "search_line": 50 }, { "queryName": "Security Group With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 62, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "DualStackSecurityGroup", + "searchKey": "Resources.IPv6Ingress3.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress3.Properties' should not open the SSH port (22)", + "actualValue": "'Resources.IPv6Ingress3.Properties' opens the SSH port (22)", + "issueType": "IncorrectValue", + "similarityID": "827f246d059f0e44e1babc405bddf82aa9c841c265ec88a194c329420fea47b1", + "search_line": 62 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/security_groups_without_vpc_attached/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/security_groups_without_vpc_attached/test/positive_expected_result.json index ef3f5cfa119..e9bf746a5c8 100644 --- a/assets/queries/cloudFormation/aws/security_groups_without_vpc_attached/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/security_groups_without_vpc_attached/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Security Groups Without VPC Attached", "severity": "LOW", "line": 16, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "My Group Name", + "searchKey": "Resources.InstanceSecurityGroup.Properties.VpcId.Ref", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.VpcId.Ref should be defined", + "actualValue": "Resources.InstanceSecurityGroup.Properties.VpcId.Ref is undefined", + "issueType": "MissingAttribute", + "similarityID": "bf01f68f48b6e21be75e794e87b9c268fd98663163f0c0b61677fc2421ef99ce", + "search_line": -1 }, { "queryName": "Security Groups Without VPC Attached", "severity": "LOW", "line": 22, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "My Group Name", + "searchKey": "Resources.InstanceSecurityGroup.Properties.VpcId.Ref", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.VpcId.Ref should be defined", + "actualValue": "Resources.InstanceSecurityGroup.Properties.VpcId.Ref is undefined", + "issueType": "MissingAttribute", + "similarityID": "22703a9d636747bc8d49d180ae520c558bf0e036888e0d4f0b9af32c77a4d309", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/test/positive_expected_result.json index e146f915889..4faf0ac9d22 100644 --- a/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/shield_advanced_not_in_use/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Shield Advanced Not In Use", "severity": "LOW", "line": 2, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Route53::HostedZone", + "resourceName": "HostedZone", + "searchKey": "Resources.HostedZone", + "searchValue": "", + "expectedValue": "Resources.HostedZone has shield advanced associated", + "actualValue": "Resources.HostedZone does not have shield advanced associated", + "issueType": "MissingAttribute", + "similarityID": "33f56597433e88e396f6c2b8fbb71ad45b4425387c0736eb2b2bebf0f610d8cf", + "search_line": -1 }, { "queryName": "Shield Advanced Not In Use", "severity": "LOW", "line": 3, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::Route53::HostedZone", + "resourceName": "HostedZone", + "searchKey": "Resources.HostedZone", + "searchValue": "", + "expectedValue": "Resources.HostedZone has shield advanced associated", + "actualValue": "Resources.HostedZone does not have shield advanced associated", + "issueType": "MissingAttribute", + "similarityID": "bd2d722f3b7ed06d1464d3833a3ee458027ba7dec79fd2b16de451252fa79a07", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json index 1d2f4f047b0..c5069bfdb46 100644 --- a/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::SNS::TopicPolicy", + "resourceName": "snsPolicy", + "searchKey": "Resources.snsPolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement shouldn't contain '*' for an AWS Principal", + "actualValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement contains '*' in an AWS Principal", + "issueType": "IncorrectValue", + "similarityID": "7b52b45c8d619e3b53dd7ce107cc865b54899bbd75e429327732ad2bfd97e39e", + "search_line": 7 }, { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", "line": 7, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::SNS::TopicPolicy", + "resourceName": "snsPolicy", + "searchKey": "Resources.snsPolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement shouldn't contain '*' for an AWS Principal", + "actualValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement contains '*' in an AWS Principal", + "issueType": "IncorrectValue", + "similarityID": "896e32ac0bb04e176241c80dea59d361e17bfb3a93d025133da7b5486210cd99", + "search_line": 7 }, { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", "line": 8, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::SNS::TopicPolicy", + "resourceName": "mysnspolicy0", + "searchKey": "Resources.mysnspolicy0.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.mysnspolicy0.Properties.PolicyDocument.Statement shouldn't contain '*' for an AWS Principal", + "actualValue": "Resources.mysnspolicy0.Properties.PolicyDocument.Statement contains '*' in an AWS Principal", + "issueType": "IncorrectValue", + "similarityID": 
"2cad517ef475fcadff86153283207ce476f1b76da920dea6337621a95ac8d14f", + "search_line": 8 }, { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", "line": 8, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::SNS::TopicPolicy", + "resourceName": "snsPolicy", + "searchKey": "Resources.snsPolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement shouldn't contain '*' for an AWS Principal", + "actualValue": "Resources.snsPolicy.Properties.PolicyDocument.Statement contains '*' in an AWS Principal", + "issueType": "IncorrectValue", + "similarityID": "03f1ad193c7e0b51920a73691286385dceec0bb6c2b74e421b76cb8d8dda5e9a", + "search_line": 8 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json index 5441937d0bb..3e1fc87a31d 100644 --- a/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "SNS Topic Publicity Has Allow and NotAction Simultaneously", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::SNS::TopicPolicy", + "resourceName": "mysnspolicy", + "searchKey": "Resources.mysnspolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.mysnspolicy.Properties.PolicyDocument.Statement has Effect 'Allow' and Action", + "actualValue": "Resources.mysnspolicy.Properties.PolicyDocument.Statement has Effect 'Allow' and NotAction", + "issueType": "IncorrectValue", + "similarityID": "630d0dd1f0b9316d558da723aca74347c805a2f20643736dde433c60e1285c15", + "search_line": -1 }, { "queryName": "SNS Topic Publicity Has Allow and NotAction Simultaneously", "severity": "MEDIUM", "line": 8, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::SNS::TopicPolicy", + "resourceName": "mysnspolicy", + "searchKey": "Resources.mysnspolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.mysnspolicy.Properties.PolicyDocument.Statement has Effect 'Allow' and Action", + "actualValue": "Resources.mysnspolicy.Properties.PolicyDocument.Statement has Effect 'Allow' and NotAction", + "issueType": "IncorrectValue", + "similarityID": "ec6f4880cbb881e7bebaa79da62bc3450b15a2f5f8d81a16721ef06320305d71", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/test/positive_expected_result.json index 295f0751270..d824448a72d 100644 --- a/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id/test/positive_expected_result.json 
@@ -1,14 +1,32 @@ [ { + "queryName": "SNS Topic Without KmsMasterKeyId", + "severity": "LOW", "line": 5, "fileName": "positive1.yaml", - "queryName": "SNS Topic Without KmsMasterKeyId", - "severity": "LOW" + "resourceType": "AWS::SNS::Topic", + "resourceName": "SampleTopic", + "searchKey": "Resources.MySNSTopic.Properties", + "searchValue": "", + "expectedValue": "Resources.MySNSTopic.Properties.KmsMasterKeyId should be defined", + "actualValue": "Resources.MySNSTopic.Properties.KmsMasterKeyId is undefined", + "issueType": "MissingAttribute", + "similarityID": "4d7523515bc53c5f011e1b9e4f55885dd837047b245d790dfc760730e9443ede", + "search_line": -1 }, { - "fileName": "positive2.json", "queryName": "SNS Topic Without KmsMasterKeyId", "severity": "LOW", - "line": 6 + "line": 6, + "fileName": "positive2.json", + "resourceType": "AWS::SNS::Topic", + "resourceName": "SampleTopic", + "searchKey": "Resources.MySNSTopic.Properties", + "searchValue": "", + "expectedValue": "Resources.MySNSTopic.Properties.KmsMasterKeyId should be defined", + "actualValue": "Resources.MySNSTopic.Properties.KmsMasterKeyId is undefined", + "issueType": "MissingAttribute", + "similarityID": "12d4381c00e4829a0e9af369a7cee6c98d75f36f3e37bee8fcecc875fe50f1cc", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/test/positive_expected_result.json index 130e5bdfa5f..99b0806d682 100644 --- a/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sqs_policy_with_public_access/test/positive_expected_result.json 
@@ -2,25 +2,61 @@ { "queryName": "SQS Policy With Public Access", "severity": "MEDIUM", + "line": 7, "fileName": "positive1.yaml", - "line": 7 + "resourceType": "AWS::SQS::QueuePolicy", + "resourceName": "SampleSQSPolicy", + "searchKey": "Resources.SampleSQSPolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal should not have wildcards when Effect=Allow and Action contains one of [SQS:AddPermission, SQS:CreateQueue, SQS:DeleteQueue, SQS:RemovePermission, SQS:TagQueue, SQS:UnTagQueue]", + "actualValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal has wildcards, Effect is Allow and Action contains SQS:CreateQueue", + "issueType": "IncorrectValue", + "similarityID": "d1bd58571404e665bab7c639828aa37f9e032c174009ffcf75886e9837115cbf", + "search_line": -1 }, { "queryName": "SQS Policy With Public Access", "severity": "MEDIUM", + "line": 7, "fileName": "positive2.yaml", - "line": 7 + "resourceType": "AWS::SQS::QueuePolicy", + "resourceName": "SampleSQSPolicy", + "searchKey": "Resources.SampleSQSPolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal should not have wildcards when Effect=Allow and Action contains one of [SQS:AddPermission, SQS:CreateQueue, SQS:DeleteQueue, SQS:RemovePermission, SQS:TagQueue, SQS:UnTagQueue]", + "actualValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal has wildcards, Effect is Allow and Action contains SQS:AddPermission", + "issueType": "IncorrectValue", + "similarityID": "20375be5a5d77a9752c50822b74baa0a0d15a92d799816b25d5cc2244a168118", + "search_line": -1 }, { "queryName": "SQS Policy With Public Access", "severity": "MEDIUM", + "line": 9, "fileName": "positive3.json", - "line": 9 + "resourceType": "AWS::SQS::QueuePolicy", + "resourceName": "SampleSQSPolicy", + "searchKey": 
"Resources.SampleSQSPolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal should not have wildcards when Effect=Allow and Action contains one of [SQS:AddPermission, SQS:CreateQueue, SQS:DeleteQueue, SQS:RemovePermission, SQS:TagQueue, SQS:UnTagQueue]", + "actualValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal has wildcards, Effect is Allow and Action contains SQS:CreateQueue", + "issueType": "IncorrectValue", + "similarityID": "e09a7995b9aa654252cad654b2b9b7d0d020c0777dad2fb87a937a3b46e498b1", + "search_line": -1 }, { "queryName": "SQS Policy With Public Access", "severity": "MEDIUM", + "line": 9, "fileName": "positive4.json", - "line": 9 + "resourceType": "AWS::SQS::QueuePolicy", + "resourceName": "SampleSQSPolicy", + "searchKey": "Resources.SampleSQSPolicy.Properties.PolicyDocument", + "searchValue": "", + "expectedValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal should not have wildcards when Effect=Allow and Action contains one of [SQS:AddPermission, SQS:CreateQueue, SQS:DeleteQueue, SQS:RemovePermission, SQS:TagQueue, SQS:UnTagQueue]", + "actualValue": "Resources.SampleSQSPolicy.Properties.PolicyDocument.Statement.Principal has wildcards, Effect is Allow and Action contains SQS:AddPermission", + "issueType": "IncorrectValue", + "similarityID": "f0eb8b157ec2ea4a8aa2bacdca2eb96208d144c1ea67e375c19715c9ed79a925", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/test/positive_expected_result.json index daedbd3605d..0e3a7791a6d 100644 --- a/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/sqs_with_sse_disabled/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", "line": 4, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::SQS::Queue", + "resourceName": "SampleQueue", + "searchKey": "Resources.MyQueue.Properties", + "searchValue": "", + "expectedValue": "Resources.MyQueue.Properties.KmsMasterKeyId should be set or SqsManagedSseEnabled set to true", + "actualValue": "Resources.MyQueue.Properties.KmsMasterKeyId is undefined and SqsManagedSseEnabled not enabled", + "issueType": "MissingAttribute", + "similarityID": "cccd85e4b016f77f7bc9eed3b1df1738b3bbc389d96271584bc196139d63a331", + "search_line": -1 }, { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::SQS::Queue", + "resourceName": "SampleQueue", + "searchKey": "Resources.MyQueue2.Properties", + "searchValue": "", + "expectedValue": "Resources.MyQueue2.Properties.KmsMasterKeyId should be set or SqsManagedSseEnabled set to true", + "actualValue": "Resources.MyQueue2.Properties.KmsMasterKeyId is undefined and SqsManagedSseEnabled not enabled", + "issueType": "MissingAttribute", + "similarityID": "5195eeea5216bb488934d49cce5a85b860f5b73c4841dfbae6b77512446ae529", + "search_line": -1 }, { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::SQS::Queue", + "resourceName": "SampleQueue", + "searchKey": "Resources.MyQueue.Properties", + "searchValue": "", + "expectedValue": "Resources.MyQueue.Properties.KmsMasterKeyId should be set or SqsManagedSseEnabled set to true", + "actualValue": "Resources.MyQueue.Properties.KmsMasterKeyId is undefined and SqsManagedSseEnabled not enabled", + "issueType": "MissingAttribute", + "similarityID": "592fb1cac02e3510154c3d5c97e12adac5fe394021022f0fe3407e3bcac04fbb", + "search_line": -1 }, { "queryName": "SQS With SSE 
Disabled", "severity": "MEDIUM", "line": 11, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::SQS::Queue", + "resourceName": "SampleQueue", + "searchKey": "Resources.MyQueue2.Properties", + "searchValue": "", + "expectedValue": "Resources.MyQueue2.Properties.KmsMasterKeyId should be set or SqsManagedSseEnabled set to true", + "actualValue": "Resources.MyQueue2.Properties.KmsMasterKeyId is undefined and SqsManagedSseEnabled not enabled", + "issueType": "MissingAttribute", + "similarityID": "689f0a6da857d2e41a4a633955ed6247d949e4227a5ad42ad0c7d7f4938bb1d5", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/stack_notifications_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/stack_notifications_disabled/test/positive_expected_result.json index 9d68ba1ee6c..d50216d3c4e 100644 --- a/assets/queries/cloudFormation/aws/stack_notifications_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/stack_notifications_disabled/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Stack Notifications Disabled", "severity": "LOW", "line": 5, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::CloudFormation::Stack", + "resourceName": "myStackWithParams", + "searchKey": "Resources.myStackWithParams.Properties", + "searchValue": "", + "expectedValue": "Resources.myStackWithParams.Properties.NotificationARNs should be set", + "actualValue": "Resources.myStackWithParams.Properties.NotificationARNs is undefined", + "issueType": "MissingAttribute", + "similarityID": "69d865834264c7fc7ab4a904d6693f1bcc9f1af1f9ac1cd122f62512ff5d84a5", + "search_line": -1 }, { "queryName": "Stack Notifications Disabled", "severity": "LOW", "line": 6, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::CloudFormation::Stack", + "resourceName": "myStackWithParams", + "searchKey": "Resources.myStackWithParams.Properties", + "searchValue": "", + "expectedValue": "Resources.myStackWithParams.Properties.NotificationARNs should be set", + "actualValue": "Resources.myStackWithParams.Properties.NotificationARNs is undefined", + "issueType": "MissingAttribute", + "similarityID": "f41700b6369c839cee72a4c24bd47a9635cf7e5badedadf7e1d814663ac6f17d", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/stack_retention_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/stack_retention_disabled/test/positive_expected_result.json index f49d35cf0ce..81523f201c6 100644 --- a/assets/queries/cloudFormation/aws/stack_retention_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/stack_retention_disabled/test/positive_expected_result.json 
@@ -3,90 +3,225 @@ "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 11, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset3.Properties.AutoDeployment.RetainStacksOnAccountRemoval", + "searchValue": "", + "expectedValue": "Resources.stackset3.Properties.AutoDeployment.RetainStacksOnAccountRemoval is true", + "actualValue": "Resources.stackset3.Properties.AutoDeployment.RetainStacksOnAccountRemoval is false", + "issueType": "IncorrectValue", + "similarityID": "96158f2780d78465caae3c603ed4e2c473106ff89daaf27012ed20a1093e961b", + "search_line": -1 }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 18, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset4.Properties.AutoDeployment", + "searchValue": "", + "expectedValue": "Resources.stackset4.Properties.AutoDeployment.RetainStacksOnAccountRemoval should be set", + "actualValue": "Resources.stackset4.Properties.AutoDeployment.RetainStacksOnAccountRemoval is undefined", + "issueType": "MissingAttribute", + "similarityID": "2ba9dc9d2e1db3df9d85a1423a590d806003435e80ff91d8bf365d09fe5ff10b", + "search_line": -1 }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 27, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset5.Properties.AutoDeployment.Enabled", + "searchValue": "", + "expectedValue": "Resources.stackset5.Properties.AutoDeployment.Enabled is true", + "actualValue": "Resources.stackset5.Properties.AutoDeployment.Enabled is false", + "issueType": "IncorrectValue", + "similarityID": "aa550454b66e5da34223bf5e320aa96ce6c77e484eaf34e1a46f44f0fde729b9", + 
"search_line": -1 }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 35, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset6.Properties.AutoDeployment", + "searchValue": "", + "expectedValue": "Resources.stackset6.Properties.AutoDeployment.Enabled should be set", + "actualValue": "Resources.stackset6.Properties.AutoDeployment.Enabled is undefined", + "issueType": "MissingAttribute", + "similarityID": "2f03f4ac5e10d3d8be09364ad390a1b3b0cd75849e79cc991761fd8f997383ba", + "search_line": -1 }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 39, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset7.Properties", + "searchValue": "", + "expectedValue": "Resources.stackset7.Properties.AutoDeployment should be set", + "actualValue": "Resources.stackset7.Properties.AutoDeployment is undefined", + "issueType": "MissingAttribute", + "similarityID": "5f094479b8e3df581e9d115143b7b3022a799149815bfd8be252e7f3f13ac51a", + "search_line": -1 }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 12, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset8.Properties.AutoDeployment.RetainStacksOnAccountRemoval", + "searchValue": "", + "expectedValue": "Resources.stackset8.Properties.AutoDeployment.RetainStacksOnAccountRemoval is true", + "actualValue": "Resources.stackset8.Properties.AutoDeployment.RetainStacksOnAccountRemoval is false", + "issueType": "IncorrectValue", + "similarityID": "8a74f1c1f0083d5eea0a0317b0b92c7de654d92b16fe607266a0aa5ad3c52165", + "search_line": -1 }, { "queryName": "Stack Retention Disabled", 
"severity": "MEDIUM", "line": 22, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset9.Properties.AutoDeployment", + "searchValue": "", + "expectedValue": "Resources.stackset9.Properties.AutoDeployment.RetainStacksOnAccountRemoval should be set", + "actualValue": "Resources.stackset9.Properties.AutoDeployment.RetainStacksOnAccountRemoval is undefined", + "issueType": "MissingAttribute", + "similarityID": "450654535b11c1b060b5e2d9fc3265269a97bea84960aa33a2c379869943b6e7", + "search_line": -1 }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 34, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset10.Properties.AutoDeployment.Enabled", + "searchValue": "", + "expectedValue": "Resources.stackset10.Properties.AutoDeployment.Enabled is true", + "actualValue": "Resources.stackset10.Properties.AutoDeployment.Enabled is false", + "issueType": "IncorrectValue", + "similarityID": "3d305d7a41501bfbf1e1d880e68220742cb78cfc8f99d3057ee62a860f7eef8a", + "search_line": -1 }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 45, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset11.Properties.AutoDeployment", + "searchValue": "", + "expectedValue": "Resources.stackset11.Properties.AutoDeployment.Enabled should be set", + "actualValue": "Resources.stackset11.Properties.AutoDeployment.Enabled is undefined", + "issueType": "MissingAttribute", + "similarityID": "72b4f9102b35d228c0b2f385f3bd35a7dc0415e6477dc502d21ad5c0e51f5581", + "search_line": -1 }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 52, - "fileName": 
"positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset12.Properties", + "searchValue": "", + "expectedValue": "Resources.stackset12.Properties.AutoDeployment should be set", + "actualValue": "Resources.stackset12.Properties.AutoDeployment is undefined", + "issueType": "MissingAttribute", + "similarityID": "dc4df7c16a776cb3c2335213e31c7956c4f3f1cb73531dafa0c51bcd574f2b82", + "search_line": -1 }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 11, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset3.Properties.AutoDeployment.RetainStacksOnAccountRemoval", + "searchValue": "", + "expectedValue": "Resources.stackset3.Properties.AutoDeployment.RetainStacksOnAccountRemoval is true", + "actualValue": "Resources.stackset3.Properties.AutoDeployment.RetainStacksOnAccountRemoval is false", + "issueType": "IncorrectValue", + "similarityID": "a40717428d2510bec44d6529072d2824c6de88e0627764456124667ed1441b55", + "search_line": -1 }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 18, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset4.Properties.AutoDeployment", + "searchValue": "", + "expectedValue": "Resources.stackset4.Properties.AutoDeployment.RetainStacksOnAccountRemoval should be set", + "actualValue": "Resources.stackset4.Properties.AutoDeployment.RetainStacksOnAccountRemoval is undefined", + "issueType": "MissingAttribute", + "similarityID": "b731db97ef9c83628d446674750ad0774caab0065904077cdac837c2f4d0546c", + "search_line": -1 }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 27, - "fileName": "positive3.yaml" + 
"fileName": "positive3.yaml", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset5.Properties.AutoDeployment.Enabled", + "searchValue": "", + "expectedValue": "Resources.stackset5.Properties.AutoDeployment.Enabled is true", + "actualValue": "Resources.stackset5.Properties.AutoDeployment.Enabled is false", + "issueType": "IncorrectValue", + "similarityID": "a093d25fc4237b48d18de5fb789d13b9226fda29411ed3a967915980fc022fb4", + "search_line": -1 }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 35, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset6.Properties.AutoDeployment", + "searchValue": "", + "expectedValue": "Resources.stackset6.Properties.AutoDeployment.Enabled should be set", + "actualValue": "Resources.stackset6.Properties.AutoDeployment.Enabled is undefined", + "issueType": "MissingAttribute", + "similarityID": "9ab1903de7d6a2935c147e8695455334d2932bb9dc395293d7ffb2a9e11f51dc", + "search_line": -1 }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", "line": 39, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::CloudFormation::StackSet", + "resourceName": "some_stack_name", + "searchKey": "Resources.stackset7.Properties", + "searchValue": "", + "expectedValue": "Resources.stackset7.Properties.AutoDeployment should be set", + "actualValue": "Resources.stackset7.Properties.AutoDeployment is undefined", + "issueType": "MissingAttribute", + "similarityID": "c98a8adf759dd2c94cba633d2a75eb1b9c607b901d8acec55541804779be2885", + "search_line": -1 } ] 
diff --git a/assets/queries/cloudFormation/aws/support_has_no_role_associated/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/support_has_no_role_associated/test/positive_expected_result.json index 782cd903677..797fa3c3f7f 100644 --- a/assets/queries/cloudFormation/aws/support_has_no_role_associated/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/support_has_no_role_associated/test/positive_expected_result.json 
@@ -1,38 +1,92 @@ [ { + "queryName": "Support Has No Role Associated", + "severity": "LOW", "line": 4, "fileName": "positive1.yaml", - "queryName": "Support Has No Role Associated", - "severity": "LOW" + "resourceType": "AWS::IAM::Policy", + "resourceName": "AWSSupportAccess", + "searchKey": "Resources.noRoles", + "searchValue": "", + "expectedValue": "'Resources.noRoles.Roles' should be set", + "actualValue": "'Resources.noRoles.Roles' is undefined", + "issueType": "IncorrectValue", + "similarityID": "5d7e6f2c85f734f517ee167a8ab1f40433dfe86e41f8bb411c7c1a5bab24765f", + "search_line": -1 }, { "queryName": "Support Has No Role Associated", "severity": "LOW", "line": 16, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::IAM::Policy", + "resourceName": "AWSSupportAccess", + "searchKey": "Resources.noUsers", + "searchValue": "", + "expectedValue": "'Resources.noUsers.Users' should be set", + "actualValue": "'Resources.noUsers.Users' is undefined", + "issueType": "IncorrectValue", + "similarityID": "5039d592793e50520903df921ff45d664cf5b64b6982ca6eca9fb4c506e4ff9f", + "search_line": -1 }, { "queryName": "Support Has No Role Associated", "severity": "LOW", "line": 28, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::IAM::Policy", + "resourceName": "AWSSupportAccess", + "searchKey": "Resources.noGroups", + "searchValue": "", + "expectedValue": "'Resources.noGroups.Groups' should be set", + "actualValue": "'Resources.noGroups.Groups' is undefined", + "issueType": "IncorrectValue", + "similarityID": "b5ea2bf675e66eafe80f4ab3e9c6ea00a144a0cbf8480afbdd76064765c26447", + "search_line": -1 }, { "queryName": "Support Has No Role Associated", "severity": "LOW", "line": 5, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::IAM::Policy", + "resourceName": "AWSSupportAccess", + "searchKey": "Resources.noRoles", + "searchValue": "", + "expectedValue": 
"'Resources.noRoles.Roles' should be set", + "actualValue": "'Resources.noRoles.Roles' is undefined", + "issueType": "IncorrectValue", + "similarityID": "1e800b4cae23081127784d326f74b379f18f192ca1c3c36732c21ab23059ee51", + "search_line": -1 }, { "queryName": "Support Has No Role Associated", "severity": "LOW", "line": 29, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::IAM::Policy", + "resourceName": "AWSSupportAccess", + "searchKey": "Resources.noUsers", + "searchValue": "", + "expectedValue": "'Resources.noUsers.Users' should be set", + "actualValue": "'Resources.noUsers.Users' is undefined", + "issueType": "IncorrectValue", + "similarityID": "2803373f5969d31b17eaf6759ea163d527675bf96b6e63566b1bce5a1bfc8305", + "search_line": -1 }, { "queryName": "Support Has No Role Associated", "severity": "LOW", "line": 53, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::IAM::Policy", + "resourceName": "AWSSupportAccess", + "searchKey": "Resources.noGroups", + "searchValue": "", + "expectedValue": "'Resources.noGroups.Groups' should be set", + "actualValue": "'Resources.noGroups.Groups' is undefined", + "issueType": "IncorrectValue", + "similarityID": "670b830d82ea59c2822c91ea524301898ef45ff770fd201d1d503cac9f7939c3", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json index 822c2cc2526..9fe17a5536c 100644 --- a/assets/queries/cloudFormation/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json 
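Review bot: The issueType pinned for all six "Support Has No Role Associated" entries is `"issueType": "IncorrectValue"` while their actualValue reads "... is undefined", which the other regenerated fixtures in this diff (Stack Retention Disabled, SQS With SSE Disabled, Stack Notifications Disabled) classify as `MissingAttribute`; the reverse mismatch appears in the "TCP UDP Protocol Network ACL Entry Allows All Ports" hunk, where the two InboundRule5 entries say "allows all ports" yet carry `"issueType": "MissingAttribute"`. These values are presumably emitted by each query's Rego rather than by the generator script, so the fixture is faithfully snapshotting an existing inconsistency; committing it as-is means the test suite now enforces the wrong classification and a later fix to either query must touch these fixtures again. Correcting the issueType in the two queries and regenerating before merge would avoid that, or at minimum the mismatch should be recorded in the PR description so it is tracked.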
@@ -1,74 +1,182 @@ [ - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 12, - "fileName": "positive1.json" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 21, - "fileName": "positive1.json" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 12, - "fileName": "positive2.yaml" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 19, - "fileName": "positive2.yaml" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 12, - "fileName": "positive3.json" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 21, - "fileName": "positive3.json" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 12, - "fileName": "positive4.yaml" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 19, - "fileName": "positive4.yaml" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 7, - "fileName": "positive5.json" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 17, - "fileName": "positive5.json" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 7, - "fileName": "positive6.yaml" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 15, - "fileName": "positive6.yaml" - } -] \ No newline at end of file + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 12, + "fileName": "positive1.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBInstance", + "searchKey": "Resources.MyDBInstance.Properties.CopyTagsToSnapshot", + "searchValue": "", + "expectedValue": 
"'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is set to false", + "issueType": "IncorrectValue", + "similarityID": "a993d5d435a928e1b5d706552f5e222c8a81831739adf7f001dc86a3d55cf920", + "search_line": 12 + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 21, + "fileName": "positive1.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "MyDBCluster", + "searchKey": "Resources.MyDBCluster.Properties.CopyTagsToSnapshot", + "searchValue": "", + "expectedValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is set to false", + "issueType": "IncorrectValue", + "similarityID": "5c4652aaa9a5339104a4a9220ad83eed3c8910bed749d4af847e0065b44c970a", + "search_line": 21 + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 12, + "fileName": "positive2.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBInstance", + "searchKey": "Resources.MyDBInstance.Properties.CopyTagsToSnapshot", + "searchValue": "", + "expectedValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is set to false", + "issueType": "IncorrectValue", + "similarityID": "71c356ff9abc154c57ee0049b119ccd96f6768e0ea727f3ca59d8087f98ffbfe", + "search_line": 12 + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 19, + "fileName": "positive2.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "MyDBCluster", + "searchKey": "Resources.MyDBCluster.Properties.CopyTagsToSnapshot", + "searchValue": "", + "expectedValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": 
"'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is set to false", + "issueType": "IncorrectValue", + "similarityID": "eb8f3bde11268ac875d5169d9a9e16c0e39cfe07ef66da7c239e4f6bdcf5f1f0", + "search_line": 19 + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 12, + "fileName": "positive3.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBInstance", + "searchKey": "Resources.MyDBInstance.Properties.CopyTagsToSnapshot", + "searchValue": "", + "expectedValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is set to false", + "issueType": "IncorrectValue", + "similarityID": "2c1f298c69a156d04b477fc3274079d8f6c21f5a2c50872ef0c572ba529683de", + "search_line": 12 + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 21, + "fileName": "positive3.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "MyDBCluster", + "searchKey": "Resources.MyDBCluster.Properties.CopyTagsToSnapshot", + "searchValue": "", + "expectedValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is set to false", + "issueType": "IncorrectValue", + "similarityID": "30f4f640a52a2880f9c0ba34733df1fddee8f98932c0e182ca8acd85a6f80c59", + "search_line": 21 + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 12, + "fileName": "positive4.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBInstance", + "searchKey": "Resources.MyDBInstance.Properties.CopyTagsToSnapshot", + "searchValue": "", + "expectedValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is set to false", + "issueType": "IncorrectValue", + 
"similarityID": "dcc4b1efa8dc55b94c6b24bdd01bb134fcf75f6ecb5d5259f8e2de0c60bcde9e", + "search_line": 12 + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 19, + "fileName": "positive4.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "MyDBCluster", + "searchKey": "Resources.MyDBCluster.Properties.CopyTagsToSnapshot", + "searchValue": "", + "expectedValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is set to false", + "issueType": "IncorrectValue", + "similarityID": "8ea9021d7ae850ac05fdbff4073d1ad4f61d736afaff9bbebab0fa23fdb904b1", + "search_line": 19 + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 7, + "fileName": "positive5.json", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBInstance", + "searchKey": "Resources.MyDBInstance.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is not defined", + "issueType": "MissingAttribute", + "similarityID": "6fea5ee076a40bddac4da7cb3d14bc79b667541c1e4abc52db54b04bafe0fada", + "search_line": 7 + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 17, + "fileName": "positive5.json", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "MyDBCluster", + "searchKey": "Resources.MyDBCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is not defined", + "issueType": "MissingAttribute", + "similarityID": "24596309da3af3b1bba07d783ff1d222f82ae2f4861c5b4ab5f84270b65843a0", + "search_line": 17 + }, + { + "queryName": "Tags Not Copied to RDS 
Cluster Snapshot", + "severity": "LOW", + "line": 7, + "fileName": "positive6.yaml", + "resourceType": "AWS::RDS::DBInstance", + "resourceName": "MyDBInstance", + "searchKey": "Resources.MyDBInstance.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBInstance.Properties.CopyTagsToSnapshot' is not defined", + "issueType": "MissingAttribute", + "similarityID": "96dd2cceac882f3ac14ea0902e547122f88c643b54ca439105b8c216837a53af", + "search_line": 7 + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 15, + "fileName": "positive6.yaml", + "resourceType": "AWS::RDS::DBCluster", + "resourceName": "MyDBCluster", + "searchKey": "Resources.MyDBCluster.Properties", + "searchValue": "", + "expectedValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' should be set to true", + "actualValue": "'Resources.MyDBCluster.Properties.CopyTagsToSnapshot' is not defined", + "issueType": "MissingAttribute", + "similarityID": "9ce6bc8dd384288638d66569c5dfe7801fe02ef4d64a2967da3acaabb9270ab7", + "search_line": 15 + } +] diff --git a/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/test/positive_expected_result.json index 084553f4de3..c3de081a81f 100644 --- a/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports/test/positive_expected_result.json 
@@ -1,50 +1,122 @@ [ { - "fileName": "positive1.yaml", "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", "severity": "MEDIUM", - "line": 33 - }, - { "line": 18, "fileName": "positive1.yaml", - "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", - "severity": "MEDIUM" + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule2", + "searchKey": "Resources.InboundRule2.Properties.PortRange", + "searchValue": "", + "expectedValue": "Resources.InboundRule2.Properties.PortRange.To should be set", + "actualValue": "Resources.InboundRule2.Properties.PortRange.To is undefined", + "issueType": "MissingAttribute", + "similarityID": "9a79577448b61292a14b47992e8af039473bf546b415598ba1388190b38edffb", + "search_line": -1 }, { "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", "severity": "MEDIUM", "line": 29, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule3", + "searchKey": "Resources.InboundRule3.Properties.PortRange", + "searchValue": "", + "expectedValue": "Resources.InboundRule3.Properties.PortRange.From should be set", + "actualValue": "Resources.InboundRule3.Properties.PortRange.From is undefined", + "issueType": "MissingAttribute", + "similarityID": "afcfd46de277de8932c36043842e0c54807028907a5c04487cf3cc13b53883ef", + "search_line": -1 }, { "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", "severity": "MEDIUM", - "line": 49, - "fileName": "positive1.yaml" + "line": 33, + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule4", + "searchKey": "Resources.InboundRule4.Properties", + "searchValue": "", + "expectedValue": "Resources.InboundRule4.Properties.PortRange should be set", + "actualValue": "Resources.InboundRule4.Properties.PortRange is undefined", + "issueType": "MissingAttribute", + "similarityID": 
"2cf01a154f93093503a760de6214c62c00814215231d30b698a076463f8235d1", + "search_line": -1 }, { + "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", "severity": "MEDIUM", - "line": 47, - "fileName": "positive2.json", - "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports" + "line": 49, + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule5", + "searchKey": "Resources.InboundRule5.Properties.PortRange", + "searchValue": "", + "expectedValue": "Resources.InboundRule5.Properties.PortRange should not allow all ports", + "actualValue": "Resources.InboundRule5.Properties.PortRange allows all ports", + "issueType": "MissingAttribute", + "similarityID": "aa65c58228687d179efd1f2b948e7539ae9805fd20e5acbbbff58eb9cc0ce535", + "search_line": -1 }, { + "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", "severity": "MEDIUM", "line": 21, "fileName": "positive2.json", - "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports" + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule2", + "searchKey": "Resources.InboundRule2.Properties.PortRange", + "searchValue": "", + "expectedValue": "Resources.InboundRule2.Properties.PortRange.To should be set", + "actualValue": "Resources.InboundRule2.Properties.PortRange.To is undefined", + "issueType": "MissingAttribute", + "similarityID": "7f8516668357414a28b76f7e71b334bd9e4697b12459bed208661b95bb7d284a", + "search_line": -1 }, { "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", "severity": "MEDIUM", "line": 40, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule3", + "searchKey": "Resources.InboundRule3.Properties.PortRange", + "searchValue": "", + "expectedValue": "Resources.InboundRule3.Properties.PortRange.From should be set", + "actualValue": "Resources.InboundRule3.Properties.PortRange.From is 
undefined", + "issueType": "MissingAttribute", + "similarityID": "93dac5b5aeed76cee84e133a469c7e66a8187751b77f42d8f55ffe471f355833", + "search_line": -1 + }, + { + "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", + "severity": "MEDIUM", + "line": 47, + "fileName": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule4", + "searchKey": "Resources.InboundRule4.Properties", + "searchValue": "", + "expectedValue": "Resources.InboundRule4.Properties.PortRange should be set", + "actualValue": "Resources.InboundRule4.Properties.PortRange is undefined", + "issueType": "MissingAttribute", + "similarityID": "d3a1c3289a7de50e4f4679d075fd8b7d7be697a35e05caabb2977df0d75bba2e", + "search_line": -1 }, { "queryName": "TCP UDP Protocol Network ACL Entry Allows All Ports", "severity": "MEDIUM", "line": 61, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::NetworkAclEntry", + "resourceName": "InboundRule5", + "searchKey": "Resources.InboundRule5.Properties.PortRange", + "searchValue": "", + "expectedValue": "Resources.InboundRule5.Properties.PortRange should not allow all ports", + "actualValue": "Resources.InboundRule5.Properties.PortRange allows all ports", + "issueType": "MissingAttribute", + "similarityID": "6cf244909eca1ea3e497a75fbb109e34aedefc71568a963e30a63a2a17ecc4ee", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json index 277b995e388..4cc16a08f7a 100644 --- a/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json 
@@ -3,96 +3,240 @@ "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 10, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4", + "searchKey": "Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]' should not open unknown ports to the Internet", + "actualValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]' opens unknown ports to the Internet", + "issueType": "IncorrectValue", + "similarityID": "bd2eb38dab188ff990bbc9854d49b3d2b7025f0cb723d44c925761f23aa3351e", + "search_line": 10 }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 14, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4", + "searchKey": "Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]' should not open unknown ports to the Internet", + "actualValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]' opens unknown ports to the Internet", + "issueType": "IncorrectValue", + "similarityID": "1b9347386f43a30b0c30376a7d3649355ae5899ebeb2a80c7636444835bd29ff", + "search_line": 14 }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 21, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1IPv4", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open unknown ports to the Internet", + "actualValue": "'Resources.IPv4Ingress1.Properties' opens unknown ports to the Internet", + "issueType": "IncorrectValue", + "similarityID": 
"e169b0c29566e9dfd3766a43e33e29d083dabe2c01ccc5c917d492233ecd367b", + "search_line": 21 }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 30, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1IPv4", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open unknown ports to the Internet", + "actualValue": "'Resources.IPv4Ingress2.Properties' opens unknown ports to the Internet", + "issueType": "IncorrectValue", + "similarityID": "ed7fecef2cb52de364695666688a89dd8c7775442de991ab02654ef9823e423d", + "search_line": 30 }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 45, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6", + "searchKey": "Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]' should not open unknown ports to the Internet", + "actualValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]' opens unknown ports to the Internet", + "issueType": "IncorrectValue", + "similarityID": "9d6174ee1fda44a7a46bea167d410e2be5fa96c85421e5cf633e886e4c4bbd7e", + "search_line": 45 }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 49, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6", + "searchKey": "Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]' should not open unknown ports to the Internet", + "actualValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]' opens unknown ports 
to the Internet", + "issueType": "IncorrectValue", + "similarityID": "2158756327794fed3696e7b50837ecef91bc0b94518baef05b8e71b605dddeba", + "search_line": 49 }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 56, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1IPv6", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open unknown ports to the Internet", + "actualValue": "'Resources.IPv6Ingress1.Properties' opens unknown ports to the Internet", + "issueType": "IncorrectValue", + "similarityID": "3c1eb933f30b0958f42f657aa75e07099b5e2f9e9b2fe18c0787113f36bbb6de", + "search_line": 56 }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 65, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1IPv6", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open unknown ports to the Internet", + "actualValue": "'Resources.IPv6Ingress2.Properties' opens unknown ports to the Internet", + "issueType": "IncorrectValue", + "similarityID": "b87bbe9a74a85be1e4e2a3ebc5942284c244b66cfaebdbe31f2e7f33bb0aaf7b", + "search_line": 65 }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 10, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4", + "searchKey": "Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]' should not open unknown ports to the Internet", + "actualValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[0]' opens unknown ports 
to the Internet", + "issueType": "IncorrectValue", + "similarityID": "64f628902df354e1e2f97def4ac826a71bdeeeb626bd011d3b4ff1ab82c08e10", + "search_line": 10 }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 16, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv4", + "searchKey": "Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]' should not open unknown ports to the Internet", + "actualValue": "'Resources.Positive1IPv4.Properties.SecurityGroupIngress[1]' opens unknown ports to the Internet", + "issueType": "IncorrectValue", + "similarityID": "00769de6ab3ee9098b6b3b40cf5c7104c8dfc3c70b3f8cfda2cd4387ca107d5d", + "search_line": 16 }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 26, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1IPv4", + "searchKey": "Resources.IPv4Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress1.Properties' should not open unknown ports to the Internet", + "actualValue": "'Resources.IPv4Ingress1.Properties' opens unknown ports to the Internet", + "issueType": "IncorrectValue", + "similarityID": "3fa35d1889113e62d5d5b5710b719480cf48e1b6124286adceabcb9ae79ec30a", + "search_line": 26 }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 36, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1IPv4", + "searchKey": "Resources.IPv4Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv4Ingress2.Properties' should not open unknown ports to the Internet", + "actualValue": "'Resources.IPv4Ingress2.Properties' opens unknown ports 
to the Internet", + "issueType": "IncorrectValue", + "similarityID": "1f471bf8c6f1cfceb5ae8550b013fc42ca60362c4bf604f7e67b4cc588628a9a", + "search_line": 36 }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 51, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6", + "searchKey": "Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]' should not open unknown ports to the Internet", + "actualValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[0]' opens unknown ports to the Internet", + "issueType": "IncorrectValue", + "similarityID": "17ba21d5d8bb6738e9e88f6b3210e9d052cdb076fcdc81d30aa432ee61fb82ef", + "search_line": 51 }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 57, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "Positive1IPv6", + "searchKey": "Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]", + "searchValue": "", + "expectedValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]' should not open unknown ports to the Internet", + "actualValue": "'Resources.Positive1IPv6.Properties.SecurityGroupIngress[1]' opens unknown ports to the Internet", + "issueType": "IncorrectValue", + "similarityID": "b8d82ba053ff57b7e3788d8a8b28682bc629df0b6b44356b1dc3b3cf90f79663", + "search_line": 57 }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 67, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1IPv6", + "searchKey": "Resources.IPv6Ingress1.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress1.Properties' should not open unknown ports to the Internet", + 
"actualValue": "'Resources.IPv6Ingress1.Properties' opens unknown ports to the Internet", + "issueType": "IncorrectValue", + "similarityID": "2e7b385d7b91c815b086363868b5c987b1455868639abecf4b40e1b05796bfd1", + "search_line": 67 }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 77, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "Positive1IPv6", + "searchKey": "Resources.IPv6Ingress2.Properties", + "searchValue": "", + "expectedValue": "'Resources.IPv6Ingress2.Properties' should not open unknown ports to the Internet", + "actualValue": "'Resources.IPv6Ingress2.Properties' opens unknown ports to the Internet", + "issueType": "IncorrectValue", + "similarityID": "bf88917b0f2b32bc81be4bd31c46ad9bf235764de11cef37395b6a090f5e23a4", + "search_line": 77 } ] diff --git a/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/test/positive_expected_result.json index 8436a1ff378..acde50f3d5a 100644 --- a/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 13, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp should not be open to the world (0.0.0.0/0)", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp is open to the world (0.0.0.0/0)", + "issueType": "IncorrectValue", + "similarityID": "b9e8d03be203917c136f7aeff74964cef427d229aa33f9a6014bcdcabd8da137", + "search_line": 13 }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 43, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.CidrIpv6 should not be open to the world (::/0)", + "actualValue": "Resources.InboundRule.Properties.CidrIpv6 is open to the world (::/0)", + "issueType": "IncorrectValue", + "similarityID": "347f4388ad33447529b7a23d5b2a8e00baa367791c06089491bb1e2f46ce00d4", + "search_line": 43 }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 30, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroupIngress", + "resourceName": "InboundRule", + "searchKey": "Resources.InboundRule.Properties.CidrIpv6", + "searchValue": "", + "expectedValue": "Resources.InboundRule.Properties.CidrIpv6 should not be open to the world (::/0)", + "actualValue": "Resources.InboundRule.Properties.CidrIpv6 is open to the world (::/0)", + "issueType": "IncorrectValue", + "similarityID": 
"7ffd2272d19e58f036498fb8532fadcc2bfd157d2c0958ba021078954677efa3", + "search_line": 30 }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 56, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::SecurityGroup", + "resourceName": "InstanceSecurityGroup", + "searchKey": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress", + "searchValue": "", + "expectedValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp should not be open to the world (0.0.0.0/0)", + "actualValue": "Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress[0].CidrIp is open to the world (0.0.0.0/0)", + "issueType": "IncorrectValue", + "similarityID": "ff165d95cbdd16b95e486856710dd2d3aa4bcac6a74c8ec5bbd6c07ee6b5f0a7", + "search_line": 56 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/unscanned_ecr_image/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/unscanned_ecr_image/test/positive_expected_result.json index ea5c7178c23..5b736bd324b 100644 --- a/assets/queries/cloudFormation/aws/unscanned_ecr_image/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/unscanned_ecr_image/test/positive_expected_result.json 
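Review bot: The two `AWS::EC2::SecurityGroup` entries in this hunk (positive1.yaml line 13, positive2.json line 56) pin a `searchKey` of `Resources.InstanceSecurityGroup.Properties.SecurityGroupIngress` with no element index, while their `expectedValue`/`actualValue` strings point at `SecurityGroupIngress[0].CidrIp`. If the similarity ID is derived from `searchKey` (the generator in this PR runs with `--kics_compute_new_simid`), a security group with two or more world-open ingress rules would yield identical `similarityID` values and the extra findings could be collapsed by deduplication, so the fixture would then be locking in a key that is less precise than the message it describes. Worth checking the query's `searchKey` construction against the `SecurityGroupIngress` entries in the neighbouring `unknown_port_exposed_to_internet` fixture, which do carry the `[0]`/`[1]` index; if the query is changed, regenerate this file rather than hand-editing it.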
@@ -3,24 +3,60 @@ "queryName": "Unscanned ECR Image", "severity": "LOW", "line": 5, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::ECR::Repository", + "resourceName": "test-repository", + "searchKey": "Resources.MyRepository3.Properties", + "searchValue": "", + "expectedValue": "Resources.MyRepository3.Properties.ImageScanningConfiguration should be defined", + "actualValue": "Resources.MyRepository3.Properties.ImageScanningConfiguration is undefined", + "issueType": "MissingAttribute", + "similarityID": "e1d1b2627dd32126097d3d43d45b82faadd4bffc94b76b41b68e9335295a216d", + "search_line": -1 }, { "queryName": "Unscanned ECR Image", "severity": "LOW", "line": 8, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::ECR::Repository", + "resourceName": "test-repository", + "searchKey": "Resources.MyRepository4.Properties.ImageScanningConfiguration.ScanOnPush", + "searchValue": "", + "expectedValue": "Resources.MyRepository4.Properties.ImageScanningConfiguration.ScanOnPush should be set to true", + "actualValue": "Resources.MyRepository4.Properties.ImageScanningConfiguration.ScanOnPush is set to false", + "issueType": "IncorrectValue", + "similarityID": "9080cf733d25d2640fc8399bdc2eea3dccdcdb589154de8c646580d14bc019a6", + "search_line": -1 }, { "queryName": "Unscanned ECR Image", "severity": "LOW", "line": 6, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::ECR::Repository", + "resourceName": "test-repository", + "searchKey": "Resources.MyRepository5.Properties", + "searchValue": "", + "expectedValue": "Resources.MyRepository5.Properties.ImageScanningConfiguration should be defined", + "actualValue": "Resources.MyRepository5.Properties.ImageScanningConfiguration is undefined", + "issueType": "MissingAttribute", + "similarityID": "3363ae4796cb541f133cc5132fd214a8d202e022ff635940134635a98d20463c", + "search_line": -1 }, { "queryName": "Unscanned ECR Image", 
"severity": "LOW", "line": 9, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::ECR::Repository", + "resourceName": "test-repository", + "searchKey": "Resources.MyRepository6.Properties.ImageScanningConfiguration.ScanOnPush", + "searchValue": "", + "expectedValue": "Resources.MyRepository6.Properties.ImageScanningConfiguration.ScanOnPush should be set to true", + "actualValue": "Resources.MyRepository6.Properties.ImageScanningConfiguration.ScanOnPush is set to false", + "issueType": "IncorrectValue", + "similarityID": "df3701027a5c0cefe20d2ec975411a46a17354eed89070836fa20ce5733c28ea", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json index 951303e8652..f4984cfc0ab 100644 --- a/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json 
@@ -1,14 +1,32 @@ [ - { - "queryName": "User Data Contains Encoded Private Key", - "severity": "HIGH", - "line": 12, - "fileName": "positive.json" - }, { - "queryName": "User Data Contains Encoded Private Key", - "severity": "HIGH", - "line": 13, - "fileName": "positive.yaml" - } + "queryName": "User Data Contains Encoded Private Key", + "severity": "HIGH", + "line": 12, + "fileName": "positive.json", + "resourceType": "AWS::AutoScaling::LaunchConfiguration", + "resourceName": "myLaunchConfig3", + "searchKey": "Resources.myLaunchConfig3.Properties.UserData", + "searchValue": "", + "expectedValue": "'Resources.myLaunchConfig3.Properties.UserData' shouldn't contain RSA Private Key", + "actualValue": "'Resources.myLaunchConfig3.Properties.UserData' contains RSA Private Key", + "issueType": "IncorrectValue", + "similarityID": "c9cac3779b52b7efaacfe43cb672f6d7e63590e1b4a3b267d59e84787cc9d8b1", + "search_line": -1 + }, + { + "queryName": "User Data Contains Encoded Private Key", + "severity": "HIGH", + "line": 13, + "fileName": "positive.yaml", + "resourceType": "AWS::AutoScaling::LaunchConfiguration", + "resourceName": "myLaunchConfig4", + "searchKey": "Resources.myLaunchConfig4.Properties.UserData", + "searchValue": "", + "expectedValue": "'Resources.myLaunchConfig4.Properties.UserData' shouldn't contain RSA Private Key", + "actualValue": "'Resources.myLaunchConfig4.Properties.UserData' contains RSA Private Key", + "issueType": "IncorrectValue", + "similarityID": "2fa85244d7341334e96a8d44aac71061b87c7c8edab736bf868e8ff079f26f1a", + "search_line": -1 + } ] diff --git a/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/test/positive_expected_result.json index 9bb7a0524e4..62fcbd37cd2 100644 --- a/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/test/positive_expected_result.json 
+++ b/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required/test/positive_expected_result.json 
@@ -3,42 +3,105 @@ "queryName": "IAM User Without Password Reset", "severity": "MEDIUM", "line": 10, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::IAM::User", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.LoginProfile.PasswordResetRequired", + "searchValue": "", + "expectedValue": "'Resources.myuser.Properties.LoginProfile.PasswordResetRequired' should be configured as true", + "actualValue": "'Resources.myuser.Properties.LoginProfile.PasswordResetRequired' is configured as false", + "issueType": "IncorrectValue", + "similarityID": "576195591b068ad30964cd6f403766b279ab0c2c2bb61dd637f7156effdb659f", + "search_line": -1 }, { "queryName": "IAM User Without Password Reset", "severity": "MEDIUM", "line": 8, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::IAM::User", + "resourceName": "newuser", + "searchKey": "Resources.newuser.Properties.LoginProfile", + "searchValue": "", + "expectedValue": "'Resources.newuser.Properties.LoginProfile' should also include PasswordResetRequired property set to true", + "actualValue": "'Resources.newuser.Properties.LoginProfile' contains only Password property", + "issueType": "MissingAttribute", + "similarityID": "ebcb377acbeea095c36f3427a49c73bd8922dac6fbe10f548df0d1f585846003", + "search_line": -1 }, { "queryName": "IAM User Without Password Reset", "severity": "MEDIUM", "line": 6, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::IAM::User", + "resourceName": "topuser", + "searchKey": "Resources.topuser.Properties", + "searchValue": "", + "expectedValue": "'Resources.topuser.Properties' should be configured with LoginProfile with PasswordResetRequired property set to true", + "actualValue": "'Resources.topuser.Properties' does not include LoginProfile", + "issueType": "MissingAttribute", + "similarityID": "fe089cdff11a40c0306bdf0be63f2e1c4f364671ea4f33914a85caa564216428", + "search_line": -1 
}, { "queryName": "IAM User Without Password Reset", "severity": "MEDIUM", "line": 38, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::IAM::User", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.LoginProfile.PasswordResetRequired", + "searchValue": "", + "expectedValue": "'Resources.myuser.Properties.LoginProfile.PasswordResetRequired' should be configured as true", + "actualValue": "'Resources.myuser.Properties.LoginProfile.PasswordResetRequired' is configured as false", + "issueType": "IncorrectValue", + "similarityID": "b96e74542d30a8d319bea0e8bc048eb091efd336c41953eb246fd641743c7866", + "search_line": -1 }, { "queryName": "IAM User Without Password Reset", "severity": "MEDIUM", "line": 9, - "fileName": "positive5.json" + "fileName": "positive5.json", + "resourceType": "AWS::IAM::User", + "resourceName": "newuser", + "searchKey": "Resources.newuser.Properties.LoginProfile", + "searchValue": "", + "expectedValue": "'Resources.newuser.Properties.LoginProfile' should also include PasswordResetRequired property set to true", + "actualValue": "'Resources.newuser.Properties.LoginProfile' contains only Password property", + "issueType": "MissingAttribute", + "similarityID": "1ee952d64c8f77813f8e19666a2586e22216700a944989297b47ed3292be7466", + "search_line": -1 }, { "queryName": "IAM User Without Password Reset", "severity": "MEDIUM", "line": 7, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "AWS::IAM::User", + "resourceName": "topuser", + "searchKey": "Resources.topuser.Properties", + "searchValue": "", + "expectedValue": "'Resources.topuser.Properties' should be configured with LoginProfile with PasswordResetRequired property set to true", + "actualValue": "'Resources.topuser.Properties' does not include LoginProfile", + "issueType": "MissingAttribute", + "similarityID": "d2e42f0d5e396c2f77fac84af9d7022d9849f1dff27b42f14fdbe8d28943667f", + "search_line": -1 }, { 
"queryName": "IAM User Without Password Reset", "severity": "MEDIUM", "line": 10, - "fileName": "positive7.yaml" + "fileName": "positive7.yaml", + "resourceType": "AWS::IAM::User", + "resourceName": "myuser", + "searchKey": "Resources.myuser.Properties.LoginProfile.PasswordResetRequired", + "searchValue": "", + "expectedValue": "'Resources.myuser.Properties.LoginProfile.PasswordResetRequired' should be configured as true", + "actualValue": "'Resources.myuser.Properties.LoginProfile.PasswordResetRequired' is configured as false", + "issueType": "IncorrectValue", + "similarityID": "7af34ef5dd3d5d2dbd655e4fdee8865f450cea1ca08393ba8c0198b8bee46070", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/test/positive_expected_result.json index c61700e6a95..332ed0e2401 100644 --- a/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways/test/positive_expected_result.json 
@@ -1,14 +1,32 @@ [ { + "queryName": "VPC Attached With Too Many Gateways", + "severity": "LOW", "line": 3, "fileName": "positive1.yaml", - "queryName": "VPC Attached With Too Many Gateways", - "severity": "LOW" + "resourceType": "AWS::EC2::VPC", + "resourceName": "myVPC", + "searchKey": "Resources.myVPC", + "searchValue": "", + "expectedValue": "'Resources.myVPC' should not be attached with a number of gateways close to or out of limit (>3)", + "actualValue": "'Resources.myVPC' is attached with a number of gateways close to or out of limit (>3)", + "issueType": "IncorrectValue", + "similarityID": "d6abdcd3dc2f905c1d81bfa2f4bdb193bc84485f3a8f7cc23c6569a788816d4a", + "search_line": -1 }, { + "queryName": "VPC Attached With Too Many Gateways", "severity": "LOW", "line": 7, "fileName": "positive2.json", - "queryName": "VPC Attached With Too Many Gateways" + "resourceType": "AWS::EC2::VPC", + "resourceName": "myVPC", + "searchKey": "Resources.myVPC", + "searchValue": "", + "expectedValue": "'Resources.myVPC' should not be attached with a number of gateways close to or out of limit (>3)", + "actualValue": "'Resources.myVPC' is attached with a number of gateways close to or out of limit (>3)", + "issueType": "IncorrectValue", + "similarityID": "684412983fe6187ba5724aa7a20ece0113e35f019518a2c19e2b6e90c18023db", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/test/positive_expected_result.json index bfe28c75d9c..b6f8aa23d29 100644 --- a/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "VPC FlowLogs Disabled", "severity": "MEDIUM", "line": 34, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::VPC", + "resourceName": "10.${ClassB}.0.0/16", + "searchKey": "Resources.MyVPC", + "searchValue": "", + "expectedValue": "Resources.MyVPC has a FlowLogs resource associated", + "actualValue": "Resources.MyVPC doesn't have a FlowLogs resource associated", + "issueType": "MissingAttribute", + "similarityID": "c0b27a6b70f2a8bf840aed7ffec9be5ffbddf4b1b25cb635fd3f54f653d648f4", + "search_line": -1 }, { "queryName": "VPC FlowLogs Disabled", "severity": "MEDIUM", "line": 52, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::VPC", + "resourceName": "10.${ClassB}.0.0/16", + "searchKey": "Resources.MyVPC", + "searchValue": "", + "expectedValue": "Resources.MyVPC has a FlowLogs resource associated", + "actualValue": "Resources.MyVPC doesn't have a FlowLogs resource associated", + "issueType": "MissingAttribute", + "similarityID": "1df9dd048090dcf82b1e2aea0b099eb4ecb49a922402b56802e32550e91d5794", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/test/positive_expected_result.json index f18094de1e3..2784dec4350 100644 --- a/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/vpc_without_attached_subnet/test/positive_expected_result.json 
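Review bot: Both entries in this hunk pin `resourceName` to `10.${ClassB}.0.0/16`, which reads as the VPC's `CidrBlock` (an unresolved `!Sub` expression) rather than a name; the logical ID `MyVPC` is already in `searchKey`. That suggests the resource-name helper used by this query falls back to the first string-valued property when no `Name` tag is present, and committing it here as the expected result freezes that behaviour into the test suite for every future regeneration. I would confirm the helper's fallback order before merging this fixture, fix it in the query if it is indeed picking up `CidrBlock`, and then re-run the generator so `resourceName` becomes the logical ID (or the `Name` tag) instead of a CIDR string.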
@@ -1,14 +1,32 @@ [ { + "queryName": "VPC Without Attached Subnet", "severity": "LOW", "line": 3, "fileName": "positive1.yaml", - "queryName": "VPC Without Attached Subnet" + "resourceType": "AWS::EC2::VPC", + "resourceName": "myVPC_1", + "searchKey": "Resources.myVPC_1", + "searchValue": "", + "expectedValue": "'Resources.myVPC_1' should be attached to resources", + "actualValue": "'Resources.myVPC_1' is not attached to resources", + "issueType": "MissingAttribute", + "similarityID": "fdc2b2e013ec6d338eafb31611dc06a8a0a7e095d4872788cda1f846e3917b35", + "search_line": -1 }, { + "queryName": "VPC Without Attached Subnet", "severity": "LOW", "line": 4, "fileName": "positive2.json", - "queryName": "VPC Without Attached Subnet" + "resourceType": "AWS::EC2::VPC", + "resourceName": "myVPC_1", + "searchKey": "Resources.myVPC_1", + "searchValue": "", + "expectedValue": "'Resources.myVPC_1' should be attached to resources", + "actualValue": "'Resources.myVPC_1' is not attached to resources", + "issueType": "MissingAttribute", + "similarityID": "df19f49391f626e4d676c659b9a070bf5c89e3fe0e32de01450efa5c3debe651", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/vpc_without_network_firewall/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/vpc_without_network_firewall/test/positive_expected_result.json index b950d374c71..fbee1c5ef78 100644 --- a/assets/queries/cloudFormation/aws/vpc_without_network_firewall/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/vpc_without_network_firewall/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "VPC Without Network Firewall", "severity": "MEDIUM", "line": 3, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::EC2::VPC", + "resourceName": "myVPC11", + "searchKey": "Resources.myVPC11", + "searchValue": "", + "expectedValue": "'Resources.myVPC11' should be associated with a AWS Network Firewall", + "actualValue": "'Resources.myVPC11' is not associated with a AWS Network Firewall", + "issueType": "MissingAttribute", + "similarityID": "6757fb66334fb46667b68781952e35321337427859143d96315e170f3b14030f", + "search_line": 3 }, { "queryName": "VPC Without Network Firewall", "severity": "MEDIUM", "line": 21, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "AWS::EC2::VPC", + "resourceName": "myVPC11", + "searchKey": "Resources.myVPC11", + "searchValue": "", + "expectedValue": "'Resources.myVPC11' should be associated with a AWS Network Firewall", + "actualValue": "'Resources.myVPC11' is not associated with a AWS Network Firewall", + "issueType": "MissingAttribute", + "similarityID": "66d7e1e9b3b1d4d558eb705e13ace2fd1a655b287e85cc058d79b5e7aa3261a3", + "search_line": 21 } ] diff --git a/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json index efa932ba894..2cfc5911d0a 100644 --- a/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate", + "searchValue": "MinimumProtocolVersion", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion should be defined", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion is not defined", + "issueType": "MissingAttribute", + "similarityID": "16714fcc8f9e61fc26569db11915f8a83dc1a2fb294b5cd08f710c53acfa5b70", + "search_line": 7 }, { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate", + "searchValue": "SslSupportMethod", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.SslSupportMethod should be defined", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.SslSupportMethod is not defined", + "issueType": "MissingAttribute", + "similarityID": "66e58fa67ef0e628d11904197084675f05267aeeac468669696b4ae5ee0ee243", + "search_line": 7 }, { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", "line": 8, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig.CloudfrontDefaultCertificate", + "searchValue": "", + "expectedValue": 
"Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.CloudfrontDefaultCertificate should be set to 'false' or not defined.", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.CloudfrontDefaultCertificate is 'true'.", + "issueType": "IncorrectValue", + "similarityID": "52af9092f82eaddb96e8672d05407e6dd3b877d9c617f56068cacb347109b1b3", + "search_line": 8 }, { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", "line": 8, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate", + "searchValue": "MinimumProtocolVersion", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion should be defined", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion is not defined", + "issueType": "MissingAttribute", + "similarityID": "dff706779d3b340038f916bad0a95f4fd1b15a6f95d6d09a14784a690b5d8a35", + "search_line": 8 }, { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", "line": 8, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate", + "searchValue": "SslSupportMethod", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.SslSupportMethod should be defined", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.SslSupportMethod is not defined", + "issueType": "MissingAttribute", + "similarityID": "16d71caf5fd048bad1425e263c265bd9a892375e890cb0c57bf63a075378fd83", + "search_line": 8 }, { "queryName": "Vulnerable Default 
SSL Certificate", "severity": "MEDIUM", "line": 9, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::CloudFront::Distribution", + "resourceName": "myDistribution", + "searchKey": "Resources.myDistribution.Properties.DistributionConfig.CloudfrontDefaultCertificate", + "searchValue": "", + "expectedValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.CloudfrontDefaultCertificate should be set to 'false' or not defined.", + "actualValue": "Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.CloudfrontDefaultCertificate is 'true'.", + "issueType": "IncorrectValue", + "similarityID": "8238f84dad4ea683d9452981cf4b5508635a0c2bbe7c9a8cb4e3d6e4cb42dd49", + "search_line": 9 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/test/positive_expected_result.json index 9261cd50989..8b6de6867b8 100644 --- a/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/webacl_allow_defaultaction/test/positive_expected_result.json 
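Review bot: In the positive2.yaml and positive4.json entries of this hunk the `searchKey` is `Resources.myDistribution.Properties.DistributionConfig.CloudfrontDefaultCertificate`, while `expectedValue` and `actualValue` in the same entries refer to `...DistributionConfig.ViewerCertificate.CloudfrontDefaultCertificate`, which is also the path the MinimumProtocolVersion and SslSupportMethod entries use. Since this file is generated from the scan output, the mismatch presumably comes from the query's searchKey rather than from the generator, and committing the fixture as-is pins that path so a later correction to the query would break the test. I would correct the searchKey at the query level to `Resources.myDistribution.Properties.DistributionConfig.ViewerCertificate.CloudfrontDefaultCertificate` and regenerate this file, noting that the `similarityID` values of these two entries will likely change if they are derived from the searchKey. If the shorter path is intentional, a short comment in the query explaining why would help, since strict JSON leaves no room for one here.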
@@ -3,12 +3,30 @@ "queryName": "Permissive Web ACL Default Action", "severity": "HIGH", "line": 8, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::WAF::WebACL", + "resourceName": "WebACL to with three rules", + "searchKey": "Resources.MyWebACL.Properties.DefaultAction.Type", + "searchValue": "", + "expectedValue": "Resources.MyWebACL.Properties.DefaultAction.Type should not be ALLOW", + "actualValue": "Resources.MyWebACL.Properties.DefaultAction.Type is set to ALLOW", + "issueType": "IncorrectValue", + "similarityID": "59a6689c3e60504ff30de1a575996ed9e1e41e61fa6e2877e8facdaf5780453f", + "search_line": -1 }, { - "fileName": "positive2.json", "queryName": "Permissive Web ACL Default Action", "severity": "HIGH", - "line": 8 + "line": 8, + "fileName": "positive2.json", + "resourceType": "AWS::WAF::WebACL", + "resourceName": "WebACL to with three rules", + "searchKey": "Resources.MyWebACL.Properties.DefaultAction.Type", + "searchValue": "", + "expectedValue": "Resources.MyWebACL.Properties.DefaultAction.Type should not be ALLOW", + "actualValue": "Resources.MyWebACL.Properties.DefaultAction.Type is set to ALLOW", + "issueType": "IncorrectValue", + "similarityID": "29ad1ad49dcc4e6ddc3e35075ffdc7d95f7db199acf555f16ca82635c8a8d265", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/wildcard_in_acm_certificate_domain_name/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/wildcard_in_acm_certificate_domain_name/test/positive_expected_result.json index a71ab61a364..aa8c8a9b028 100644 --- a/assets/queries/cloudFormation/aws/wildcard_in_acm_certificate_domain_name/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/wildcard_in_acm_certificate_domain_name/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Wildcard In ACM Certificate Domain Name", "severity": "LOW", "line": 16, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::CertificateManager::Certificate", + "resourceName": "Certificate", + "searchKey": "Resources.Certificate.Properties.DomainName", + "searchValue": "", + "expectedValue": "'Resources.Certificate.Properties.DomainName' should not contain '*'", + "actualValue": "'Resources.Certificate.Properties.DomainName' contains '*'", + "issueType": "IncorrectValue", + "similarityID": "4d2b93612ed107c21064eb65d328e86b00ac264a6cdc518a0fb7e9f9f7b55c33", + "search_line": -1 }, { + "queryName": "Wildcard In ACM Certificate Domain Name", + "severity": "LOW", "line": 19, "fileName": "positive2.json", - "queryName": "Wildcard In ACM Certificate Domain Name", - "severity": "LOW" + "resourceType": "AWS::CertificateManager::Certificate", + "resourceName": "Certificate", + "searchKey": "Resources.Certificate.Properties.DomainName", + "searchValue": "", + "expectedValue": "'Resources.Certificate.Properties.DomainName' should not contain '*'", + "actualValue": "'Resources.Certificate.Properties.DomainName' contains '*'", + "issueType": "IncorrectValue", + "similarityID": "0002cecf0373d7a5fb17bd0355f5daab7fb7cc8d7312240aa5a93d567d78689e", + "search_line": -1 } ] diff --git a/assets/queries/cloudFormation/aws/workspace_without_encryption/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/workspace_without_encryption/test/positive_expected_result.json index 492408cd150..53ed7afe8c3 100644 --- a/assets/queries/cloudFormation/aws/workspace_without_encryption/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/workspace_without_encryption/test/positive_expected_result.json 
@@ -2,25 +2,61 @@ { "queryName": "Workspace Without Encryption", "severity": "HIGH", - "line": 14, - "fileName": "positive2.yaml" + "line": 4, + "fileName": "positive1.yaml", + "resourceType": "AWS::WorkSpaces::Workspace", + "resourceName": "MyWorkSpace", + "searchKey": "Resources.MyWorkSpace.Properties", + "searchValue": "", + "expectedValue": "Resources.MyWorkSpace.Properties should have the property UserVolumeEncryptionEnabled set to true", + "actualValue": "Resources.MyWorkSpace.Properties does not have the UserVolumeEncryptionEnabled property set", + "issueType": "MissingAttribute", + "similarityID": "fbe4c60832e05acf8b3810b740716f3ccb17b209c4c669e6ab02b82cdde31d68", + "search_line": -1 }, { "queryName": "Workspace Without Encryption", "severity": "HIGH", - "line": 4, - "fileName": "positive1.yaml" + "line": 14, + "fileName": "positive2.yaml", + "resourceType": "AWS::WorkSpaces::Workspace", + "resourceName": "MyWorkSpace2", + "searchKey": "Resources.MyWorkSpace2.Properties.UserVolumeEncryptionEnabled", + "searchValue": "", + "expectedValue": "Resources.MyWorkSpace2.Properties.UserVolumeEncryptionEnabled should be set to true", + "actualValue": "Resources.MyWorkSpace2.Properties.UserVolumeEncryptionEnabled is not set to true", + "issueType": "IncorrectValue", + "similarityID": "f2f86868bcab7b15675494cb266928910772126c1c1c920e2c2715d36f3a44cd", + "search_line": -1 }, { "queryName": "Workspace Without Encryption", "severity": "HIGH", "line": 5, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "AWS::WorkSpaces::Workspace", + "resourceName": "MyWorkSpace", + "searchKey": "Resources.MyWorkSpace.Properties", + "searchValue": "", + "expectedValue": "Resources.MyWorkSpace.Properties should have the property UserVolumeEncryptionEnabled set to true", + "actualValue": "Resources.MyWorkSpace.Properties does not have the UserVolumeEncryptionEnabled property set", + "issueType": "MissingAttribute", + "similarityID": 
"5901d3593de308e76196adf27fca3204927ed949872c632b1036030082d50e9c", + "search_line": -1 }, { "queryName": "Workspace Without Encryption", "severity": "HIGH", "line": 17, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "AWS::WorkSpaces::Workspace", + "resourceName": "MyWorkSpace2", + "searchKey": "Resources.MyWorkSpace2.Properties.UserVolumeEncryptionEnabled", + "searchValue": "", + "expectedValue": "Resources.MyWorkSpace2.Properties.UserVolumeEncryptionEnabled should be set to true", + "actualValue": "Resources.MyWorkSpace2.Properties.UserVolumeEncryptionEnabled is not set to true", + "issueType": "IncorrectValue", + "similarityID": "e3100dcdbb5b418f84bcfbaf16983fe13638c745284b9dc66e51f7a241ef7a1f", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws_bom/cassandra/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/cassandra/test/positive_expected_result.json index 9a4886944cb..d852797004c 100644 --- a/assets/queries/cloudFormation/aws_bom/cassandra/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/cassandra/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "BOM - AWS Cassandra", "severity": "TRACE", "line": 3, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.myNewTable1", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "801a9235121ea5973e415504bac2a9d5b39bfad88fb033b770ef0c94e4dbd414", + "search_line": 3 }, { "queryName": "BOM - AWS Cassandra", "severity": "TRACE", "line": 3, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.myNewTable2", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "8459d041b7efedce897313593e643e1d6a5528356a001a5808959928bccc8067", + "search_line": 3 } ] diff --git a/assets/queries/cloudFormation/aws_bom/dynamo/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/dynamo/test/positive_expected_result.json index 76e5be3bb50..8f3762df456 100644 --- a/assets/queries/cloudFormation/aws_bom/dynamo/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/dynamo/test/positive_expected_result.json 
@@ -3,30 +3,75 @@ "queryName": "BOM - AWS DynamoDB", "severity": "TRACE", "line": 27, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DynamoDBOnDemandTable2", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "e75c193d393c1f5c0355309adb259fd64f28baa86e47f1598034fb23fc644e62", + "search_line": 27 }, { "queryName": "BOM - AWS DynamoDB", "severity": "TRACE", "line": 27, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DynamoDBOnDemandTable2", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "c4b9a4dfb321fb6d1097d7ecc6e8f7f31333f4793d8150d3a7d46df52594825b", + "search_line": 27 }, { "queryName": "BOM - AWS DynamoDB", "severity": "TRACE", "line": 27, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DynamoDBOnDemandTable2", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "9f4e6815e2196ef0d5cfd0cc46e57b36f8c7a86fffffe3c7e41448765063f6d2", + "search_line": 27 }, { "queryName": "BOM - AWS DynamoDB", "severity": "TRACE", "line": 3, - "fileName": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DynamoDBOnDemandTable2", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "38e663c3bd7d3877a23a4373e791f511f0244966b3d735e82658ad1209788306", + "search_line": 3 }, { "queryName": "BOM - AWS DynamoDB", "severity": "TRACE", "line": 27, - "fileName": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DynamoDBOnDemandTable2", + 
"searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "7826f7e588275f0791d24f9791d4f2bc3ca54ae85627eaea7e73da1d534657d0", + "search_line": 27 } ] diff --git a/assets/queries/cloudFormation/aws_bom/ebs/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/ebs/test/positive_expected_result.json index 66e4e4b2449..9c4ea87f56c 100644 --- a/assets/queries/cloudFormation/aws_bom/ebs/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/ebs/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "BOM - AWS EBS", "severity": "TRACE", "line": 4, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.NewVolume", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "4ce5abb875cda696fae4284ecd5ba62ac2fd4c7d10948e6b219ae0a8f8dad49e", + "search_line": 4 }, { "queryName": "BOM - AWS EBS", "severity": "TRACE", "line": 5, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.NewVolume", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "d8a4d26dfcc2e71a6a21fc56f846a6d266289b88087a0372332f4d3cafdcd5b8", + "search_line": 5 }, { "queryName": "BOM - AWS EBS", "severity": "TRACE", "line": 4, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.NewVolume", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "285213d6da72f24033d1f5ba53a98214fd9f6726290c6392da285b6cd572c7a1", + "search_line": 4 }, { "queryName": "BOM - AWS EBS", "severity": "TRACE", "line": 5, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.NewVolume", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "08e0b7a2f83d72abe04aa20adedcc4aba5d75b2915b100dfc1675d7e5bc7d728", + "search_line": 5 }, { "queryName": "BOM - AWS EBS", "severity": "TRACE", "line": 4, - "fileName": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.NewVolume", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + 
"similarityID": "e23195636bdfa8956798ab6836c8cdcf8247ee156d4b059c56ec4fbaec58a440", + "search_line": 4 }, { "queryName": "BOM - AWS EBS", "severity": "TRACE", "line": 5, - "fileName": "positive6.json" + "fileName": "positive6.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.NewVolume", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "b5d72f9e20fee38f0578c34e786507134482275c407d64136058104a640205e3", + "search_line": 5 } ] diff --git a/assets/queries/cloudFormation/aws_bom/efs/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/efs/test/positive_expected_result.json index 5a8b206a58a..5bd99977624 100644 --- a/assets/queries/cloudFormation/aws_bom/efs/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/efs/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "BOM - AWS EFS", "severity": "TRACE", "line": 4, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.FileSystemResource", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "af951e8e5af038270bede70ee43979e390751208d0c1d1fecb81a0daa9aba768", + "search_line": 4 }, { "queryName": "BOM - AWS EFS", "severity": "TRACE", "line": 4, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.FileSystemResource", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "281d6dc7bf72ca31cd66458bf94794080bf6652ec4008b2575bae2d9fb83ad3f", + "search_line": 4 }, { "queryName": "BOM - AWS EFS", "severity": "TRACE", "line": 4, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.FileSystemResource", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "83a72f83d55f2156c4460a9a6cfe9793351271aa569c545883ef0f62f5a5812a", + "search_line": 4 }, { "queryName": "BOM - AWS EFS", "severity": "TRACE", "line": 4, - "fileName": "positive4.json" + "fileName": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.FileSystemResource", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "5a4bb3ec29536ca9e4e0c26c709e1917085de2e85ae6d9bc1435a0b434c171b0", + "search_line": 4 } ] diff --git a/assets/queries/cloudFormation/aws_bom/elasticache/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/elasticache/test/positive_expected_result.json index 1b8078706e0..771f20b9693 100644 
--- a/assets/queries/cloudFormation/aws_bom/elasticache/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/elasticache/test/positive_expected_result.json @@ -3,18 +3,45 @@ "queryName": "BOM - AWS Elasticache", "severity": "TRACE", "line": 2, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.ElasticacheCluster", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "17275acc97a95d1eece69329241b6a38acbba3faa481c5e44aef5569578737bc", + "search_line": 2 }, { "queryName": "BOM - AWS Elasticache", "severity": "TRACE", "line": 3, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.ElasticacheCluster", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "aa37cf454d48c04ba499445093d2e142af7ea1b883a0ea41e553cacb9ca542fe", + "search_line": 3 }, { "queryName": "BOM - AWS Elasticache", "severity": "TRACE", "line": 2, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.ElasticacheCluster", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "20a20355276133529a52f07ae327f1815fca2bfb1b13806de4bb212da745be14", + "search_line": 2 } ] diff --git a/assets/queries/cloudFormation/aws_bom/kinesis/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/kinesis/test/positive_expected_result.json index d144cd06d85..5a33c8516cd 100644 --- a/assets/queries/cloudFormation/aws_bom/kinesis/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/kinesis/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "BOM - AWS Kinesis", "severity": "TRACE", "line": 3, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.MyStream", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "c25ad46861b57058d59e58d5cb3ffcf38e529dd149bdc4ffccbda61756bc295c", + "search_line": 3 }, { "queryName": "BOM - AWS Kinesis", "severity": "TRACE", "line": 4, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.MyStream2", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "3982901c4665e84ddd5058875208c874d4b9e266f7f3731855f55e64c717aca4", + "search_line": 4 } ] diff --git a/assets/queries/cloudFormation/aws_bom/mq/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/mq/test/positive_expected_result.json index f2de8ddc34b..011f610d784 100644 --- a/assets/queries/cloudFormation/aws_bom/mq/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/mq/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "BOM - AWS MQ", "severity": "TRACE", "line": 4, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.BasicBroker", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "a4189a1baec7afe82c8e86f1992b86bb975f300673399c8f3bb367fecb2da1d4", + "search_line": 4 }, { "queryName": "BOM - AWS MQ", "severity": "TRACE", "line": 5, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.BasicBroker2", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "aef0de655f32392203a97fd5c9b89b948e15e806863197233f0494bf288a92df", + "search_line": 5 }, { "queryName": "BOM - AWS MQ", "severity": "TRACE", "line": 4, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.BasicBroker", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "58865a9e0135afcb6b7339cff8643a5c235fe440fc9fe2beda8124cb603738ba", + "search_line": 4 } ] diff --git a/assets/queries/cloudFormation/aws_bom/msk/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/msk/test/positive_expected_result.json index 26872452549..8cedc67fe9e 100644 --- a/assets/queries/cloudFormation/aws_bom/msk/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/msk/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "BOM - AWS MSK", "severity": "TRACE", "line": 3, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.TestCluster", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "de4068af8084505d0f869d243525eb0d57ea1cadcb1e7e1b3f31b899d9b56c13", + "search_line": 3 }, { "queryName": "BOM - AWS MSK", "severity": "TRACE", "line": 4, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.TestCluster3", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "d6bcb825498f3c195f63b57d9b2ccc2f3914ea3224007f15351511e25cedb74a", + "search_line": 4 } ] diff --git a/assets/queries/cloudFormation/aws_bom/rds/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/rds/test/positive_expected_result.json index 31443e3f791..25e42893ba1 100644 --- a/assets/queries/cloudFormation/aws_bom/rds/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/rds/test/positive_expected_result.json 
@@ -3,54 +3,135 @@ "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 4, - "fileName": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DBInstanceSample1", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "5a64a3152e10b179c0d3f4236df76f1e38e45119dd90ae349f23802d49698bbb", + "search_line": 4 }, { "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 4, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DBInstanceSample2", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "4da4d91cf1046065aac13db51cbc39881037d9ae5cc17db21adf67c6068bede1", + "search_line": 4 }, { "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 14, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DBInstanceRefSample2", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "12a491d965ff77729bf9c0a8362c9b296f71bc3ed18ab160731ec3df24413403", + "search_line": 14 }, { "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 4, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DBInstanceSample3", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "b706c97b89caded4680ba44449bb7b8782968ee8fa027cc3f3dac2d505e14c7f", + "search_line": 4 }, { "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 14, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DBInstanceRefSample3", + "searchValue": "", + "expectedValue": "", + "actualValue": 
"", + "issueType": "BillOfMaterials", + "similarityID": "4a7eed5521687a5a61722ef4b57a4e8946eb0042da16b9a2557e203b85cd3f0f", + "search_line": 14 }, { "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 3, - "fileName": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DBInstanceSample4", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "06de62a877d55094a17e7fe792d4b598484768ec6bb488591e69e2388e80d2d7", + "search_line": 3 }, { "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 3, - "fileName": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DBInstanceSample5", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "9d96278e8c3b54635d9e5a5263d3f8be1c86843358e01a4d7048b6abb795bbb0", + "search_line": 3 }, { "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 3, - "fileName": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DBInstanceSample6", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "7e0b0e307a1e63e438af56353550e4db75f5e8c883e4c606e1909063f5c57f64", + "search_line": 3 }, { "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 3, - "fileName": "positive7.yaml" + "fileName": "positive7.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.DBInstanceSample5", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "afc0b196398f0c986aa985ff1694492388b8222692f054c3c8c287bdc399cbf7", + "search_line": 3 } ] 
diff --git a/assets/queries/cloudFormation/aws_bom/s3_bucket/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/s3_bucket/test/positive_expected_result.json index 4552773fb76..fb6f8fffe2d 100644 --- a/assets/queries/cloudFormation/aws_bom/s3_bucket/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/s3_bucket/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "BOM - AWS S3 Buckets", "severity": "TRACE", "line": 4, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.MyBucket", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "786203e616ce98f7c27822924a72559a34c61b7115e59c7884652e8b621b2ac3", + "search_line": 4 }, { "queryName": "BOM - AWS S3 Buckets", "severity": "TRACE", "line": 5, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.JenkinsArtifacts03", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "b76d1c235e0399cdece96e2e93c7188983cb0f48a9551f790d13925ee4bf76ab", + "search_line": 5 } ] diff --git a/assets/queries/cloudFormation/aws_bom/sns/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/sns/test/positive_expected_result.json index f0fefd2b232..97e9a83c740 100644 --- a/assets/queries/cloudFormation/aws_bom/sns/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/sns/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "BOM - AWS SNS", "severity": "TRACE", "line": 4, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.SnsTopic", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "0202fe9140b4ba9f0adab818d4331e6ae6410641111969ec3894cdbd3b831bd4", + "search_line": 4 }, { "queryName": "BOM - AWS SNS", "severity": "TRACE", "line": 5, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.SnsTopic", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "92abb3f85a19d4bd22d56502f02c37348cf0a74819a97070f8516b338f70d058", + "search_line": 5 } ] diff --git a/assets/queries/cloudFormation/aws_bom/sqs/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_bom/sqs/test/positive_expected_result.json index d6f7e4b7816..8625c0f5ff3 100644 --- a/assets/queries/cloudFormation/aws_bom/sqs/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_bom/sqs/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "BOM - AWS SQS", "severity": "TRACE", "line": 2, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.MyQueue", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "590fc5b46f19d1aefd1af1436500975dd8acf2b17ab03a7f1a845cf3de5d404a", + "search_line": 2 }, { "queryName": "BOM - AWS SQS", "severity": "TRACE", "line": 3, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "Resources.MyQueue", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "9dcfa763fdb87129844b1ea2f8aca7d85576b8f68cc2a06b2e6cb9186afbb682", + "search_line": 3 } ] diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json index 8501c081577..7b9c04e8eb7 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Serverless API Access Logging Setting Undefined", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi", + "searchKey": "Resources.ApiGatewayApi.Properties", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi.Properties.%!d(string=AccessLogSetting) should be defined and not null", + "actualValue": "Resources.ApiGatewayApi.Properties.%!d(string=AccessLogSetting) is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "70dc59fba5472fe8e0ec774e6ca4f36c1c52e4c5cb00754abe41f4c5da19fa90", + "search_line": 7 }, { "queryName": "Serverless API Access Logging Setting Undefined", "severity": "MEDIUM", "line": 7, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::Serverless::HttpApi", + "resourceName": "HttpApi", + "searchKey": "Resources.HttpApi.Properties", + "searchValue": "", + "expectedValue": "Resources.HttpApi.Properties.%!d(string=AccessLogSettings) should be defined and not null", + "actualValue": "Resources.HttpApi.Properties.%!d(string=AccessLogSettings) is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "b580d25c1ae27da9af65acd355907b7e037b95cec4e4c34ca1ab587e709bb54b", + "search_line": 7 } ] diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/test/positive_expected_result.json index 16af5f0a76b..d1a6d5f062e 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled/test/positive_expected_result.json 
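Review bot: Both new entries in this hunk freeze a formatting bug into the fixture: `%!d(string=AccessLogSetting)` in `expectedValue` and `actualValue` is Go's verb-mismatch marker, meaning the query formats a string argument with `%d`, so the regression test now asserts the garbled text instead of catching it. The query's Rego is not in this diff, but the fix belongs there (`%s` for the property name), after which these files should be regenerated with the new script rather than hand-edited, since `similarityID` may or may not depend on the message text. The regenerated lines would read `"expectedValue": "Resources.ApiGatewayApi.Properties.AccessLogSetting should be defined and not null"` and `"actualValue": "Resources.ApiGatewayApi.Properties.AccessLogSetting is undefined or null"` (and `AccessLogSettings` for the HttpApi entry). It would be worth having the generator flag any `%!` sequence in captured values so this class of error fails the run instead of becoming an expected result.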
@@ -3,18 +3,45 @@ "queryName": "Serverless API Cache Cluster Disabled", "severity": "LOW", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi", + "searchKey": "Resources.ApiGatewayApi.Properties", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi.Properties.CacheClusterEnabled should be defined and not null", + "actualValue": "Resources.ApiGatewayApi.Properties.CacheClusterEnabled is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "83155008b5328f0da6baaecb7e7b5108d457b70d1d1df36975d0797ec79983c2", + "search_line": 7 }, { "queryName": "Serverless API Cache Cluster Disabled", "severity": "LOW", "line": 10, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi2", + "searchKey": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled should be set to true", + "actualValue": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled is set to false", + "issueType": "IncorrectValue", + "similarityID": "4a378e2ca47245a0778b7eb07eb1ad3440909df22a88e8017f1650d51deb62a6", + "search_line": 10 }, { "queryName": "Serverless API Cache Cluster Disabled", "severity": "LOW", "line": 10, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi2", + "searchKey": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled should be set to true", + "actualValue": "Resources.ApiGatewayApi2.Properties.CacheClusterEnabled is set to false", + "issueType": "IncorrectValue", + "similarityID": "06abb9fa893999afddb38f2ec1a6bacfea712bfa079387f1e5ac404969b361e9", + "search_line": 10 } ] 
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/test/positive_expected_result.json index 66879c8a540..04fd5a0e707 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "Serverless API Endpoint Config Not Private", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi", + "searchKey": "Resources.ApiGatewayApi.Properties", + "searchValue": "", + "expectedValue": "'Resources.ApiGatewayApi.EndpointConfiguration' should be defined and not null", + "actualValue": "'Resources.ApiGatewayApi.EndpointConfiguration' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "c47c6f916e7769ad3d73efc717545a8c787485f6a2d88a3015ee65c3ee1ad51e", + "search_line": 7 }, { "queryName": "Serverless API Endpoint Config Not Private", "severity": "MEDIUM", "line": 11, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi2", + "searchKey": "Resources.ApiGatewayApi2.Properties.EndpointConfiguration", + "searchValue": "", + "expectedValue": "'Resources.ApiGatewayApi2.EndpointConfiguration.Types' should be defined and not null", + "actualValue": "'Resources.ApiGatewayApi2.EndpointConfiguration.Types' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "dee5386863b1209d74fe435410a4b5b8d91b761da099b111e571414b3eb5f475", + "search_line": 11 }, { "queryName": "Serverless API Endpoint Config Not Private", "severity": "MEDIUM", "line": 12, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi3", + "searchKey": "Resources.ApiGatewayApi3.Properties.EndpointConfiguration.Types", + "searchValue": "", + "expectedValue": "'Resources.ApiGatewayApi3.EndpointConfiguration.Types' should contain 'PRIVATE'", + "actualValue": "'Resources.ApiGatewayApi3.EndpointConfiguration.Types' does not contain 'PRIVATE'", + "issueType": "IncorrectValue", + "similarityID": "5714aa60d09e56969be9131f04d27447ef101546a8b02d68068dd18aa5aa3d97", 
+ "search_line": 12 } ] diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/test/positive_expected_result.json index 7c2c2079915..5c5323fdd46 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/test/positive_expected_result.json 
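Review bot: The `expectedValue`/`actualValue` strings in all three entries name the path as `'Resources.ApiGatewayApiN.EndpointConfiguration...'`, dropping the `.Properties` segment that the corresponding `searchKey` values (`Resources.ApiGatewayApi.Properties`, `...Properties.EndpointConfiguration`, `...Properties.EndpointConfiguration.Types`) include, and this inconsistency is now pinned by the fixture. If the query message is corrected to match the real path, e.g. `"expectedValue": "'Resources.ApiGatewayApi.Properties.EndpointConfiguration' should be defined and not null"`, the file should be regenerated with the script rather than edited by hand. This is cosmetic for detection but matters for anyone grepping a report for the property they need to fix.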
@@ -3,18 +3,45 @@ "queryName": "Serverless API Without Content Encoding", "severity": "LOW", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi", + "searchKey": "Resources.ApiGatewayApi.Properties", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi.Properties.MinimumCompressionSize should be defined and not null", + "actualValue": "Resources.ApiGatewayApi.Properties.MinimumCompressionSize is not defined or null", + "issueType": "MissingAttribute", + "similarityID": "1b40443a642282d4b556811a088fa53e36f2a9231242daca25bebd0df6691996", + "search_line": 7 }, { "queryName": "Serverless API Without Content Encoding", "severity": "LOW", "line": 19, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi2", + "searchKey": "Resources.ApiGatewayApi2.Properties.MinimumCompressionSize", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi2.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", + "actualValue": "Resources.ApiGatewayApi2.Properties.MinimumCompressionSize is set but smaller than 0 or greater than 10485759", + "issueType": "IncorrectValue", + "similarityID": "4272cb40c750addfd4e6a682df901e6d6ad796bf2c0527ef13e8e8f6f0cbe5c7", + "search_line": 19 }, { "queryName": "Serverless API Without Content Encoding", "severity": "LOW", "line": 19, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi3", + "searchKey": "Resources.ApiGatewayApi3.Properties.MinimumCompressionSize", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi3.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", + "actualValue": "Resources.ApiGatewayApi3.Properties.MinimumCompressionSize is set but smaller than 0 or greater than 10485759", + 
"issueType": "IncorrectValue", + "similarityID": "2684fd9594eeebbdc55b3e530b4c98eecf40a3f93dc9214aa0014a6b342a40e1", + "search_line": 19 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/test/positive_expected_result.json index 9b3580ba2f5..abcfd7380d3 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "Serverless API X-Ray Tracing Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi", + "searchKey": "Resources.ApiGatewayApi.Properties", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi.Properties.TracingEnabled should be defined and not null", + "actualValue": "Resources.ApiGatewayApi.Properties.TracingEnabled is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "2de43656bc5fce3b68ce1ff5140aa4da32c80462ec9295afb46624fc1fb520f8", + "search_line": 7 }, { "queryName": "Serverless API X-Ray Tracing Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi2", + "searchKey": "Resources.ApiGatewayApi2.Properties.TracingEnabled", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi2.Properties.TracingEnabled should be set to true", + "actualValue": "Resources.ApiGatewayApi2.Properties.TracingEnabled is set to false", + "issueType": "IncorrectValue", + "similarityID": "b6f8879f06c199b7c70140216da7cef8e535dcdcda19dc45d44937b02d5c1566", + "search_line": 9 }, { "queryName": "Serverless API X-Ray Tracing Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "AWS::Serverless::Api", + "resourceName": "ApiGatewayApi2", + "searchKey": "Resources.ApiGatewayApi2.Properties.TracingEnabled", + "searchValue": "", + "expectedValue": "Resources.ApiGatewayApi2.Properties.TracingEnabled should be set to true", + "actualValue": "Resources.ApiGatewayApi2.Properties.TracingEnabled is set to false", + "issueType": "IncorrectValue", + "similarityID": "f370d7fea53d7fe20bb9eca75d33e6af7208cb5b68ce406e8af953d57ac7c1bf", + "search_line": 9 } ] 
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json index 90ecf9fd811..1614296df84 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Serverless Function Environment Variables Not Encrypted", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Serverless::Function", + "resourceName": "Function", + "searchKey": "Resources.Function.Properties", + "searchValue": "", + "expectedValue": "'Resources.Function.Properties.KmsKeyArn' should be defined and not null", + "actualValue": "'Resources.Function.Properties.KmsKeyArn' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "a583be9e24108ff188498d3dc740138ce5f71f1cc6bdf35cb11f7d171dcbeb03", + "search_line": 7 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/test/positive_expected_result.json index 80a3a4a0aca..d0b7b8d8b99 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Serverless Function Without Dead Letter Queue", "severity": "LOW", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Serverless::Function", + "resourceName": "Function", + "searchKey": "Resources.Function.Properties", + "searchValue": "", + "expectedValue": "'Resources.Function.Properties.DeadLetterConfig' should be defined and not null", + "actualValue": "'Resources.Function.Properties.DeadLetterConfig' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "ed69ed7ca08f29652dd8c22efcb423698a08260ea2ef9b23914e90acd360f3c4", + "search_line": 7 } ] diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/test/positive_expected_result.json index 52d67c40a52..18531676e07 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Serverless Function Without Tags", "severity": "LOW", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Serverless::Function", + "resourceName": "Function", + "searchKey": "Resources.Function.Properties", + "searchValue": "", + "expectedValue": "'Resources.Function.Properties.Tags' should be defined and not null", + "actualValue": "'Resources.Function.Properties.Tags' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "3d6c1ad3527c52ddc39e2a67195e7d153eadcfcf2d25fc816d63805d39e51ee6", + "search_line": 7 } -] \ No newline at end of file +] 
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/test/positive_expected_result.json index 97fa6f898f5..dbf531f4030 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Serverless Function Without Unique IAM Role", "severity": "HIGH", "line": 19, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Serverless::Function", + "resourceName": "Function1", + "searchKey": "Resources.Function1.Properties.Role", + "searchValue": "", + "expectedValue": "Resource.Function1.Properties.Role is only assigned to the function in question", + "actualValue": "Resource.Function1.Properties.Role is assigned to another funtion", + "issueType": "IncorrectValue", + "similarityID": "aa2984c7d2c51060eb3d36370ae7054e7ecabb38d52fbf364e65f2a8e55486b7", + "search_line": 19 }, { "queryName": "Serverless Function Without Unique IAM Role", "severity": "HIGH", "line": 34, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Serverless::Function", + "resourceName": "Function2", + "searchKey": "Resources.Function2.Properties.Role", + "searchValue": "", + "expectedValue": "Resource.Function2.Properties.Role is only assigned to the function in question", + "actualValue": "Resource.Function2.Properties.Role is assigned to another funtion", + "issueType": "IncorrectValue", + "similarityID": "17ca7325208618cd6edb12e35fab3ba86d6d271c80bb58fbbaea373bdf00d223", + "search_line": 34 }, { "queryName": "Serverless Function Without Unique IAM Role", "severity": "HIGH", "line": 19, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::Serverless::Function", + "resourceName": "Function1", + "searchKey": "Resources.Function1.Properties.Role", + "searchValue": "", + "expectedValue": "Resource.Function1.Properties.Role is only assigned to the function in question", + "actualValue": "Resource.Function1.Properties.Role is assigned to another funtion", + "issueType": "IncorrectValue", + "similarityID": "aed69469b6b9d7e2055f791d709f94340be5618714255a123954bb8c2d3037bc", + "search_line": 19 }, { "queryName": "Serverless Function Without Unique IAM Role", 
"severity": "HIGH", "line": 34, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::Serverless::Function", + "resourceName": "Function2", + "searchKey": "Resources.Function2.Properties.Role", + "searchValue": "", + "expectedValue": "Resource.Function2.Properties.Role is only assigned to the function in question", + "actualValue": "Resource.Function2.Properties.Role is assigned to another funtion", + "issueType": "IncorrectValue", + "similarityID": "ac2ce5d704d75b3ca6a3dcfa12e9d18f44fb6adb524492234559b5f4e7f74770", + "search_line": 34 } -] \ No newline at end of file +] diff --git a/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/test/positive_expected_result.json b/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/test/positive_expected_result.json index 14dd9db9ab2..92bae018517 100644 --- a/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing/test/positive_expected_result.json 
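Review bot: All four `actualValue` strings in this hunk carry the typo `funtion` and, together with `expectedValue`, use the singular prefix `Resource.FunctionN.Properties.Role` while the `searchKey` on the same entry is `Resources.FunctionN.Properties.Role`; capturing them verbatim turns the typo into a regression assertion that will break the test the moment the query message is corrected. Since this is a HIGH severity IAM finding whose text ends up in user reports, the message in the query should be fixed first and the file regenerated, giving `"actualValue": "Resources.Function1.Properties.Role is assigned to another function"` and the matching `Resources.` prefix in `expectedValue`. The query's Rego is outside this diff, so the exact source of the string is inferred from the output.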
@@ -3,12 +3,30 @@ "queryName": "Serverless Function Without X-Ray Tracing", "severity": "LOW", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "AWS::Serverless::Function", + "resourceName": "Function1", + "searchKey": "Resources.Function1.Properties", + "searchValue": "", + "expectedValue": "Property 'TracingConfig' should be defined and not null", + "actualValue": "Property 'TracingConfig' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "0c4886517c99c8b57eba99adb77209df6af7d6de31f36ddfdd2f37b5237110fa", + "search_line": 7 }, { "queryName": "Serverless Function Without X-Ray Tracing", "severity": "LOW", "line": 19, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "AWS::Serverless::Function", + "resourceName": "Function2", + "searchKey": "Resources.Function2.Properties.Tracing", + "searchValue": "", + "expectedValue": "'Tracing' should be set to 'Active'", + "actualValue": "'Tracing' is set to 'PassThrough'", + "issueType": "IncorrectValue", + "similarityID": "1b47115dd201c0875f1f7c05f6b2dd89091d8ff9f0dbc95ac72770f366319306", + "search_line": 19 } ] diff --git a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json index e29ad869f20..ae71d01edc7 100644 --- a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json +++ b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json 
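Review bot: The first entry's message says `Property 'TracingConfig' should be defined and not null` while the second entry in the same hunk keys on `Resources.Function2.Properties.Tracing` and reports `'Tracing' should be set to 'Active'`; the two findings appear to describe the same SAM property under different names, and the fixture now locks both in. Presumably `Tracing` is the `AWS::Serverless::Function` property being checked and `TracingConfig` is a leftover from the Lambda-resource wording, but the query's Rego is not in this diff, so that should be confirmed against it. If so, the corrected message would be `"expectedValue": "Property 'Tracing' should be defined and not null"` / `"actualValue": "Property 'Tracing' is undefined or null"`, and the file should be regenerated with the script rather than patched by hand.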
@@ -3,462 +3,1155 @@ "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 8, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "b602e62633130159f12e7766af20b35a87efdf836bcb644463f9d6da5844fb22", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 6, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "b2ee72647a9b21d1725b0a35c28a0326b6cac8b756fcf0d37d022f7c082c0fdf", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 7, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "85922cc0db149f4ca453b83dc8d433577552269bce80e6c7c3e9e7853b16abe7", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 9, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": 
"c574a278c19956d6bd90c778fbf67ec788c8541868dceac32537defeed1e3ddc", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Secret", "severity": "HIGH", "line": 2, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "6a8de8ca46e0d4ddbba7d5a2f7990a41c9beab1e01de09367e0ab8bceae32447", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 3, - "fileName": "positive6.dockerfile" + "fileName": "positive6.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "d24afcc53d6911b4e68d34cc4062fc6c8e7c58706e3a795efb95e9e01ee87d74", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 7, - "fileName": "positive6.dockerfile" + "fileName": "positive6.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "244303cd9aa52bc1ba7b0024ca62f9e690202691eea48f59bed6a8decc9af268", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 8, - "fileName": "positive7.tf" + "fileName": "positive7.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in 
source", + "issueType": "RedundantAttribute", + "similarityID": "050e56a6f87adbbcfa273f1193918f6fd335ab4f75bf577325514298106aee11", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 4, - "fileName": "positive8.json" + "fileName": "positive8.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "8c3e8d66711a3161aba4b4958d621771ebbec3215e0e7f8047a00a599afdd8b8", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", - "line":7, - "fileName": "positive8.json" + "line": 7, + "fileName": "positive8.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "a1db768c47ba92328f1fd45435344105fa7197412657ab10898abd3934a57785", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 8, - "fileName": "positive9.tf" + "fileName": "positive9.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "1ed168a68abd43b283fe01f8c5b7b80784ddd009a4c73e97b8a54238267d6190", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Password in URL", "severity": "HIGH", "line": 7, - "fileName": "positive10.json" + "fileName": "positive10.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in 
source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "e287dddcdd80605670dde322c5ff742185b3fa8edb832db352de4802cd3a1041", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Slack Webhook", "severity": "HIGH", "line": 17, - "fileName": "positive10.json" + "fileName": "positive10.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "321350aa201469275871cb0cd5851e14e25b20c4e772fa69e45f06b7285319f5", + "search_line": 0 }, { "queryName": "Passwords And Secrets - MSTeams Webhook", "severity": "HIGH", "line": 27, - "fileName": "positive10.json" + "fileName": "positive10.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "82f32474a36440cf4a55cbb062d686ce8a851c6c58dcc0b0d7e7e13301120aa1", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Password in URL", "severity": "HIGH", "line": 7, - "fileName": "positive11.yaml" + "fileName": "positive11.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "d5ead00875abbd306b75e102a0da784e1d5a64c17b967a530bd193943c03f513", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Slack Webhook", "severity": "HIGH", "line": 9, - "fileName": "positive11.yaml" + "fileName": "positive11.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + 
"expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "984165581b4e04ce044a332068cd534bea4ace294b5d77dc14500f3832710a60", + "search_line": 0 }, { "queryName": "Passwords And Secrets - MSTeams Webhook", "severity": "HIGH", "line": 11, - "fileName": "positive11.yaml" + "fileName": "positive11.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "9dff803d9938bb62501b33138da625eccf3afad5444d664e2e95e0bec41e8da6", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 8, - "fileName": "positive12.json" + "fileName": "positive12.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "65b5807079a99636c8080523ff9fd21ed0212d766ae340ccd6815eabb4565566", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Password in URL", "severity": "HIGH", "line": 11, - "fileName": "positive12.json" + "fileName": "positive12.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "14449ecad6a157738b15666b1de391c0a801046d93c087dde8fe635750ba3c12", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Slack Webhook", "severity": "HIGH", "line": 15, - "fileName": "positive12.json" + "fileName": "positive12.json", + "resourceType": "", + 
"resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "008a895aa3e7e7e47c2cd9b667e325a962c61735c5f6250f1d5fc0a522ea5f36", + "search_line": 0 }, { "queryName": "Passwords And Secrets - MSTeams Webhook", "severity": "HIGH", "line": 19, - "fileName": "positive12.json" + "fileName": "positive12.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "562a2717c99fddf5e21a4403cdffd2ab2f445095aef34369298cf4312305c2b0", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Asymmetric private key", "severity": "HIGH", "line": 6, - "fileName": "positive13.tf" + "fileName": "positive13.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "a8e9865c8a657b7b1f5b76ef8a139f75fde0e07f5e03e9c4a3b295c11f6b9e1c", + "search_line": 0 }, { "queryName": "Passwords And Secrets - AWS Access Key", "severity": "HIGH", "line": 17, - "fileName": "positive14.tf" + "fileName": "positive14.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "406841db8a503b95f1f54ab1fd3a9e4352abf60290e7c80635e47b995b7fc12a", + "search_line": 0 }, { "queryName": "Passwords And Secrets - AWS Secret Key", "severity": "HIGH", "line": 18, - "fileName": "positive14.tf" + 
"fileName": "positive14.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "3f7db4840cd8ce6288bd1550cf17496e4c66eaa5b92f80413f9423c32eb6d428", + "search_line": 0 }, { "queryName": "Passwords And Secrets - AWS Access Key", "severity": "HIGH", "line": 14, - "fileName": "positive15.tf" + "fileName": "positive15.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "e06d0fcc2b56cef035c16acea217bda94e4fd58b464a24278225492d51721d08", + "search_line": 0 }, { "queryName": "Passwords And Secrets - AWS Secret Key", "severity": "HIGH", "line": 15, - "fileName": "positive15.tf" + "fileName": "positive15.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "e2c4fa0f614a3482338bc9345f18cb8c5c30cb17a6570ec8b9196d25c8d58ddb", + "search_line": 0 }, { "queryName": "Passwords And Secrets - K8s Environment Variable Password", "severity": "HIGH", "line": 34, - "fileName": "positive16.yaml" + "fileName": "positive16.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "b4fa819ac0f4a9bd0add0caa6ad50e5551abe8f72826ba1d01c5b44c486d1175", + "search_line": 0 }, { "queryName": "Passwords And Secrets - K8s Environment 
Variable Password", "severity": "HIGH", "line": 36, - "fileName": "positive16.yaml" + "fileName": "positive16.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "18a6b28cc31369400eb84935e33a124ed212e3d055ee5a6d3106ac2fd33b721e", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 7, - "fileName": "positive17.tf" + "fileName": "positive17.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "b9d9dca972c82d2b99e3761dc034ce076424b73e2e16ad100fa1ffb381ee0a3e", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Google OAuth", "severity": "HIGH", "line": 5, - "fileName": "positive18.tf" + "fileName": "positive18.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "21a6e10c0e0bd84ce972770131c512e348d048ab73ab4160656c78efe9a4a58b", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Slack Token", "severity": "HIGH", "line": 2, - "fileName": "positive19.tf" + "fileName": "positive19.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "f0813cb5f5e5e824763221fe54ab04a9ea0223e8d69155e94dee7f7becf2eece", + "search_line": 0 }, { 
"queryName": "Passwords And Secrets - Stripe API Key", "severity": "HIGH", "line": 2, - "fileName": "positive20.tf" + "fileName": "positive20.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "8d575d4429a563d990e9d9f4ce487c17c5a84bc0cfbc119fc4df6b981438ec54", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Google API Key", "severity": "HIGH", "line": 50, - "fileName": "positive21.tf" + "fileName": "positive21.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "892699f6ec28bb7e50476dd3743a09e3dee0f41cf62ff762098a1b6cca06cac2", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Heroku API Key", "severity": "HIGH", "line": 3, - "fileName": "positive22.tf" + "fileName": "positive22.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "a859fd432362d005fa2cbdada378c54056f575b8c526ca4388f2af6fb5ab9428", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Token", "severity": "HIGH", "line": 3, - "fileName": "positive23.tf" + "fileName": "positive23.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": 
"ac03f5d0442f3af6aaf8479c4d4f73a13728a079cb86677cfb36c1b9686049ca", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic API Key", "severity": "HIGH", "line": 4, - "fileName": "positive24.tf" + "fileName": "positive24.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "b5bcd6a472abd5ad4624bebb5c9a6c86fb505bc508947a5a6d3ebe9cf6cffbfd", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Square Access Token", "severity": "HIGH", "line": 3, - "fileName": "positive25.dockerfile" + "fileName": "positive25.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "38bf5e85886458996a299b117b3c91cdc9dfef8974c132f105b9a7868e8c0e05", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Picatic API Key", "severity": "HIGH", "line": 5, - "fileName": "positive25.dockerfile" + "fileName": "positive25.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "ad35e8a359220d91b6ddf25cffe8b505c274d79e96e45fbfafa8d53b03afea2a", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Amazon MWS Auth Token", "severity": "HIGH", "line": 7, - "fileName": "positive25.dockerfile" + "fileName": "positive25.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": 
"Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "d61c6a21f0bf4d7d39973fc97851b5b42309c28ea2cf7807fe42928c4ef2228c", + "search_line": 0 }, { "queryName": "Passwords And Secrets - MailChimp API Key", "severity": "HIGH", "line": 9, - "fileName": "positive25.dockerfile" + "fileName": "positive25.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "e06c89255831069d41ed9258154ae7c2fac4930ae7c82713915b9c902f25fb7a", + "search_line": 0 }, { "queryName": "Passwords And Secrets - SendGrid API Key", "severity": "HIGH", "line": 11, - "fileName": "positive25.dockerfile" + "fileName": "positive25.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "a6c4d0a482557e087b818d0d3dcef75ad9a6a0169ffcd56276a62eab6275c9f4", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Private Key", "severity": "HIGH", "line": 9, - "fileName": "positive26.yaml" + "fileName": "positive26.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "af776f06058cb11fb16d5a644fad5377156cf67c98d5b32a3bab0a6d3944bc68", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Token", "severity": "HIGH", "line": 5, - "fileName": "positive27.yaml" + "fileName": "positive27.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + 
"expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "cc77d433953bfc1052595998a47568eb78df26cd979faad102393f6c167977b6", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Token", "severity": "HIGH", "line": 22, - "fileName": "positive27.yaml" + "fileName": "positive27.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "f1659f87fc9da3845e4b28db8f6ebe45d0d60b3e7def183be8a8ed7ab2ad0ee7", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Token", "severity": "HIGH", "line": 5, - "fileName": "positive28.yaml" + "fileName": "positive28.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "e7e8ef9989c1f44607ef8b85d50d80b9616a0671803fe9502674d3ae44ec0e76", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Mailgun API Key", "severity": "HIGH", "line": 2, - "fileName": "positive29.tf" + "fileName": "positive29.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "c6db023b2d89a7786ddf62e1171142b0067c5921689dc22e2b75da324581f203", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Stripe Restricted API Key", "severity": "HIGH", "line": 2, - "fileName": "positive30.tf" + "fileName": "positive30.tf", + "resourceType": "", + 
"resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "d7fd38a8199fe4046c43cd8911dbd6793949e0de71603119b6248300fa8ada57", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Twilio API Key", "severity": "HIGH", "line": 4, - "fileName": "positive31.yaml" + "fileName": "positive31.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "3c0c37eeaeec3f2bb91f11c57a1eb11a93380d801986341e6adf4d66ad64f2d0", + "search_line": 0 }, { "queryName": "Passwords And Secrets - PayPal Braintree Access Token", "severity": "HIGH", "line": 4, - "fileName": "positive32.yaml" + "fileName": "positive32.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "f44ae443c55a3cc9dc71a4a0679b03c4b8d9c633a9771ab351542b114754f745", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Facebook Access Token", "severity": "HIGH", "line": 13, - "fileName": "positive33.yaml" + "fileName": "positive33.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "d94aa3bdaf9a83d7e249b1e12e98635e5ffba17f8eb8716869612963bfee6441", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Square OAuth Secret", "severity": "HIGH", "line": 13, - 
"fileName": "positive34.yaml" + "fileName": "positive34.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "425dacd372b736aedc6f3419e5f3f1e9e12190f5a82eac9e4b4a5059194c910e", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Google OAuth Access Token", "severity": "HIGH", "line": 13, - "fileName": "positive35.yaml" + "fileName": "positive35.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "6d0bdc3b16fadba5422987d899957fdf7d551430dd1d773b25b23f6f0df0f6fa", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Putty User Key File Content", "severity": "HIGH", "line": 5, - "fileName": "positive36.tf" + "fileName": "positive36.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "396f485877afd8643a5b2027e6d61ba78295473959117533c4650414c3eb898c", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Secret", "severity": "HIGH", "line": 14, - "fileName": "positive37.tf" + "fileName": "positive37.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "c5ebe1f797473eb5bdfa5fa059aaceb71adfc86d9fceaeefa2288457aab77031", + "search_line": 0 }, { "queryName": 
"Passwords And Secrets - CloudFormation Secret Template", "severity": "HIGH", "line": 16, - "fileName": "positive38.yaml" + "fileName": "positive38.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "a804d6a9ed3d36795194c880ca8b509bb8c6cc58583c7f7270dcdf4d09badaef", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Secret", "severity": "HIGH", "line": 3, - "fileName": "positive39.tf" + "fileName": "positive39.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "57c95e3aaa8e65b81461fa4c4721646fdc55e7b2da31e7a24e5998394f07ce94", + "search_line": 0 }, { "queryName": "Passwords And Secrets - AWS Context-specific credential", "severity": "HIGH", "line": 14, - "fileName": "positive40.tf" + "fileName": "positive40.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "5fd45ae8101bb96fd01110f8d3bccd31d25c3936d3f6d96e8e3a2b198d7772c0", + "search_line": 0 }, { "queryName": "Passwords And Secrets - AWS Certificate", "severity": "HIGH", "line": 15, - "fileName": "positive40.tf" + "fileName": "positive40.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": 
"440f21a5812412d187684bcf2ae816188ca53d12e3fb9d5415c419f198261fc0", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Asymmetric private key", "severity": "HIGH", "line": 6, - "fileName": "positive41.tf" + "fileName": "positive41.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "0a0152404e48948911b03663209af500c077d7f9e508f7440d0f3e5bb5518645", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Access Key", "severity": "HIGH", "line": 7, - "fileName": "positive42.tf" + "fileName": "positive42.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "8dc854cc27bb5bae1459abec8748ba70bb11a8b9426149826dc9cd331da3a1a6", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Token", "severity": "HIGH", "line": 5, - "fileName": "positive43.yaml" + "fileName": "positive43.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "637c10e98a5d4d14041ddc6fa9fc9d00d19e25118233595c94940489bae7c56c", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Secret", "severity": "HIGH", "line": 17, - "fileName": "positive44.yaml" + "fileName": "positive44.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + 
"issueType": "RedundantAttribute", + "similarityID": "f6e6424607774b443eb47181763cb2cf85a5cc1a9e1be7ece31da01233da58a1", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 9, - "fileName": "positive45.tf" + "fileName": "positive45.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "80d0011cde7f71550e8090b1e64a6831888b560a555107b3c682e545c49822b9", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 20, - "fileName": "positive46.yaml" + "fileName": "positive46.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "9f493b467336508a461c1857b22ff686d4ad7df6fb33c13319ee5e67885edab6", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 21, - "fileName": "positive46.yaml" + "fileName": "positive46.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "af34d0d054669aa5b7476a56372eb92ee9f26fc390d247a3574a2adbcc120fcd", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Google OAuth", "severity": "HIGH", "line": 5, - "fileName": "positive47.tf" + "fileName": "positive47.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + 
"actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "b189fd4cc6ebf4958af4fd792a8758a6f24f5c5392534a518ec0ab6637d6fb95", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Secret", "severity": "HIGH", "line": 6, - "fileName": "positive47.tf" + "fileName": "positive47.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "37c220a3a4e5afcfbb643f6f146991badc8d1dd8f0ffe284035a191e841a3fd8", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 8, - "fileName": "positive48.tf" + "fileName": "positive48.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "769c8282e8474d2387cfaad88a05ce1b6b2e635866256d021fe7aceec99b01b6", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Private Key", "severity": "HIGH", "line": 7, - "fileName": "positive49.yml" + "fileName": "positive49.yml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "b381dfda5189364fe0f188aa4213279576b4eaaa7e982ac9567cdb22061ff63c", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Password on YAML files when value in tuple", "severity": "HIGH", "line": 56, - "fileName": "positive50.yaml" + "fileName": "positive50.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + 
"searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "f68e715a0c38b74deeb703c98e9a4d04ee71b161cb60c8a0641f4a2cb0aa5681", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Password on YAML files when value in tuple", "severity": "HIGH", "line": 68, - "fileName": "positive50.yaml" + "fileName": "positive50.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "53a95f3b8c6a112685334c8ba5d0cf5c54c5adccea46dfc05109339d4b63cda1", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Dockerfile ENV hardcoded password with omitted equals", "severity": "HIGH", "line": 4, - "fileName": "positive51.dockerfile" + "fileName": "positive51.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "46dd0051f58a49ac291100a6fadbe69c38371099948a399aeeabc77809622a01", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 4, - "fileName": "positive52.dockerfile" + "fileName": "positive52.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "0cb848fbd7358cabb70a37087e3759cba5bb60d03a655fa58ef89356aaa60208", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Password", 
"severity": "HIGH", "line": 54, - "fileName": "positive53.json" + "fileName": "positive53.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "f7c374c08ea07bd4aa28d526f4789bbc02dc183f4242d1373a26817f2e7d4815", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 8, - "fileName": "positive54.tf" + "fileName": "positive54.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "e13f66feca3938e2d38ce684b68259d4e87388ca572bdc1d79d3baa22c6e50a0", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Password", "severity": "HIGH", "line": 14, - "fileName": "positive54.tf" + "fileName": "positive54.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "bb84272cb0daf0f8e4330bb871be95a1b89c2b9031020cc9516e2c6b269ea7b5", + "search_line": 0 }, { "queryName": "Passwords And Secrets - Generic Secret", "severity": "HIGH", "line": 4, - "fileName": "positive55.json" + "fileName": "positive55.json", + "resourceType": "", + "resourceName": "", + "searchKey": "", + "searchValue": "", + "expectedValue": "Hardcoded secret key should not appear in source", + "actualValue": "Hardcoded secret key appears in source", + "issueType": "RedundantAttribute", + "similarityID": "efb7e998a12705ab78aea750f16c350584d583261b72cec0446aaeac505320de", + "search_line": 0 } -] \ No 
newline at end of file
+]
diff --git a/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive_expected_result.json b/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive_expected_result.json
index d22a547d757..a26c9ef8f09
--- a/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive_expected_result.json
+++ b/assets/queries/crossplane/aws/cloudfront_logging_disabled/test/positive_expected_result.json
@@ -2,37 +2,91 @@ { "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", - "line": 12, - "fileName": "positive.yaml" + "line": 8, + "fileName": "positive2.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig", + "searchValue": "", + "expectedValue": "CloudFront logging enabled attribute should be defined and set to true", + "actualValue": "CloudFront logging is not defined", + "issueType": "MissingAttribute", + "similarityID": "8c9ae0a939f08c304ede760a69fb75834dc6f2bd6a1b8b169b61d689ad3bae60", + "search_line": 8 }, { "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", - "line": 50, - "fileName": "positive.yaml" + "line": 41, + "fileName": "positive2.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig", + "searchValue": "", + "expectedValue": "CloudFront logging enabled attribute should be defined and set to true", + "actualValue": "CloudFront logging is not defined", + "issueType": "MissingAttribute", + "similarityID": "0f19484366f5a483caf985f17e83a5a00f00742e0ead952f272abf6982aee741", + "search_line": 41 }, { "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", - "line": 8, - "fileName": "positive2.yaml" + "line": 11, + "fileName": "positive3.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.logging", + "searchValue": "", + "expectedValue": "CloudFront logging enabled attribute should be defined and set to true", + "actualValue": "CloudFront enable is not defined", + "issueType": "MissingAttribute", + "similarityID": "ec7b6def43597594e5504b18f3425f0b2eeea00871014cd3e3c3739fb0de160e", + "search_line": 11 }, { "queryName": "CloudFront Logging Disabled", 
"severity": "MEDIUM", - "line": 41, - "fileName": "positive2.yaml" + "line": 47, + "fileName": "positive3.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.logging", + "searchValue": "", + "expectedValue": "CloudFront logging enabled attribute should be defined and set to true", + "actualValue": "CloudFront enable is not defined", + "issueType": "MissingAttribute", + "similarityID": "22a2cd6ad23fa482e94f09485748c5e44249a99f18cda784f355f0050b3965b8", + "search_line": 47 }, { "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", - "line": 11, - "fileName": "positive3.yaml" + "line": 12, + "fileName": "positive.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.logging.enabled", + "searchValue": "", + "expectedValue": "CloudFront logging enabled attribute should be set to true", + "actualValue": "CloudFront logging enabled attribute is set to false", + "issueType": "IncorrectValue", + "similarityID": "1639929d959902b6b4c0a8bb398f9ac70a46e6a1d06587a24dfb083a306e2770", + "search_line": 12 }, { "queryName": "CloudFront Logging Disabled", "severity": "MEDIUM", - "line": 47, - "fileName": "positive3.yaml" + "line": 50, + "fileName": "positive.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.logging.enabled", + "searchValue": "", + "expectedValue": "CloudFront logging enabled attribute should be set to true", + "actualValue": "CloudFront logging enabled attribute is set to false", + "issueType": "IncorrectValue", + "similarityID": "1812b4bf58a2072fdde26f401ba8e1990ac46e333caa0d609b4caea71f08b758", + "search_line": 50 } ] 
diff --git a/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json b/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json index 7147bac5f34..49ea2dbb67e 100644 --- a/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json 
@@ -2,37 +2,91 @@ { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 14, - "fileName": "positive.yaml" + "line": 8, + "fileName": "positive2.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig", + "searchValue": "", + "expectedValue": "'viewerCertificate.minimumProtocolVersion' should be defined and set to TLSv1.2_x", + "actualValue": "'viewerCertificate' is not defined", + "issueType": "MissingAttribute", + "similarityID": "e430b4bb9138125b7b168b71178a48977fc7de8340024544566beb6f01c39c38", + "search_line": 8 }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 54, - "fileName": "positive.yaml" + "line": 44, + "fileName": "positive2.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig", + "searchValue": "", + "expectedValue": "'viewerCertificate.minimumProtocolVersion' should be defined and set to TLSv1.2_x", + "actualValue": "'viewerCertificate' is not defined", + "issueType": "MissingAttribute", + "similarityID": "97fc465da574f3bb9275482b229e0062c781bb528d439030c2bed9b81031350b", + "search_line": 44 }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 8, - "fileName": "positive2.yaml" + "line": 11, + "fileName": "positive3.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.viewerCertificate", + "searchValue": "", + "expectedValue": "'viewerCertificate.minimumProtocolVersion' should be defined and set to TLSv1.2_x", + "actualValue": "'minimumProtocolVersion' is not defined", + "issueType": "MissingAttribute", + "similarityID": 
"16f9565da4711b67fe14fbd0d997713562c5f8dde9de9f3b6cc4434fcc92acdd", + "search_line": 11 }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 44, - "fileName": "positive2.yaml" + "line": 50, + "fileName": "positive3.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.viewerCertificate", + "searchValue": "", + "expectedValue": "'viewerCertificate.minimumProtocolVersion' should be defined and set to TLSv1.2_x", + "actualValue": "'minimumProtocolVersion' is not defined", + "issueType": "MissingAttribute", + "similarityID": "d213b7f9b40ca72832b848c245373ddd5ac1a4349907cef48445ac2a37982932", + "search_line": 50 }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 11, - "fileName": "positive3.yaml" + "line": 14, + "fileName": "positive.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.viewerCertificate.minimumProtocolVersion", + "searchValue": "", + "expectedValue": "'viewerCertificate.minimumProtocolVersion' should be TLSv1.2_x", + "actualValue": "'viewerCertificate.minimumProtocolVersion' is TLSv1.1_2016", + "issueType": "IncorrectValue", + "similarityID": "aff59cc2654afd0780e238f37aa53ebc7c757780e7a4cbd776f95366e40fb1b1", + "search_line": 14 }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", - "line": 50, - "fileName": "positive3.yaml" + "line": 54, + "fileName": "positive.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig.viewerCertificate.minimumProtocolVersion", + "searchValue": "", + "expectedValue": "'viewerCertificate.minimumProtocolVersion' 
should be TLSv1.2_x", + "actualValue": "'viewerCertificate.minimumProtocolVersion' is TLSv1.1_2016", + "issueType": "IncorrectValue", + "similarityID": "28c1c2a2e35f1cbedb358456c68ccce8f24aa55d138236323eb72a2afb1a0fb1", + "search_line": 54 } -] \ No newline at end of file +] diff --git a/assets/queries/crossplane/aws/cloudfront_without_waf/test/positive_expected_result.json b/assets/queries/crossplane/aws/cloudfront_without_waf/test/positive_expected_result.json index 89078c0250b..a4357af69cd 100644 --- a/assets/queries/crossplane/aws/cloudfront_without_waf/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/cloudfront_without_waf/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "CloudFront Without WAF", "severity": "MEDIUM", "line": 8, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig", + "searchValue": "", + "expectedValue": "'webACLID' should be defined", + "actualValue": "'webACLID' is not defined", + "issueType": "MissingAttribute", + "similarityID": "ce7877ee3542f0d96c68fc4b11770e7d1d650e3ae891fabefe4a1381ac26898e", + "search_line": 8 }, { "queryName": "CloudFront Without WAF", "severity": "MEDIUM", "line": 48, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "Distribution", + "resourceName": "sample-distribution", + "searchKey": "spec.resources.base.metadata.name={{sample-distribution}}.spec.forProvider.distributionConfig", + "searchValue": "", + "expectedValue": "'webACLID' should be defined", + "actualValue": "'webACLID' is not defined", + "issueType": "MissingAttribute", + "similarityID": "0818d265173bca775ea7990c580ec4024f999a36447bccde4afc09b7beb3785a", + "search_line": 48 } -] \ No newline at end of file +] 
diff --git a/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json b/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json index 077082aa587..6b012a1afbc 100644 --- a/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json 
@@ -2,25 +2,61 @@ { "queryName": "CloudWatch Without Retention Period Specified", "severity": "INFO", - "line": 9, - "fileName": "positive.yaml" + "line": 6, + "fileName": "positive2.yaml", + "resourceType": "LogGroup", + "resourceName": "lg-5", + "searchKey": "metadata.name={{lg-5}}.spec.forProvider", + "searchValue": "", + "expectedValue": "retentionInDays should be set to a valid value", + "actualValue": "retentionInDays is undefined", + "issueType": "MissingAttribute", + "similarityID": "90428ebcee471274964e1e429b2556628df3c652bc26abb1e4e878a3cb9eac7f", + "search_line": 6 }, { "queryName": "CloudWatch Without Retention Period Specified", "severity": "INFO", - "line": 38, - "fileName": "positive.yaml" + "line": 34, + "fileName": "positive2.yaml", + "resourceType": "LogGroup", + "resourceName": "lg-6", + "searchKey": "spec.resources.base.metadata.name={{lg-6}}.spec.forProvider", + "searchValue": "", + "expectedValue": "retentionInDays should be set to a valid value", + "actualValue": "retentionInDays is undefined", + "issueType": "MissingAttribute", + "similarityID": "75f677f7aa922e4cade5574b48c6edfd27248f0d5a8a0d40ec3295e57696d7b2", + "search_line": 34 }, { "queryName": "CloudWatch Without Retention Period Specified", "severity": "INFO", - "line": 6, - "fileName": "positive2.yaml" + "line": 9, + "fileName": "positive.yaml", + "resourceType": "LogGroup", + "resourceName": "lg-3", + "searchKey": "metadata.name={{lg-3}}.spec.forProvider.retentionInDays", + "searchValue": "", + "expectedValue": "retentionInDays should be set to a valid value", + "actualValue": "retentionInDays is set to a invalid value", + "issueType": "IncorrectValue", + "similarityID": "e20e0b25c2147241bd249382bdb5623bc206c2008edc935f6f91cb8d7aed0ed4", + "search_line": 9 }, { "queryName": "CloudWatch Without Retention Period Specified", "severity": "INFO", - "line": 34, - "fileName": "positive2.yaml" + "line": 38, + "fileName": "positive.yaml", + "resourceType": "LogGroup", + "resourceName": 
"lg-4", + "searchKey": "spec.resources.base.metadata.name={{lg-4}}.spec.forProvider.retentionInDays", + "searchValue": "", + "expectedValue": "retentionInDays should be set to a valid value", + "actualValue": "retentionInDays is set to a invalid value", + "issueType": "IncorrectValue", + "similarityID": "7e90d6737f906ce277ff27553bc6fc7d2e1a7a3dbeab66b05adcd7932f480e65", + "search_line": 38 } -] \ No newline at end of file +] diff --git a/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json b/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json index 0496d93bb96..188ade037cb 100644 --- a/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json 
@@ -2,25 +2,61 @@ { "queryName": "DB Instance Storage Not Encrypted", "severity": "HIGH", - "line": 21, - "fileName": "positive.yaml" + "line": 6, + "fileName": "positive2.yaml", + "resourceType": "RDSInstance", + "resourceName": "rds5", + "searchKey": ".metadata.name={{rds5}}.spec.forProvider", + "searchValue": "", + "expectedValue": "storageEncrypted should be defined and set to true", + "actualValue": "storageEncrypted is not defined", + "issueType": "MissingAttribute", + "similarityID": "138f79a209ad322f6cb08b3f6cc9173bc60d7b65e573828f1a472c95767a6396", + "search_line": 6 }, { "queryName": "DB Instance Storage Not Encrypted", "severity": "HIGH", - "line": 63, - "fileName": "positive.yaml" + "line": 47, + "fileName": "positive2.yaml", + "resourceType": "RDSInstance", + "resourceName": "rds6", + "searchKey": "spec.resources.base..metadata.name={{rds6}}.spec.forProvider", + "searchValue": "", + "expectedValue": "storageEncrypted should be defined and set to true", + "actualValue": "storageEncrypted is not defined", + "issueType": "MissingAttribute", + "similarityID": "934b0b809d8b91c38ab598e6f9c7080cda883a4062785cb6d66483bce65f785b", + "search_line": 47 }, { "queryName": "DB Instance Storage Not Encrypted", "severity": "HIGH", - "line": 6, - "fileName": "positive2.yaml" + "line": 21, + "fileName": "positive.yaml", + "resourceType": "RDSInstance", + "resourceName": "rds3", + "searchKey": "metadata.name={{rds3}}.spec.forProvider.storageEncrypted", + "searchValue": "", + "expectedValue": "storageEncrypted should be set to true", + "actualValue": "storageEncrypted is set to false", + "issueType": "IncorrectValue", + "similarityID": "ff154841eb5e80a77a8676628d2e96d23d7e7e2341981ae73a521e185a7c3962", + "search_line": 21 }, { "queryName": "DB Instance Storage Not Encrypted", "severity": "HIGH", - "line": 47, - "fileName": "positive2.yaml" - } + "line": 63, + "fileName": "positive.yaml", + "resourceType": "RDSInstance", + "resourceName": "rds4", + "searchKey": 
"spec.resources.base.metadata.name={{rds4}}.spec.forProvider.storageEncrypted", + "searchValue": "", + "expectedValue": "storageEncrypted should be set to true", + "actualValue": "storageEncrypted is set to false", + "issueType": "IncorrectValue", + "similarityID": "75eda5b9cfeffb10409f292d89b9775f77b66e76b1b3a9535b1a461052bff1ac", + "search_line": 63 + } ] diff --git a/assets/queries/crossplane/aws/db_security_group_has_public_interface/test/positive_expected_result.json b/assets/queries/crossplane/aws/db_security_group_has_public_interface/test/positive_expected_result.json index 388655a694f..14ce7905aa4 100644 --- a/assets/queries/crossplane/aws/db_security_group_has_public_interface/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/db_security_group_has_public_interface/test/positive_expected_result.json 
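Review bot: The regenerated searchKey values for the first two entries of this file, `".metadata.name={{rds5}}.spec.forProvider"` and `"spec.resources.base..metadata.name={{rds6}}.spec.forProvider"`, carry a stray leading dot and a doubled dot, while every sibling fixture in this diff (and the last two entries of this same file) uses `metadata.name=...` / `spec.resources.base.metadata.name=...`. That looks like a path-building defect in the query's MissingAttribute branch, and accepting the snapshot as-is locks the malformed key into the expected results rather than surfacing it. Suggest correcting the key construction in the query and regenerating this file; if the similarityID is derived from the searchKey, those hashes would change as well, so the fixture should not be hand-edited.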
@@ -3,12 +3,30 @@ "queryName": "DB Security Group Has Public Interface", "severity": "HIGH", "line": 17, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "SecurityGroup", + "resourceName": "ec2-rule2", + "searchKey": "metadata.name={{ec2-rule2}}.spec.forProvider.ingress.ipRanges.cidrIp={{0.0.0.0/0}}", + "searchValue": "", + "expectedValue": "ingress rule should not contain '0.0.0.0/0'", + "actualValue": "ingress rule contains '0.0.0.0/0'", + "issueType": "IncorrectValue", + "similarityID": "d6442b66ba25e6ddd9ccbf9095eed59d6afe4499eabaeb23e536c9498b58eab2", + "search_line": 17 }, { "queryName": "DB Security Group Has Public Interface", "severity": "HIGH", "line": 55, - "fileName": "positive.yaml" - } + "fileName": "positive.yaml", + "resourceType": "SecurityGroup", + "resourceName": "ec2-rule5", + "searchKey": "spec.resources.base.metadata.name={{ec2-rule5}}.spec.forProvider.ingress.ipRanges.cidrIp={{0.0.0.0/0}}", + "searchValue": "", + "expectedValue": "ingress rule should not contain '0.0.0.0/0'", + "actualValue": "ingress rule contains '0.0.0.0/0'", + "issueType": "IncorrectValue", + "similarityID": "15821ed74d67709039a59cbbef5e0eec66e130765b7a84e0f701e41a8a344050", + "search_line": 55 + } ] diff --git a/assets/queries/crossplane/aws/docdb_logging_disabled/test/positive_expected_result.json b/assets/queries/crossplane/aws/docdb_logging_disabled/test/positive_expected_result.json index c683dbe070f..0691455518f 100644 --- a/assets/queries/crossplane/aws/docdb_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/docdb_logging_disabled/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 6, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "DBCluster", + "resourceName": "example-cluster-autogen-password", + "searchKey": "metadata.name={{example-cluster-autogen-password}}.spec.forProvider", + "searchValue": "", + "expectedValue": "DBCluster.enableCloudwatchLogsExports should be defined", + "actualValue": "DBCluster.enableCloudwatchLogsExports is undefined", + "issueType": "MissingAttribute", + "similarityID": "4f2aa8422793e870503917c8e4bfe916b14ea29b628341eaf48666cd01c76458", + "search_line": 6 }, { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 26, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "DBCluster", + "resourceName": "example-cluster-autogen-password", + "searchKey": "metadata.name={{example-cluster-autogen-password}}.spec.forProvider.enableCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "DBCluster.enableCloudwatchLogsExports should have all following values: audit, profiler", + "actualValue": "DBCluster.enableCloudwatchLogsExports has the following missing values: audit, profiler", + "issueType": "IncorrectValue", + "similarityID": "b219b9e0038478725917a0c2eb32ff214520940d6aba14a33acd9226e8d951f0", + "search_line": 26 }, { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 26, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "DBCluster", + "resourceName": "example-cluster-autogen-password", + "searchKey": "metadata.name={{example-cluster-autogen-password}}.spec.forProvider.enableCloudwatchLogsExports", + "searchValue": "", + "expectedValue": "DBCluster.enableCloudwatchLogsExports should have all following values: audit, profiler", + "actualValue": "DBCluster.enableCloudwatchLogsExports has the following missing values: profiler", + "issueType": "IncorrectValue", + "similarityID": 
"2de4613e22fdfd350802f6311f59083dbdda4ff710ee618ae8c2f5261d67483a", + "search_line": 26 } -] \ No newline at end of file +] diff --git a/assets/queries/crossplane/aws/ecs_cluster_with_container_insights_disabled/test/positive_expected_result.json b/assets/queries/crossplane/aws/ecs_cluster_with_container_insights_disabled/test/positive_expected_result.json index 53fb9b09db0..58551c3897c 100644 --- a/assets/queries/crossplane/aws/ecs_cluster_with_container_insights_disabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/ecs_cluster_with_container_insights_disabled/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "ECS Cluster with Container Insights Disabled", "severity": "LOW", "line": 6, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Cluster", + "resourceName": "example", + "searchKey": "metadata.name={{example}}.spec.forProvider", + "searchValue": "", + "expectedValue": "Cluster.spec.forProvider.settings should be defined and have a ClusterSetting which name is 'containerInsights' with 'enabled' value", + "actualValue": "Cluster.spec.forProvider.settings is not defined", + "issueType": "MissingAttribute", + "similarityID": "8602de2d323091f7501e8d3ea1e03a02dca91281f972d5b6edf1dd5ca8b028c8", + "search_line": 6 }, { "queryName": "ECS Cluster with Container Insights Disabled", "severity": "LOW", "line": 8, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Cluster", + "resourceName": "example", + "searchKey": "metadata.name={{example}}.spec.forProvider.settings", + "searchValue": "", + "expectedValue": "Cluster.spec.forProvider.settings should have a ClusterSetting which name is 'containerInsights' with 'enabled' value", + "actualValue": "Cluster.spec.forProvider.settings doesn't have a ClusterSetting which name is 'containerInsights' with 'enabled' value", + "issueType": "MissingAttribute", + "similarityID": "c4a97d50c76a6e27abce8035187f0f938bab8c019aee205e649127fafdb00444", + "search_line": 8 }, { "queryName": "ECS Cluster with Container Insights Disabled", "severity": "LOW", "line": 8, - "fileName": "positive3.yaml" - } + "fileName": "positive3.yaml", + "resourceType": "Cluster", + "resourceName": "example", + "searchKey": "metadata.name={{example}}.spec.forProvider.settings", + "searchValue": "", + "expectedValue": "Cluster.spec.forProvider.settings should have a ClusterSetting which name is 'containerInsights' with 'enabled' value", + "actualValue": "Cluster.spec.forProvider.settings doesn't have a ClusterSetting which name is 'containerInsights' with 'enabled' value", + 
"issueType": "MissingAttribute", + "similarityID": "41e4786107218dac2880f5b41297366c0f7288ddd2939b289ddd87aa5df1123a", + "search_line": 8 + } ] diff --git a/assets/queries/crossplane/aws/efs_not_encrypted/test/positive_expected_result.json b/assets/queries/crossplane/aws/efs_not_encrypted/test/positive_expected_result.json index b566c873588..64df23a5220 100644 --- a/assets/queries/crossplane/aws/efs_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/efs_not_encrypted/test/positive_expected_result.json 
@@ -2,25 +2,61 @@ { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 8, - "fileName": "positive.yaml" + "line": 6, + "fileName": "positive2.yaml", + "resourceType": "FileSystem", + "resourceName": "example5", + "searchKey": "metadata.name={{example5}}.spec.forProvider", + "searchValue": "", + "expectedValue": "encrypted should be defined and set to true", + "actualValue": "encrypted is not defined", + "issueType": "MissingAttribute", + "similarityID": "6b86c6009de98b44d824d9bdb0a8e6b723c49204d20ea666d8181f230e90578b", + "search_line": 6 }, { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 38, - "fileName": "positive.yaml" + "line": 35, + "fileName": "positive2.yaml", + "resourceType": "FileSystem", + "resourceName": "example6", + "searchKey": "spec.resources.base.metadata.name={{example6}}.spec.forProvider", + "searchValue": "", + "expectedValue": "encrypted should be defined and set to true", + "actualValue": "encrypted is not defined", + "issueType": "MissingAttribute", + "similarityID": "6b818d6d8d87a3a55ae5c3ca6ab617b2f5af25c4ab963ef03898482846f7f4e5", + "search_line": 35 }, { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 6, - "fileName": "positive2.yaml" + "line": 8, + "fileName": "positive.yaml", + "resourceType": "FileSystem", + "resourceName": "example3", + "searchKey": "metadata.name={{example3}}.spec.forProvider.encrypted", + "searchValue": "", + "expectedValue": "encrypted should be set to true", + "actualValue": "encrypted is set to false", + "issueType": "IncorrectValue", + "similarityID": "0b5d9ba8642129f49b8680d1e9528090414d91dc7ca43675519d72aa995f8959", + "search_line": 8 }, { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 35, - "fileName": "positive2.yaml" - } + "line": 38, + "fileName": "positive.yaml", + "resourceType": "FileSystem", + "resourceName": "example4", + "searchKey": "spec.resources.base.metadata.name={{example4}}.spec.forProvider.encrypted", + "searchValue": "", + 
"expectedValue": "encrypted should be set to true", + "actualValue": "encrypted is set to false", + "issueType": "IncorrectValue", + "similarityID": "f41e25cb18f680aa965655d4f86c96636c5989f7ea270ee7878c2a16da97fe67", + "search_line": 38 + } ] diff --git a/assets/queries/crossplane/aws/efs_without_kms/test/positive_expected_result.json b/assets/queries/crossplane/aws/efs_without_kms/test/positive_expected_result.json index d4dd72b8200..4d513e383b5 100644 --- a/assets/queries/crossplane/aws/efs_without_kms/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/efs_without_kms/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "EFS Without KMS", "severity": "LOW", "line": 6, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "FileSystem", + "resourceName": "example3", + "searchKey": "metadata.name={{example3}}.spec.forProvider", + "searchValue": "", + "expectedValue": "kmsKeyID should be defined", + "actualValue": "kmsKeyID is not defined", + "issueType": "MissingAttribute", + "similarityID": "dcc3cc9bb707ef9bb53faa05a0538c092b506d0a86fa67e4df9b6d2dfc2a43e8", + "search_line": 6 }, { "queryName": "EFS Without KMS", "severity": "LOW", "line": 36, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "FileSystem", + "resourceName": "example4", + "searchKey": "spec.resources.base.metadata.name={{example4}}.spec.forProvider", + "searchValue": "", + "expectedValue": "kmsKeyID should be defined", + "actualValue": "kmsKeyID is not defined", + "issueType": "MissingAttribute", + "similarityID": "32c130235c8152ad6c70c974c921c17f0350f9c42a51b9644d7a11bcb2abd9a8", + "search_line": 36 } -] \ No newline at end of file +] diff --git a/assets/queries/crossplane/aws/elb_using_weak_ciphers/test/positive_expected_result.json b/assets/queries/crossplane/aws/elb_using_weak_ciphers/test/positive_expected_result.json index 9839c2318a3..13535e341df 100644 
--- a/assets/queries/crossplane/aws/elb_using_weak_ciphers/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/elb_using_weak_ciphers/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", "line": 18, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "Listener", + "resourceName": "test-listener", + "searchKey": "metadata.name={{test-listener}}.spec.forProvider.sslPolicy", + "searchValue": "", + "expectedValue": "sslPolicy should use a secure protocol or cipher", + "actualValue": "sslPolicy is using a weak cipher", + "issueType": "IncorrectValue", + "similarityID": "95fbd261b4c3e7ab1af559b8087e3eacd803bc267dda798cd744800b6393fdc0", + "search_line": 18 }, { "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", "line": 58, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "Listener", + "resourceName": "test-listener2", + "searchKey": "spec.resources.base.metadata.name={{test-listener2}}.spec.forProvider.sslPolicy", + "searchValue": "", + "expectedValue": "sslPolicy should use a secure protocol or cipher", + "actualValue": "sslPolicy is using a weak cipher", + "issueType": "IncorrectValue", + "similarityID": "a1e7ad5d205dab734c4ea5c38a66d2cadfb193b7941170a2666652dc8d53b105", + "search_line": 58 } ] diff --git a/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json index a9b0dca7046..6da7d1d0665 100644 --- a/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json 
@@ -2,25 +2,61 @@ { "queryName": "Neptune Database Cluster Encryption Disabled", "severity": "HIGH", - "line": 6, - "fileName": "positive.yaml" + "line": 15, + "fileName": "positive2.yaml", + "resourceType": "DBCluster", + "resourceName": "sample-cluster3", + "searchKey": "metadata.name={{sample-cluster3}}.spec.forProvider.storageEncrypted", + "searchValue": "", + "expectedValue": "storageEncrypted should be defined and set to true", + "actualValue": "storageEncrypted is set to false", + "issueType": "IncorrectValue", + "similarityID": "2ed6a0402d627bd97155d97c38ef62d59ab55a816190ae52d34e26d8ef2e2bc1", + "search_line": 15 }, { "queryName": "Neptune Database Cluster Encryption Disabled", "severity": "HIGH", - "line": 40, - "fileName": "positive.yaml" + "line": 50, + "fileName": "positive2.yaml", + "resourceType": "DBCluster", + "resourceName": "sample-cluster4", + "searchKey": "spec.resources.base.metadata.name={{sample-cluster4}}.spec.forProvider.storageEncrypted", + "searchValue": "", + "expectedValue": "storageEncrypted should be defined and set to true", + "actualValue": "storageEncrypted is set to false", + "issueType": "IncorrectValue", + "similarityID": "475e4daa8c58ce8465b4f9b53b3acc1ed1c88e361f689a5f8737752f8a3b0eb7", + "search_line": 50 }, { "queryName": "Neptune Database Cluster Encryption Disabled", "severity": "HIGH", - "line": 15, - "fileName": "positive2.yaml" + "line": 6, + "fileName": "positive.yaml", + "resourceType": "DBCluster", + "resourceName": "sample-cluster3", + "searchKey": "metadata.name={{sample-cluster3}}.spec.forProvider", + "searchValue": "", + "expectedValue": "storageEncrypted should be defined and set to true", + "actualValue": "storageEncrypted is not defined", + "issueType": "MissingAttribute", + "similarityID": "8e40fb5c5183d151a9f634ebf8d8229c953f0abd59d1e4abc7a178697c4506a2", + "search_line": 6 }, { "queryName": "Neptune Database Cluster Encryption Disabled", "severity": "HIGH", - "line": 50, - "fileName": "positive2.yaml" + 
"line": 40, + "fileName": "positive.yaml", + "resourceType": "DBCluster", + "resourceName": "sample-cluster4", + "searchKey": "spec.resources.base.metadata.name={{sample-cluster4}}.spec.forProvider", + "searchValue": "", + "expectedValue": "storageEncrypted should be defined and set to true", + "actualValue": "storageEncrypted is not defined", + "issueType": "MissingAttribute", + "similarityID": "88bef55f96ed6a8884ed9b34b8215684027617002288fc210be12a100f23a412", + "search_line": 40 } -] \ No newline at end of file +] diff --git a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json index e3a013bb08e..021664ac7da 100644 --- a/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/crossplane/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json 
@@ -3,12 +3,30 @@
  "queryName": "RDS DB Instance Publicly Accessible",
  "severity": "CRITICAL",
  "line": 7,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "RDSInstance",
+ "resourceName": "sample-cluster3",
+ "searchKey": "metadata.name={{sample-cluster3}}.spec.forProvider.publiclyAccessible",
+ "searchValue": "",
+ "expectedValue": "publiclyAccessible should be set to false",
+ "actualValue": "publiclyAccessible is set to true",
+ "issueType": "MissingAttribute",
+ "similarityID": "0e911cf09a5d855e9c37d7243e33e6dd36e753c3b4aad6227c95bf70e3f478e3",
+ "search_line": -1
  },
  {
  "queryName": "RDS DB Instance Publicly Accessible",
  "severity": "CRITICAL",
  "line": 11,
- "fileName": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "RDSInstance",
+ "resourceName": "my-rds-instance",
+ "searchKey": "metadata.name={{my-rds-instance}}.spec.forProvider.dbSubnetGroupName",
+ "searchValue": "",
+ "expectedValue": "dbSubnetGroupName' subnets not being part of a VPC that has an Internet gateway attached to it",
+ "actualValue": "dbSubnetGroupName' subnets are part of a VPC that has an Internet gateway attached to it",
+ "issueType": "MissingAttribute",
+ "similarityID": "f7d5a3d66ca07e0cd063cf02be176530bd83fde30e27f696034778241940cc13",
+ "search_line": -1
  }
  ]
diff --git a/assets/queries/crossplane/aws/sqs_with_sse_disabled/test/positive_expected_result.json b/assets/queries/crossplane/aws/sqs_with_sse_disabled/test/positive_expected_result.json
index 3cfc042ed8d..6668254aabc 100644
--- a/assets/queries/crossplane/aws/sqs_with_sse_disabled/test/positive_expected_result.json
+++ b/assets/queries/crossplane/aws/sqs_with_sse_disabled/test/positive_expected_result.json
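Review bot: Both new entries for rds_db_instance_publicly_accessible carry `"search_line": -1`, whereas every other fixture in this commit records the finding's own line (`"line": 6` paired with `"search_line": 6`, and so on); the first entry also reports `"issueType": "MissingAttribute"` although its actualValue says `publiclyAccessible is set to true`, which reads like an IncorrectValue finding. Because the generator writes back whatever the scan emitted, this fixture would now pin what looks like a missing searchLine and a mismatched issueType in the query's result metadata rather than in the fixture itself. I would confirm the query's output before merging, and if the metadata is wrong, fix the query and regenerate this file so the regression test does not enforce the inconsistent values. If `-1` is the intended sentinel for "no searchLine available", a short note in the generator's docs would save the next reader the same question.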
@@ -3,12 +3,30 @@ "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "Queue", + "resourceName": "test-queue3", + "searchKey": "metadata.name={{test-queue3}}.spec.forProvider", + "searchValue": "", + "expectedValue": "kmsMasterKeyId should be defined", + "actualValue": "kmsMasterKeyId is not defined", + "issueType": "MissingAttribute", + "similarityID": "6530bd62c5833a1afa75a9185330b6e3c6aabe97ebde5dd1bdebba4d397e5e69", + "search_line": 6 }, { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", "line": 40, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "Queue", + "resourceName": "test-queue4", + "searchKey": "spec.resources.base.metadata.name={{test-queue4}}.spec.forProvider", + "searchValue": "", + "expectedValue": "kmsMasterKeyId should be defined", + "actualValue": "kmsMasterKeyId is not defined", + "issueType": "MissingAttribute", + "similarityID": "12a532cba54d9ca865bf6e8357d65baffac28b6d5b762bbb4e00c4a3f5e706b1", + "search_line": 40 } ] diff --git a/assets/queries/crossplane/azure/aks_rbac_disabled/test/positive_expected_result.json b/assets/queries/crossplane/azure/aks_rbac_disabled/test/positive_expected_result.json index 1c265a231ce..2df53207895 100644 --- a/assets/queries/crossplane/azure/aks_rbac_disabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/azure/aks_rbac_disabled/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "AKS RBAC Disabled", "severity": "MEDIUM", "line": 13, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "AKSCluster", + "resourceName": "anais-crossplane-demo", + "searchKey": "metadata.name={{anais-crossplane-demo}}.spec.disableRBAC", + "searchValue": "", + "expectedValue": "disableRBAC should be set to false", + "actualValue": "disableRBAC is set to true", + "issueType": "IncorrectValue", + "similarityID": "1d12b5bcaf4e3cb9089ef43aca6a3dc0bc460519f33031a2d5397e461b669428", + "search_line": 13 }, { "queryName": "AKS RBAC Disabled", "severity": "MEDIUM", "line": 40, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "AKSCluster", + "resourceName": "anais-crossplane-demo", + "searchKey": "spec.resources.base.metadata.name={{anais-crossplane-demo}}.spec.disableRBAC", + "searchValue": "", + "expectedValue": "disableRBAC should be set to false", + "actualValue": "disableRBAC is set to true", + "issueType": "IncorrectValue", + "similarityID": "7135551b97d537375c8c7ffeeef4b09d46edd7241209d6f4396f2f7008d39045", + "search_line": 40 } ] diff --git a/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json b/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json index 794ace29ea3..08e2446140d 100644 --- a/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json +++ b/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Redis Cache Allows Non SSL Connections", "severity": "MEDIUM", "line": 14, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "Redis", + "resourceName": "azureRedis3", + "searchKey": "metadata.name={{azureRedis3}}.spec.forProvider.enableNonSslPort", + "searchValue": "", + "expectedValue": "enableNonSslPort should be set to false or undefined", + "actualValue": "enableNonSslPort is set to true", + "issueType": "IncorrectValue", + "similarityID": "ee1b3402911788a586c449f2adab4c5d183a9e8b396d7094d3858f4477f0d114", + "search_line": 14 } ] diff --git a/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json b/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json index 011456b8a0d..8063869c918 100644 --- a/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Cloud Storage Bucket Logging Not Enabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "Bucket", + "resourceName": "bucketSample", + "searchKey": "metadata.name={{bucketSample}}.spec", + "searchValue": "", + "expectedValue": "Bucket logging should be defined", + "actualValue": "Bucket logging is not defined", + "issueType": "MissingAttribute", + "similarityID": "cffc02a3c9c7912276e8aecb9709d9bb39a569239c1949c96271a21e7a095a02", + "search_line": 5 } -] \ No newline at end of file +] diff --git a/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json b/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json index 1c81ab5ef46..104ecabb9cb 100644 
--- a/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json +++ b/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "Google Container Node Pool Auto Repair Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "NodePool", + "resourceName": "cluster-np", + "searchKey": "metadata.name={{cluster-np}}.spec.forProvider", + "searchValue": "", + "expectedValue": "management should be defined with autoRepair set to true", + "actualValue": "management is not defined", + "issueType": "MissingAttribute", + "similarityID": "f59015a3703008c2ca1139a6f01d5defc2f3699c3cb680227ab9c79137f30cac", + "search_line": 6 }, { "queryName": "Google Container Node Pool Auto Repair Disabled", "severity": "MEDIUM", "line": 27, - "fileName": "positive.yaml" + "fileName": "positive.yaml", + "resourceType": "NodePool", + "resourceName": "cluster-np", + "searchKey": "metadata.name={{cluster-np}}.spec.forProvider.management.autoRepair", + "searchValue": "", + "expectedValue": "autoRepair should be set to true", + "actualValue": "autoRepair is set to false", + "issueType": "IncorrectValue", + "similarityID": "52700d457adc710e6b2b04046e77d2c4989760b82e6aca224808864ba48734c6", + "search_line": 27 } ] diff --git a/assets/queries/dockerCompose/cgroup_not_default/test/positive_expected_result.json b/assets/queries/dockerCompose/cgroup_not_default/test/positive_expected_result.json index 9e2cf0047c4..9f401da5d1b 100644 --- a/assets/queries/dockerCompose/cgroup_not_default/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/cgroup_not_default/test/positive_expected_result.json 
@@ -1,8 +1,17 @@ [ - { - "queryName": "Cgroup Not Default", - "severity": "MEDIUM", - "line": 9, - "filename": "positive1.yaml" - } + { + "queryName": "Cgroup Not Default", + "severity": "MEDIUM", + "line": 9, + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.iperfclient.cgroup_parent", + "searchValue": "", + "expectedValue": "Cgroup_parent should be undefined", + "actualValue": "Cgroup_parent is defined. Only use this when strictly required.", + "issueType": "IncorrectValue", + "similarityID": "00eaca59a0539a8b0ef408c8649ea13c9975e8bfac127eeb07d60aa295b92707", + "search_line": 9 + } ] diff --git a/assets/queries/dockerCompose/container_capabilities_unrestricted/test/positive_expected_result.json b/assets/queries/dockerCompose/container_capabilities_unrestricted/test/positive_expected_result.json index 476e375f089..8989412128f 100644 --- a/assets/queries/dockerCompose/container_capabilities_unrestricted/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/container_capabilities_unrestricted/test/positive_expected_result.json 
@@ -2,31 +2,76 @@ { "queryName": "Container Capabilities Unrestricted", "severity": "MEDIUM", - "line": 13, - "filename": "positive1.yaml" + "line": 4, + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp", + "searchValue": "", + "expectedValue": "Docker compose file to have 'cap_drop' attribute", + "actualValue": "Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.", + "issueType": "MissingAttribute", + "similarityID": "f74bf30f3a685f374076c5c40b2e0fa5e1fc1d36e1ed0aabc472da6f0e3c85f4", + "search_line": 4 }, { "queryName": "Container Capabilities Unrestricted", "severity": "MEDIUM", - "line": 4, - "filename": "positive1.yaml" + "line": 13, + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.cap_add", + "searchValue": "", + "expectedValue": "Make sure you only add the necessary capabilities to your container.", + "actualValue": "Docker compose file has 'cap_add' attribute.", + "issueType": "IncorrectValue", + "similarityID": "0dd9980fab4e7c6394406759ea745b9e552381637102a4b276d7972021206eff", + "search_line": 13 }, { "queryName": "Container Capabilities Unrestricted", "severity": "MEDIUM", "line": 13, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.cap_add", + "searchValue": "", + "expectedValue": "Make sure you only add the necessary capabilities to your container.", + "actualValue": "Docker compose file has 'cap_add' attribute.", + "issueType": "IncorrectValue", + "similarityID": "e8abdf77ccdf61985c7636b4134a0fc5c9698f6509f3edaf130bf792b4b7562c", + "search_line": 13 }, { "queryName": "Container Capabilities Unrestricted", "severity": "MEDIUM", "line": 13, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.cap_add", + 
"searchValue": "", + "expectedValue": "Make sure you only add the necessary capabilities to your container.", + "actualValue": "Docker compose file has 'cap_add' attribute.", + "issueType": "IncorrectValue", + "similarityID": "0574d01a91cd3293a619da644af3fe3f4ff5e0397c69e13fde0356f0ecddd0f1", + "search_line": 13 }, { "queryName": "Container Capabilities Unrestricted", "severity": "MEDIUM", "line": 4, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp", + "searchValue": "", + "expectedValue": "Docker compose file to have 'cap_drop' attribute", + "actualValue": "Docker compose file doesn't have 'cap_drop' attribute. Make sure your container only has necessary capabilities.", + "issueType": "MissingAttribute", + "similarityID": "abfbf82f02e4f47f7b298ac15b7af8f5f7e855505937534c1fb4d1d4144db185", + "search_line": 4 } -] \ No newline at end of file +] diff --git a/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/positive_expected_result.json b/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/positive_expected_result.json index cda368e50d8..340add5ec53 100644 --- a/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "Container Traffic Not Bound To Host Interface", "severity": "MEDIUM", "line": 11, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute bound to a specific host interface.", + "actualValue": "Docker compose file doesn't have 'ports' attribute bound to a specific host interface", + "issueType": "IncorrectValue", + "similarityID": "90206f3947dc15b18af97d3a1971a1d447cfab9decd33b4e75b2f891ffd8a349", + "search_line": 11 }, { "queryName": "Container Traffic Not Bound To Host Interface", "severity": "MEDIUM", "line": 11, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute bound to a specific host interface.", + "actualValue": "Docker compose file doesn't have 'ports' attribute bound to a specific host interface", + "issueType": "IncorrectValue", + "similarityID": "347e40948e9b94f13139b1b9a8a22dcd99c2a9dda5ef62569af1f8216e0d68dd", + "search_line": 11 }, { "queryName": "Container Traffic Not Bound To Host Interface", "severity": "MEDIUM", "line": 11, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute bound to a specific host interface.", + "actualValue": "Docker compose file doesn't have 'ports' attribute bound to a specific host interface", + "issueType": "IncorrectValue", + "similarityID": "cf1593043de9298522ae13ec0f93db5dd1b584d223623dd798e6d7e3263c9594", + "search_line": 11 } ] 
diff --git a/assets/queries/dockerCompose/cpus_not_limited/test/positive_expected_result.json b/assets/queries/dockerCompose/cpus_not_limited/test/positive_expected_result.json index ba658c797a9..8282a3db858 100644 --- a/assets/queries/dockerCompose/cpus_not_limited/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/cpus_not_limited/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "Cpus Not Limited", "severity": "LOW", "line": 9, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.zapzop.deploy.resources.limits", + "searchValue": "", + "expectedValue": "'deploy.resources.limits.cpus' should be defined", + "actualValue": "'deploy.resources.limits.cpus' is not defined", + "issueType": "MissingAttribute", + "similarityID": "4fb2fe485d164cfda1382717e4253023c924c879da77df642b663c5b25a4b435", + "search_line": 9 }, { "queryName": "Cpus Not Limited", "severity": "LOW", "line": 4, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.criwhat", + "searchValue": "", + "expectedValue": "For cpus priority should be declared.", + "actualValue": "There is no cpus priority declared.", + "issueType": "MissingAttribute", + "similarityID": "01e0f5ea29c9b5869f0a69c40b29a8bfccdf4c286bf81a64e362652168fe301a", + "search_line": 4 }, { "queryName": "Cpus Not Limited", "severity": "LOW", "line": 3, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.zapzop", + "searchValue": "", + "expectedValue": "'deploy.resources.limits.cpus' should be defined", + "actualValue": "'deploy' is not defined", + "issueType": "MissingAttribute", + "similarityID": "e2a249f23dcada6fc9ee0595b186f3712f573f0aad91cb7fc48a6f97353ba765", + "search_line": 3 }, { "queryName": "Cpus Not Limited", "severity": "LOW", "line": 7, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.zapzop.deploy", + "searchValue": "", + "expectedValue": "'deploy.resources' should be defined", + "actualValue": "'deploy.resources' is not defined", + "issueType": "MissingAttribute", + "similarityID": "411ff1d7fb0c8b91cef184449620032920cfa171133c99b2be56f2f19ced3442", + 
"search_line": 7 }, { "queryName": "Cpus Not Limited", "severity": "LOW", "line": 5, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.redis.deploy", + "searchValue": "", + "expectedValue": "'deploy.resources' should be defined", + "actualValue": "'deploy.resources' is not defined", + "issueType": "MissingAttribute", + "similarityID": "e11fb7a793c40ac63373f7634b4ef19ef794208181ce97caeef16b5b2e084e27", + "search_line": 5 }, { "queryName": "Cpus Not Limited", "severity": "LOW", "line": 8, - "filename": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.zapzop.deploy.resources", + "searchValue": "", + "expectedValue": "'deploy.resources.limits' should be defined", + "actualValue": "'deploy.resources.limits' is not defined", + "issueType": "MissingAttribute", + "similarityID": "98429a58e19804dc5ed7858a77db86fa59a513944a41ad50436a20a3e26c47b4", + "search_line": 8 } ] diff --git a/assets/queries/dockerCompose/default_seccomp_profile_disabled/test/positive_expected_result.json b/assets/queries/dockerCompose/default_seccomp_profile_disabled/test/positive_expected_result.json index 29d6e88b80a..cfa01a68eef 100644 --- a/assets/queries/dockerCompose/default_seccomp_profile_disabled/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/default_seccomp_profile_disabled/test/positive_expected_result.json 
@@ -1,14 +1,32 @@ [ - { - "queryName": "Default Seccomp Profile Disabled", - "severity": "MEDIUM", - "line": 13, - "filename": "positive1.yaml" - }, - { - "queryName": "Default Seccomp Profile Disabled", - "severity": "MEDIUM", - "line": 10, - "filename": "positive2.yaml" - } + { + "queryName": "Default Seccomp Profile Disabled", + "severity": "MEDIUM", + "line": 13, + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.demo.security_opt", + "searchValue": "", + "expectedValue": "Seccomp default profile to not be disabled.", + "actualValue": "Seccomp default profile is disabled.", + "issueType": "IncorrectValue", + "similarityID": "5e5b3f3bee5bc36f242bcdeca576d884f3fff99ac3a0f4037c407e2db1e85502", + "search_line": 13 + }, + { + "queryName": "Default Seccomp Profile Disabled", + "severity": "MEDIUM", + "line": 10, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.example.security_opt", + "searchValue": "", + "expectedValue": "Seccomp default profile to not be disabled.", + "actualValue": "Seccomp default profile is disabled.", + "issueType": "IncorrectValue", + "similarityID": "7acec50ea438a60d5de1dbc2d1117a87d18930530afc9a3c86439612fca532af", + "search_line": 10 + } ] diff --git a/assets/queries/dockerCompose/docker_socket_mounted_in_container/test/positive_expected_result.json b/assets/queries/dockerCompose/docker_socket_mounted_in_container/test/positive_expected_result.json index c078e90a7fb..fa3f657ab19 100644 --- a/assets/queries/dockerCompose/docker_socket_mounted_in_container/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/docker_socket_mounted_in_container/test/positive_expected_result.json 
@@ -1,8 +1,17 @@ [ - { - "queryName": "Docker Socket Mounted In Container", - "severity": "HIGH", - "line": 9, - "filename": "positive1.yaml" - } + { + "queryName": "Docker Socket Mounted In Container", + "severity": "HIGH", + "line": 9, + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.service1.volumes", + "searchValue": "", + "expectedValue": "To not have docker socket named 'docker.sock' mounted in a volume", + "actualValue": "There is a docker socket named 'docker.sock' mounted in a volume", + "issueType": "IncorrectValue", + "similarityID": "bbb7781cc66360dc020635d3c8cc7f81b7b9d5746e41d86c7586f21c4c502032", + "search_line": 9 + } ] diff --git a/assets/queries/dockerCompose/healthcheck_not_set/test/positive_expected_result.json b/assets/queries/dockerCompose/healthcheck_not_set/test/positive_expected_result.json index 22272ad13eb..89b7794669a 100644 --- a/assets/queries/dockerCompose/healthcheck_not_set/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/healthcheck_not_set/test/positive_expected_result.json 
@@ -1,20 +1,47 @@ [ - { - "queryName": "Healthcheck Not Set", - "severity": "MEDIUM", - "line": 4, - "filename": "positive1.yaml" - }, - { - "queryName": "Healthcheck Not Set", - "severity": "MEDIUM", - "line": 14, - "filename": "positive2.yaml" - }, - { - "queryName": "Healthcheck Not Set", - "severity": "MEDIUM", - "line": 14, - "filename": "positive3.yaml" - } + { + "queryName": "Healthcheck Not Set", + "severity": "MEDIUM", + "line": 4, + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.lelele-service", + "searchValue": "", + "expectedValue": "Healthcheck should be defined.", + "actualValue": "Healthcheck is not defined.", + "issueType": "MissingAttribute", + "similarityID": "b85f5e4a0fa11efa5e5b6a5e20e6a5cc5441728e49e8696e8e2f7b53b8934afe", + "search_line": 4 + }, + { + "queryName": "Healthcheck Not Set", + "severity": "MEDIUM", + "line": 14, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.lelele-service.healthcheck.disable", + "searchValue": "", + "expectedValue": "Healthcheck should be enabled.", + "actualValue": "Healthcheck is disabled.", + "issueType": "IncorrectValue", + "similarityID": "98573383519421a37c0cfe61b11e31ca1460291a13953ec4faf362da6cb4206c", + "search_line": 14 + }, + { + "queryName": "Healthcheck Not Set", + "severity": "MEDIUM", + "line": 14, + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.lelele-service.healthcheck.test", + "searchValue": "", + "expectedValue": "Healthcheck should be enabled.", + "actualValue": "Healthcheck is disabled.", + "issueType": "IncorrectValue", + "similarityID": "26dc41bda21f0b9a565f489bddf66f663a71f8ab420dfe778c7424dae684e337", + "search_line": 14 + } ] 
diff --git a/assets/queries/dockerCompose/host_namespace_is_shared/test/positive_expected_result.json b/assets/queries/dockerCompose/host_namespace_is_shared/test/positive_expected_result.json index 3a17ab2508c..d8c1778a726 100644 --- a/assets/queries/dockerCompose/host_namespace_is_shared/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/host_namespace_is_shared/test/positive_expected_result.json 
@@ -1,20 +1,47 @@ [ - { - "queryName": "Host Namespace is Shared", - "severity": "MEDIUM", - "line": 10, - "filename": "positive1.yaml" - }, - { - "queryName": "Host Namespace is Shared", - "severity": "MEDIUM", - "line": 6, - "filename": "positive2.yaml" - }, - { - "queryName": "Host Namespace is Shared", - "severity": "MEDIUM", - "line": 11, - "filename": "positive3.yaml" - } - ] + { + "queryName": "Host Namespace is Shared", + "severity": "MEDIUM", + "line": 10, + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.service_name_1.pid", + "searchValue": "", + "expectedValue": "There shouldn't be pid mode declared as host", + "actualValue": "There is a pid mode declared as host", + "issueType": "IncorrectValue", + "similarityID": "88dc148e3d6283fd97bc9370101cd1aec52070b78bf1d8bc71e8e4cc068e4bb0", + "search_line": 10 + }, + { + "queryName": "Host Namespace is Shared", + "severity": "MEDIUM", + "line": 6, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.service_name_2.pid", + "searchValue": "", + "expectedValue": "There shouldn't be pid mode declared as host", + "actualValue": "There is a pid mode declared as host", + "issueType": "IncorrectValue", + "similarityID": "72e73c0d3096425995e8e057b4f0ff08aed4375ff206ba0d85a71b13a2e647cf", + "search_line": 6 + }, + { + "queryName": "Host Namespace is Shared", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.internal.pid", + "searchValue": "", + "expectedValue": "There shouldn't be pid mode declared as host", + "actualValue": "There is a pid mode declared as host", + "issueType": "IncorrectValue", + "similarityID": "e26feec2f2659bca4653c12b861979292e9cf99e0b304f542cf21555ae17aa2f", + "search_line": 11 + } +] 
diff --git a/assets/queries/dockerCompose/memory_not_limited/test/positive_expected_result.json b/assets/queries/dockerCompose/memory_not_limited/test/positive_expected_result.json index dc2ba07fd8e..2f5ca04ba3e 100644 --- a/assets/queries/dockerCompose/memory_not_limited/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/memory_not_limited/test/positive_expected_result.json 
@@ -1,38 +1,92 @@ [ - { - "queryName": "Memory Not Limited", - "severity": "MEDIUM", - "line": 9, - "filename": "positive1.yaml" - }, - { - "queryName": "Memory Not Limited", - "severity": "MEDIUM", - "line": 4, - "filename": "positive2.yaml" - }, - { - "queryName": "Memory Not Limited", - "severity": "MEDIUM", - "line": 3, - "filename": "positive3.yaml" - }, - { - "queryName": "Memory Not Limited", - "severity": "MEDIUM", - "line": 7, - "filename": "positive3.yaml" - }, - { - "queryName": "Memory Not Limited", - "severity": "MEDIUM", - "line": 8, - "filename": "positive4.yaml" - }, - { - "queryName": "Memory Not Limited", - "severity": "MEDIUM", - "line": 5, - "filename": "positive5.yaml" - } - ] + { + "queryName": "Memory Not Limited", + "severity": "MEDIUM", + "line": 9, + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.zapzop.deploy.resources.limits", + "searchValue": "", + "expectedValue": "'deploy.resources.limits.memory' should be defined", + "actualValue": "'deploy.resources.limits.memory' is not defined", + "issueType": "MissingAttribute", + "similarityID": "6ea74f9b8e2abf61f7f109fc4dacb0b55a5c17348b00f059d8f1f02c56b0d8a6", + "search_line": 9 + }, + { + "queryName": "Memory Not Limited", + "severity": "MEDIUM", + "line": 4, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.criwhat", + "searchValue": "", + "expectedValue": "For mem_limit should be declared.", + "actualValue": "There is no mem_limit declared.", + "issueType": "MissingAttribute", + "similarityID": "c3ade69521dc45cf8e3b59ab11bf9e556160aa4fd1c81f3e04b714c98c89a558", + "search_line": 4 + }, + { + "queryName": "Memory Not Limited", + "severity": "MEDIUM", + "line": 3, + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.zapzop", + "searchValue": "", + "expectedValue": "'deploy.resources.limits.memory' should be defined", + "actualValue": "'deploy' 
is not defined", + "issueType": "MissingAttribute", + "similarityID": "33db19bd4e91454146f18b05f8f936aa49c593155611aff3e177837c60107d66", + "search_line": 3 + }, + { + "queryName": "Memory Not Limited", + "severity": "MEDIUM", + "line": 7, + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.zapzop.deploy", + "searchValue": "", + "expectedValue": "'deploy.resources' should be defined", + "actualValue": "'deploy.resources' is not defined", + "issueType": "MissingAttribute", + "similarityID": "5cdd2d98316be66547582a0437e5768ec03b6966d5b596a4dadf4799e0752e19", + "search_line": 7 + }, + { + "queryName": "Memory Not Limited", + "severity": "MEDIUM", + "line": 8, + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.zapzop.deploy.resources", + "searchValue": "", + "expectedValue": "'deploy.resources.limits' should be defined", + "actualValue": "'deploy.resources.limits' is not defined", + "issueType": "MissingAttribute", + "similarityID": "dc0aa47ed7f98b13ae28e63731be4862ce8d562a648755cf024f07253c327a05", + "search_line": 8 + }, + { + "queryName": "Memory Not Limited", + "severity": "MEDIUM", + "line": 5, + "fileName": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.redis.deploy", + "searchValue": "", + "expectedValue": "'deploy.resources' should be defined", + "actualValue": "'deploy.resources' is not defined", + "issueType": "MissingAttribute", + "similarityID": "0ccf9210f496f76f3cd3bbc6d348a4b64623f1c79364a128856ed9770a7d095f", + "search_line": 5 + } +] diff --git a/assets/queries/dockerCompose/no_new_privileges_not_set/test/positive_expected_result.json b/assets/queries/dockerCompose/no_new_privileges_not_set/test/positive_expected_result.json index 904cf5d83a0..9e383903bc2 100644 --- a/assets/queries/dockerCompose/no_new_privileges_not_set/test/positive_expected_result.json 
+++ b/assets/queries/dockerCompose/no_new_privileges_not_set/test/positive_expected_result.json @@ -1,14 +1,32 @@ [ - { - "queryName": "No New Privileges Not Set", - "severity": "HIGH", - "line": 12, - "filename": "positive1.yaml" - }, - { - "queryName": "No New Privileges Not Set", - "severity": "HIGH", - "line": 12, - "filename": "positive2.yaml" - } + { + "queryName": "No New Privileges Not Set", + "severity": "HIGH", + "line": 12, + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.service-service-service.security_opt", + "searchValue": "", + "expectedValue": "no-new-privileges should be set in security_opt.", + "actualValue": "no-new-privileges is not set in security_opt", + "issueType": "MissingAttribute", + "similarityID": "5cf9b49dd27860279e455df73c954bcbba101b774e7ab6bc680f023e946403b2", + "search_line": 12 + }, + { + "queryName": "No New Privileges Not Set", + "severity": "HIGH", + "line": 12, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.service-service-service.security_opt", + "searchValue": "", + "expectedValue": "no-new-privileges should be set in security_opt.", + "actualValue": "no-new-privileges is not set in security_opt", + "issueType": "MissingAttribute", + "similarityID": "a3abbd03f39bc43027f8391ffadd92c8b33f0606fcb1eb7e6fecbad7bc402a38", + "search_line": 12 + } ] diff --git a/assets/queries/dockerCompose/pids_limit_not_set/test/positive_expected_result.json b/assets/queries/dockerCompose/pids_limit_not_set/test/positive_expected_result.json index c662bfd1292..19a7a8ef9a1 100644 --- a/assets/queries/dockerCompose/pids_limit_not_set/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/pids_limit_not_set/test/positive_expected_result.json 
@@ -1,14 +1,32 @@ [ - { - "queryName": "Pids Limit Not Set", - "severity": "MEDIUM", - "line": 7, - "filename": "positive1.yaml" - }, - { - "queryName": "Pids Limit Not Set", - "severity": "MEDIUM", - "line": 12, - "filename": "positive2.yaml" - } + { + "queryName": "Pids Limit Not Set", + "severity": "MEDIUM", + "line": 7, + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.auth", + "searchValue": "", + "expectedValue": "Pids_limit should be defined.", + "actualValue": "Pids_limit is not defined.", + "issueType": "MissingAttribute", + "similarityID": "3eccf82bd2232cf521efed84db7aa90ff9d6bf8cf20291afa268f56adb4fabc1", + "search_line": 7 + }, + { + "queryName": "Pids Limit Not Set", + "severity": "MEDIUM", + "line": 12, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.auth.pids_limit", + "searchValue": "", + "expectedValue": "Pids_limit should be limited.", + "actualValue": "Pids_limit is not limited.", + "issueType": "IncorrectValue", + "similarityID": "0e97ecb5f84ab84194f889eafa10b1582be5ff4a24873218017fda1658152647", + "search_line": 12 + } ] diff --git a/assets/queries/dockerCompose/privileged_containers_enabled/test/positive_expected_result.json b/assets/queries/dockerCompose/privileged_containers_enabled/test/positive_expected_result.json index 880f3c8359a..d934d652505 100644 --- a/assets/queries/dockerCompose/privileged_containers_enabled/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/privileged_containers_enabled/test/positive_expected_result.json 
@@ -1,14 +1,32 @@
 [
- {
- "queryName": "Privileged Containers Enabled",
- "severity": "HIGH",
- "line": 10,
- "filename": "positive1.yaml"
- },
- {
- "queryName": "Privileged Containers Enabled",
- "severity": "HIGH",
- "line": 13,
- "filename": "positive2.yaml"
- }
+ {
+ "queryName": "Privileged Containers Enabled",
+ "severity": "HIGH",
+ "line": 10,
+ "fileName": "positive1.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.webapp.privileged",
+ "searchValue": "",
+ "expectedValue": "Docker compose file to have 'privileged' attribute set to false or not set",
+ "actualValue": "Docker compose file has 'privileged' attribute as true",
+ "issueType": "IncorrectValue",
+ "similarityID": "2ae0eb3f2205a1a2c641060578f372c1e1c6374bc8a8bc82160e0e17ef6de35c",
+ "search_line": 10
+ },
+ {
+ "queryName": "Privileged Containers Enabled",
+ "severity": "HIGH",
+ "line": 13,
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.webapp.privileged",
+ "searchValue": "",
+ "expectedValue": "Docker compose file to have 'privileged' attribute set to false or not set",
+ "actualValue": "Docker compose file has 'privileged' attribute as true",
+ "issueType": "IncorrectValue",
+ "similarityID": "e58252c9b1ad0fce086580f4a8eff56c8ca5295b3ac8e44afe143dab078f7a0a",
+ "search_line": 13
+ }
 ]
diff --git a/assets/queries/dockerCompose/privileged_ports_mapped_in_container/test/positive_expected_result.json b/assets/queries/dockerCompose/privileged_ports_mapped_in_container/test/positive_expected_result.json
index 4f29698ae01..68683d4076a 100644
--- a/assets/queries/dockerCompose/privileged_ports_mapped_in_container/test/positive_expected_result.json
+++ b/assets/queries/dockerCompose/privileged_ports_mapped_in_container/test/positive_expected_result.json
@@ -1,80 +1,197 @@ [ - { - "queryName": "Privileged Ports Mapped In Container", - "severity": "MEDIUM", - "line": 12, - "filename": "positive1.yaml" - }, - { - "queryName": "Privileged Ports Mapped In Container", - "severity": "MEDIUM", - "line": 11, - "filename": "positive7.yaml" - }, - { - "queryName": "Privileged Ports Mapped In Container", - "severity": "MEDIUM", - "line": 11, - "filename": "positive5.yaml" - }, - { - "queryName": "Privileged Ports Mapped In Container", - "severity": "MEDIUM", - "line": 11, - "filename": "positive2.yaml" - }, - { - "queryName": "Privileged Ports Mapped In Container", - "severity": "MEDIUM", - "line": 11, - "filename": "positive4.yaml" - }, - { - "queryName": "Privileged Ports Mapped In Container", - "severity": "MEDIUM", - "line": 11, - "filename": "positive8.yaml" - }, - { - "queryName": "Privileged Ports Mapped In Container", - "severity": "MEDIUM", - "line": 5, - "filename": "positive1.yaml" - }, - { - "queryName": "Privileged Ports Mapped In Container", - "severity": "MEDIUM", - "line": 11, - "filename": "positive10.yaml" - }, - { - "queryName": "Privileged Ports Mapped In Container", - "severity": "MEDIUM", - "line": 11, - "filename": "positive6.yaml" - }, - { - "queryName": "Privileged Ports Mapped In Container", - "severity": "MEDIUM", - "line": 11, - "filename": "positive11.yaml" - }, - { - "queryName": "Privileged Ports Mapped In Container", - "severity": "MEDIUM", - "line": 11, - "filename": "positive3.yaml" - }, - { - "queryName": "Privileged Ports Mapped In Container", - "severity": "MEDIUM", - "line": 11, - "filename": "positive9.yaml" - }, - { - "queryName": "Privileged Ports Mapped In Container", - "severity": "MEDIUM", - "line": 11, - "filename": "positive12.yaml" - } + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 5, + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.dhcpd.ports", + "searchValue": "", + 
"expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue", + "similarityID": "2beabfce9c06a1811183b09936119dd29de3f7bb3836257855b81a5c8bb68b56", + "search_line": 5 + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 12, + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.dhcp_client.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue", + "similarityID": "3e8bb918c713dfe636365ead13442bceaf38a3908b84b41edf1a8717a3eb5af9", + "search_line": 12 + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue", + "similarityID": "8f4e0d4203c1372854714b42a854a0b2febf8df76aebf9196fae75dcc907a698", + "search_line": 11 + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue", + "similarityID": 
"4ba19d7087240453528bd991ca88e1714c7ada9361b2ef0f94f977ed95f04731", + "search_line": 11 + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue", + "similarityID": "e7418329e1f31b65fea3ab927cff25dc280b2174daa782428c70adc4213aa114", + "search_line": 11 + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue", + "similarityID": "f4a1a52e700cf4db7c5ddbc70928c9a8e344d424a071e2f5c1f83e2b18cceb5b", + "search_line": 11 + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue", + "similarityID": "c7f3bfa9cc3d9358e607ef97585168b923bc2da3d5aac927aec559337f31a2be", + "search_line": 11 + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive7.yaml", + "resourceType": "", + "resourceName": "", 
+ "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue", + "similarityID": "83e1a0ba6d60aa768e7bdf3098d78164af568c5361f83afe8620398cb92ddff5", + "search_line": 11 + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue", + "similarityID": "73ccca8bab821af3d80fe2aeed92b036194614abcb77282a61396a2ce11379b5", + "search_line": 11 + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive9.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue", + "similarityID": "7ffe3051df6c5451fd1c31a035370a1e3ee0b521cf7437cb45be19bfe67d9af8", + "search_line": 11 + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive10.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + 
"issueType": "IncorrectValue", + "similarityID": "572d3829b2014d34ff5b45733ce962a9367e7ef61ef72a049e2e1846772cda04", + "search_line": 11 + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive11.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue", + "similarityID": "6e76000de25ca7949b7e19d26163525018f5a4e50d4429ca51df221bb059f6e8", + "search_line": 11 + }, + { + "queryName": "Privileged Ports Mapped In Container", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive12.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp.ports", + "searchValue": "", + "expectedValue": "Docker compose file to have 'ports' attribute not set to privileged ports (<1024).", + "actualValue": "Docker compose file has 'ports' attribute set to privileged ports (<1024).", + "issueType": "IncorrectValue", + "similarityID": "d08fc1421bcf15b3743533ab870ea9ab5cdcb9f19c72d77417513dc753674ee1", + "search_line": 11 + } ] diff --git a/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/test/positive_expected_result.json b/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/test/positive_expected_result.json index bf96e318d8c..ff7d49957b9 100644 --- a/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5/test/positive_expected_result.json 
@@ -3,30 +3,75 @@ "queryName": "Restart Policy On Failure Not Set To 5", "severity": "MEDIUM", "line": 6, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.customer.restart", + "searchValue": "", + "expectedValue": "on-failure restart attempts should be 5", + "actualValue": "on-failure restart attempts are not 5", + "issueType": "IncorrectValue", + "similarityID": "3c6e231b4328da584e7d8838dc935d832bf737da6de395f197488fe0fc606ee0", + "search_line": 6 }, { "queryName": "Restart Policy On Failure Not Set To 5", "severity": "MEDIUM", "line": 17, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.customer.deploy.restart_policy.max_attempts", + "searchValue": "", + "expectedValue": "on-failure restart attempts should be 5", + "actualValue": "on-failure restart attempts are not 5", + "issueType": "IncorrectValue", + "similarityID": "642d759db34cd96dfe2c61916891c36610d13f6a0bb65a265f84f9790bb384a7", + "search_line": 17 }, { "queryName": "Restart Policy On Failure Not Set To 5", "severity": "MEDIUM", "line": 15, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.name_of_service.restart", + "searchValue": "", + "expectedValue": "on-failure restart attempts should be 5", + "actualValue": "on-failure restart attempts are not 5", + "issueType": "IncorrectValue", + "similarityID": "140b3e9b846d01c55bad0faece35b04c519e6048d68f42889be6ad0f610438d5", + "search_line": 15 }, { "queryName": "Restart Policy On Failure Not Set To 5", "severity": "MEDIUM", "line": 6, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.customer.restart", + "searchValue": "", + "expectedValue": "on-failure restart attempts should be 5", + "actualValue": "on-failure restart attempts are 
not 5", + "issueType": "IncorrectValue", + "similarityID": "5bcca09765a5102924874732b5d1be24bb6582e0b4c31a4cd1b5cdd7d18c226b", + "search_line": 6 }, { "queryName": "Restart Policy On Failure Not Set To 5", "severity": "MEDIUM", "line": 17, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.customer.deploy.restart_policy.max_attempts", + "searchValue": "", + "expectedValue": "on-failure restart attempts should be 5", + "actualValue": "on-failure restart attempts are not 5", + "issueType": "IncorrectValue", + "similarityID": "62a6a6ce7e35b342e289934bfdf311a7d5f0bb73ce40bf48d7a4fb348406ef8c", + "search_line": 17 } ] diff --git a/assets/queries/dockerCompose/security_opt_not_set/test/positive_expected_result.json b/assets/queries/dockerCompose/security_opt_not_set/test/positive_expected_result.json index 5f83e948915..fa711b4a61f 100644 --- a/assets/queries/dockerCompose/security_opt_not_set/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/security_opt_not_set/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Security Opt Not Set", "severity": "MEDIUM", "line": 4, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.webapp", + "searchValue": "", + "expectedValue": "Docker compose file to have 'security_opt' attribute", + "actualValue": "Docker compose file does not have 'security_opt' attribute", + "issueType": "MissingAttribute", + "similarityID": "17bd0bcfce4e41039a4b51ed436035d739e6842db0953ba6e693cce4dfc61a82", + "search_line": 4 } ] diff --git a/assets/queries/dockerCompose/shared_host_ipc_namespace/test/positive_expected_result.json b/assets/queries/dockerCompose/shared_host_ipc_namespace/test/positive_expected_result.json index 3963d4a3f4e..89bc63c730e 100644 --- a/assets/queries/dockerCompose/shared_host_ipc_namespace/test/positive_expected_result.json 
+++ b/assets/queries/dockerCompose/shared_host_ipc_namespace/test/positive_expected_result.json
@@ -1,14 +1,32 @@
 [
- {
- "queryName": "Shared Host IPC Namespace",
- "severity": "MEDIUM",
- "line": 10,
- "filename": "positive1.yaml"
- },
- {
- "queryName": "Shared Host IPC Namespace",
- "severity": "MEDIUM",
- "line": 13,
- "filename": "positive2.yaml"
- }
+ {
+ "queryName": "Shared Host IPC Namespace",
+ "severity": "MEDIUM",
+ "line": 10,
+ "fileName": "positive1.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.webapp.privileged",
+ "searchValue": "",
+ "expectedValue": "Docker compose file to have 'ipc' attribute not set to host, or not set",
+ "actualValue": "Docker compose file has 'ipc' attribute as host",
+ "issueType": "IncorrectValue",
+ "similarityID": "483a6009279eed88c424416edcfd25feae9e49a2bc28ea5c7a5b6bdac9538b47",
+ "search_line": 10
+ },
+ {
+ "queryName": "Shared Host IPC Namespace",
+ "severity": "MEDIUM",
+ "line": 13,
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.webapp.privileged",
+ "searchValue": "",
+ "expectedValue": "Docker compose file to have 'ipc' attribute not set to host, or not set",
+ "actualValue": "Docker compose file has 'ipc' attribute as host",
+ "issueType": "IncorrectValue",
+ "similarityID": "cb347a46a84d1f50b8831638ed408f241ed27e5da46c92e9017f6d7e80e97d25",
+ "search_line": 13
+ }
 ]
diff --git a/assets/queries/dockerCompose/shared_host_network_namespace/test/positive_expected_result.json b/assets/queries/dockerCompose/shared_host_network_namespace/test/positive_expected_result.json
index 049396ca1ed..2c0704fd5b4 100644
--- a/assets/queries/dockerCompose/shared_host_network_namespace/test/positive_expected_result.json
+++ b/assets/queries/dockerCompose/shared_host_network_namespace/test/positive_expected_result.json
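Review bot: Both new entries in this hunk pin `"searchKey": "services.webapp.privileged"` for a finding whose expectedValue and actualValue are about the `ipc` attribute, so the fixture now locks in a search key that points at the wrong attribute of the compose service. Because these files are regenerated from scan output, the mismatch is presumably produced by the shared_host_ipc_namespace query's result payload rather than by this file; the key one would expect is `"searchKey": "services.webapp.ipc"`, in line with how the privileged_containers_enabled and shared_host_network_namespace fixtures name the offending attribute. Correcting the query would also change the similarityID values recorded here, so the fixture should be regenerated after the query fix instead of being hand-edited.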
@@ -1,9 +1,17 @@
 [
- {
- "queryName": "Shared Host Network Namespace",
- "severity": "MEDIUM",
- "line": 11,
- "filename": "positive1.yaml"
- }
- ]
- 
\ No newline at end of file
+ {
+ "queryName": "Shared Host Network Namespace",
+ "severity": "MEDIUM",
+ "line": 11,
+ "fileName": "positive1.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.mongo.network_mode",
+ "searchValue": "",
+ "expectedValue": "There shouldn't be network mode declared as host",
+ "actualValue": "There is a network mode declared as host",
+ "issueType": "IncorrectValue",
+ "similarityID": "3288abc6fc17e8a1e384ee7211d398c639e65b5797593d668ddc3ccbc758f893",
+ "search_line": 11
+ }
+]
diff --git a/assets/queries/dockerCompose/shared_host_user_namespace/test/positive_expected_result.json b/assets/queries/dockerCompose/shared_host_user_namespace/test/positive_expected_result.json
index 24517d5ef89..1ee89ec9f56 100644
--- a/assets/queries/dockerCompose/shared_host_user_namespace/test/positive_expected_result.json
+++ b/assets/queries/dockerCompose/shared_host_user_namespace/test/positive_expected_result.json
@@ -3,7 +3,15 @@
 "queryName": "Shared Host User Namespace",
 "severity": "MEDIUM",
 "line": 9,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "services.service1.userns_mode",
+ "searchValue": "",
+ "expectedValue": "Attribute 'userns_mode' should not be set or not set to host",
+ "actualValue": "Attribute 'userns_mode' is set to host",
+ "issueType": "IncorrectValue",
+ "similarityID": "d90bb04aa74c85163c0a6df3fa35685a63203af7aab4da27fdf5e12f3a81f610",
+ "search_line": 9
 }
 ]
- 
\ No newline at end of file
diff --git a/assets/queries/dockerCompose/shared_volumes_between_containers/test/positive_expected_result.json b/assets/queries/dockerCompose/shared_volumes_between_containers/test/positive_expected_result.json
index 4036243d3a3..59dedcee852 100644
--- a/assets/queries/dockerCompose/shared_volumes_between_containers/test/positive_expected_result.json
+++ b/assets/queries/dockerCompose/shared_volumes_between_containers/test/positive_expected_result.json
@@ -1,26 +1,62 @@ [ - { - "queryName": "Shared Volumes Between Containers", - "severity": "INFO", - "line": 9, - "filename": "positive1.yaml" - }, - { - "queryName": "Shared Volumes Between Containers", - "severity": "INFO", - "line": 16, - "filename": "positive1.yaml" - }, - { - "queryName": "Shared Volumes Between Containers", - "severity": "INFO", - "line": 8, - "filename": "positive2.yaml" - }, - { - "queryName": "Shared Volumes Between Containers", - "severity": "INFO", - "line": 17, - "filename": "positive2.yaml" - } + { + "queryName": "Shared Volumes Between Containers", + "severity": "INFO", + "line": 9, + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.frontend.volumes", + "searchValue": "shared", + "expectedValue": "There shouldn't be volumes shared between containers", + "actualValue": "Volume ./logic:/app shared between containers", + "issueType": "IncorrectValue", + "similarityID": "91e8285a01071de29d4734306c423b9a79c6e10a662e8f91fe361988ec5a6378", + "search_line": 9 + }, + { + "queryName": "Shared Volumes Between Containers", + "severity": "INFO", + "line": 16, + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.backend.volumes", + "searchValue": "shared", + "expectedValue": "There shouldn't be volumes shared between containers", + "actualValue": "Volume ./logic:/app shared between containers", + "issueType": "IncorrectValue", + "similarityID": "36093bbddf97e32ae6ee6cfb5db50531cada3ae33d1e4d8f51b9ed8fcb62b6de", + "search_line": 16 + }, + { + "queryName": "Shared Volumes Between Containers", + "severity": "INFO", + "line": 8, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.app.volumes", + "searchValue": "created-and-shared", + "expectedValue": "There shouldn't be volumes created and shared between containers", + "actualValue": "Volume shared-volume created and shared between containers", + "issueType": 
"IncorrectValue", + "similarityID": "08974eb71a788a72794a431cc332f9b64bb4097312fecc52680f0735ba677991", + "search_line": 8 + }, + { + "queryName": "Shared Volumes Between Containers", + "severity": "INFO", + "line": 17, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.checker.volumes", + "searchValue": "created-and-shared", + "expectedValue": "There shouldn't be volumes created and shared between containers", + "actualValue": "Volume shared-volume created and shared between containers", + "issueType": "IncorrectValue", + "similarityID": "78d2dce36f7145e48b3fe4b26a33b67cfac8ada61d903930c0165b76285ef64a", + "search_line": 17 + } ] diff --git a/assets/queries/dockerCompose/volume_has_sensitive_host_directory/test/positive_expected_result.json b/assets/queries/dockerCompose/volume_has_sensitive_host_directory/test/positive_expected_result.json index 0c70a091734..3547c02b684 100644 --- a/assets/queries/dockerCompose/volume_has_sensitive_host_directory/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/volume_has_sensitive_host_directory/test/positive_expected_result.json 
@@ -1,26 +1,62 @@ [ - { - "queryName": "Volume Has Sensitive Host Directory", - "severity": "HIGH", - "line": 11, - "filename": "positive1.yaml" - }, - { - "queryName": "Volume Has Sensitive Host Directory", - "severity": "HIGH", - "line": 18, - "filename": "positive2.yaml" - }, - { - "queryName": "Volume Has Sensitive Host Directory", - "severity": "HIGH", - "line": 14, - "filename": "positive3.yaml" - }, - { - "queryName": "Volume Has Sensitive Host Directory", - "severity": "HIGH", - "line": 11, - "filename": "positive4.yaml" - } + { + "queryName": "Volume Has Sensitive Host Directory", + "severity": "HIGH", + "line": 11, + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.backup.volumes", + "searchValue": "", + "expectedValue": "There shouldn't be sensitive directory mounted as a volume", + "actualValue": "There is a sensitive directory (/var/lib/backup/data) mounted as a volume", + "issueType": "IncorrectValue", + "similarityID": "d61f9cc8e05cddaf3337b35cf2136dd427485fd0864bdb9ceb50a63ce14618ad", + "search_line": 11 + }, + { + "queryName": "Volume Has Sensitive Host Directory", + "severity": "HIGH", + "line": 18, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "volumes.vol.driver_opts.device", + "searchValue": "", + "expectedValue": "There shouldn't be sensitive directory mounted as a volume", + "actualValue": "There is a sensitive directory (/var/lib/backup/data) mounted as a volume", + "issueType": "IncorrectValue", + "similarityID": "3665ddf21eff8233219845619d445948833f0546e5b924a91db0e93198e16237", + "search_line": 18 + }, + { + "queryName": "Volume Has Sensitive Host Directory", + "severity": "HIGH", + "line": 14, + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "volumes.wp-content.driver_opts.mountpoint", + "searchValue": "", + "expectedValue": "There shouldn't be sensitive directory mounted as a volume", + "actualValue": 
"There is a sensitive directory (/var/data) mounted as a volume", + "issueType": "IncorrectValue", + "similarityID": "646228fa710ff0cd5736092d39054d0e24c3609147dd72156764d210e3038fe5", + "search_line": 14 + }, + { + "queryName": "Volume Has Sensitive Host Directory", + "severity": "HIGH", + "line": 11, + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.yesno.volumes.source", + "searchValue": "", + "expectedValue": "There shouldn't be sensitive directory mounted as a volume", + "actualValue": "There is a sensitive directory (/etc/exercise) mounted as a volume", + "issueType": "IncorrectValue", + "similarityID": "fb459ca93b47372a996b6ea4a5e544ab4c8bfd10a2d0bc842ce5baed1fbbdab9", + "search_line": 11 + } ] diff --git a/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/test/positive_expected_result.json b/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/test/positive_expected_result.json index 09452900a9e..1e1d64df6f3 100644 --- a/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/test/positive_expected_result.json +++ b/assets/queries/dockerCompose/volume_mounted_in_multiple_containers/test/positive_expected_result.json 
@@ -1,26 +1,62 @@ [ - { - "queryName": "Volume Mounted In Multiple Containers", - "severity": "HIGH", - "line": 15, - "filename": "positive1.yaml" - }, - { - "queryName": "Volume Mounted In Multiple Containers", - "severity": "HIGH", - "line": 15, - "filename": "positive2.yaml" - }, - { - "queryName": "Volume Mounted In Multiple Containers", - "severity": "HIGH", - "line": 15, - "filename": "positive3.yaml" - }, - { - "queryName": "Volume Mounted In Multiple Containers", - "severity": "HIGH", - "line": 15, - "filename": "positive4.yaml" - } + { + "queryName": "Volume Mounted In Multiple Containers", + "severity": "HIGH", + "line": 15, + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.old8k.volumes.bind.propagation", + "searchValue": "", + "expectedValue": "Volumes should not be mounted in multiple containers", + "actualValue": "Volumes are being mounted in multiple containers, mode: rshared", + "issueType": "IncorrectValue", + "similarityID": "69fb974996bdfda1c9bfa2aaae96ec6236c45f527c3b7ea34d0bf69274d8000e", + "search_line": 15 + }, + { + "queryName": "Volume Mounted In Multiple Containers", + "severity": "HIGH", + "line": 15, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.old8k.volumes.bind.propagation", + "searchValue": "", + "expectedValue": "Volumes should not be mounted in multiple containers", + "actualValue": "Volumes are being mounted in multiple containers, mode: shared", + "issueType": "IncorrectValue", + "similarityID": "8e121b7af6265971ef4516b93b91bf1b515ea00ac5d5dd6485a611e99157237b", + "search_line": 15 + }, + { + "queryName": "Volume Mounted In Multiple Containers", + "severity": "HIGH", + "line": 15, + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.old8k.volumes.bind.propagation", + "searchValue": "", + "expectedValue": "Volumes should not be mounted in multiple containers", + "actualValue": 
"Volumes are being mounted in multiple containers, mode: rslave", + "issueType": "IncorrectValue", + "similarityID": "d2f579eb4c43bbc6b775488a8cafb68c545307e180ad7f546a672d5af245e48a", + "search_line": 15 + }, + { + "queryName": "Volume Mounted In Multiple Containers", + "severity": "HIGH", + "line": 15, + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "services.old8k.volumes.bind.propagation", + "searchValue": "", + "expectedValue": "Volumes should not be mounted in multiple containers", + "actualValue": "Volumes are being mounted in multiple containers, mode: slave", + "issueType": "IncorrectValue", + "similarityID": "4aeb80e6a97e3a54cd3d7eb41fb5ad332aaaa800be25b7fdd7044cc3f52a5215", + "search_line": 15 + } ] diff --git a/assets/queries/dockerfile/add_instead_of_copy/test/positive_expected_result.json b/assets/queries/dockerfile/add_instead_of_copy/test/positive_expected_result.json index 7e9efb25dd7..9db22e5b3a7 100644 --- a/assets/queries/dockerfile/add_instead_of_copy/test/positive_expected_result.json +++ b/assets/queries/dockerfile/add_instead_of_copy/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Add Instead of Copy", "severity": "MEDIUM", - "line": 8 + "line": 8, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{openjdk:10-jdk}}.{{ADD ${JAR_FILE} app.jar}}", + "searchValue": "", + "expectedValue": "'COPY' ${JAR_FILE}", + "actualValue": "'ADD' ${JAR_FILE}", + "issueType": "IncorrectValue", + "similarityID": "e8e377b223eacf8bdca06426cf7af617ab25412c679870a6fd6729b4611a66b3", + "search_line": -1 } ] diff --git a/assets/queries/dockerfile/apk_add_using_local_cache_path/test/positive_expected_result.json b/assets/queries/dockerfile/apk_add_using_local_cache_path/test/positive_expected_result.json index ab094181dbb..144a142c0d1 100644 --- a/assets/queries/dockerfile/apk_add_using_local_cache_path/test/positive_expected_result.json 
+++ b/assets/queries/dockerfile/apk_add_using_local_cache_path/test/positive_expected_result.json
@@ -1,14 +1,32 @@
 [
- {
- "queryName": "Apk Add Using Local Cache Path",
- "severity": "INFO",
- "line": 2,
- "fileName": "positive.dockerfile"
- },
- {
- "queryName": "Apk Add Using Local Cache Path",
- "severity": "INFO",
- "line": 2,
- "fileName": "positive2.dockerfile"
- }
+ {
+ "queryName": "Apk Add Using Local Cache Path",
+ "severity": "INFO",
+ "line": 2,
+ "fileName": "positive2.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{gliderlabs/alpine:3.3}}.{{RUN apk add --update-cache python}}",
+ "searchValue": "",
+ "expectedValue": "'RUN' should not contain 'apk add' command without '--no-cache' switch",
+ "actualValue": "'RUN' contains 'apk add' command without '--no-cache' switch",
+ "issueType": "IncorrectValue",
+ "similarityID": "f872f5a089d6884f57e9305b5ce8b42055dac9ad71eef7bd7d4ee6485cd59543",
+ "search_line": -1
+ },
+ {
+ "queryName": "Apk Add Using Local Cache Path",
+ "severity": "INFO",
+ "line": 2,
+ "fileName": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{gliderlabs/alpine:3.3}}.{{RUN apk add --update-cache python}}",
+ "searchValue": "",
+ "expectedValue": "'RUN' should not contain 'apk add' command without '--no-cache' switch",
+ "actualValue": "'RUN' contains 'apk add' command without '--no-cache' switch",
+ "issueType": "IncorrectValue",
+ "similarityID": "9d74206602aa797d477d3a8173131cbc049e41cbb735a05685a5615f37f76489",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive_expected_result.json
index ab1370df2dd..de6cf4ce84b 100644
--- a/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted/test/positive_expected_result.json 
@@ -3,30 +3,75 @@ "queryName": "Apt Get Install Lists Were Not Deleted", "severity": "INFO", "line": 2, - "fileName": "positive.dockerfile" + "fileName": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox5}}.RUN={{set -eux; \tapt-get update; \tapt-get install -y --no-install-recommends package=0.0.0}}", + "searchValue": "", + "expectedValue": "After using apt-get install, the apt-get lists should be deleted", + "actualValue": "After using apt-get install, the apt-get lists were not deleted", + "issueType": "IncorrectValue", + "similarityID": "56b1a1a6fa4cfd2f8bdd13611e394e9eff045d29fc2de0bb556b1a717cb8cb99", + "search_line": -1 }, { "queryName": "Apt Get Install Lists Were Not Deleted", "severity": "INFO", - "line": 5, - "fileName": "positive.dockerfile" + "line": 2, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox1}}.RUN={{apt-get update && apt-get install --no-install-recommends -y python}}", + "searchValue": "", + "expectedValue": "After using apt-get install, the apt-get lists should be deleted", + "actualValue": "After using apt-get install, the apt-get lists were not deleted", + "issueType": "IncorrectValue", + "similarityID": "c07edd4d624cfe28134599df8890346820acf8d4ba759dbf1892b362a85539e8", + "search_line": -1 }, { "queryName": "Apt Get Install Lists Were Not Deleted", "severity": "INFO", - "line": 8, - "fileName": "positive.dockerfile" + "line": 5, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox2}}.RUN={{apt-get install python}}", + "searchValue": "", + "expectedValue": "After using apt-get install, the apt-get lists should be deleted", + "actualValue": "After using apt-get install, the apt-get lists were not deleted", + "issueType": "IncorrectValue", + "similarityID": "523ae91e156509c6cf08e0feb66e3f8402fd0f08997c1f6d43be28a589b32e17", + "search_line": -1 }, { "queryName": "Apt Get 
Install Lists Were Not Deleted", "severity": "INFO", - "line": 12, - "fileName": "positive.dockerfile" + "line": 8, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install --no-install-recommends -y python}}", + "searchValue": "", + "expectedValue": "After using apt-get install, the apt-get lists should be deleted", + "actualValue": "After using apt-get install, the apt-get lists were not deleted", + "issueType": "IncorrectValue", + "similarityID": "3c8fe0469cd162a01c3884a0cb73776d78d668e099de9607b100fa48c98a47d8", + "search_line": -1 }, { "queryName": "Apt Get Install Lists Were Not Deleted", "severity": "INFO", - "line": 2, - "fileName": "positive2.dockerfile" + "line": 12, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox4}}.RUN={{apt-get update && apt-get install --no-install-recommends -y python}}", + "searchValue": "", + "expectedValue": "After using apt-get install, the apt-get lists should be deleted", + "actualValue": "After using apt-get install, the apt-get lists were not deleted", + "issueType": "IncorrectValue", + "similarityID": "d256b08f1cb7bb7baa1c0a0e9d08db276fb6efec725d3c714b9f3c61c33d88f4", + "search_line": -1 } ] diff --git a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json index f2afe4b4ae2..b65d7cd9a9e 100644 --- a/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json +++ b/assets/queries/dockerfile/apt_get_install_pin_version_not_defined/test/positive_expected_result.json 
@@ -3,96 +3,240 @@ "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", "line": 2, - "fileName": "positive.dockerfile" + "fileName": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox4}}.RUN={{apt-get install python}}", + "searchValue": "python", + "expectedValue": "Package 'python' has version defined", + "actualValue": "Package 'python' does not have version defined", + "issueType": "MissingAttribute", + "similarityID": "6c806aca7e9a5bc8e7ae8fe2bad386ecb076a0402b743960d22becd34076a1fd", + "search_line": -1 }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", "line": 3, - "fileName": "positive.dockerfile" + "fileName": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox4}}.{{RUN [\"apt-get\", \"install\", \"python\"]}}", + "searchValue": "python", + "expectedValue": "Package 'python' has version defined", + "actualValue": "Package 'python' does not have version defined", + "issueType": "IncorrectValue", + "similarityID": "35243c7afe5ca8609b2395065587bc6ed36606e2bcce41e25593ceda64031dca", + "search_line": -1 }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", "line": 6, - "fileName": "positive.dockerfile" + "fileName": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox5}}.RUN={{apt-get install -y -t python}}", + "searchValue": "python", + "expectedValue": "Package 'python' has version defined", + "actualValue": "Package 'python' does not have version defined", + "issueType": "MissingAttribute", + "similarityID": "441df51b0737e6855960ebd79b69c918e13509063e2d0dd32dfc759409638a68", + "search_line": -1 }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", "line": 9, - "fileName": "positive.dockerfile" + "fileName": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": 
"FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", + "searchValue": "python-pip", + "expectedValue": "Package 'python-pip' has version defined", + "actualValue": "Package 'python-pip' does not have version defined", + "issueType": "MissingAttribute", + "similarityID": "f8aa2509ff86f2950ca94982f11857f8a1716c08c9b90998a4736e7d4c134378", + "search_line": -1 }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", "line": 9, - "fileName": "positive.dockerfile" + "fileName": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", + "searchValue": "python-pyside", + "expectedValue": "Package 'python-pyside' has version defined", + "actualValue": "Package 'python-pyside' does not have version defined", + "issueType": "MissingAttribute", + "similarityID": "21e19a27f511fcc87f19b3258c6134f8d7f394d3f7a5a452221277a70c3ba137", + "search_line": -1 }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", "line": 9, - "fileName": "positive.dockerfile" + "fileName": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", + "searchValue": "python-qt4", + "expectedValue": "Package 'python-qt4' has version defined", + "actualValue": "Package 'python-qt4' does not have version defined", + "issueType": "MissingAttribute", + "similarityID": "cf085c6d31c3e81cdad4f9014c096be98047e3a8336c3e1a6d3c024a454408ef", + "search_line": -1 }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", "line": 9, - "fileName": "positive.dockerfile" + "fileName": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": 
"FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", + "searchValue": "python3-pip", + "expectedValue": "Package 'python3-pip' has version defined", + "actualValue": "Package 'python3-pip' does not have version defined", + "issueType": "MissingAttribute", + "similarityID": "246208493d979792971beb1c1185c562fe6be029a321ba54d9927b0052a937b5", + "search_line": -1 }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", "line": 9, - "fileName": "positive.dockerfile" + "fileName": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox6}}.RUN={{apt-get update ; apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", + "searchValue": "python3-pyqt5", + "expectedValue": "Package 'python3-pyqt5' has version defined", + "actualValue": "Package 'python3-pyqt5' does not have version defined", + "issueType": "MissingAttribute", + "similarityID": "7b90e07417dc4698108f6783b0c43c152c21e2f032293a3467138b8430b57036", + "search_line": -1 }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", "line": 2, - "fileName": "positive2.dockerfile" + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox}}.RUN={{apt-get install python}}", + "searchValue": "python", + "expectedValue": "Package 'python' has version defined", + "actualValue": "Package 'python' does not have version defined", + "issueType": "MissingAttribute", + "similarityID": "b8fb5880e4b6a35cfe4ac5cb88e735d495b6334a79e91b60d8bbd9766ab99331", + "search_line": -1 }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", "line": 3, - "fileName": "positive2.dockerfile" + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox}}.{{RUN [\"apt-get\", \"install\", \"python\"]}}", + "searchValue": "python", + 
"expectedValue": "Package 'python' has version defined", + "actualValue": "Package 'python' does not have version defined", + "issueType": "IncorrectValue", + "similarityID": "6484d91d46dd3f2814beb6a17c6cf1aabc90ca10a8abd73823156670adfa2ca9", + "search_line": -1 }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", "line": 6, - "fileName": "positive2.dockerfile" + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox2}}.RUN={{apt-get install -y -t python}}", + "searchValue": "python", + "expectedValue": "Package 'python' has version defined", + "actualValue": "Package 'python' does not have version defined", + "issueType": "MissingAttribute", + "similarityID": "1e5d45ab36c1aa7f2fe93251b303d9cd68f9d81ba4d912214b96bd7eb8ac4d3e", + "search_line": -1 }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.dockerfile" + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", + "searchValue": "python-pip", + "expectedValue": "Package 'python-pip' has version defined", + "actualValue": "Package 'python-pip' does not have version defined", + "issueType": "MissingAttribute", + "similarityID": "6e5bd9ae44dab59784f79e15fce815ae66c32a20ba8911543d8d79f529e98784", + "search_line": -1 }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.dockerfile" + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", + "searchValue": "python-pyside", + "expectedValue": "Package 'python-pyside' has version defined", + "actualValue": "Package 'python-pyside' 
does not have version defined", + "issueType": "MissingAttribute", + "similarityID": "6750b748adad59b376893acecbec3bf31b3ce9390e97fc3227561560db7e21f4", + "search_line": -1 }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.dockerfile" + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", + "searchValue": "python-qt4", + "expectedValue": "Package 'python-qt4' has version defined", + "actualValue": "Package 'python-qt4' does not have version defined", + "issueType": "MissingAttribute", + "similarityID": "0fc40b0196ca3d83c5ca10cf41e12a0d7faa434bff6565e09f37775856ea6615", + "search_line": -1 }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.dockerfile" + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", + "searchValue": "python3-pip", + "expectedValue": "Package 'python3-pip' has version defined", + "actualValue": "Package 'python3-pip' does not have version defined", + "issueType": "MissingAttribute", + "similarityID": "6c05fb5843b892800cfa0a0fb1a563ce02712dceb1fc6ef97fb0cfef9371bc69", + "search_line": -1 }, { "queryName": "Apt Get Install Pin Version Not Defined", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.dockerfile" + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox3}}.RUN={{apt-get update && apt-get install -y python-qt4 python-pyside python-pip python3-pip python3-pyqt5}}", + "searchValue": "python3-pyqt5", + "expectedValue": "Package 'python3-pyqt5' has version defined", + "actualValue": "Package 'python3-pyqt5' does 
not have version defined", + "issueType": "MissingAttribute", + "similarityID": "28e50646c0d09cf4d0bc5269d11ccb285bc1996f1ee5db94c0f799636de3394b", + "search_line": -1 } ] diff --git a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json index eb501cf7739..9ab91ea6eb7 100644 --- a/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json +++ b/assets/queries/dockerfile/apt_get_missing_flags_to_avoid_manual_input/test/positive_expected_result.json 
@@ -3,90 +3,225 @@ "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 2, - "filename": "positive1.dockerfile" + "fileName": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN apt-get install python=2.7}}", + "searchValue": "", + "expectedValue": "{{RUN apt-get install python=2.7}} should avoid manual input", + "actualValue": "{{RUN apt-get install python=2.7}} doesn't avoid manual input", + "issueType": "IncorrectValue", + "similarityID": "15b4a5beeef52826cfe68b3d885f2ccb50ff49a0aae3f3baefd8be2a5c210a90", + "search_line": -1 }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 3, - "filename": "positive1.dockerfile" + "fileName": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN apt-get install apt-utils}}", + "searchValue": "", + "expectedValue": "{{RUN apt-get install apt-utils}} should avoid manual input", + "actualValue": "{{RUN apt-get install apt-utils}} doesn't avoid manual input", + "issueType": "IncorrectValue", + "similarityID": "4ca17592efe08f055bc6dddac956f035e167c4d0ef8054b3a225da7b85251070", + "search_line": -1 }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 4, - "filename": "positive1.dockerfile" + "fileName": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN [\"apt-get\", \"install\", \"apt-utils\"]}}", + "searchValue": "", + "expectedValue": "{{RUN [\"apt-get\", \"install\", \"apt-utils\"]}} should avoid manual input", + "actualValue": "{{RUN [\"apt-get\", \"install\", \"apt-utils\"]}} doesn't avoid manual input", + "issueType": "IncorrectValue", + "similarityID": "905e5238fa58373168fb601ddc6372dd8de27c225bacf5f61c86d0f85fb8a80e", + "search_line": -1 }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 2, - "filename": 
"positive2.dockerfile" + "fileName": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get install python=2.7}}", + "searchValue": "", + "expectedValue": "{{RUN sudo apt-get install python=2.7}} should avoid manual input", + "actualValue": "{{RUN sudo apt-get install python=2.7}} doesn't avoid manual input", + "issueType": "IncorrectValue", + "similarityID": "52324bc09bd6ea4d8c1f28673209bae94ae54ad4e18463e45a3716cf877d6f05", + "search_line": -1 }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 3, - "filename": "positive2.dockerfile" + "fileName": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get install apt-utils}}", + "searchValue": "", + "expectedValue": "{{RUN sudo apt-get install apt-utils}} should avoid manual input", + "actualValue": "{{RUN sudo apt-get install apt-utils}} doesn't avoid manual input", + "issueType": "IncorrectValue", + "similarityID": "7a548d0f2c5b565d97a4536f86b90e64fca4a9d0e0a15c318c35444fa798d13f", + "search_line": -1 }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 4, - "filename": "positive2.dockerfile" + "fileName": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN [\"sudo\", \"apt-get\", \"install\", \"apt-utils\"]}}", + "searchValue": "", + "expectedValue": "{{RUN [\"sudo\", \"apt-get\", \"install\", \"apt-utils\"]}} should avoid manual input", + "actualValue": "{{RUN [\"sudo\", \"apt-get\", \"install\", \"apt-utils\"]}} doesn't avoid manual input", + "issueType": "IncorrectValue", + "similarityID": "40c50ebf3e48a157c14416047b586507bae22383348f697246098916304d376c", + "search_line": -1 }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 2, - "filename": "positive3.dockerfile" + "fileName": "positive3.dockerfile", + 
"resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN DUMMY=test apt-get install python=2.7}}", + "searchValue": "", + "expectedValue": "{{RUN DUMMY=test apt-get install python=2.7}} should avoid manual input", + "actualValue": "{{RUN DUMMY=test apt-get install python=2.7}} doesn't avoid manual input", + "issueType": "IncorrectValue", + "similarityID": "1efcfc516776079228cb9735d81abae81e7e8283d36f3659ce3e0e04cafcffe0", + "search_line": -1 }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 2, - "filename": "positive4.dockerfile" + "fileName": "positive4.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN [\"sudo\", \"apt-get\", \"-q\" ,\"install\", \"apt-utils\"]}}", + "searchValue": "", + "expectedValue": "{{RUN [\"sudo\", \"apt-get\", \"-q\" ,\"install\", \"apt-utils\"]}} should avoid manual input", + "actualValue": "{{RUN [\"sudo\", \"apt-get\", \"-q\" ,\"install\", \"apt-utils\"]}} doesn't avoid manual input", + "issueType": "IncorrectValue", + "similarityID": "04702cffe8c634ca7ea28f6004c761679d59d165dec8e0111dcc731bc8a595d5", + "search_line": -1 }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 3, - "filename": "positive4.dockerfile" + "fileName": "positive4.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get -q install apt-utils}}", + "searchValue": "", + "expectedValue": "{{RUN sudo apt-get -q install apt-utils}} should avoid manual input", + "actualValue": "{{RUN sudo apt-get -q install apt-utils}} doesn't avoid manual input", + "issueType": "IncorrectValue", + "similarityID": "832c0fa70c691be1a9b97f06ac5b4a7cb694e735a709a5412453134cd16538cb", + "search_line": -1 }, - { - "queryName": "APT-GET Missing Flags To Avoid Manual Input", - "severity": "LOW", - "line": 3, - "filename": "positive5.dockerfile" - }, { "queryName": "APT-GET Missing Flags To Avoid 
Manual Input", "severity": "LOW", "line": 2, - "filename": "positive5.dockerfile" + "fileName": "positive5.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN [\"sudo\", \"apt-get\", \"--quiet\", \"install\", \"apt-utils\"] }}", + "searchValue": "", + "expectedValue": "{{RUN [\"sudo\", \"apt-get\", \"--quiet\", \"install\", \"apt-utils\"] }} should avoid manual input", + "actualValue": "{{RUN [\"sudo\", \"apt-get\", \"--quiet\", \"install\", \"apt-utils\"] }} doesn't avoid manual input", + "issueType": "IncorrectValue", + "similarityID": "5429b137af185aaebcd0b9926bb97b6cbbf9621862a1c7240fe6830f8e30e9a9", + "search_line": -1 }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 3, - "filename": "positive6.dockerfile" - }, + "fileName": "positive5.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get --quiet install apt-utils}}", + "searchValue": "", + "expectedValue": "{{RUN sudo apt-get --quiet install apt-utils}} should avoid manual input", + "actualValue": "{{RUN sudo apt-get --quiet install apt-utils}} doesn't avoid manual input", + "issueType": "IncorrectValue", + "similarityID": "dfaeab8e598d7524e8de83f3394c8460648b8b9ef5c6c776cc33f62cbbedb01d", + "search_line": -1 + }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 2, - "filename": "positive6.dockerfile" + "fileName": "positive6.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get --quiet install sl}}", + "searchValue": "", + "expectedValue": "{{RUN sudo apt-get --quiet install sl}} should avoid manual input", + "actualValue": "{{RUN sudo apt-get --quiet install sl}} doesn't avoid manual input", + "issueType": "IncorrectValue", + "similarityID": "ccfbff2719bc2299cf5b568e74cd4ab2f6d493ec3ed9fcb463728e0d858b5dd9", + "search_line": -1 }, { "queryName": "APT-GET Missing Flags To 
Avoid Manual Input", "severity": "LOW", "line": 3, - "filename": "positive7.dockerfile" - }, + "fileName": "positive6.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN [\"apt-get\", \"--quiet\" ,\"install\", \"apt-utils\"] }}", + "searchValue": "", + "expectedValue": "{{RUN [\"apt-get\", \"--quiet\" ,\"install\", \"apt-utils\"] }} should avoid manual input", + "actualValue": "{{RUN [\"apt-get\", \"--quiet\" ,\"install\", \"apt-utils\"] }} doesn't avoid manual input", + "issueType": "IncorrectValue", + "similarityID": "054e1451b59c8f8041029181f23b6ca0991944bf8eb6687f5fcc5270f6e79cc2", + "search_line": -1 + }, { "queryName": "APT-GET Missing Flags To Avoid Manual Input", "severity": "LOW", "line": 2, - "filename": "positive7.dockerfile" + "fileName": "positive7.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN sudo apt-get -q install sl}}", + "searchValue": "", + "expectedValue": "{{RUN sudo apt-get -q install sl}} should avoid manual input", + "actualValue": "{{RUN sudo apt-get -q install sl}} doesn't avoid manual input", + "issueType": "IncorrectValue", + "similarityID": "cf135ffe0047c2e03841b63f77c7143e64c2d3a1821a3536078878af5da67070", + "search_line": -1 + }, + { + "queryName": "APT-GET Missing Flags To Avoid Manual Input", + "severity": "LOW", + "line": 3, + "fileName": "positive7.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN [\"apt-get\", \"-q\", \"install\", \"apt-utils\"] }}", + "searchValue": "", + "expectedValue": "{{RUN [\"apt-get\", \"-q\", \"install\", \"apt-utils\"] }} should avoid manual input", + "actualValue": "{{RUN [\"apt-get\", \"-q\", \"install\", \"apt-utils\"] }} doesn't avoid manual input", + "issueType": "IncorrectValue", + "similarityID": "6609d7a6211647b259810b9ce0e4cf9fed9e9de2ad0e9adc9b9dce71726ebccb", + "search_line": -1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/positive_expected_result.json b/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/positive_expected_result.json index 224923adbc5..474d7ff2a31 100644 --- a/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/positive_expected_result.json +++ b/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages/test/positive_expected_result.json 
@@ -1,12 +1,32 @@ [ - { - "queryName": "APT-GET Not Avoiding Additional Packages", - "severity": "INFO", - "line": 2 - }, - { - "queryName": "APT-GET Not Avoiding Additional Packages", - "severity": "INFO", - "line": 3 - } + { + "queryName": "APT-GET Not Avoiding Additional Packages", + "severity": "INFO", + "line": 2, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN apt-get install apt-utils}}", + "searchValue": "", + "expectedValue": "'RUN apt-get install apt-utils' uses '--no-install-recommends' flag to avoid installing additional packages", + "actualValue": "'RUN apt-get install apt-utils' does not use '--no-install-recommends' flag to avoid installing additional packages", + "issueType": "IncorrectValue", + "similarityID": "bd6a6441b06fc4f56237f01a221f4b4cbd205ee973f85bfeffb5133f80bb857e", + "search_line": -1 + }, + { + "queryName": "APT-GET Not Avoiding Additional Packages", + "severity": "INFO", + "line": 3, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN [\"apt-get\", \"install\", \"apt-utils\"]}}", + "searchValue": "", + "expectedValue": "'RUN [\"apt-get\", \"install\", \"apt-utils\"]' uses '--no-install-recommends' flag to avoid installing additional packages", + "actualValue": "'RUN [\"apt-get\", \"install\", \"apt-utils\"]' does not use '--no-install-recommends' flag to avoid installing additional packages", + "issueType": "IncorrectValue", + "similarityID": "05068bea70164382b3e38337759f6b81f34d7bf53837da327cd89f167c42ede4", + "search_line": -1 + } ] diff --git a/assets/queries/dockerfile/changing_default_shell_using_run_command/test/positive_expected_result.json b/assets/queries/dockerfile/changing_default_shell_using_run_command/test/positive_expected_result.json index c9854941220..b62f988f23c 100644 --- a/assets/queries/dockerfile/changing_default_shell_using_run_command/test/positive_expected_result.json 
+++ b/assets/queries/dockerfile/changing_default_shell_using_run_command/test/positive_expected_result.json @@ -1,14 +1,32 @@ [ - { - "queryName": "Changing Default Shell Using RUN Command", - "severity": "MEDIUM", - "line": 5, - "filename": "positive1.dockerfile" - }, - { - "queryName": "Changing Default Shell Using RUN Command", - "severity": "MEDIUM", - "line": 5, - "filename": "positive2.dockerfile" - } + { + "queryName": "Changing Default Shell Using RUN Command", + "severity": "MEDIUM", + "line": 5, + "fileName": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.5}}.{{RUN ln -sfv /bin/bash /bin/sh}}", + "searchValue": "", + "expectedValue": "{{RUN ln -sfv /bin/bash /bin/sh}} should use the SHELL command to change the default shell", + "actualValue": "{{RUN ln -sfv /bin/bash /bin/sh}} uses the RUN command to change the default shell", + "issueType": "IncorrectValue", + "similarityID": "a4baeda61dc820fad3c74dbee690d5e8cf1adaca5696dbe2d4c67f05a90cc7f8", + "search_line": -1 + }, + { + "queryName": "Changing Default Shell Using RUN Command", + "severity": "MEDIUM", + "line": 5, + "fileName": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.5}}.{{RUN powershell -command}}", + "searchValue": "", + "expectedValue": "{{RUN powershell -command}} should use the SHELL command to change the default shell", + "actualValue": "{{RUN powershell -command}} uses the RUN command to change the default shell", + "issueType": "IncorrectValue", + "similarityID": "7dd5be1d2a71ae39f3a4e65bb9daad97c0cccc05da7c422d90d8e02b5a57667d", + "search_line": -1 + } ] diff --git a/assets/queries/dockerfile/chown_flag_exists/test/positive_expected_result.json b/assets/queries/dockerfile/chown_flag_exists/test/positive_expected_result.json index 41cc05a4a3d..48b5f60a217 100644 --- a/assets/queries/dockerfile/chown_flag_exists/test/positive_expected_result.json 
+++ b/assets/queries/dockerfile/chown_flag_exists/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Chown Flag Exists", "severity": "LOW", - "line": 4 + "line": 4, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{python:3.7}}.{{COPY --chown=patrick:patrick app /app}}", + "searchValue": "", + "expectedValue": "The 'Dockerfile' shouldn\u00b4t contain the 'chown' flag", + "actualValue": "The 'Dockerfile' contains the 'chown' flag", + "issueType": "IncorrectValue", + "similarityID": "bbbd8f2148a6d1e7e9913e6b67a10df1b171ec8b2609ce3c6cc8f768ee307134", + "search_line": -1 } ] diff --git a/assets/queries/dockerfile/copy_from_references_current_from_alias/test/positive_expected_result.json b/assets/queries/dockerfile/copy_from_references_current_from_alias/test/positive_expected_result.json index 0a577a86177..1af2b3340c9 100644 --- a/assets/queries/dockerfile/copy_from_references_current_from_alias/test/positive_expected_result.json +++ b/assets/queries/dockerfile/copy_from_references_current_from_alias/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "COPY '--from' References Current FROM Alias", "severity": "LOW", - "line": 2 + "line": 2, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{myimage:tag as dep}}.{{COPY --from=dep /binary /}}", + "searchValue": "", + "expectedValue": "COPY --from should not reference the current FROM alias", + "actualValue": "COPY --from references the current FROM alias", + "issueType": "IncorrectValue", + "similarityID": "aecff3960c701a2fe929812a2b558e878406b7f67dd9872c59a3a53d8f5a0f5b", + "search_line": -1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/test/positive_expected_result.json b/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/test/positive_expected_result.json index 2774ad6013d..3e5c38d6d9e 100644 --- a/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/test/positive_expected_result.json +++ b/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash/test/positive_expected_result.json @@ -2,7 +2,16 @@ { "queryName": "Copy With More Than Two Arguments Not Ending With Slash", "severity": "LOW", + "line": 2, "fileName": "positive.dockerfile", - "line": 2 + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:carbon2}}.COPY={{package.json}}", + "searchValue": "", + "expectedValue": "When COPY command has more than two arguments, the last one should end with a slash", + "actualValue": "COPY command has more than two arguments and the last one does not end with a slash", + "issueType": "IncorrectValue", + "similarityID": "5d73230985c736202dcc046a098484d359ecb71ec1debfea951e34d745d7af1f", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/curl_or_wget_instead_of_add/test/positive_expected_result.json b/assets/queries/dockerfile/curl_or_wget_instead_of_add/test/positive_expected_result.json index 914f34a3b1a..e9a1be40045 100644 --- a/assets/queries/dockerfile/curl_or_wget_instead_of_add/test/positive_expected_result.json +++ b/assets/queries/dockerfile/curl_or_wget_instead_of_add/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "Curl or Wget Instead of Add", "severity": "LOW", - "line": 3 + "line": 3, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{openjdk:10-jdk}}.{{ADD https://example.com/big.tar.xz /usr/src/things/}}", + "searchValue": "", + "expectedValue": "Should use 'curl' or 'wget' to download https://example.com/big.tar.xz", + "actualValue": "'ADD' https://example.com/big.tar.xz", + "issueType": "IncorrectValue", + "similarityID": "c917b8c680b99ed30237927b9375e87cb3d39e7cb9eff04324dc15a77709c93a", + "search_line": -1 } ] diff --git a/assets/queries/dockerfile/exposing_port_22/test/positive_expected_result.json b/assets/queries/dockerfile/exposing_port_22/test/positive_expected_result.json index 7c697fbb3e4..4b81662018d 100644 --- a/assets/queries/dockerfile/exposing_port_22/test/positive_expected_result.json +++ b/assets/queries/dockerfile/exposing_port_22/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Exposing Port 22 (SSH)", "severity": "LOW", - "line": 3 + "line": 3, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{gliderlabs/alpine:3.3}}.{{EXPOSE 3000 80 443 22}}", + "searchValue": "", + "expectedValue": "'EXPOSE' shouldn't contain the port 22 ", + "actualValue": "'EXPOSE' contains the port 22 ", + "issueType": "IncorrectValue", + "similarityID": "2f128ce1df95536dcda9c5101c8ba296f4d3be6111b2b3bd19b957b598b4481b", + "search_line": -1 } ] diff --git a/assets/queries/dockerfile/gem_install_without_version/test/positive_expected_result.json b/assets/queries/dockerfile/gem_install_without_version/test/positive_expected_result.json index 9e0dc193dc6..79129aa8a91 100644 --- a/assets/queries/dockerfile/gem_install_without_version/test/positive_expected_result.json +++ b/assets/queries/dockerfile/gem_install_without_version/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "Gem Install Without Version", "severity": "MEDIUM", - "line": 3 + "line": 3, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.5}}.{{RUN gem install bundler}}", + "searchValue": "", + "expectedValue": "RUN gem install bundler is 'gem install :'", + "actualValue": "RUN gem install bundler is 'gem install ', you should use 'gem install :", + "issueType": "IncorrectValue", + "similarityID": "4b3f69e0acb287888ec895f3bf3a2a777a98c20910bad89b9d856ef48949b504", + "search_line": -1 }, { "queryName": "Gem Install Without Version", "severity": "MEDIUM", - "line": 4 + "line": 4, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.5}}.{{RUN [\"gem\", \"install\", \"blunder\"]}}", + "searchValue": "", + "expectedValue": "RUN [\"gem\", \"install\", \"blunder\"] is 'gem install :'", + "actualValue": "RUN [\"gem\", \"install\", \"blunder\"] is 'gem install ', you should use 'gem install :", + "issueType": "IncorrectValue", + "similarityID": "432fde0e556e53f41ab2472d0497555a6dfc3050fa5530de5045a52611748497", + "search_line": -1 }, { "queryName": "Gem Install Without Version", "severity": "MEDIUM", - "line": 5 + "line": 5, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.5}}.{{RUN gem install grpc -v ${GRPC_RUBY_VERSION} blunder}}", + "searchValue": "", + "expectedValue": "RUN gem install grpc -v ${GRPC_RUBY_VERSION} blunder is 'gem install :'", + "actualValue": "RUN gem install grpc -v ${GRPC_RUBY_VERSION} blunder is 'gem install ', you should use 'gem install :", + "issueType": "IncorrectValue", + "similarityID": "ae9e4b85ce4bea3eb95ce7a6a88b10ce01dc0dfbf9e9d3b7ca6fe44265f38af5", + "search_line": -1 } ] 
diff --git a/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive_expected_result.json b/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive_expected_result.json index 3fff0a3f2f4..58cc4a9f811 100644 --- a/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive_expected_result.json +++ b/assets/queries/dockerfile/healthcheck_instruction_missing/test/positive_expected_result.json @@ -1,14 +1,32 @@ [ - { - "queryName": "Healthcheck Instruction Missing", - "severity": "LOW", - "line": 1, - "fileName": "positive.dockerfile" - }, - { - "queryName": "Healthcheck Instruction Missing", - "severity": "LOW", - "line": 7, - "fileName": "positive2.dockerfile" - } + { + "queryName": "Healthcheck Instruction Missing", + "severity": "LOW", + "line": 7, + "fileName": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:latest }}", + "searchValue": "", + "expectedValue": "Dockerfile should contain instruction 'HEALTHCHECK'", + "actualValue": "Dockerfile doesn't contain instruction 'HEALTHCHECK'", + "issueType": "MissingAttribute", + "similarityID": "5a01bccea4a1686e9eef7fe6f8e291a134f9a710d962baed4c0abfd04a52558f", + "search_line": -1 + }, + { + "queryName": "Healthcheck Instruction Missing", + "severity": "LOW", + "line": 1, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:alpine}}", + "searchValue": "", + "expectedValue": "Dockerfile should contain instruction 'HEALTHCHECK'", + "actualValue": "Dockerfile doesn't contain instruction 'HEALTHCHECK'", + "issueType": "MissingAttribute", + "similarityID": "c41844d3841583b93b5fcfe4086c9c8a4081ceb4370d55594b36bb2e822f0293", + "search_line": -1 + } ] diff --git a/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json b/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json index a5cbb7933e2..13316f40786 100644 
--- a/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json +++ b/assets/queries/dockerfile/image_version_not_explicit/test/positive_expected_result.json 
@@ -1,38 +1,92 @@ [ - { - "queryName": "Image Version Not Explicit", - "severity": "MEDIUM", - "fileName": "positive1.dockerfile", - "line": 1 - }, - { - "queryName": "Image Version Not Explicit", - "severity": "MEDIUM", - "fileName": "positive2.dockerfile", - "line": 7 - }, - { - "queryName": "Image Version Not Explicit", - "severity": "MEDIUM", - "fileName": "positive3.dockerfile", - "line": 4 - }, - { - "queryName": "Image Version Not Explicit", - "severity": "MEDIUM", - "fileName": "positive3.dockerfile", - "line": 7 - }, - { - "queryName": "Image Version Not Explicit", - "severity": "MEDIUM", - "fileName": "positive4.dockerfile", - "line": 7 - }, - { - "queryName": "Image Version Not Explicit", - "severity": "MEDIUM", - "fileName": "positive4.dockerfile", - "line": 10 - } + { + "queryName": "Image Version Not Explicit", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine}}", + "searchValue": "", + "expectedValue": "FROM alpine:'version'", + "actualValue": "FROM alpine'", + "issueType": "MissingAttribute", + "similarityID": "25609f4714e0744c04a3af1b259d36a548cef4279609f769175794106574c008", + "search_line": -1 + }, + { + "queryName": "Image Version Not Explicit", + "severity": "MEDIUM", + "line": 7, + "fileName": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{construction AS final}}", + "searchValue": "", + "expectedValue": "FROM construction:'version'", + "actualValue": "FROM construction'", + "issueType": "MissingAttribute", + "similarityID": "68253c8b6423a5ef3c67cdf9026f7c23de0efeb472bac997fbf986551147d257", + "search_line": -1 + }, + { + "queryName": "Image Version Not Explicit", + "severity": "MEDIUM", + "line": 4, + "fileName": "positive3.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{positive4 }}", + "searchValue": "", + "expectedValue": "FROM positive4:'version'", + "actualValue": 
"FROM positive4'", + "issueType": "MissingAttribute", + "similarityID": "6095db8c9109d37ddf89103f1010d8682d78e674aa96868a028a7e64c047bb05", + "search_line": -1 + }, + { + "queryName": "Image Version Not Explicit", + "severity": "MEDIUM", + "line": 7, + "fileName": "positive3.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{positive42}}", + "searchValue": "", + "expectedValue": "FROM positive42:'version'", + "actualValue": "FROM positive42'", + "issueType": "MissingAttribute", + "similarityID": "10aae26ac83fb0c30df09a7cb057505e0115fa42c7868310be308b4bae9985cd", + "search_line": -1 + }, + { + "queryName": "Image Version Not Explicit", + "severity": "MEDIUM", + "line": 7, + "fileName": "positive4.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{test_fail_1}}", + "searchValue": "", + "expectedValue": "FROM test_fail_1:'version'", + "actualValue": "FROM test_fail_1'", + "issueType": "MissingAttribute", + "similarityID": "4617753e887c40274ab072255a72144edd038fa6d924b771f9f1866bf2d03594", + "search_line": -1 + }, + { + "queryName": "Image Version Not Explicit", + "severity": "MEDIUM", + "line": 10, + "fileName": "positive4.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{test3 AS test_fail_2}}", + "searchValue": "", + "expectedValue": "FROM test3:'version'", + "actualValue": "FROM test3'", + "issueType": "MissingAttribute", + "similarityID": "43da5c36738be1c92501796dc2f2abe5547498e182adac5ec762fa8c061188dc", + "search_line": -1 + } ] diff --git a/assets/queries/dockerfile/image_version_using_latest/test/positive_expected_result.json b/assets/queries/dockerfile/image_version_using_latest/test/positive_expected_result.json index 54fb27a0982..6c2d1e26041 100644 --- a/assets/queries/dockerfile/image_version_using_latest/test/positive_expected_result.json +++ b/assets/queries/dockerfile/image_version_using_latest/test/positive_expected_result.json 
@@ -1,7 +1,17 @@ [ - { - "queryName": "Image Version Using 'latest'", - "severity": "MEDIUM", - "line": 1 - } + { + "queryName": "Image Version Using 'latest'", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:latest}}", + "searchValue": "", + "expectedValue": "FROM alpine:latest:'version' where version should not be 'latest'", + "actualValue": "FROM alpine:latest'", + "issueType": "IncorrectValue", + "similarityID": "7dc834796b59260e76f8d9ebdfb43a3102b8239b4ab1400dc37a59843d9235f6", + "search_line": -1 + } ] diff --git a/assets/queries/dockerfile/last_user_is_root/test/positive_expected_result.json b/assets/queries/dockerfile/last_user_is_root/test/positive_expected_result.json index 751442ed373..8e717d787d5 100644 --- a/assets/queries/dockerfile/last_user_is_root/test/positive_expected_result.json +++ b/assets/queries/dockerfile/last_user_is_root/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Last User Is 'root'", "severity": "HIGH", - "line": 2 + "line": 2, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:2.6}}.{{USER root}}", + "searchValue": "", + "expectedValue": "Last User shouldn't be root", + "actualValue": "Last User is root", + "issueType": "IncorrectValue", + "similarityID": "1ce74bd6ba4265fdbed4134277352c47feda66c304899e7700d2285b40c0f1b4", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/maintainer_instruction_being_used/test/positive_expected_result.json b/assets/queries/dockerfile/maintainer_instruction_being_used/test/positive_expected_result.json index ae5d0a537f5..62a500bb26a 100644 --- a/assets/queries/dockerfile/maintainer_instruction_being_used/test/positive_expected_result.json +++ b/assets/queries/dockerfile/maintainer_instruction_being_used/test/positive_expected_result.json 
@@ -1,7 +1,17 @@ [ - { - "queryName": "MAINTAINER Instruction Being Used", - "severity": "LOW", - "line": 4 - } + { + "queryName": "MAINTAINER Instruction Being Used", + "severity": "LOW", + "line": 4, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.5}}.MAINTAINER={{\"SvenDowideit@home.org.au\"}}", + "searchValue": "", + "expectedValue": "Maintainer instruction being used in Label 'LABEL maintainer=\"SvenDowideit@home.org.au\"'", + "actualValue": "Maintainer instruction not being used in Label 'MAINTAINER \"SvenDowideit@home.org.au\"'", + "issueType": "IncorrectValue", + "similarityID": "d7e971d626c60e5911c63b0a42e38a6967657d27beec5309e8302b255cbd44b2", + "search_line": -1 + } ] diff --git a/assets/queries/dockerfile/missing_dnf_clean_all/test/positive_expected_result.json b/assets/queries/dockerfile/missing_dnf_clean_all/test/positive_expected_result.json index 0c521996f67..46ded25c49a 100644 --- a/assets/queries/dockerfile/missing_dnf_clean_all/test/positive_expected_result.json +++ b/assets/queries/dockerfile/missing_dnf_clean_all/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Missing Dnf Clean All", "severity": "LOW", - "line": 2 + "line": 2, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{fedora:27}}.RUN={{set -uex && dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && sed -i 's/\\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && dnf install -vy docker-ce}}", + "searchValue": "", + "expectedValue": "After installing a package with dnf, command 'dnf clean all' should run.", + "actualValue": "Command `dnf clean all` is not being run after installing packages.", + "issueType": "IncorrectValue", + "similarityID": "bcae7b5b1f7613639d298e24bf27c4820c15d30681b5e3cb4d8f6fb55deae141", + "search_line": -1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive_expected_result.json b/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive_expected_result.json index 8ca30d102d6..01c45ed9c97 100644 --- a/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive_expected_result.json +++ b/assets/queries/dockerfile/missing_flag_from_dnf_install/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "Missing Flag From Dnf Install", "severity": "LOW", "line": 2, - "fileName": "positive.dockerfile" + "fileName": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{fedora:27}}.RUN={{set -uex; dnf config-manager --set-enabled docker-ce-test; dnf install docker-ce; dnf clean all}}", + "searchValue": "set -uex; dnf config-manager --set-enabled docker-ce-test; dnf install docker-ce; dnf clean all", + "expectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ", + "actualValue": "Command `RUN={{set -uex; dnf config-manager --set-enabled docker-ce-test; dnf install docker-ce; dnf clean all}}` doesn't have the `-y` or `--assumeyes` switch set", + "issueType": "IncorrectValue", + "similarityID": "3dd41b9220750db3ce0f7df11623b4cdd48befe364b263b9f12d31d4b766e9da", + "search_line": -1 }, { "queryName": "Missing Flag From Dnf Install", "severity": "LOW", "line": 10, - "fileName": "positive.dockerfile" + "fileName": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{fedora:28}}.RUN={{dnf in docker-ce}}", + "searchValue": "dnf in docker-ce", + "expectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ", + "actualValue": "Command `RUN={{dnf in docker-ce}}` doesn't have the `-y` or `--assumeyes` switch set", + "issueType": "IncorrectValue", + "similarityID": "37f64721dc2e1c2cb82224c4bf8c931e5d4f097a53382d8e0c33f2365add5dc9", + "search_line": -1 }, { "queryName": "Missing Flag From Dnf Install", "severity": "LOW", "line": 2, - "fileName": "positive2.dockerfile" + "fileName": "positive3.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{fedora:27}}.RUN={{microdnf install openssl-libs-1:1.1.1k-6.el8_5.x86_64 zlib-1.2.11-18.el8_5.x86_64 && microdnf clean all}}", + "searchValue": "microdnf install openssl-libs-1:1.1.1k-6.el8_5.x86_64 
zlib-1.2.11-18.el8_5.x86_64", + "expectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ", + "actualValue": "Command `RUN={{microdnf install openssl-libs-1:1.1.1k-6.el8_5.x86_64 zlib-1.2.11-18.el8_5.x86_64}}` doesn't have the `-y` or `--assumeyes` switch set", + "issueType": "IncorrectValue", + "similarityID": "3f2e03a384c80be2594886f7086500fa27988950701852f88539296fa91fa11c", + "search_line": -1 }, { "queryName": "Missing Flag From Dnf Install", "severity": "LOW", - "line": 10, - "fileName": "positive2.dockerfile" + "line": 21, + "fileName": "positive4.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{${BASE_CONTAINER_REGISTRY:-mcr.microsoft.com}/azure-cli AS installer}}.RUN={{tdnf install jq tar libicu python3-requests python3-yaml}}", + "searchValue": "tdnf install jq tar libicu python3-requests python3-yaml", + "expectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ", + "actualValue": "Command `RUN={{tdnf install jq tar libicu python3-requests python3-yaml}}` doesn't have the `-y` or `--assumeyes` switch set", + "issueType": "IncorrectValue", + "similarityID": "652382f89222a2a65122962464f3a4935f9611fba783e1b7b5bf3d4ac3cc383c", + "search_line": -1 }, { "queryName": "Missing Flag From Dnf Install", "severity": "LOW", "line": 2, - "fileName": "positive3.dockerfile" + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{fedora:27}}.RUN={{set -uex && dnf config-manager --set-enabled docker-ce-test && dnf install docker-ce && dnf clean all}}", + "searchValue": "dnf install docker-ce", + "expectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ", + "actualValue": "Command `RUN={{dnf install docker-ce}}` doesn't have the `-y` or `--assumeyes` switch set", + "issueType": "IncorrectValue", + "similarityID": 
"1c586207e093c8600486e3deafe74c6d4f7fe113bbc3ed9dd7267ed0bf83ce4b", + "search_line": -1 }, { "queryName": "Missing Flag From Dnf Install", "severity": "LOW", - "line": 21, - "fileName": "positive4.dockerfile" + "line": 10, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{fedora:28}}.RUN={{dnf in docker-ce}}", + "searchValue": "dnf in docker-ce", + "expectedValue": "When running `dnf install`, `-y` or `--assumeyes` switch should be set to avoid build failure ", + "actualValue": "Command `RUN={{dnf in docker-ce}}` doesn't have the `-y` or `--assumeyes` switch set", + "issueType": "IncorrectValue", + "similarityID": "18d2f13d065fc158351bc2369fcdfd7a1f2f17567794080de578c9e6cec5a102", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/missing_user_instruction/test/positive_expected_result.json b/assets/queries/dockerfile/missing_user_instruction/test/positive_expected_result.json index 8a0833e1de1..1e42095b2e4 100644 --- a/assets/queries/dockerfile/missing_user_instruction/test/positive_expected_result.json +++ b/assets/queries/dockerfile/missing_user_instruction/test/positive_expected_result.json 
@@ -1,14 +1,32 @@ [ - { - "queryName": "Missing User Instruction", - "severity": "HIGH", - "line": 1, - "fileName": "positive.dockerfile" - }, - { - "queryName": "Missing User Instruction", - "severity": "HIGH", - "line": 7, - "fileName": "positive2.dockerfile" - } + { + "queryName": "Missing User Instruction", + "severity": "HIGH", + "line": 7, + "fileName": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:latest }}", + "searchValue": "", + "expectedValue": "The 'Dockerfile' should contain the 'USER' instruction", + "actualValue": "The 'Dockerfile' does not contain any 'USER' instruction", + "issueType": "MissingAttribute", + "similarityID": "8f06b797ed4fe607b201dfc4bcc23614f61365ddace5defadd411f7464898960", + "search_line": -1 + }, + { + "queryName": "Missing User Instruction", + "severity": "HIGH", + "line": 1, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{python:2.7}}", + "searchValue": "", + "expectedValue": "The 'Dockerfile' should contain the 'USER' instruction", + "actualValue": "The 'Dockerfile' does not contain any 'USER' instruction", + "issueType": "MissingAttribute", + "similarityID": "dceb883897a76938fb70b71edbc0bc676f8d06fd70dcc9d85944611686ab1eff", + "search_line": -1 + } ] diff --git a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json index 53dca70b9fb..4654b36431a 100644 --- a/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json +++ b/assets/queries/dockerfile/missing_version_specification_in_dnf_install/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Missing Version Specification In dnf install", "severity": "MEDIUM", - "line": 2 + "line": 2, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{fedora:latest}}.{{RUN dnf -y update && dnf -y install httpd && dnf clean all}}", + "searchValue": "", + "expectedValue": "Package version should be specified when using 'dnf install'", + "actualValue": "Package version should be pinned when running \u00b4dnf install\u00b4", + "issueType": "IncorrectValue", + "similarityID": "0628c8e891f9f0afed558446ba41184486ff6fb4d54bacf04e19ca1aae5fe004", + "search_line": -1 }, { "queryName": "Missing Version Specification In dnf install", "severity": "MEDIUM", - "line": 3 + "line": 3, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{fedora:latest}}.{{RUN [\"dnf\", \"install\", \"httpd\"]}}", + "searchValue": "", + "expectedValue": "Package version should be specified when using 'dnf install'", + "actualValue": "Package version should be pinned when running \u00b4dnf install\u00b4", + "issueType": "IncorrectValue", + "similarityID": "b8babbc4f9726e5b150d98be7673f0e6f42f3a3a56d6d5ac0c7c46b63276b2b1", + "search_line": -1 } ] diff --git a/assets/queries/dockerfile/missing_zypper_clean/test/positive_expected_result.json b/assets/queries/dockerfile/missing_zypper_clean/test/positive_expected_result.json index 5570f022802..4d0ad7264f7 100644 --- a/assets/queries/dockerfile/missing_zypper_clean/test/positive_expected_result.json +++ b/assets/queries/dockerfile/missing_zypper_clean/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "Missing Zypper Clean", "severity": "LOW", - "line": 2 + "line": 2, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox:1.0}}.{{RUN zypper install}}", + "searchValue": "", + "expectedValue": "There should be a zypper clean after a zypper usage", + "actualValue": "The command 'zypper install' does not have a zypper clean after it", + "issueType": "MissingAttribute", + "similarityID": "2c8fdf66b036a23b5ed16d1efd5c8cceda4933d22ff2913a9ba7bafcc519b9c6", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/positive_expected_result.json b/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/positive_expected_result.json index fa3f05610c9..aed22c4eef7 100644 --- a/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/positive_expected_result.json +++ b/assets/queries/dockerfile/missing_zypper_non_interactive_switch/test/positive_expected_result.json @@ -1,7 +1,17 @@ [ - { - "queryName": "Missing Zypper Non-interactive Switch", - "severity": "MEDIUM", - "line": 2 - } + { + "queryName": "Missing Zypper Non-interactive Switch", + "severity": "MEDIUM", + "line": 2, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox:1.0}}.{{RUN zypper install httpd && zypper clean}}", + "searchValue": "", + "expectedValue": "zypper usages should have the non-interactive switch activated", + "actualValue": "The command 'RUN zypper install httpd && zypper clean' does not have the non-interactive switch activated (-y | --no-confirm)", + "issueType": "IncorrectValue", + "similarityID": "ed6732efd7382c5084abeadf82f279be4fafa112a562e24ea96366811cd783e2", + "search_line": -1 + } ] 
diff --git a/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive_expected_result.json b/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive_expected_result.json index 5110e6420af..99877503d31 100644 --- a/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive_expected_result.json +++ b/assets/queries/dockerfile/multiple_cmd_instructions_listed/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Multiple CMD Instructions Listed", "severity": "LOW", "line": 11, - "fileName": "positive.dockerfile" + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:latest }}.{{CMD [\"./app\"] }}", + "searchValue": "", + "expectedValue": "There should be only one CMD instruction", + "actualValue": "There are 2 CMD instructions", + "issueType": "RedundantAttribute", + "similarityID": "cdd8410f69ddb77e364a2e727dbba6f3236a2ea1825413227c129515f047ecbe", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive_expected_result.json b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive_expected_result.json index c1c67a870ea..db582c6a745 100644 --- a/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive_expected_result.json +++ b/assets/queries/dockerfile/multiple_entrypoint_instructions_listed/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Multiple ENTRYPOINT Instructions Listed", "severity": "LOW", "line": 11, - "fileName": "positive.dockerfile" + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:latest }}.{{ENTRYPOINT [ \"/opt/app/run.sh\", \"--port\", \"8080\" ]}}", + "searchValue": "", + "expectedValue": "There should be only one ENTRYPOINT instruction", + "actualValue": "There are 2 ENTRYPOINT instructions", + "issueType": "RedundantAttribute", + "similarityID": "321f745a0f2d11b009133b2f2be9b9b6bc1dfb86fb41db190bca97a1c0f1aee7", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/positive_expected_result.json b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/positive_expected_result.json index 7474b74c429..c43e26075e4 100644 --- a/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/positive_expected_result.json +++ b/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "Multiple RUN, ADD, COPY, Instructions Listed", "severity": "LOW", "line": 2, - "fileName": "positive1.dockerfile" + "fileName": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{ubuntu}}.{{RUN apt-get install -y wget}}", + "searchValue": "", + "expectedValue": "There isn\u00b4t any RUN instruction that could be grouped", + "actualValue": "There are RUN instructions that could be grouped", + "issueType": "RedundantAttribute", + "similarityID": "0bcc8d4c913b014a3e736c1d4039394d127857d1adfc1a7b3fe69221a0a3ae1c", + "search_line": -1 }, { "queryName": "Multiple RUN, ADD, COPY, Instructions Listed", "severity": "LOW", "line": 2, - "fileName": "positive2.dockerfile" + "fileName": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{ubuntu}}.{{COPY README.md ./}}", + "searchValue": "", + "expectedValue": "There isn\u00b4t any COPY instruction that could be grouped", + "actualValue": "There are COPY instructions that could be grouped", + "issueType": "RedundantAttribute", + "similarityID": "19157fe9f1662bdbe370f47ffc2c65f4187955dd2ba8828eee5f4c471c693bdd", + "search_line": -1 }, { "queryName": "Multiple RUN, ADD, COPY, Instructions Listed", "severity": "LOW", "line": 2, - "fileName": "positive3.dockerfile" + "fileName": "positive3.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{ubuntu}}.{{ADD cairo.spec /rpmbuild/SOURCES}}", + "searchValue": "", + "expectedValue": "There isn\u00b4t any ADD instruction that could be grouped", + "actualValue": "There are ADD instructions that could be grouped", + "issueType": "RedundantAttribute", + "similarityID": "f1de0824f227342b7b5d9f6150d2ec1a3bfb3f657365240ad29a6d3663fba8d4", + "search_line": -1 } ] 
diff --git a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/positive_expected_result.json b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/positive_expected_result.json index 779bfea3ef6..4fa5ebdb167 100644 --- a/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/positive_expected_result.json +++ b/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments/test/positive_expected_result.json @@ -1,12 +1,32 @@ [ - { - "queryName": "Not Using JSON In CMD And ENTRYPOINT Arguments", - "severity": "MEDIUM", - "line": 10 - }, - { - "queryName": "Not Using JSON In CMD And ENTRYPOINT Arguments", - "severity": "MEDIUM", - "line": 11 - } + { + "queryName": "Not Using JSON In CMD And ENTRYPOINT Arguments", + "severity": "MEDIUM", + "line": 10, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.5}}.{{CMD [python, /usr/src/app/app.py] }}", + "searchValue": "", + "expectedValue": "{{CMD [python, /usr/src/app/app.py] }} should be in the JSON Notation", + "actualValue": "{{CMD [python, /usr/src/app/app.py] }} isn't in JSON Notation", + "issueType": "IncorrectValue", + "similarityID": "3d23340495151ac6c19e293c6631ea2afd20044023f86af6358a4d3c8688fb1a", + "search_line": -1 + }, + { + "queryName": "Not Using JSON In CMD And ENTRYPOINT Arguments", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.5}}.{{ENTRYPOINT [top, -b]}}", + "searchValue": "", + "expectedValue": "{{ENTRYPOINT [top, -b]}} should be in the JSON Notation", + "actualValue": "{{ENTRYPOINT [top, -b]}} isn't in JSON Notation", + "issueType": "IncorrectValue", + "similarityID": "5f92f977927ce81a93f1a4097e21ae7df0633f5d9dc40031fa05f53ce07ccc1a", + "search_line": -1 + } ] 
diff --git a/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json b/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json index ec6862cd11b..50b7b8097e4 100644 --- a/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json +++ b/assets/queries/dockerfile/npm_install_without_pinned_version/test/positive_expected_result.json 
@@ -3,42 +3,105 @@ "queryName": "NPM Install Command Without Pinned Version", "severity": "MEDIUM", "line": 2, - "filename": "positive1.dockerfile" + "fileName": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN npm install sax}}", + "searchValue": "", + "expectedValue": "'RUN npm install sax' uses npm install with a pinned version", + "actualValue": "'RUN npm install sax' does not uses npm install with a pinned version", + "issueType": "IncorrectValue", + "similarityID": "a55b551c163b2a0f5afcb9df731f44a79e9f7fe2a2315de6f147910cd7acc436", + "search_line": -1 }, { "queryName": "NPM Install Command Without Pinned Version", "severity": "MEDIUM", "line": 3, - "filename": "positive1.dockerfile" + "fileName": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN npm install sax --no-cache}}", + "searchValue": "", + "expectedValue": "'RUN npm install sax --no-cache' uses npm install with a pinned version", + "actualValue": "'RUN npm install sax --no-cache' does not uses npm install with a pinned version", + "issueType": "IncorrectValue", + "similarityID": "766ef47a4f0d5de0d24e6a4ec31163525fda22916713753168720de84c1230d9", + "search_line": -1 }, { "queryName": "NPM Install Command Without Pinned Version", "severity": "MEDIUM", "line": 4, - "filename": "positive1.dockerfile" + "fileName": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN npm install sax | grep fail && npm install sax@latest}}", + "searchValue": "", + "expectedValue": "'RUN npm install sax | grep fail && npm install sax@latest' uses npm install with a pinned version", + "actualValue": "'RUN npm install sax | grep fail && npm install sax@latest' does not uses npm install with a pinned version", + "issueType": "IncorrectValue", + "similarityID": "b08a26eaf8119039034ba133397f0df0fbee47a8d3c439bf911e72265dd49e5d", + "search_line": -1 }, { 
"queryName": "NPM Install Command Without Pinned Version", "severity": "MEDIUM", "line": 5, - "filename": "positive1.dockerfile" + "fileName": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN npm install sax@latest | grep fail && npm install sax}}", + "searchValue": "", + "expectedValue": "'RUN npm install sax@latest | grep fail && npm install sax' uses npm install with a pinned version", + "actualValue": "'RUN npm install sax@latest | grep fail && npm install sax' does not uses npm install with a pinned version", + "issueType": "IncorrectValue", + "similarityID": "29ff38f7b79220bf6551844f728500d16102d4a7574b409b812feb011af1394e", + "search_line": -1 }, { "queryName": "NPM Install Command Without Pinned Version", "severity": "MEDIUM", "line": 6, - "filename": "positive1.dockerfile" + "fileName": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN npm install sax | grep fail && npm install sax}}", + "searchValue": "", + "expectedValue": "'RUN npm install sax | grep fail && npm install sax' uses npm install with a pinned version", + "actualValue": "'RUN npm install sax | grep fail && npm install sax' does not uses npm install with a pinned version", + "issueType": "IncorrectValue", + "similarityID": "c24ac6ff0e4dc22be8edf240c5b95bb21103f3e993c816fa8e5bacb850ee8f30", + "search_line": -1 }, { "queryName": "NPM Install Command Without Pinned Version", "severity": "MEDIUM", "line": 7, - "filename": "positive1.dockerfile" + "fileName": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN npm i -g @angular/cli}}", + "searchValue": "", + "expectedValue": "'RUN npm i -g @angular/cli' uses npm install with a pinned version", + "actualValue": "'RUN npm i -g @angular/cli' does not uses npm install with a pinned version", + "issueType": "IncorrectValue", + "similarityID": 
"fc73c895c4c2dcf9d8c686d4c368087f878c9f263ec0aac3def90f5426436a69", + "search_line": -1 }, { "queryName": "NPM Install Command Without Pinned Version", "severity": "MEDIUM", "line": 8, - "filename": "positive1.dockerfile" + "fileName": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN [\"npm\",\"add\",\"sax\"]}}", + "searchValue": "", + "expectedValue": "'RUN [\"npm\",\"add\",\"sax\"]' uses npm install with a pinned version", + "actualValue": "'RUN [\"npm\",\"add\",\"sax\"]' does not uses npm install with a pinned version", + "issueType": "IncorrectValue", + "similarityID": "5dba4a651019aefe5c71ad3eb474be07108381de446f5abcc864fd0077faf39f", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive_expected_result.json b/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive_expected_result.json index 727c06aeff6..ea1b1b51321 100644 --- a/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive_expected_result.json +++ b/assets/queries/dockerfile/pip_install_keeping_cached_packages/test/positive_expected_result.json 
@@ -2,26 +2,76 @@ { "queryName": "Pip install Keeping Cached Packages", "severity": "LOW", - "line": 2 + "line": 2, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{python:3}}.{{pip install --upgrade pip && pip install nibabel pydicom matplotlib pillow && pip install med2image}}", + "searchValue": "", + "expectedValue": "The '--no-cache-dir' flag should be set when running 'pip/pip3 install'", + "actualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'", + "issueType": "IncorrectValue", + "similarityID": "286fb342326823f9605364707b4533a6b236d9060e2bdb51817d6b204016f85d", + "search_line": -1 }, { "queryName": "Pip install Keeping Cached Packages", "severity": "LOW", - "line": 8 + "line": 8, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{python:3.1}}.{{pip install --upgrade pip}}", + "searchValue": "", + "expectedValue": "The '--no-cache-dir' flag should be set when running 'pip/pip3 install'", + "actualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'", + "issueType": "IncorrectValue", + "similarityID": "c821103080c3af55bd8bb71208c41655b256c89e61f01b60e26fadbc86dc10dd", + "search_line": -1 }, { "queryName": "Pip install Keeping Cached Packages", "severity": "LOW", - "line": 9 + "line": 9, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{python:3.1}}.{{python -m pip install nibabel pydicom matplotlib pillow}}", + "searchValue": "", + "expectedValue": "The '--no-cache-dir' flag should be set when running 'pip/pip3 install'", + "actualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'", + "issueType": "IncorrectValue", + "similarityID": "182b0fe77f00388c71038b649494eea87c5bc7d88164def402ecfbcb6807cd47", + "search_line": -1 }, { "queryName": "Pip install Keeping Cached Packages", "severity": "LOW", - "line": 10 + "line": 10, + 
"fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{python:3.1}}.{{pip3 install requests=2.7.0}}", + "searchValue": "", + "expectedValue": "The '--no-cache-dir' flag should be set when running 'pip/pip3 install'", + "actualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'", + "issueType": "IncorrectValue", + "similarityID": "cc89d3fbfecb4575147fba7c699b8dd9a4b5866bc5ca028343d494af6847f11e", + "search_line": -1 }, { "queryName": "Pip install Keeping Cached Packages", "severity": "LOW", - "line": 11 + "line": 11, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{python:3.1}}.{{RUN [\"pip3\", \"install\", \"requests=2.7.0\"]}}", + "searchValue": "", + "expectedValue": "The '--no-cache-dir' flag should be set when running 'pip/pip3 install'", + "actualValue": "The '--no-cache-dir' flag isn't set when running 'pip/pip3 install'", + "issueType": "IncorrectValue", + "similarityID": "4e9f0be8aaf11c7d9780af5de802b6ac16265b1b09a27785125490782c4ccef5", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive_expected_result.json b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive_expected_result.json index 4cba6c72f3f..0512845bd0e 100644 --- a/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive_expected_result.json +++ b/assets/queries/dockerfile/run_command_cd_instead_of_workdir/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "RUN Instruction Using 'cd' Instead of WORKDIR", "severity": "LOW", "line": 3, - "fileName": "positive.dockerfile" + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{nginx}}.RUN={{cd /../share/nginx/html}}", + "searchValue": "", + "expectedValue": "Using WORKDIR to change directory", + "actualValue": "RUN cd /../share/nginx/html'", + "issueType": "IncorrectValue", + "similarityID": "19171f8fcec7de7a76a995d61183acc918ec8a4c1d445467fa16f3e209f1e533", + "search_line": -1 }, { "queryName": "RUN Instruction Using 'cd' Instead of WORKDIR", "severity": "LOW", "line": 9, - "fileName": "positive.dockerfile" + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{nginx}}.RUN={{cd ../share/nginx/html}}", + "searchValue": "", + "expectedValue": "Using WORKDIR to change directory", + "actualValue": "RUN cd ../share/nginx/html'", + "issueType": "IncorrectValue", + "similarityID": "509c051032db5d0ea554d04cacff99a004503bb8b1be687354dcc7d6dd09c625", + "search_line": -1 }, { "queryName": "RUN Instruction Using 'cd' Instead of WORKDIR", "severity": "LOW", "line": 15, - "fileName": "positive.dockerfile" + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{nginx}}.RUN={{cd /usr/../share/nginx/html}}", + "searchValue": "", + "expectedValue": "Using WORKDIR to change directory", + "actualValue": "RUN cd /usr/../share/nginx/html'", + "issueType": "IncorrectValue", + "similarityID": "633d850a94fb82cb565446981c9ceb08cc3b30ceff9e3d24c2778320130d28a6", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/run_using_apt/test/positive_expected_result.json b/assets/queries/dockerfile/run_using_apt/test/positive_expected_result.json index c6a5e011847..8e31844392d 100644 --- a/assets/queries/dockerfile/run_using_apt/test/positive_expected_result.json 
+++ b/assets/queries/dockerfile/run_using_apt/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Run Using apt", "severity": "LOW", - "line": 2 + "line": 2, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{busybox:1.0}}.{{RUN apt install curl}}", + "searchValue": "", + "expectedValue": "RUN instructions should not use the 'apt' program", + "actualValue": "RUN instruction is invoking the 'apt' program", + "issueType": "IncorrectValue", + "similarityID": "59199720dc88ce76449c600169d5787360b29ea88334730a4759a857ece516c7", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/run_using_sudo/test/positive_expected_result.json b/assets/queries/dockerfile/run_using_sudo/test/positive_expected_result.json index 581fa52051a..09ee5b6b247 100644 --- a/assets/queries/dockerfile/run_using_sudo/test/positive_expected_result.json +++ b/assets/queries/dockerfile/run_using_sudo/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Run Using Sudo", "severity": "MEDIUM", - "line": 3 + "line": 3, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.5}}.RUN={{sudo pip install --upgrade pip}}", + "searchValue": "", + "expectedValue": "RUN instruction shouldn't contain sudo", + "actualValue": "RUN instruction contains sudo", + "issueType": "IncorrectValue", + "similarityID": "66bf1e6c78ada6faf6840a6897c9e72d91f614c19001050f1bc234cf084d1d57", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/run_using_wget_and_curl/test/positive_expected_result.json b/assets/queries/dockerfile/run_using_wget_and_curl/test/positive_expected_result.json index 82340b752d6..645cf59f763 100644 --- a/assets/queries/dockerfile/run_using_wget_and_curl/test/positive_expected_result.json +++ b/assets/queries/dockerfile/run_using_wget_and_curl/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "Run Using 'wget' and 'curl'", "severity": "LOW", - "line": 3 + "line": 3, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{debian}}.{{RUN curl http://bing.com}}", + "searchValue": "", + "expectedValue": "Exclusively using 'wget' or 'curl'", + "actualValue": "Using both 'wget' and 'curl'", + "issueType": "RedundantAttribute", + "similarityID": "4c8abbe28f82d53dbd6a24bff4cfc8866a9549d2f1d6a998046a58024ddd007a", + "search_line": -1 }, { "queryName": "Run Using 'wget' and 'curl'", "severity": "LOW", - "line": 7 + "line": 7, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{baseImage}}.{{RUN curl http://bing.com}}", + "searchValue": "", + "expectedValue": "Exclusively using 'wget' or 'curl'", + "actualValue": "Using both 'wget' and 'curl'", + "issueType": "RedundantAttribute", + "similarityID": "30615ca7cb65b4f426375503c2b9e2764475da708b8c5bac6d1548fb77fdf0f8", + "search_line": -1 }, { "queryName": "Run Using 'wget' and 'curl'", "severity": "LOW", - "line": 8 + "line": 8, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{baseImage}}.{{RUN [\"curl\", \"http://bing.com\"]}}", + "searchValue": "", + "expectedValue": "Exclusively using 'wget' or 'curl'", + "actualValue": "Using both 'wget' and 'curl'", + "issueType": "RedundantAttribute", + "similarityID": "81af9803fc9ae4b5117ed4c261fe78640fb54163ffe5545d117a3a516869136b", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/run_utilities_and_posix_commands/test/positive_expected_result.json b/assets/queries/dockerfile/run_utilities_and_posix_commands/test/positive_expected_result.json index 9f366ada36a..b8a695d9fca 100644 --- a/assets/queries/dockerfile/run_utilities_and_posix_commands/test/positive_expected_result.json 
+++ b/assets/queries/dockerfile/run_utilities_and_posix_commands/test/positive_expected_result.json @@ -2,11 +2,31 @@ { "queryName": "Run Utilities And POSIX Commands", "severity": "INFO", - "line": 4 + "line": 4, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{golang:1.12.0-stretch}}.{{RUN top}}", + "searchValue": "", + "expectedValue": "There should be no dangerous commands or utilities executed", + "actualValue": "Run instruction is executing the top command", + "issueType": "IncorrectValue", + "similarityID": "53afc099bbe3ab95c2d0d663d2f546cf38e3823e4e2e92dc02ee600fc15d9fc1", + "search_line": -1 }, { "queryName": "Run Utilities And POSIX Commands", "severity": "INFO", - "line": 5 + "line": 5, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{golang:1.12.0-stretch}}.{{RUN [\"ps\", \"-d\"]}}", + "searchValue": "", + "expectedValue": "There should be no dangerous commands or utilities executed", + "actualValue": "Run instruction is executing the ps command", + "issueType": "IncorrectValue", + "similarityID": "e31e17b7591957be5f5133a31fb20c2ea6d27e2dbdc313fcb6971fb5f87eefed", + "search_line": -1 } ] diff --git a/assets/queries/dockerfile/same_alias_in_different_froms/test/positive_expected_result.json b/assets/queries/dockerfile/same_alias_in_different_froms/test/positive_expected_result.json index 9e65369181b..fd1d3697057 100644 --- a/assets/queries/dockerfile/same_alias_in_different_froms/test/positive_expected_result.json +++ b/assets/queries/dockerfile/same_alias_in_different_froms/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "Same Alias In Different Froms", "severity": "LOW", - "line": 4 + "line": 4, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{build}}", + "searchValue": "", + "expectedValue": "Different FROM commands don't have the same alias defined", + "actualValue": "Different FROM commands with with the same alias 'build' defined", + "issueType": "IncorrectValue", + "similarityID": "78b6f666b89e28f9be82fbbb75e311fc187d4adc001dabe3f9f7b3422038ccca", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/positive_expected_result.json b/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/positive_expected_result.json index 66769b07386..b3ebc833669 100644 --- a/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/positive_expected_result.json +++ b/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Shell Running A Pipe Without Pipefail Flag", "severity": "LOW", - "line": 2 + "line": 2, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN zsh ./some_output | ./some_script}}", + "searchValue": "zsh", + "expectedValue": "'RUN zsh ./some_output | ./some_script' has pipefail option set for pipe command with shell zsh.", + "actualValue": "'RUN zsh ./some_output | ./some_script' does not have pipefail option set for pipe command with shell zsh.", + "issueType": "MissingAttribute", + "similarityID": "a76115a0651d74793b6079753c518cee991dc70fa5f7ddf803d85a02ca8c56f7", + "search_line": -1 }, { "queryName": "Shell Running A Pipe Without Pipefail Flag", "severity": "LOW", - "line": 3 + "line": 3, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{node:12}}.{{RUN [ \"/bin/bash\", \"./some_output\", \"|\", \"./some_script\" ]}}", + "searchValue": "/bin/bash", + "expectedValue": "'RUN [ '/bin/bash', './some_output', '|', './some_script' ]' has pipefail option set for pipe command with shell /bin/bash.", + "actualValue": "'RUN [ '/bin/bash', './some_output', '|', './some_script' ]' does not have pipefail option set for pipe command with shell /bin/bash.", + "issueType": "MissingAttribute", + "similarityID": "9648f1361abb8e822ecabba8f610e72cb5b870b4f50c1afba4ae78428ffffb64", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/unix_ports_out_of_range/test/positive_expected_result.json b/assets/queries/dockerfile/unix_ports_out_of_range/test/positive_expected_result.json index 5d57ac73d0c..ca2e9e102fd 100644 --- a/assets/queries/dockerfile/unix_ports_out_of_range/test/positive_expected_result.json +++ b/assets/queries/dockerfile/unix_ports_out_of_range/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "UNIX Ports Out Of Range", "severity": "INFO", - "line": 3 + "line": 3, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{gliderlabs/alpine:3.3}}.{{EXPOSE 65536/tcp 80 443 22}}", + "searchValue": "", + "expectedValue": "'EXPOSE' should not contain ports out of range [0, 65535]", + "actualValue": "'EXPOSE' contains ports out of range [0, 65535]", + "issueType": "IncorrectValue", + "similarityID": "6c1d05d89d11e7a0ddec9a627903340379ec42c4926158374f16967360826dba", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive_expected_result.json b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive_expected_result.json index 9f377d63c28..ff42fad39b9 100644 --- a/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive_expected_result.json +++ b/assets/queries/dockerfile/unpinned_package_version_in_apk_add/test/positive_expected_result.json 
@@ -2,26 +2,76 @@ { "queryName": "Unpinned Package Version in Apk Add", "severity": "MEDIUM", - "line": 2 + "line": 2, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.9}}.{{RUN apk add --update py-pip}}", + "searchValue": "", + "expectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='", + "actualValue": "RUN instruction apk add --update py-pip does not use package pinning form", + "issueType": "IncorrectValue", + "similarityID": "9f0e17fae1c4425bb732fb1abc94941f81da7c573f6891609dbce76473f57254", + "search_line": -1 }, { "queryName": "Unpinned Package Version in Apk Add", "severity": "MEDIUM", - "line": 13 + "line": 13, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.7}}.{{RUN apk add py-pip && apk add tea}}", + "searchValue": "", + "expectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='", + "actualValue": "RUN instruction apk add py-pip && apk add tea does not use package pinning form", + "issueType": "IncorrectValue", + "similarityID": "059ff5052f6c3c2545c7509ffc239d6f5d683b3b3f10e6dba76a4f697b39f8fa", + "search_line": -1 }, { "queryName": "Unpinned Package Version in Apk Add", "severity": "MEDIUM", - "line": 14 + "line": 14, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.7}}.{{RUN apk add py-pip && rm -rf /tmp/*}}", + "searchValue": "", + "expectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='", + "actualValue": "RUN instruction apk add py-pip && rm -rf /tmp/* does not use package pinning form", + "issueType": "IncorrectValue", + "similarityID": "5a5c3610415da5dbcc93de211d5e328b0b6902e022436dc646028b9889674f1b", + "search_line": -1 }, { "queryName": "Unpinned Package Version in Apk Add", "severity": "MEDIUM", - "line": 16 + "line": 16, + "fileName": 
"positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.7}}.{{RUN apk add --dir /dir libimagequant && minidlna}}", + "searchValue": "", + "expectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='", + "actualValue": "RUN instruction apk add --dir /dir libimagequant && minidlna does not use package pinning form", + "issueType": "IncorrectValue", + "similarityID": "3ff33f739623441bda969333a1d4dcc6118f375afc77d299578ac7d78ff8851d", + "search_line": -1 }, { "queryName": "Unpinned Package Version in Apk Add", "severity": "MEDIUM", - "line": 18 + "line": 18, + "fileName": "positive.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.7}}.{{RUN [\"apk\", \"add\", \"py-pip\"]}}", + "searchValue": "py-pip", + "expectedValue": "RUN instruction with 'apk add ' should use package pinning form 'apk add ='", + "actualValue": "RUN instruction py-pip does not use package pinning form", + "issueType": "IncorrectValue", + "similarityID": "7c2ab04ad44a011c8d5beb0fd306a2ffd653d28bcb2e17d8b7287316630a5982", + "search_line": -1 } ] diff --git a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json index 4ffe50570bf..2f1058e3fb8 100644 --- a/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json +++ b/assets/queries/dockerfile/unpinned_package_version_in_pip_install/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Unpinned Package Version in Pip Install", "severity": "MEDIUM", "line": 3, - "filename": "positive1.dockerfile" + "fileName": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.9}}.{{RUN pip install --user pip}}", + "searchValue": "", + "expectedValue": "RUN instruction with 'pip/pip3 install ' should use package pinning form 'pip/pip3 install ='", + "actualValue": "RUN instruction pip install --user pip does not use package pinning form", + "issueType": "IncorrectValue", + "similarityID": "0d2a57e71e3a717bda8c05a57e46fe217d469421b189ef41c95b303e0ebb3f63", + "search_line": -1 }, { "queryName": "Unpinned Package Version in Pip Install", "severity": "MEDIUM", "line": 4, - "filename": "positive1.dockerfile" + "fileName": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.9}}.{{RUN [\"pip\", \"install\", \"connexion\"]}}", + "searchValue": "", + "expectedValue": "RUN instruction with 'pip/pip3 install ' should use package pinning form 'pip/pip3 install ='", + "actualValue": "RUN instruction connexion does not use package pinning form", + "issueType": "IncorrectValue", + "similarityID": "a87fa26f53610ec3df66a51ecc145e406eef54fa36defd95d3243b8c29cd305f", + "search_line": -1 }, { "queryName": "Unpinned Package Version in Pip Install", "severity": "MEDIUM", "line": 15, - "filename": "positive1.dockerfile" + "fileName": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.7}}.{{RUN pip install connexion}}", + "searchValue": "", + "expectedValue": "RUN instruction with 'pip/pip3 install ' should use package pinning form 'pip/pip3 install ='", + "actualValue": "RUN instruction pip install connexion does not use package pinning form", + "issueType": "IncorrectValue", + "similarityID": "6b22b8a50fb8d7b20c7f437835e1f5eb988ea0578d7372d0fa1a817e99dcc958", + "search_line": -1 }, { "queryName": "Unpinned 
Package Version in Pip Install", "severity": "MEDIUM", "line": 18, - "filename": "positive1.dockerfile" + "fileName": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:3.7}}.{{RUN pip3 install requests}}", + "searchValue": "", + "expectedValue": "RUN instruction with 'pip/pip3 install ' should use package pinning form 'pip/pip3 install ='", + "actualValue": "RUN instruction pip3 install requests does not use package pinning form", + "issueType": "IncorrectValue", + "similarityID": "5f754710730aa77e38f5f0fc439494302367bf2c504d7629ca0f7f3249138e6d", + "search_line": -1 } ] diff --git a/assets/queries/dockerfile/update_instruction_alone/test/positive_expected_result.json b/assets/queries/dockerfile/update_instruction_alone/test/positive_expected_result.json index 64b7e65cd1f..2b03c6110e9 100644 --- a/assets/queries/dockerfile/update_instruction_alone/test/positive_expected_result.json +++ b/assets/queries/dockerfile/update_instruction_alone/test/positive_expected_result.json 
@@ -3,42 +3,105 @@ "queryName": "Update Instruction Alone", "severity": "LOW", "line": 3, - "fileName": "positive1.dockerfile" + "fileName": "positive1.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{alpine:latest}}.RUN={{apk add nginx}}", + "searchValue": "", + "expectedValue": "Instruction 'RUN apk [\"add\"]' should be combined with 'RUN apk [\"update\"]' in the same 'RUN' statement", + "actualValue": "Instruction 'RUN apk [\"add\"]' isn't combined with 'RUN apk [\"update\"] in the same 'RUN' statement", + "issueType": "IncorrectValue", + "similarityID": "3e6249729e06b84f7a1e91fdb528333b7e716555dd08e359cd292da760fdaae7", + "search_line": -1 }, { "queryName": "Update Instruction Alone", "severity": "LOW", "line": 3, - "fileName": "positive2.dockerfile" + "fileName": "positive2.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{opensuse:latest}}.RUN={{zypper install nginx}}", + "searchValue": "", + "expectedValue": "Instruction 'RUN zypper [\"install\"]' should be combined with 'RUN zypper [\"refresh\"]' in the same 'RUN' statement", + "actualValue": "Instruction 'RUN zypper [\"install\"]' isn't combined with 'RUN zypper [\"refresh\"] in the same 'RUN' statement", + "issueType": "IncorrectValue", + "similarityID": "ccd306c80d5731f3826cd701b4844dc41a873552bf3803ba686e979ad5f2ad55", + "search_line": -1 }, { "queryName": "Update Instruction Alone", "severity": "LOW", "line": 3, - "fileName": "positive3.dockerfile" + "fileName": "positive3.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{debian:latest}}.RUN={{apt install nginx}}", + "searchValue": "", + "expectedValue": "Instruction 'RUN apt [\"install\"]' should be combined with 'RUN apt [\"update\"]' in the same 'RUN' statement", + "actualValue": "Instruction 'RUN apt [\"install\"]' isn't combined with 'RUN apt [\"update\"] in the same 'RUN' statement", + "issueType": "IncorrectValue", + "similarityID": 
"ad8d682824ffb548f7076a65130663eeab28f4e632e97f1d2494f064805c9bdf", + "search_line": -1 }, { "queryName": "Update Instruction Alone", "severity": "LOW", "line": 3, - "fileName": "positive4.dockerfile" + "fileName": "positive4.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{centos:latest}}.RUN={{yum install nginx}}", + "searchValue": "", + "expectedValue": "Instruction 'RUN yum [\"install\"]' should be combined with 'RUN yum [\"update\"]' in the same 'RUN' statement", + "actualValue": "Instruction 'RUN yum [\"install\"]' isn't combined with 'RUN yum [\"update\"] in the same 'RUN' statement", + "issueType": "IncorrectValue", + "similarityID": "00ba12fd9dd81312c488ef7bb23ed3ba59b586202a8450940d78b7fc9176a57f", + "search_line": -1 }, { "queryName": "Update Instruction Alone", "severity": "LOW", "line": 3, - "fileName": "positive5.dockerfile" + "fileName": "positive5.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{fedora:latest}}.RUN={{dnf install nginx}}", + "searchValue": "", + "expectedValue": "Instruction 'RUN dnf [\"install\"]' should be combined with 'RUN dnf [\"update\"]' in the same 'RUN' statement", + "actualValue": "Instruction 'RUN dnf [\"install\"]' isn't combined with 'RUN dnf [\"update\"] in the same 'RUN' statement", + "issueType": "IncorrectValue", + "similarityID": "2f5aa02996ab0b880493911c4ae28cc75602d51e50fa425102ff61443b2be8ce", + "search_line": -1 }, { "queryName": "Update Instruction Alone", "severity": "LOW", "line": 3, - "fileName": "positive6.dockerfile" + "fileName": "positive6.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{archlinux:latest}}.RUN={{pacman -S nginx}}", + "searchValue": "", + "expectedValue": "Instruction 'RUN pacman [\"-S\"]' should be combined with 'RUN pacman [\"-Syu\"]' in the same 'RUN' statement", + "actualValue": "Instruction 'RUN pacman [\"-S\"]' isn't combined with 'RUN pacman [\"-Syu\"] in the same 'RUN' statement", + 
"issueType": "IncorrectValue", + "similarityID": "e1db7bebd150273589fcfa4174f96cb83e1593d3db017977c998c50cc1d6add1", + "search_line": -1 }, { "queryName": "Update Instruction Alone", "severity": "LOW", "line": 3, - "fileName": "positive7.dockerfile" + "fileName": "positive7.dockerfile", + "resourceType": "", + "resourceName": "", + "searchKey": "FROM={{ubuntu:18.04}}.RUN={{apt-get install -y --no-install-recommends mysql-client && rm -rf /var/lib/apt/lists/*}}", + "searchValue": "", + "expectedValue": "Instruction 'RUN apt-get [\"install\", \"source-install\", \"reinstall\"]' should be combined with 'RUN apt-get [\"update\"]' in the same 'RUN' statement", + "actualValue": "Instruction 'RUN apt-get [\"install\", \"source-install\", \"reinstall\"]' isn't combined with 'RUN apt-get [\"update\"] in the same 'RUN' statement", + "issueType": "IncorrectValue", + "similarityID": "74941a883f02518c5eafe5f85b69ea7b5550a63b8686143d3b7cb4a5323b81f2", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/dockerfile/using_platform_with_from/test/positive_expected_result.json b/assets/queries/dockerfile/using_platform_with_from/test/positive_expected_result.json index 17bce5638c8..5806b6cb66a 100644 --- a/assets/queries/dockerfile/using_platform_with_from/test/positive_expected_result.json +++ b/assets/queries/dockerfile/using_platform_with_from/test/positive_expected_result.json 
@@ -3,6 +3,15 @@
 "queryName": "Using Platform Flag with FROM Command",
 "severity": "INFO",
 "line": 6,
- "fileName": "positive1.dockerfile"
+ "fileName": "positive1.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{--platform=arm64 baseimage as baseimage-build}}.{{FROM --platform=arm64 baseimage as baseimage-build}}",
+ "searchValue": "",
+ "expectedValue": "FROM={{--platform=arm64 baseimage as baseimage-build}}.{{FROM --platform=arm64 baseimage as baseimage-build}} should not use the '--platform' flag",
+ "actualValue": "FROM={{--platform=arm64 baseimage as baseimage-build}}.{{FROM --platform=arm64 baseimage as baseimage-build}} is using the '--platform' flag",
+ "issueType": "IncorrectValue",
+ "similarityID": "ecd874a164d0a0f68be50d2a46c086755a2b4216981dfb9c7e1c399ccbe47131",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/dockerfile/using_unnamed_build_stages/test/positive_expected_result.json b/assets/queries/dockerfile/using_unnamed_build_stages/test/positive_expected_result.json
index d0e9eb1f3db..f904df0e75c 100644
--- a/assets/queries/dockerfile/using_unnamed_build_stages/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/using_unnamed_build_stages/test/positive_expected_result.json
@@ -1,8 +1,17 @@
 [
- {
- "queryName": "Using Unnamed Build Stages",
- "severity": "LOW",
- "line": 10,
- "filename": "positive1.dockerfile"
- }
+ {
+ "queryName": "Using Unnamed Build Stages",
+ "severity": "LOW",
+ "line": 10,
+ "fileName": "positive1.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:latest }}.{{COPY --from=0 /go/src/github.com/foo/href-counter/app ./}}",
+ "searchValue": "",
+ "expectedValue": "COPY '--from' should reference a previously defined FROM alias",
+ "actualValue": "COPY '--from' does not reference a previously defined FROM alias",
+ "issueType": "IncorrectValue",
+ "similarityID": "69fa9fef4b51173f057a508f5072859b7c60e99591001f728a4eb43595d24e51",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/dockerfile/workdir_path_not_absolute/test/positive_expected_result.json b/assets/queries/dockerfile/workdir_path_not_absolute/test/positive_expected_result.json
index ece07faaf7f..f0e6e53b774 100644
--- a/assets/queries/dockerfile/workdir_path_not_absolute/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/workdir_path_not_absolute/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "WORKDIR Path Not Absolute",
 "severity": "LOW",
- "line": 5
+ "line": 5,
+ "fileName": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:3.5}}.WORKDIR={{workdir}}",
+ "searchValue": "",
+ "expectedValue": "'WORKDIR' Command has absolute path",
+ "actualValue": "'WORKDIR' Command doesn't have absolute path",
+ "issueType": "IncorrectValue",
+ "similarityID": "7de4754aa0431648e646bca49058161b82cc2f8cd30259c7cc072f4c21a407ff",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/dockerfile/yum_clean_all_missing/test/positive_expected_result.json b/assets/queries/dockerfile/yum_clean_all_missing/test/positive_expected_result.json
index f4e28bb33cf..906e3a49adc 100644
--- a/assets/queries/dockerfile/yum_clean_all_missing/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/yum_clean_all_missing/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Yum Clean All Missing",
 "severity": "LOW",
 "line": 12,
- "fileName": "positive.dockerfile"
+ "fileName": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:3.4}}.{{RUN yum clean all yum -y install}}",
+ "searchValue": "",
+ "expectedValue": "{{RUN yum clean all yum -y install}} should have 'yum clean all' after 'yum install' command",
+ "actualValue": "{{RUN yum clean all yum -y install}} doesn't have 'yum clean all' after 'yum install' command",
+ "issueType": "IncorrectValue",
+ "similarityID": "d4d9e7fab817e17d40dee5b12f4388db0e31e2c250bda9ff5e703a3ded0e0d0a",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/dockerfile/yum_install_allows_manual_input/test/positive_expected_result.json b/assets/queries/dockerfile/yum_install_allows_manual_input/test/positive_expected_result.json
index c6fa582d3aa..ed894ae69bb 100644
--- a/assets/queries/dockerfile/yum_install_allows_manual_input/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/yum_install_allows_manual_input/test/positive_expected_result.json
@@ -2,11 +2,31 @@
 {
 "queryName": "Yum Install Allows Manual Input",
 "severity": "LOW",
- "line": 3
+ "line": 3,
+ "fileName": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:3.5}}.{{RUN sudo yum install bundler}}",
+ "searchValue": "",
+ "expectedValue": "{{RUN sudo yum install bundler}} should avoid manual input",
+ "actualValue": "{{RUN sudo yum install bundler}} doesn't avoid manual input",
+ "issueType": "IncorrectValue",
+ "similarityID": "7886fb5973ec21abcf13e2377be579005d1b96a768952b5027584c5a3f5563e0",
+ "search_line": -1
 },
 {
 "queryName": "Yum Install Allows Manual Input",
 "severity": "LOW",
- "line": 4
+ "line": 4,
+ "fileName": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{alpine:3.5}}.{{RUN [\"sudo yum\", \"install\", \"bundler\"]}}",
+ "searchValue": "",
+ "expectedValue": "{{RUN [\"sudo yum\", \"install\", \"bundler\"]}} should avoid manual input",
+ "actualValue": "{{RUN [\"sudo yum\", \"install\", \"bundler\"]}} doesn't avoid manual input",
+ "issueType": "IncorrectValue",
+ "similarityID": "e730a7bc5332ae393de550bfb3b4aaad60d740d025c000c2f86e9eddd9cb67ca",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/dockerfile/yum_install_without_version/test/positive_expected_result.json b/assets/queries/dockerfile/yum_install_without_version/test/positive_expected_result.json
index 2ed431a5849..9e13d2eea14 100644
--- a/assets/queries/dockerfile/yum_install_without_version/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/yum_install_without_version/test/positive_expected_result.json
@@ -2,11 +2,31 @@
 {
 "queryName": "Yum install Without Version",
 "severity": "MEDIUM",
- "line": 2
+ "line": 2,
+ "fileName": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{opensuse/leap:15.2}}.{{RUN yum install -y httpd && yum clean all}}",
+ "searchValue": "httpd",
+ "expectedValue": "The package version should always be specified when using yum install",
+ "actualValue": "No version is specified in package 'httpd'",
+ "issueType": "IncorrectValue",
+ "similarityID": "9c40b4a93a5956beb0e5f6a7507d7b48b5f21291ac96f1581b73b9a1caa97f06",
+ "search_line": -1
 },
 {
 "queryName": "Yum install Without Version",
 "severity": "MEDIUM",
- "line": 3
+ "line": 3,
+ "fileName": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{opensuse/leap:15.2}}.{{RUN [\"yum\", \"install\", \"httpd\"]}}",
+ "searchValue": "httpd",
+ "expectedValue": "The package version should always be specified when using yum install",
+ "actualValue": "No version is specified in package 'httpd'",
+ "issueType": "IncorrectValue",
+ "similarityID": "b1376a80466222e7863af688a27a63c09e70f550d89d4f6b8e620a671ae39b0d",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/dockerfile/zypper_install_without_version/test/positive_expected_result.json b/assets/queries/dockerfile/zypper_install_without_version/test/positive_expected_result.json
index 7d64d6a1109..fded6cd6b04 100644
--- a/assets/queries/dockerfile/zypper_install_without_version/test/positive_expected_result.json
+++ b/assets/queries/dockerfile/zypper_install_without_version/test/positive_expected_result.json
@@ -2,11 +2,31 @@
 {
 "queryName": "Zypper Install Without Version",
 "severity": "LOW",
- "line": 2
+ "line": 2,
+ "fileName": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{opensuse/leap:15.2}}.{{RUN zypper install -y httpd && zypper clean}}",
+ "searchValue": "httpd",
+ "expectedValue": "The package version should always be specified when using zypper install",
+ "actualValue": "No version is specified in package 'httpd'",
+ "issueType": "IncorrectValue",
+ "similarityID": "4814189ac42be511ec7b6a2609313968ef61e20463a8834385777b1991340cf5",
+ "search_line": -1
 },
 {
 "queryName": "Zypper Install Without Version",
 "severity": "LOW",
- "line": 3
+ "line": 3,
+ "fileName": "positive.dockerfile",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "FROM={{opensuse/leap:15.2}}.{{RUN [\"zypper\", \"install\", \"http\"]}}",
+ "searchValue": "http",
+ "expectedValue": "The package version should always be specified when using zypper install",
+ "actualValue": "No version is specified in package 'http'",
+ "issueType": "IncorrectValue",
+ "similarityID": "7e52d5f353f5c55a7606f622eddaf096ae71ba7769af7f3e8340bfc320116b9e",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/bigquery_database_is_public/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/bigquery_database_is_public/test/positive_expected_result.json
index 588bf368806..79cfd3313de 100644
--- a/assets/queries/googleDeploymentManager/gcp/bigquery_database_is_public/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/bigquery_database_is_public/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "BigQuery Dataset Is Public",
 "severity": "HIGH",
 "line": 7,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "bigquery.v2.dataset",
+ "resourceName": "bigquery",
+ "searchKey": "resources.name={{bigquery}}.properties.access[0].specialGroup",
+ "searchValue": "",
+ "expectedValue": "'access[0].specialGroup' should not equal to 'allAuthenticatedUsers'",
+ "actualValue": "'access[0].specialGroup' is equal to 'allAuthenticatedUsers'",
+ "issueType": "IncorrectValue",
+ "similarityID": "00bed6eb5dc2252720d71d5a45b115db3708d49ae76cd4b91575d646be275a8e",
+ "search_line": 7
 }
 ]
diff --git a/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/test/positive_expected_result.json
index 6bf204bca1f..121c3157f4a 100644
--- a/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Bucket Without Versioning",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "storage.v1.bucket",
+ "resourceName": "bucket",
+ "searchKey": "resources.name={{bucket}}.properties",
+ "searchValue": "",
+ "expectedValue": "'versioning' should be defined and not null",
+ "actualValue": "'versioning' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "9c82d45eda2537ca0ffd59718a4f5836fb3df3fbf89b11f799d6a43d192ed7e8",
+ "search_line": 4
 },
 {
 "queryName": "Bucket Without Versioning",
 "severity": "MEDIUM",
 "line": 7,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "storage.v1.bucket",
+ "resourceName": "bucket",
+ "searchKey": "resources.name={{bucket}}.properties.versioning.enabled",
+ "searchValue": "",
+ "expectedValue": "'versioning.enabled' should be true",
+ "actualValue": "'versioning.enabled' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "e9ecf7817e79d3f8eb4b822ea482c6ecc7cc3f13dfd05dbcc3519831b16c8bc5",
+ "search_line": 7
 }
 ]
diff --git a/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/test/positive_expected_result.json
index 52d56a7fb6c..480667c8f74 100644
--- a/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled/test/positive_expected_result.json
@@ -3,18 +3,45 @@
 "queryName": "Client Certificate Disabled",
 "severity": "HIGH",
 "line": 4,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties",
+ "searchValue": "",
+ "expectedValue": "'masterAuth' should be defined and not null",
+ "actualValue": "'masterAuth' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "b9987e7cf38934d421fdf9d1770a443ac274b30cd69324d56b65e9c0fcde8ff2",
+ "search_line": 4
 },
 {
 "queryName": "Client Certificate Disabled",
 "severity": "HIGH",
 "line": 6,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties.masterAuth",
+ "searchValue": "",
+ "expectedValue": "'masterAuth.clientCertificateConfig' should be defined and not null",
+ "actualValue": "'masterAuth.clientCertificateConfig' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "fa793f5f5d6d4d3e43cf553d272ce78b534c28e2d1673459925f04665b6f6b7c",
+ "search_line": 6
 },
 {
 "queryName": "Client Certificate Disabled",
 "severity": "HIGH",
 "line": 8,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties.masterAuth.clientCertificateConfig.issueClientCertificate",
+ "searchValue": "",
+ "expectedValue": "'masterAuth.clientCertificateConfig.issueClientCertificate' should be true",
+ "actualValue": "'masterAuth.clientCertificateConfig.issueClientCertificate' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "8c0cf4424e58614ae9bfb2690b1d1a2ce2ea34972cb1c4c6207756bbb9b62cdd",
+ "search_line": 8
 }
 ]
diff --git a/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json
index 0cc01b954eb..876bbe8e7d5 100644
--- a/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec/test/positive_expected_result.json
@@ -3,18 +3,45 @@
 "queryName": "Cloud DNS Without DNSSEC",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "dns.v1.managedZone",
+ "resourceName": "dns",
+ "searchKey": "resources.name={{dns}}.properties",
+ "searchValue": "",
+ "expectedValue": "'dnssecConfig' should be defined and not null",
+ "actualValue": "'dnssecConfig' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "6fed4f26f08207e4eba9a8217b4649a95fb809e74b2dfcc00490e55a263f7dd4",
+ "search_line": 4
 },
 {
 "queryName": "Cloud DNS Without DNSSEC",
 "severity": "MEDIUM",
 "line": 6,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "dns.v1.managedZone",
+ "resourceName": "dns2",
+ "searchKey": "resources.name={{dns2}}.properties.dnssecConfig",
+ "searchValue": "",
+ "expectedValue": "'state' should be defined and not null",
+ "actualValue": "'state' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "a56138bcd503ebf478cd51e567dc5cc6ecdce2b727a5f27f9cf262708bbe9345",
+ "search_line": 6
 },
 {
 "queryName": "Cloud DNS Without DNSSEC",
 "severity": "MEDIUM",
 "line": 7,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "dns.v1.managedZone",
+ "resourceName": "dns3",
+ "searchKey": "resources.name={{dns3}}.properties.dnssecConfig.state",
+ "searchValue": "",
+ "expectedValue": "'state' should be set to 'on'",
+ "actualValue": "'state' is not set to 'on'",
+ "issueType": "IncorrectValue",
+ "similarityID": "8c9520f22b508c6ce62e2e7bf0a9bb111a4aa87b48ee7cfb01591db4393af6cf",
+ "search_line": 7
 }
 ]
diff --git a/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json
index bd96fd1b8e3..41d0aea84af 100644
--- a/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json
@@ -3,36 +3,90 @@
 "queryName": "Cloud Storage Anonymous or Publicly Accessible",
 "severity": "CRITICAL",
 "line": 4,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "storage.v1.bucket",
+ "resourceName": "storage-bucket",
+ "searchKey": "resources.name={{storage-bucket}}.properties",
+ "searchValue": "acl",
+ "expectedValue": "'acl' should be defined",
+ "actualValue": "'acl' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "e68769162328da212b6f181d3e1edbc9693ab47fe484fa69947c0bd60a256f6e",
+ "search_line": 4
 },
 {
 "queryName": "Cloud Storage Anonymous or Publicly Accessible",
 "severity": "CRITICAL",
 "line": 4,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "storage.v1.bucket",
+ "resourceName": "storage-bucket",
+ "searchKey": "resources.name={{storage-bucket}}.properties",
+ "searchValue": "defaultObjectAcl",
+ "expectedValue": "'defaultObjectAcl' should be defined",
+ "actualValue": "'defaultObjectAcl' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "0a866bca32390f0d72a557f05647e79854a537dce30706512b43a5da893c1b65",
+ "search_line": 4
 },
 {
 "queryName": "Cloud Storage Anonymous or Publicly Accessible",
 "severity": "CRITICAL",
- "line": 7,
- "filename": "positive2.yaml"
+ "line": 4,
+ "fileName": "positive2.yaml",
+ "resourceType": "storage.v1.bucket",
+ "resourceName": "storage-bucket",
+ "searchKey": "resources.name={{storage-bucket}}.properties",
+ "searchValue": "acl",
+ "expectedValue": "'acl' should be defined",
+ "actualValue": "'acl' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "99e261331c703a01537a4bf5e011ea241c58e8ddc76b39f71a8e8e2c81fba6fc",
+ "search_line": 4
 },
 {
 "queryName": "Cloud Storage Anonymous or Publicly Accessible",
 "severity": "CRITICAL",
- "line": 4,
- "filename": "positive2.yaml"
+ "line": 7,
+ "fileName": "positive2.yaml",
+ "resourceType": "storage.v1.bucket",
+ "resourceName": "storage-bucket",
+ "searchKey": "resources.name={{storage-bucket}}.properties.defaultObjectAcl[0].entity",
+ "searchValue": "",
+ "expectedValue": "properties.defaultObjectAcl[0].entity should not equal to 'allUsers' or 'AllAuthenticatedUsers'",
+ "actualValue": "properties.defaultObjectAcl[0].entity is equal to 'allUsers' or 'AllAuthenticatedUsers'",
+ "issueType": "IncorrectValue",
+ "similarityID": "77b3567439ad4317bb53e21561fe890a1a640e6806d75bfcada5cdcd21766343",
+ "search_line": 7
 },
 {
 "queryName": "Cloud Storage Anonymous or Publicly Accessible",
 "severity": "CRITICAL",
 "line": 7,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "storage.v1.bucket",
+ "resourceName": "storage-bucket",
+ "searchKey": "resources.name={{storage-bucket}}.properties.acl[0].entity",
+ "searchValue": "",
+ "expectedValue": "properties.acl[0].entity should not equal to 'allUsers' or 'AllAuthenticatedUsers'",
+ "actualValue": "properties.acl[0].entity is equal to 'allUsers' or 'AllAuthenticatedUsers'",
+ "issueType": "IncorrectValue",
+ "similarityID": "8e727922727136b9ae5ef0c26ede02151c2ca750b2029e1bfb812995e246f580",
+ "search_line": 7
 },
 {
 "queryName": "Cloud Storage Anonymous or Publicly Accessible",
 "severity": "CRITICAL",
 "line": 10,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "storage.v1.bucket",
+ "resourceName": "storage-bucket",
+ "searchKey": "resources.name={{storage-bucket}}.properties.defaultObjectAcl[0].entity",
+ "searchValue": "",
+ "expectedValue": "properties.defaultObjectAcl[0].entity should not equal to 'allUsers' or 'AllAuthenticatedUsers'",
+ "actualValue": "properties.defaultObjectAcl[0].entity is equal to 'allUsers' or 'AllAuthenticatedUsers'",
+ "issueType": "IncorrectValue",
+ "similarityID": "43a2ec8f7383a09c241c4b5d49c1fe3995a00d2907d9d398fc6bd57f9db6c7ca",
+ "search_line": 10
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json
index d42c2587d0d..c10e5c91991 100644
--- a/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Cloud Storage Bucket Is Publicly Accessible",
 "severity": "MEDIUM",
 "line": 5,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "storage.v1.bucketAccessControl",
+ "resourceName": "bucket-access-control",
+ "searchKey": "resources.name={{bucket-access-control}}.properties.entity",
+ "searchValue": "",
+ "expectedValue": "'entity' should not equal to 'allUsers' or 'allAuthenticatedUsers'",
+ "actualValue": "'entity' is equal to 'allUsers'",
+ "issueType": "IncorrectValue",
+ "similarityID": "135ed1b7ca5df38ad4682accc222a95db25d169a22b6bf34baacca97e9d57b3b",
+ "search_line": 5
 },
 {
 "queryName": "Cloud Storage Bucket Is Publicly Accessible",
 "severity": "MEDIUM",
 "line": 5,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "storage.v1.bucketAccessControl",
+ "resourceName": "bucket-access-control",
+ "searchKey": "resources.name={{bucket-access-control}}.properties.entity",
+ "searchValue": "",
+ "expectedValue": "'entity' should not equal to 'allUsers' or 'allAuthenticatedUsers'",
+ "actualValue": "'entity' is equal to 'allAuthenticatedUsers'",
+ "issueType": "IncorrectValue",
+ "similarityID": "a78c64359ea5007b13677d17bd36dc840f56f9df2bae8a3a32367e325b454ef2",
+ "search_line": 5
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json
index 3eb292cd0a7..1f67fb2952e 100644
--- a/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Cloud Storage Bucket Versioning Disabled",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "storage.v1.bucket",
+ "resourceName": "a-new-pubsub-topic",
+ "searchKey": "resources.name={{a-new-pubsub-topic}}.properties",
+ "searchValue": "",
+ "expectedValue": "'versioning' should be defined and not null",
+ "actualValue": "'versioning' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "561eec19c675b9b38c9b3c42e58c63f7e46be58b37a97cefed1918c5598ac4fd",
+ "search_line": 4
 },
 {
 "queryName": "Cloud Storage Bucket Versioning Disabled",
 "severity": "MEDIUM",
 "line": 8,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "storage.v1.bucket",
+ "resourceName": "a-new-pubsub-topic2",
+ "searchKey": "resources.name={{a-new-pubsub-topic2}}.properties.versioning.enabled",
+ "searchValue": "",
+ "expectedValue": "'enabled' should be set to true",
+ "actualValue": "'enabled' is set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "846603c3d10262243c30c91a13d0fa0d81f730988796ea9cf34e2c936ea29d11",
+ "search_line": 8
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/test/positive_expected_result.json
index 6dad84347c3..cf0e263a82b 100644
--- a/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Cluster Labels Disabled",
 "severity": "LOW",
 "line": 4,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties",
+ "searchValue": "",
+ "expectedValue": "'resourceLabels' should be defined and not null",
+ "actualValue": "'resourceLabels' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "f6b9d435d5a6627ce76113f7e75fbc7b99308978c9d2124fc6684702fc969b17",
+ "search_line": 4
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json
index 37ca92ffb33..6ca809e3ab8 100644
--- a/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled/test/positive_expected_result.json
@@ -3,18 +3,45 @@
 "queryName": "Cluster Master Authentication Disabled",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties",
+ "searchValue": "",
+ "expectedValue": "'masterAuth' should be defined and not null",
+ "actualValue": "'masterAuth' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "dd78983b9b2a6ab0e1a3d838fcba778f22658098e8e984f4f0e0355d142ef56f",
+ "search_line": 4
 },
 {
 "queryName": "Cluster Master Authentication Disabled",
 "severity": "MEDIUM",
 "line": 5,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties.masterAuth",
+ "searchValue": "",
+ "expectedValue": "Attribute 'masterAuth.username' should be defined and Attribute 'masterAuth.password' should be defined",
+ "actualValue": "Attribute 'masterAuth.username' is undefined or attribute 'masterAuth.password' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "db8f32bdc8b6ab072f84f9780b0e303dc682ccbab2c2fea238cb2cd8bf1ee3a8",
+ "search_line": 5
 },
 {
 "queryName": "Cluster Master Authentication Disabled",
 "severity": "MEDIUM",
 "line": 5,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties.masterAuth",
+ "searchValue": "",
+ "expectedValue": "Attribute 'masterAuth.username' should be defined and Attribute 'masterAuth.password' should be defined",
+ "actualValue": "Attribute 'masterAuth.username' is undefined or attribute 'masterAuth.password' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "43103ba9d03558b5d28b0bb3aa75f666504608749215814334b23b2fe0ee38e2",
+ "search_line": 5
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json
index 7e5816b6e71..79aebb395be 100644
--- a/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Compute Instance Is Publicly Accessible",
 "severity": "MEDIUM",
 "line": 8,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "compute.v1.instance",
+ "resourceName": "instance",
+ "searchKey": "resources.name={{instance}}.properties.networkInterfaces",
+ "searchValue": "",
+ "expectedValue": "'accessConfigs' should be undefined",
+ "actualValue": "'accessConfigs' is defined and not null",
+ "issueType": "IncorrectValue",
+ "similarityID": "3b0e6124f05aeec7a2a92e9737c3e3e2ddd83dc69a9eb2e8c9ee8d9ba94188d5",
+ "search_line": 8
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/test/positive_expected_result.json
index 46de3aa0e69..e5259f97187 100644
--- a/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "COS Node Image Not Used",
 "severity": "LOW",
 "line": 7,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "container.v1.nodePool",
+ "resourceName": "nodePool",
+ "searchKey": "resources.name={{nodePool}}.properties.config.imageType",
+ "searchValue": "",
+ "expectedValue": "'config.imageType' should start with 'cos'",
+ "actualValue": "'config.imageType' is ubuntu",
+ "issueType": "IncorrectValue",
+ "similarityID": "bdaca958f9dd1eee44fec53a984b94318e5e166079eec314b6d77e08489c31f6",
+ "search_line": 7
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/test/positive_expected_result.json
index 7586900135f..2a65411f13c 100644
--- a/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled/test/positive_expected_result.json
@@ -3,36 +3,90 @@
 "queryName": "Disk Encryption Disabled",
 "severity": "MEDIUM",
 "line": 8,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "compute.v1.instance",
+ "resourceName": "vm-template",
+ "searchKey": "resources.name={{vm-template}}.properties.disks",
+ "searchValue": "",
+ "expectedValue": "'diskEncryptionKey' should be defined and not null",
+ "actualValue": "'diskEncryptionKey' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "ff814dfdb3f42492751002a5c937dcc56080c79d5c44b268e5df6b5d3a87657f",
+ "search_line": 8
 },
 {
 "queryName": "Disk Encryption Disabled",
 "severity": "MEDIUM",
- "line": 14,
- "filename": "positive2.yaml"
+ "line": 18,
+ "fileName": "positive1.yaml",
+ "resourceType": "compute.v1.disk",
+ "resourceName": "disk-3-data",
+ "searchKey": "resources.name={{disk-3-data}}.properties.disks",
+ "searchValue": "",
+ "expectedValue": "'diskEncryptionKey' should be defined and not null",
+ "actualValue": "'diskEncryptionKey' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "37e4dd40edf9f1b1d43341277a7f8c1182b7d413221389ba29eab585e7a3e7f0",
+ "search_line": 18
 },
 {
 "queryName": "Disk Encryption Disabled",
 "severity": "MEDIUM",
- "line": 16,
- "filename": "positive3.yaml"
+ "line": 14,
+ "fileName": "positive2.yaml",
+ "resourceType": "compute.v1.instance",
+ "resourceName": "vm-template2",
+ "searchKey": "resources.name={{vm-template2}}.properties.disks.diskEncryptionKey",
+ "searchValue": "",
+ "expectedValue": "'disk_encryption_key.rawKey' or 'disk_encryption_key.kmsKeyName' should be defined and not null",
+ "actualValue": "'disk_encryption_key.rawKey' and 'disk_encryption_key.kmsKeyName' are undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "0ec5ba3b16b1fddffa3555617ee1579b602ead49846d4ce46528d6ca62129330",
+ "search_line": 14
 },
 {
 "queryName": "Disk Encryption Disabled",
 "severity": "MEDIUM",
- "line": 18,
- "filename": "positive1.yaml"
+ "line": 23,
+ "fileName": "positive2.yaml",
+ "resourceType": "compute.v1.disk",
+ "resourceName": "disk-4-data",
+ "searchKey": "resources.name={{disk-4-data}}.properties.diskEncryptionKey",
+ "searchValue": "",
+ "expectedValue": "'disk_encryption_key.rawKey' or 'disk_encryption_key.kmsKeyName' should be defined and not null",
+ "actualValue": "'disk_encryption_key.rawKey' and 'disk_encryption_key.kmsKeyName' are undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "1875ce085db37c4e2b2e9a9faf147de8adc1b319abe982e4510565eb71421664",
+ "search_line": 23
 },
 {
 "queryName": "Disk Encryption Disabled",
 "severity": "MEDIUM",
- "line": 23,
- "filename": "positive2.yaml"
+ "line": 16,
+ "fileName": "positive3.yaml",
+ "resourceType": "compute.v1.instance",
+ "resourceName": "vm-template3",
+ "searchKey": "resources.name={{vm-template3}}.properties.disks.diskEncryptionKey.rawKey",
+ "searchValue": "",
+ "expectedValue": "'diskEncryptionKey.rawKey' should not be empty",
+ "actualValue": "'diskEncryptionKey.rawKey' is empty",
+ "issueType": "IncorrectValue",
+ "similarityID": "ed972ba592060a3f97f779752af6dbb3555a989a1813a33d94703c487bf733d7",
+ "search_line": 16
 },
 {
 "queryName": "Disk Encryption Disabled",
 "severity": "MEDIUM",
 "line": 26,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "compute.v1.disk",
+ "resourceName": "disk-5-data",
+ "searchKey": "resources.name={{disk-5-data}}.properties.diskEncryptionKey.rawKey",
+ "searchValue": "",
+ "expectedValue": "'diskEncryptionKey.rawKey' should not be empty",
+ "actualValue": "'diskEncryptionKey.rawKey' is empty",
+ "issueType": "IncorrectValue",
+ "similarityID": "436ea9e053a8695915ef100f0e0ad776f6d3ba5cc44e9c33b70a2faf3586b7c5",
+ "search_line": 26
 }
 ]
diff --git a/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/test/positive_expected_result.json
index f40a3d8a8a0..6ff020e5021 100644
--- a/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "DNSSEC Using RSASHA1",
 "severity": "MEDIUM",
 "line": 9,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "dns.v1.managedZone",
+ "resourceName": "dns",
+ "searchKey": "resources.name={{dns}}.properties.dnssecConfig.defaultKeySpecs",
+ "searchValue": "",
+ "expectedValue": "'algorithm' should not equal to 'rsasha1'",
+ "actualValue": "'algorithm' is equal to 'rsasha1'",
+ "issueType": "IncorrectValue",
+ "similarityID": "3e719e1a39c0f7207ffe9789d76e0963bbe6470f38fa296f0e53621edd72f961",
+ "search_line": 9
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json
index a34c5e90f58..70d1ec248cc 100644
--- a/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "GKE Legacy Authorization Enabled",
 "severity": "HIGH",
 "line": 7,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties.legacyAbac.enabled",
+ "searchValue": "",
+ "expectedValue": "'legacyAbac.enabled' should be false",
+ "actualValue": "'legacyAbac.enabled' is true",
+ "issueType": "IncorrectValue",
+ "similarityID": "90796cff77b65607e043a5a5e3b41ecc8fef0593bd3d3265364960031418fdd6",
+ "search_line": 7
 }
 ]
diff --git a/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json
index c2a87118b33..b3369973c17 100644
--- a/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "GKE Master Authorized Networks Disabled",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "my-cluster",
+ "searchKey": "resources.name={{my-cluster}}.properties",
+ "searchValue": "",
+ "expectedValue": "'masterAuthorizedNetworksConfig' should be defined and not null",
+ "actualValue": "'masterAuthorizedNetworksConfig' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "c2254fd4b764838a96b0fe6eca2824b3b3df417f041537029f58668079d21230",
+ "search_line": 4
 },
 {
 "queryName": "GKE Master Authorized Networks Disabled",
 "severity": "MEDIUM",
 "line": 7,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "my-cluster",
+ "searchKey": "resources.name={{my-cluster}}.properties.masterAuthorizedNetworksConfig.enabled",
+ "searchValue": "",
+ "expectedValue": "'masterAuthorizedNetworksConfig.enabled' should be true",
+ "actualValue": "'masterAuthorizedNetworksConfig.enabled' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "508f0825e6a890d5e9581a1bcf74bc717babc4e6e38d404b9c80d1a9b7822b53",
+ "search_line": 7
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json
index c73e8f724a2..4846ad4d522 100644
--- a/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Google Storage Bucket Level Access Disabled",
 "severity": "HIGH",
 "line": 11,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "storage.v1.bucket",
+ "resourceName": "a-new-pubsub-topic1",
+ "searchKey": "resources.name={{a-new-pubsub-topic1}}.properties.iamConfiguration.uniformBucketLevelAccess.enabled",
+ "searchValue": "",
+ "expectedValue": "'enabled' should be set to true",
+ "actualValue": "'enabled' is set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "958796d3ff9cecc1880e0454eb94f23e4b9d46f3a48850430a6b8ae0f6a1e530",
+ "search_line": 11
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/test/positive_expected_result.json
index db68ada83e5..0288caa4662 100644
--- a/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled/test/positive_expected_result.json
@@ -3,18 +3,45 @@
 "queryName": "IP Aliasing Disabled",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties",
+ "searchValue": "",
+ "expectedValue": "'ipAllocationPolicy' should be defined and not null",
+ "actualValue": "'ipAllocationPolicy' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "e64039504421b769560b0a039ca6e563ec89453641c95b8d820291103a4e2f1b",
+ "search_line": 4
 },
 {
 "queryName": "IP Aliasing Disabled",
 "severity": "MEDIUM",
 "line": 6,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties.ipAllocationPolicy",
+ "searchValue": "",
+ "expectedValue": "'ipAllocationPolicy.useIpAliases' should be defined and not null",
+ "actualValue": "'ipAllocationPolicy.useIpAliases' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "9e5f34d8dddb68a7228ff41c42bb5d02bbca5244de6c6de85cccc999bc6824ce",
+ "search_line": 6
 },
 {
 "queryName": "IP Aliasing Disabled",
 "severity": "MEDIUM",
 "line": 8,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties.ipAllocationPolicy.useIpAliases",
+ "searchValue": "",
+ "expectedValue": "'ipAllocationPolicy.useIpAliases' should be true",
+ "actualValue": "'ipAllocationPolicy.useIpAliases' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "8fa6b068700b8dfac2a8a5cec844c8590b10723aa3cf16fedd6142a3d6ff9d18",
+ "search_line": 8
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/test/positive_expected_result.json
index d7d2261870e..070d3e6cc2f 100644
--- a/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "IP Forwarding Enabled",
 "severity": "MEDIUM",
 "line": 16,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "compute.v1.instance",
+ "resourceName": "vm-template",
+ "searchKey": "resources.name={{vm-template}}.properties.canIpForward",
+ "searchValue": "",
+ "expectedValue": "'canIpForward' should not be set to true",
+ "actualValue": "'canIpForward' is set to true",
+ "issueType": "IncorrectValue",
+ "similarityID": "1b6d577acbcaaedff8a40500b472e72f6ef38fd1beeba2a8f0cf52788deeb742",
+ "search_line": 16
 }
 ]
diff --git a/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json
index 19d10797fc4..3e0123c80bb 100644
--- a/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "MySQL Instance With Local Infile On",
 "severity": "HIGH",
 "line": 8,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "sqladmin.v1beta4.instance",
+ "resourceName": "db-instance",
+ "searchKey": "resources.name={{db-instance}}.properties.settings.databaseFlags[0]",
+ "searchValue": "",
+ "expectedValue": "'settings.databaseFlags[0]' should be 'off'",
+ "actualValue": "'settings.databaseFlags[0]' is equal to 'on'",
+ "issueType": "IncorrectValue",
+ "similarityID": "d693fffb7ed1b4ab2f7b36adb454763c3006c7be77c2f4dfd340971f7bbb425d",
+ "search_line": 8
 }
 ]
diff --git a/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/test/positive_expected_result.json
index 3d252b3cbfc..6670394e16d 100644
--- a/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/network_policy_disabled/test/positive_expected_result.json
@@ -3,48 +3,120 @@
 "queryName": "Network Policy Disabled",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties",
+ "searchValue": "addonsConfig",
+ "expectedValue": "'addonsConfig' should be defined and not null",
+ "actualValue": "'addonsConfig' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "f338be1fa18d05f3998acb37b7fbba586f5f9dc3e8ba89becbe327173583b6eb",
+ "search_line": 4
 },
 {
 "queryName": "Network Policy Disabled",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties",
+ "searchValue": "networkPolicy",
+ "expectedValue": "'networkPolicy' should be defined and not null",
+ "actualValue": "'networkPolicy' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "a13dd8bc179c3880f13b68f51ac78e4c8af60375a15089c545cc54bd444b9d43",
+ "search_line": 4
 },
 {
 "queryName": "Network Policy Disabled",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties",
+ "searchValue": "addonsConfig",
+ "expectedValue": "'addonsConfig' should be defined and not null",
+ "actualValue": "'addonsConfig' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "1a498e49aac6596e17139a0b130feff2343dda39f7ba635adca5ea0fd2756c35",
+ "search_line": 4
 },
 {
 "queryName": "Network Policy Disabled",
 "severity": "MEDIUM",
 "line": 7,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties.networkPolicy.enabled",
+ "searchValue": "",
+ "expectedValue": "'networkPolicy.enabled' should be true",
+ "actualValue": "'networkPolicy.enabled' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "8d6b222eb22695e60ac02575fc3e6ef972e2bce4aabac1486ee8219b35a77be3",
+ "search_line": 7
 },
 {
 "queryName": "Network Policy Disabled",
 "severity": "MEDIUM",
- "line": 8,
- "filename": "positive3.yaml"
+ "line": 4,
+ "fileName": "positive3.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties",
+ "searchValue": "networkPolicy",
+ "expectedValue": "'networkPolicy' should be defined and not null",
+ "actualValue": "'networkPolicy' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "13fd843ed235b66fbff569f46f2417542d032c2f6dc57909fd302fc04d8a71df",
+ "search_line": 4
 },
 {
 "queryName": "Network Policy Disabled",
 "severity": "MEDIUM",
- "line": 4,
- "filename": "positive3.yaml"
+ "line": 8,
+ "fileName": "positive3.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties.addonsConfig.networkPolicyConfig.disabled",
+ "searchValue": "",
+ "expectedValue": "'addonsConfig.networkPolicyConfig.disabled' should be false",
+ "actualValue": "'addonsConfig.networkPolicyConfig.disabled' is true",
+ "issueType": "IncorrectValue",
+ "similarityID": "190d6c6efe6984010cd8a398e0557aba3e4d3e0639e19c0ddfea48040463d59a",
+ "search_line": 8
 },
 {
 "queryName": "Network Policy Disabled",
 "severity": "MEDIUM",
- "line": 10,
- "filename": "positive4.yaml"
+ "line": 7,
+ "fileName": "positive4.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties.networkPolicy.enabled",
+ "searchValue": "",
+ "expectedValue": "'networkPolicy.enabled' should be true",
+ "actualValue": "'networkPolicy.enabled' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "cccfcd7c45662d55e20e157a84642a883a7b0cb9bb41a4a65fb697b41250ffef",
+ "search_line": 7
 },
 {
 "queryName": "Network Policy Disabled",
 "severity": "MEDIUM",
- "line": 7,
- "filename": "positive4.yaml"
+ "line": 10,
+ "fileName": "positive4.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties.addonsConfig.networkPolicyConfig.disabled",
+ "searchValue": "",
+ "expectedValue": "'addonsConfig.networkPolicyConfig.disabled' should be false",
+ "actualValue": "'addonsConfig.networkPolicyConfig.disabled' is true",
+ "issueType": "IncorrectValue",
+ "similarityID": "fafa3e5bc0b19c193c28a1f14f9cd7924ce4730fa78c18b357f5a9c599ea30ba",
+ "search_line": 10
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json
index 41f14f2827f..752b2dc98ab 100644
--- a/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json
@@ -3,24 +3,60 @@
 "queryName": "Node Auto Upgrade Disabled",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties",
+ "searchValue": "",
+ "expectedValue": "'nodePools' should be defined and not null",
+ "actualValue": "'nodePools' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "7dc38ee98d912b7f197def7f075af88e810a268976007a421baf0a92021fbcdf",
+ "search_line": 4
 },
 {
 "queryName": "Node Auto Upgrade Disabled",
 "severity": "MEDIUM",
 "line": 6,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties.nodePools",
+ "searchValue": "",
+ "expectedValue": "'nodePools.management' should be defined and not null",
+ "actualValue": "'nodePools.management' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "9856a1db1d40bf1321309ac9315e6988f7594e15597c5e37182063e49f5e1d11",
+ "search_line": 6
 },
 {
 "queryName": "Node Auto Upgrade Disabled",
 "severity": "MEDIUM",
 "line": 8,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties.nodePools.management",
+ "searchValue": "",
+ "expectedValue": "'nodePools.management.autoUpgrade' should be defined and not null",
+ "actualValue": "'nodePools.management.autoUpgrade' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "bc9ffe6d7374488cb538c0dcc3d5bee095f4646e6e566e5d3017ccf54ee5b221",
+ "search_line": 8
 },
 {
 "queryName": "Node Auto Upgrade Disabled",
 "severity": "MEDIUM",
 "line": 9,
- "filename": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "cluster",
+ "searchKey": "resources.name={{cluster}}.properties.nodePools.management.autoUpgrade",
+ "searchValue": "",
+ "expectedValue": "'nodePools.management.autoUpgrade' should be true",
+ "actualValue": "'nodePools.management.autoUpgrade' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "019b119b0aa243da893f25fefa04904c87bdebd18af0c97a9df33cfe6333e4f3",
+ "search_line": 9
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/test/positive_expected_result.json
index d8a159bff9b..ed498e74cab 100644
--- a/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Not Proper Email Account In Use",
 "severity": "LOW",
 "line": 9,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "pubsub.v1.topic",
+ "resourceName": "a-new-pubsub-topic",
+ "searchKey": "accessControl.gcpIamPolicy.bindings[%!s(int=0)].members.user:jane@gmail.com",
+ "searchValue": "",
+ "expectedValue": "'members' cannot contain Gmail account addresses",
+ "actualValue": "'members' has email address: user:jane@gmail.com",
+ "issueType": "IncorrectValue",
+ "similarityID": "fcc32782aa847dc8aeea4457c4944ff261565135b245c5ff5aef1450fa119ed1",
+ "search_line": 9
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json
index ad76c251278..c6fedcd9103 100644
--- a/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "OSLogin Is Disabled In VM Instance",
 "severity": "MEDIUM",
 "line": 10,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "compute.v1.instance",
+ "resourceName": "vm",
+ "searchKey": "resources.name={{vm}}.properties.metadata.items[0]",
+ "searchValue": "",
+ "expectedValue": "'metadata.items[0]'.value should be true",
+ "actualValue": "'metadata.items[0]'.value is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "5a63abf60d0a505ed3fbde9c1674295a5ab797d0c86bd233df041eefa09b208d",
+ "search_line": 10
 }
 ]
diff --git a/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/test/positive_expected_result.json
index a9805abe4bb..30f31f9d93e 100644
--- a/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled/test/positive_expected_result.json
@@ -3,18 +3,45 @@
 "queryName": "Private Cluster Disabled",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "mycluster",
+ "searchKey": "resources.name={{mycluster}}.properties",
+ "searchValue": "",
+ "expectedValue": "'privateClusterConfig' should be defined and not null",
+ "actualValue": "'privateClusterConfig' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "59802b122b5e1057790d8476f5e71cd1399e5e5d3101e4e4ad4010f1273e2f7b",
+ "search_line": 4
 },
 {
 "queryName": "Private Cluster Disabled",
 "severity": "MEDIUM",
 "line": 6,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "mycluster2",
+ "searchKey": "resources.name={{mycluster2}}.properties.privateClusterConfig",
+ "searchValue": "",
+ "expectedValue": "'enablePrivateNodes' should be defined and not null",
+ "actualValue": "'enablePrivateNodes' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "825889c00f9be083bd7c8628cb99612f8bd45c595a048d9039c8b4535ebc2d92",
+ "search_line": 6
 },
 {
 "queryName": "Private Cluster Disabled",
 "severity": "MEDIUM",
 "line": 7,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "container.v1.cluster",
+ "resourceName": "mycluster2",
+ "searchKey": "resources.name={{mycluster2}}.properties.privateClusterConfig.enablePrivateEndpoint",
+ "searchValue": "",
+ "expectedValue": "'enablePrivateEndpoint' should be set to true",
+ "actualValue": "'enablePrivateEndpoint' is set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "bf1f4c2561137ca84dc3de87f120b0d51496d15614e221b6ed302b8837772650",
+ "search_line": 7
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json
index 975ce957b25..bbb31c4cc19 100644
--- a/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json
@@ -3,18 +3,45 @@
 "queryName": "Project-wide SSH Keys Are Enabled In VM Instances",
 "severity": "MEDIUM",
 "line": 4,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "compute.v1.instance",
+ "resourceName": "vm",
+ "searchKey": "resources.name={{vm}}.properties",
+ "searchValue": "",
+ "expectedValue": "'metadata' should be defined and not null",
+ "actualValue": "'metadata' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "38ddfcd86a8c97f92e0f07558277d0e77db6da81a397bdb81031e1649f11780a",
+ "search_line": 4
 },
 {
 "queryName": "Project-wide SSH Keys Are Enabled In VM Instances",
 "severity": "MEDIUM",
 "line": 8,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "compute.v1.instance",
+ "resourceName": "vm",
+ "searchKey": "resources.name={{vm}}.properties.metadata.items",
+ "searchValue": "",
+ "expectedValue": "'metadata.items' should have 'block-project-ssh-keys'",
+ "actualValue": "'metadata.items' does not have 'block-project-ssh-keys'",
+ "issueType": "MissingAttribute",
+ "similarityID": "2448324f71d5ee123bcac225da5dfb9feb0f2f92376a3da0aee5cd9e47598f67",
+ "search_line": 8
 },
 {
 "queryName": "Project-wide SSH Keys Are Enabled In VM Instances",
 "severity": "MEDIUM",
 "line": 12,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "compute.v1.instance",
+ "resourceName": "vm",
+ "searchKey": "resources.name={{vm}}.properties.metadata.items[1].key",
+ "searchValue": "",
+ "expectedValue": "'metadata.items[1].value' should be true",
+ "actualValue": "'metadata.items[1].value' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "fc561b8a93790ac1c72841e93d9356acbfdbe28112dc0b1df4486899f328a480",
+ "search_line": 12
 }
 ]
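Review bot: In the third entry of this fixture the `searchKey` and the message disagree about which field the finding is on: the key ends in `resources.name={{vm}}.properties.metadata.items[1].key` while `expectedValue`/`actualValue` read `'metadata.items[1].value' should be true` / `is false`. A reader of the scan output is pointed at the `key` attribute and told the `value` is wrong, and `similarityID` is computed from that key, so whichever field is the intended anchor should be chosen once in the query and this file regenerated rather than edited by hand. I cannot see positive3.yaml here, so anchoring on `.key` to highlight the `block-project-ssh-keys` item may be deliberate; if so, the wording of the two messages (or a short comment in the query) should say that the value of the item named by the key is what is being checked.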
diff --git a/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json
index cc92fb60bc4..30df1d6b1de 100644
--- a/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json
@@ -3,18 +3,45 @@
 "queryName": "RDP Access Is Not Restricted",
 "severity": "HIGH",
 "line": 14,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "compute.v1.firewall",
+ "resourceName": "firewall",
+ "searchKey": "resources.name={{firewall}}.properties.allowed",
+ "searchValue": "",
+ "expectedValue": "'allowed.ports' to not include RDP port 3389",
+ "actualValue": "'allowed.ports' includes RDP port 3389",
+ "issueType": "IncorrectValue",
+ "similarityID": "538a345025f7be9d96d739c3ae1c86db743d48bc3151de4a55d9210016b415b9",
+ "search_line": 14
 },
 {
 "queryName": "RDP Access Is Not Restricted",
 "severity": "HIGH",
 "line": 14,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "compute.v1.firewall",
+ "resourceName": "firewall",
+ "searchKey": "resources.name={{firewall}}.properties.allowed",
+ "searchValue": "",
+ "expectedValue": "'allowed.ports' to not include RDP port 3389",
+ "actualValue": "'allowed.ports' includes RDP port 3389",
+ "issueType": "IncorrectValue",
+ "similarityID": "4488ffcc2584902cabb9705dd42c8b0afe5e0775f545d2c7ff3d1f139321aea5",
+ "search_line": 14
 },
 {
 "queryName": "RDP Access Is Not Restricted",
 "severity": "HIGH",
 "line": 9,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "compute.v1.firewall",
+ "resourceName": "firewall",
+ "searchKey": "resources.name={{firewall}}.properties.allowed",
+ "searchValue": "",
+ "expectedValue": "'allowed.ports' to not include RDP port 3389",
+ "actualValue": "'allowed.ports' includes RDP port 3389",
+ "issueType": "IncorrectValue",
+ "similarityID": "0d4899412d86415ae3a7c4da41d84e0bed73850165aad817ad7255ad0fd00cec",
+ "search_line": 9
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/test/positive_expected_result.json
index ee8a1dd650e..cd73b68919e 100644
--- a/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/test/positive_expected_result.json
+++ b/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled/test/positive_expected_result.json
@@ -3,24 +3,60 @@ "queryName": "Shielded VM Disabled", "severity": "MEDIUM", "line": 4, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "compute.v1.instance", + "resourceName": "vm-template", + "searchKey": "resources.name={{vm-template}}.properties", + "searchValue": "", + "expectedValue": "'shieldedInstanceConfig' should be defined and not null", + "actualValue": "'shieldedInstanceConfig' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "bc90144e0e386f2516b2b05823a1326d05b3ec4e1628e9b9f41df0673f5542ea", + "search_line": 4 }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", "line": 17, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "compute.v1.instance", + "resourceName": "vm-template2", + "searchKey": "resources.name={{vm-template2}}.properties.shieldedInstanceConfig", + "searchValue": "enableIntegrityMonitoring", + "expectedValue": "'enableIntegrityMonitoring' should be defined and not null", + "actualValue": "'enableIntegrityMonitoring' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "6a73045530ca430c32488cdba1c0d187b8698d4a9ded3a8a47d7bf50e45d790d", + "search_line": 17 }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", "line": 17, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "compute.v1.instance", + "resourceName": "vm-template2", + "searchKey": "resources.name={{vm-template2}}.properties.shieldedInstanceConfig", + "searchValue": "enableVtpm", + "expectedValue": "'enableVtpm' should be defined and not null", + "actualValue": "'enableVtpm' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "0d02709536f9fbc380fc5e4236f7148c959a4a96f66fc505c48603b2ee657974", + "search_line": 17 }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", "line": 18, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "compute.v1.instance", + 
"resourceName": "vm-template2", + "searchKey": "resources.name={{vm-template2}}.properties.shieldedInstanceConfig.enableSecureBoot", + "searchValue": "", + "expectedValue": "'enableSecureBoot' should be set to true", + "actualValue": "'enableSecureBoot' is set to false", + "issueType": "IncorrectValue", + "similarityID": "f4f30ade6bfa4798705cfec3ada64b6213c1f69d3be50d97fdc8cc4b461229aa", + "search_line": 18 } ] diff --git a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json index 98d4feb7317..0a6c4d724a0 100644 --- a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "SQL DB Instance Backup Disabled", "severity": "MEDIUM", "line": 5, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "sqladmin.v1beta4.instance", + "resourceName": "sql-instance", + "searchKey": "resources.name={{sql-instance}}.properties.settings", + "searchValue": "", + "expectedValue": "'settings.backupConfiguration' should be defined and not null", + "actualValue": "'settings.backupConfiguration' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "23b3fcf139fc56121b56ab5c46207e13352b4970fbec6d80004d034232e541f4", + "search_line": 5 }, { "queryName": "SQL DB Instance Backup Disabled", "severity": "MEDIUM", "line": 7, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "sqladmin.v1beta4.instance", + "resourceName": "sql-instance", + "searchKey": "resources.name={{sql-instance}}.properties.settings.backupConfiguration", + "searchValue": "", + "expectedValue": "'settings.backupConfiguration.enabled' should be defined and not null", + "actualValue": "'settings.backupConfiguration.enabled' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "e5fcc53b3af0cf77b0e320801941a535e360758ee3d1d14d80a62f51b505c44c", + "search_line": 7 }, { "queryName": "SQL DB Instance Backup Disabled", "severity": "MEDIUM", "line": 8, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "sqladmin.v1beta4.instance", + "resourceName": "sql-instance", + "searchKey": "resources.name={{sql-instance}}.properties.settings.backupConfiguration.enabled", + "searchValue": "", + "expectedValue": "'settings.backupConfiguration.enabled' should be true", + "actualValue": "'settings.backupConfiguration.enabled' is false", + "issueType": "IncorrectValue", + "similarityID": "8acfd4c0344c4869b26c49c35fcf65d3e42a5fa2198eaeb22efd80c928c4929d", + "search_line": 8 } -] \ No newline at end of file +] 
diff --git a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json index 137b73b9845..9e0b06e5a91 100644 --- a/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", "line": 5, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "sqladmin.v1beta4.instance", + "resourceName": "sql-instance", + "searchKey": "resources.name={{sql-instance}}.properties.settings", + "searchValue": "", + "expectedValue": "'settings.ipConfiguration' should be defined and not null", + "actualValue": "'settings.ipConfiguration' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "179fcbc2b5d24d7a1c21ce51f232a5b5aef3f491303fc47f4d89447fcf201785", + "search_line": 5 }, { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", "line": 7, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "sqladmin.v1beta4.instance", + "resourceName": "sql-instance", + "searchKey": "resources.name={{sql-instance}}.properties.settings.ipConfiguration", + "searchValue": "", + "expectedValue": "'settings.ipConfiguration.requireSsl' should be defined and not null", + "actualValue": "'settings.ipConfiguration.requireSsl' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "ef89ba43688ed815d97bef1ffbf625088747d1da9494f4d56789a9871659f956", + "search_line": 7 }, { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", "line": 9, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "sqladmin.v1beta4.instance", + "resourceName": "sql-instance", + "searchKey": "resources.name={{sql-instance}}.properties.settings.ipConfiguration.requireSsl", + "searchValue": "", + "expectedValue": "'settings.ipConfiguration.requireSsl' should be true", + "actualValue": "'settings.ipConfiguration.requireSsl' is false", + "issueType": "IncorrectValue", + "similarityID": "04544fd2ef25a05fc5a8e3482f38dcc2ee98dca4426e9a5423c6c26f679bf68d", + "search_line": 9 } ] 
diff --git a/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json index 19728bf8299..279d2ce9b50 100644 --- a/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "SSH Access Is Not Restricted", "severity": "MEDIUM", "line": 10, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "compute.v1.firewall", + "resourceName": "firewall", + "searchKey": "resources.name={{firewall}}.properties.allowed[%!d(string=22)].ports=%!s(MISSING)", + "searchValue": "", + "expectedValue": "'allowed[0].ports' to not include SSH port 22", + "actualValue": "'allowed[0].ports' includes SSH port 22", + "issueType": "IncorrectValue", + "similarityID": "2e933c6a4d6372acb35d07485d840a1b382c56759942b33e234cfcb8f1c96970", + "search_line": 10 }, { "queryName": "SSH Access Is Not Restricted", "severity": "MEDIUM", "line": 10, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "compute.v1.firewall", + "resourceName": "firewall", + "searchKey": "resources.name={{firewall}}.properties.allowed[%!d(string=21-3390)].ports=%!s(MISSING)", + "searchValue": "", + "expectedValue": "'allowed[0].ports' to not include SSH port 22", + "actualValue": "'allowed[0].ports' includes SSH port 22", + "issueType": "IncorrectValue", + "similarityID": "0e8aa75447187f032217f44b0c8bca56a090f667ba73788d8d2edb08380b7ffe", + "search_line": 10 }, { "queryName": "SSH Access Is Not Restricted", "severity": "MEDIUM", "line": 4, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "compute.v1.firewall", + "resourceName": "firewall", + "searchKey": "resources.name={{firewall}}.properties.allowed[%!d(string=0-65535)].ports=%!s(MISSING)", + "searchValue": "", + "expectedValue": "'allowed[0].ports' to not include SSH port 22", + "actualValue": "'allowed[0].ports' includes SSH port 22", + "issueType": "IncorrectValue", + "similarityID": "f0ecef102b4be6ed45591b13ac1f1d9cf9576890e65a8cb06c94fc0092793398", + "search_line": -1 } ] 
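Review bot: The three new `searchKey` values in this hunk carry Go fmt error markers — `allowed[%!d(string=22)].ports=%!s(MISSING)` and the two sibling forms — which means the query's sprintf receives a string where `%d` is expected and one argument fewer than its verbs, and committing them here freezes that broken output as the expected result. The fix belongs in the query's key-building call (pass the port value with `%s` and supply the missing argument), after which this fixture should be regenerated rather than hand-edited. The `positive3.yaml` entry also ends with `"search_line": -1` while its siblings resolve to `10`; that looks like a failed line lookup on the `0-65535` range case and is worth confirming before it is locked in as expected.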
diff --git a/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/test/positive_expected_result.json index 54222d9059a..820fbd15c2e 100644 --- a/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "Stackdriver Logging Disabled", "severity": "MEDIUM", "line": 4, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "cluster", + "searchKey": "resources.name={{cluster}}.properties", + "searchValue": "", + "expectedValue": "'loggingService' should be defined and not null", + "actualValue": "'loggingService' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "8f2b71f4e67e5af177d1b0cc836e1dff15ef3c0270a53a0e9e4814dcc68a52c7", + "search_line": 4 }, { "queryName": "Stackdriver Logging Disabled", "severity": "MEDIUM", "line": 6, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "cluster", + "searchKey": "resources.name={{cluster}}.properties.loggingService", + "searchValue": "", + "expectedValue": "'loggingService' to not be none", + "actualValue": "'loggingService' is none", + "issueType": "IncorrectValue", + "similarityID": "2d8961db3ddcfe319846495db0aae1db03186087e919997c235f4603e943688a", + "search_line": 6 } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json index 26074b13c9b..0744694a956 100644 
--- a/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "Stackdriver Monitoring Disabled", "severity": "MEDIUM", "line": 4, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "my-cluster", + "searchKey": "resources.name={{my-cluster}}.properties", + "searchValue": "", + "expectedValue": "'monitoringService' should be defined and not null", + "actualValue": "'monitoringService' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "906dae57414cd1fbdc3258082dc9da7e950f9455a3e2c2516951ecc8ba86ba0e", + "search_line": 4 }, { "queryName": "Stackdriver Monitoring Disabled", "severity": "MEDIUM", "line": 6, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "container.v1.cluster", + "resourceName": "my-cluster", + "searchKey": "resources.name={{my-cluster}}.properties.monitoringService", + "searchValue": "", + "expectedValue": "'monitoringService' to not be 'none'", + "actualValue": "'monitoringService' is 'none'", + "issueType": "IncorrectValue", + "similarityID": "5d79d5b905b268d3381dcb67f6621aacfc8a5af2cf8c090fe92f7d800040e2a0", + "search_line": 6 } -] \ No newline at end of file +] diff --git a/assets/queries/googleDeploymentManager/gcp_bom/pd/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp_bom/pd/test/positive_expected_result.json index 831cb325438..b4a79a8b5fd 100644 --- a/assets/queries/googleDeploymentManager/gcp_bom/pd/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp_bom/pd/test/positive_expected_result.json 
@@ -1,32 +1,77 @@ [ - { - "queryName": "BOM - GCP PD", - "severity": "TRACE", - "line": 3, - "fileName": "positive.yaml" - }, - { - "queryName": "BOM - GCP PD", - "severity": "TRACE", - "line": 11, - "fileName": "positive.yaml" - }, - { - "queryName": "BOM - GCP PD", - "severity": "TRACE", - "line": 19, - "fileName": "positive.yaml" - }, - { - "queryName": "BOM - GCP PD", - "severity": "TRACE", - "line": 24, - "fileName": "positive.yaml" - }, - { - "queryName": "BOM - GCP PD", - "severity": "TRACE", - "line": 31, - "fileName": "positive.yaml" - } + { + "queryName": "BOM - GCP PD", + "severity": "TRACE", + "line": 3, + "fileName": "positive.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "resources.name={{disk-1-data}}", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "2b35c8881650564c10d4e51de5615cffda260c84623f82acd6866f916a813a6c", + "search_line": -1 + }, + { + "queryName": "BOM - GCP PD", + "severity": "TRACE", + "line": 11, + "fileName": "positive.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "resources.name={{disk-2-data}}", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "628859761dd2406be9ae0f62a8e437f223bb1daba69060f65ff01fd2173ddf61", + "search_line": -1 + }, + { + "queryName": "BOM - GCP PD", + "severity": "TRACE", + "line": 19, + "fileName": "positive.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "resources.name={{disk-3-data}}", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "cb6c9923010d1379be8f0042593182e770bf1b0dc6931b20fef1f0b8216a32d0", + "search_line": -1 + }, + { + "queryName": "BOM - GCP PD", + "severity": "TRACE", + "line": 24, + "fileName": "positive.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "resources.name={{disk-4-data}}", + "searchValue": "", + 
"expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "1f0d7e54790ffae4a26dbef6dc19563a375ff7630ad70c6ea3b30058d9083435", + "search_line": -1 + }, + { + "queryName": "BOM - GCP PD", + "severity": "TRACE", + "line": 31, + "fileName": "positive.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "resources.name={{disk-5-data}}", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "0acfcb8054a01d512da6028f4b834774a7a49990209a64288702b69a63cf8721", + "search_line": -1 + } ] diff --git a/assets/queries/googleDeploymentManager/gcp_bom/pst/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp_bom/pst/test/positive_expected_result.json index 1afedf213ad..93d15658bee 100644 --- a/assets/queries/googleDeploymentManager/gcp_bom/pst/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp_bom/pst/test/positive_expected_result.json 
@@ -1,14 +1,32 @@ [ - { - "queryName": "BOM - GCP PST", - "severity": "TRACE", - "line": 3, - "fileName": "positive.yaml" - }, - { - "queryName": "BOM - GCP PST", - "severity": "TRACE", - "line": 8, - "fileName": "positive.yaml" - } + { + "queryName": "BOM - GCP PST", + "severity": "TRACE", + "line": 3, + "fileName": "positive.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "resources.name={{topic-1}}", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "5a49820e48357de2d5d63a349dc362a9869299dec214caed098ca6aab3ebbc07", + "search_line": -1 + }, + { + "queryName": "BOM - GCP PST", + "severity": "TRACE", + "line": 8, + "fileName": "positive.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "resources.name={{topic-2}}", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "95b5ebb3cc45f75075a24524cb6c5309e8100a9beea945a0fac1f4a99283b57e", + "search_line": -1 + } ] diff --git a/assets/queries/googleDeploymentManager/gcp_bom/sb/test/positive_expected_result.json b/assets/queries/googleDeploymentManager/gcp_bom/sb/test/positive_expected_result.json index 217d13d622a..a8880c8f583 100644 --- a/assets/queries/googleDeploymentManager/gcp_bom/sb/test/positive_expected_result.json +++ b/assets/queries/googleDeploymentManager/gcp_bom/sb/test/positive_expected_result.json 
@@ -1,32 +1,77 @@ [ - { - "queryName": "BOM - GCP SB", - "severity": "TRACE", - "line": 2, - "fileName": "positive.yaml" - }, - { - "queryName": "BOM - GCP SB", - "severity": "TRACE", - "line": 12, - "fileName": "positive.yaml" - }, - { - "queryName": "BOM - GCP SB", - "severity": "TRACE", - "line": 20, - "fileName": "positive.yaml" - }, - { - "queryName": "BOM - GCP SB", - "severity": "TRACE", - "line": 33, - "fileName": "positive.yaml" - }, - { - "queryName": "BOM - GCP SB", - "severity": "TRACE", - "line": 44, - "fileName": "positive.yaml" - } + { + "queryName": "BOM - GCP SB", + "severity": "TRACE", + "line": 2, + "fileName": "positive.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "resources.name={{sample-input}}", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "7360bb0aba73109350d129e7fac4b0cd489d6ef3d59cdf92a9eb0277840f217e", + "search_line": -1 + }, + { + "queryName": "BOM - GCP SB", + "severity": "TRACE", + "line": 12, + "fileName": "positive.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "resources.name={{sample-input2}}", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "4b12c79af6155ce5d694533bdf40647979149faffce796a52db2c20d16949c37", + "search_line": -1 + }, + { + "queryName": "BOM - GCP SB", + "severity": "TRACE", + "line": 20, + "fileName": "positive.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "resources.name={{sample-input3}}", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "4f5446a3311cca4599ecb0f8c834c78b44e895281bff83d364bfb0caf3e37e8b", + "search_line": -1 + }, + { + "queryName": "BOM - GCP SB", + "severity": "TRACE", + "line": 33, + "fileName": "positive.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "resources.name={{sample-input4}}", + "searchValue": "", + 
"expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "0a4cbace231c952b1f3ebb4afc9c80da0f1e462a5d1a81ff7b524624ad8fae89", + "search_line": -1 + }, + { + "queryName": "BOM - GCP SB", + "severity": "TRACE", + "line": 44, + "fileName": "positive.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "resources.name={{sample-input5}}", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "d6565a595a1196e0bac0fbbaa51c5a1b240d693ca1e2b179bf5bf4548ffa92cf", + "search_line": -1 + } ] diff --git a/assets/queries/grpc/enum_name_not_camel_case/test/positive_expected_result.json b/assets/queries/grpc/enum_name_not_camel_case/test/positive_expected_result.json index abf536df43f..013dc084b86 100644 --- a/assets/queries/grpc/enum_name_not_camel_case/test/positive_expected_result.json +++ b/assets/queries/grpc/enum_name_not_camel_case/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "Enum Name Not CamelCase", "severity": "INFO", - "line": 3 + "line": 3, + "fileName": "positive.proto", + "resourceType": "", + "resourceName": "", + "searchKey": "enum[noInitCap]", + "searchValue": "", + "expectedValue": "Enum Name should follow CamelCase (Initial Letter is Capital)", + "actualValue": "Enum Name doesn't follow CamelCase", + "issueType": "IncorrectValue", + "similarityID": "95c33c42d83e2e0f0c59293fdafb30a4e31f58b46d3b151f4d729a71d9295f01", + "search_line": 3 }, { "queryName": "Enum Name Not CamelCase", "severity": "INFO", - "line": 10 + "line": 10, + "fileName": "positive.proto", + "resourceType": "", + "resourceName": "", + "searchKey": "enum[NOT_CAMEL_CASE]", + "searchValue": "", + "expectedValue": "Enum Name should follow CamelCase (Initial Letter is Capital)", + "actualValue": "Enum Name doesn't follow CamelCase", + "issueType": "IncorrectValue", + "similarityID": "097f5f12ffc3e12c34b86d8f1967854ed7ed3610b22b47c65406ba87bfcbcd0e", + "search_line": 10 }, { "queryName": "Enum Name Not CamelCase", "severity": "INFO", - "line": 18 + "line": 18, + "fileName": "positive.proto", + "resourceType": "", + "resourceName": "", + "searchKey": "enum[ALLCAPS]", + "searchValue": "", + "expectedValue": "Enum Name should follow CamelCase (Initial Letter is Capital)", + "actualValue": "Enum Name doesn't follow CamelCase", + "issueType": "IncorrectValue", + "similarityID": "33724bf136e7a6db51ad9d252c024bf6556dc1d8906cd682626960b3419dcbd2", + "search_line": 18 } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/always_admit_admission_control_plugin_set/test/positive_expected_result.json b/assets/queries/k8s/always_admit_admission_control_plugin_set/test/positive_expected_result.json index 31ba5cb355b..48007a0eb5d 100644 --- a/assets/queries/k8s/always_admit_admission_control_plugin_set/test/positive_expected_result.json 
+++ b/assets/queries/k8s/always_admit_admission_control_plugin_set/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Always Admit Admission Control Plugin Set", "severity": "MEDIUM", "line": 11, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--enable-admission-plugins flag should not contain 'AlwaysAdmit' plugin", + "actualValue": "--enable-admission-plugins flag contains 'AlwaysAdmit' plugin", + "issueType": "MissingAttribute", + "similarityID": "f78448583dcb6a0c8a4ffb8f4890826d7392b86e1efd711a2a14e626f189ea39", + "search_line": 11 } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/test/positive_expected_result.json b/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/test/positive_expected_result.json index d55ecb5d476..07d7b2b226e 100644 --- a/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set/test/positive_expected_result.json 
@@ -1,8 +1,17 @@ [ - { - "queryName": "Always Pull Images Admission Control Plugin Not Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" - } + { + "queryName": "Always Pull Images Admission Control Plugin Not Set", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--enable-admission-plugins flag should contain 'AlwaysPullImages' plugin", + "actualValue": "--enable-admission-plugins flag does not contain 'AlwaysPullImages' plugin", + "issueType": "MissingAttribute", + "similarityID": "cca690e28b9ef8f6320e747822faf97421c2796b1cc5ef1fc68914f490ef53e3", + "search_line": 11 + } ] diff --git a/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive_expected_result.json index 90189e0113d..9339767e1ec 100644 --- a/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive_expected_result.json +++ b/assets/queries/k8s/anonymous_auth_is_not_set_to_false/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "Anonymous Auth Is Not Set To False", "severity": "MEDIUM", "line": 11, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--anonymous-auth flag should be set to false", + "actualValue": "--anonymous-auth flag is set to true", + "issueType": "IncorrectValue", + "similarityID": "ffa0ed2c7d4144d5849156b470a8fde6fbd5d12e7293098e0b64ae5b7c1b5fda", + "search_line": -1 }, { "queryName": "Anonymous Auth Is Not Set To False", "severity": "MEDIUM", "line": 11, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--anonymous-auth flag should be set to false", + "actualValue": "--anonymous-auth flag is set to true", + "issueType": "IncorrectValue", + "similarityID": "af03885d9b34bf95516eaff215344567811f3e474ad79153a3e5b8f2f55087d7", + "search_line": -1 }, { "queryName": "Anonymous Auth Is Not Set To False", "severity": "MEDIUM", "line": 11, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--anonymous-auth flag should be set to false", + "actualValue": "--anonymous-auth flag is set to true", + "issueType": "IncorrectValue", + "similarityID": "27e031eaea3b62522245239acc1648778e8ef31a6833d932f9150cfbb2343646", + "search_line": -1 }, { "queryName": "Anonymous Auth Is Not Set To False", "severity": "MEDIUM", "line": 11, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "Pod", + 
"resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--anonymous-auth flag should be set to false", + "actualValue": "--anonymous-auth flag is set to true", + "issueType": "IncorrectValue", + "similarityID": "f5f9a3332a165cd2fa032457c07bca94cdf0c5fd5e0721a7f3d76e8e3a9b184e", + "search_line": -1 }, { "queryName": "Anonymous Auth Is Not Set To False", "severity": "MEDIUM", "line": 9, - "filename": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.authentication.enabled", + "searchValue": "", + "expectedValue": "authentication.anonymous.enabled attribute should be false", + "actualValue": "authentication.anonymous.enabled attribute is true", + "issueType": "IncorrectValue", + "similarityID": "458e31862dfef394ae70d05d91c2e2036d6c11211fd10292e05d5dbe1260ef11", + "search_line": -1 }, { "queryName": "Anonymous Auth Is Not Set To False", "severity": "MEDIUM", "line": 7, - "filename": "positive6.json" + "fileName": "positive6.json", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.authentication.enabled", + "searchValue": "", + "expectedValue": "authentication.anonymous.enabled attribute should be false", + "actualValue": "authentication.anonymous.enabled attribute is true", + "issueType": "IncorrectValue", + "similarityID": "d45a3834be497746111c56364535814d6f648db80a6aa3b0e8543dfca83c4598", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/audit_log_maxage_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/audit_log_maxage_not_properly_set/test/positive_expected_result.json index f6dd72c9d09..4033e844e2a 100644 --- a/assets/queries/k8s/audit_log_maxage_not_properly_set/test/positive_expected_result.json 
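Review bot: For the `positive5.yaml` and `positive6.json` entries the new `searchKey` is `kind={{KubeletConfiguration}}.authentication.enabled`, but `expectedValue` and `actualValue` talk about `authentication.anonymous.enabled`; the key skips the `anonymous` level, which looks like a path bug in the query's result construction rather than something to pin in a fixture. Every entry in this hunk also has `"search_line": -1` even though each carries a concrete `line`, so the search-line resolution appears to fail for this query across all six samples; it is worth checking whether that is intended before the generated file is accepted as the baseline.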
+++ b/assets/queries/k8s/audit_log_maxage_not_properly_set/test/positive_expected_result.json 
@@ -1,38 +1,92 @@ [ - { - "queryName": "Audit Log Maxage Not Properly Set", - "severity": "LOW", - "line": 11, - "fileName": "positive1.yaml" - }, - { - "queryName": "Audit Log Maxage Not Properly Set", - "severity": "LOW", - "line": 11, - "fileName": "positive2.yaml" - }, - { - "queryName": "Audit Log Maxage Not Properly Set", - "severity": "LOW", - "line": 12, - "fileName": "positive3.yaml" - }, - { - "queryName": "Audit Log Maxage Not Properly Set", - "severity": "LOW", - "line": 27, - "fileName": "positive3.yaml" - }, - { - "queryName": "Audit Log Maxage Not Properly Set", - "severity": "LOW", - "line": 40, - "fileName": "positive3.yaml" - }, - { - "queryName": "Audit Log Maxage Not Properly Set", - "severity": "LOW", - "line": 55, - "fileName": "positive3.yaml" - } + { + "queryName": "Audit Log Maxage Not Properly Set", + "severity": "LOW", + "line": 11, + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxage flag should be set to 30 or more days", + "actualValue": "--audit-log-maxage flag is set to less than 30 days", + "issueType": "IncorrectValue", + "similarityID": "25606bbdfa3a9d20fb5c2147701d5b9f61cab46e0417c269f2f8af078f29b84a", + "search_line": 11 + }, + { + "queryName": "Audit Log Maxage Not Properly Set", + "severity": "LOW", + "line": 11, + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxage flag should be defined and set to 30 or more days", + "actualValue": "--audit-log-maxage flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "315b75a39489cd02e9a9b8977e65ba37276f3f694fc9505af1be187b24aa5d89", + "search_line": 11 + }, + { + 
"queryName": "Audit Log Maxage Not Properly Set", + "severity": "LOW", + "line": 12, + "fileName": "positive3.yaml", + "resourceType": "Service", + "resourceName": "dummy", + "searchKey": "metadata.name={{dummy}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxage flag should be defined and set to 30 or more days", + "actualValue": "--audit-log-maxage flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "4dac52b912c1da43c1814f3f709dc87ce7f4f96c7e16c03beb0df8c0a65affc4", + "search_line": 12 + }, + { + "queryName": "Audit Log Maxage Not Properly Set", + "severity": "LOW", + "line": 27, + "fileName": "positive3.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxage flag should be defined and set to 30 or more days", + "actualValue": "--audit-log-maxage flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "576f18acbfea506c790f576cb6e928dcf04d60795c3c64c70679a92d54f95e91", + "search_line": 27 + }, + { + "queryName": "Audit Log Maxage Not Properly Set", + "severity": "LOW", + "line": 40, + "fileName": "positive3.yaml", + "resourceType": "Revision", + "resourceName": "dummy-rev", + "searchKey": "metadata.name={{dummy-rev}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxage flag should be defined and set to 30 or more days", + "actualValue": "--audit-log-maxage flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "6519a34acaddae2f643b84a5728a77ac18db92074af69edbd1cff40a30426a44", + "search_line": 40 + }, + { + "queryName": "Audit Log Maxage Not Properly Set", + "severity": "LOW", + "line": 55, + "fileName": "positive3.yaml", + "resourceType": "ContainerSource", + 
"resourceName": "dummy-cs", + "searchKey": "metadata.name={{dummy-cs}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxage flag should be defined and set to 30 or more days", + "actualValue": "--audit-log-maxage flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "ef0d5d2316971223f7c45417ae43e8ca9e2af5932b6a1bd28ce0f210e1f634bb", + "search_line": 55 + } ] diff --git a/assets/queries/k8s/audit_log_maxbackup_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/audit_log_maxbackup_not_properly_set/test/positive_expected_result.json index 7da00e34745..932c2d1648b 100644 --- a/assets/queries/k8s/audit_log_maxbackup_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/audit_log_maxbackup_not_properly_set/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "Audit Log Maxbackup Not Properly Set", "severity": "LOW", "line": 11, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxbackup flag should be set to 10 or more files", + "actualValue": "--audit-log-maxbackup flag is set to less than 10 files", + "issueType": "IncorrectValue", + "similarityID": "5291b427eaa74a66615e42aff3659d23ce3a8535fadf2f9713fee77a0c77bc4a", + "search_line": 11 }, { "queryName": "Audit Log Maxbackup Not Properly Set", "severity": "LOW", "line": 11, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxbackup flag should be defined and set to 10 or more files", + "actualValue": "--audit-log-maxbackup flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "3ae305530194c8a865b43dc113e930bb0dbd07b4825b0ecc22ec516c62ca1eb7", + "search_line": 11 }, { "queryName": "Audit Log Maxbackup Not Properly Set", "severity": "LOW", "line": 12, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "Service", + "resourceName": "dummy", + "searchKey": "metadata.name={{dummy}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxbackup flag should be set to 10 or more files", + "actualValue": "--audit-log-maxbackup flag is set to less than 10 files", + "issueType": "IncorrectValue", + "similarityID": "45e4553e32ca7a48d73e08f87d378d010a058398a941d062cbaa5e7a01e0cd9a", + "search_line": 12 }, { "queryName": "Audit Log Maxbackup Not Properly Set", "severity": "LOW", 
"line": 27, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxbackup flag should be set to 10 or more files", + "actualValue": "--audit-log-maxbackup flag is set to less than 10 files", + "issueType": "IncorrectValue", + "similarityID": "87a122fe29f97d7b5027af9f8e654e83a1c4a8ba12dc1029f124a31d9dddd560", + "search_line": 27 }, { "queryName": "Audit Log Maxbackup Not Properly Set", "severity": "LOW", "line": 40, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "Revision", + "resourceName": "dummy-rev", + "searchKey": "metadata.name={{dummy-rev}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxbackup flag should be set to 10 or more files", + "actualValue": "--audit-log-maxbackup flag is set to less than 10 files", + "issueType": "IncorrectValue", + "similarityID": "594edb62b9ccaa76455414924a03d55e748c5a60b7181bb079232a96712d6a34", + "search_line": 40 }, { "queryName": "Audit Log Maxbackup Not Properly Set", "severity": "LOW", "line": 55, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "ContainerSource", + "resourceName": "dummy-cs", + "searchKey": "metadata.name={{dummy-cs}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxbackup flag should be set to 10 or more files", + "actualValue": "--audit-log-maxbackup flag is set to less than 10 files", + "issueType": "IncorrectValue", + "similarityID": "0549e3ba368f6bb573c9a3b2d4dc055c2e2b1ff2b79625d3cb68634f774ea3ca", + "search_line": 55 } ] 
diff --git a/assets/queries/k8s/audit_log_maxsize_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/audit_log_maxsize_not_properly_set/test/positive_expected_result.json index 50437ce4286..675df6b612c 100644 --- a/assets/queries/k8s/audit_log_maxsize_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/audit_log_maxsize_not_properly_set/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "Audit Log Maxsize Not Properly Set", "severity": "LOW", "line": 11, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxsize flag should be set to 100 or more MegaBytes", + "actualValue": "--audit-log-maxsize flag is set to less than 100 MegaBytes", + "issueType": "IncorrectValue", + "similarityID": "e8b2327d3731a9c1fcd2329eb370490d73a525bfd00eb538e588a93b00aa33d0", + "search_line": 11 }, { "queryName": "Audit Log Maxsize Not Properly Set", "severity": "LOW", "line": 11, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxsize flag should be defined and set to 100 or more MegaBytes", + "actualValue": "--audit-log-maxsize flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "f5d689760403aaa9c5c5fe86d371750efc1b90b32da28ec67374137386ae384e", + "search_line": 11 }, { "queryName": "Audit Log Maxsize Not Properly Set", "severity": "LOW", "line": 12, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "Service", + "resourceName": "dummy", + "searchKey": "metadata.name={{dummy}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxsize flag should be set to 100 or more MegaBytes", + "actualValue": "--audit-log-maxsize flag is set to less than 100 MegaBytes", + "issueType": "IncorrectValue", + "similarityID": "0a8317854149251c533e2330c87fb3be158a9412a9ce8974afde14b2f5bc5d9d", + "search_line": 12 }, { "queryName": "Audit Log Maxsize Not Properly Set", "severity": 
"LOW", "line": 27, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxsize flag should be set to 100 or more MegaBytes", + "actualValue": "--audit-log-maxsize flag is set to less than 100 MegaBytes", + "issueType": "IncorrectValue", + "similarityID": "8320a048d57a8befb5fec6cce39aa2bd1ade61d68c5935397e59ad39b0b3dec5", + "search_line": 27 }, { "queryName": "Audit Log Maxsize Not Properly Set", "severity": "LOW", "line": 40, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "Revision", + "resourceName": "dummy-rev", + "searchKey": "metadata.name={{dummy-rev}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxsize flag should be set to 100 or more MegaBytes", + "actualValue": "--audit-log-maxsize flag is set to less than 100 MegaBytes", + "issueType": "IncorrectValue", + "similarityID": "ff04a6fa68686c8ac3b881eb651ad56795ff64fdf5616f08f0cb5eb6dac7f75b", + "search_line": 40 }, { "queryName": "Audit Log Maxsize Not Properly Set", "severity": "LOW", "line": 55, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "ContainerSource", + "resourceName": "dummy-cs", + "searchKey": "metadata.name={{dummy-cs}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-maxsize flag should be set to 100 or more MegaBytes", + "actualValue": "--audit-log-maxsize flag is set to less than 100 MegaBytes", + "issueType": "IncorrectValue", + "similarityID": "354c6b013d2c26ffbea074bbaac5293e9c39471f75f78772a33339b0e514003b", + "search_line": 55 } ] 
diff --git a/assets/queries/k8s/audit_log_path_not_set/test/positive_expected_result.json b/assets/queries/k8s/audit_log_path_not_set/test/positive_expected_result.json index d2d9950e15c..ecf544b0e46 100644 --- a/assets/queries/k8s/audit_log_path_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/audit_log_path_not_set/test/positive_expected_result.json 
@@ -3,30 +3,75 @@ "queryName": "Audit Log Path Not Set", "severity": "MEDIUM", "line": 11, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-path flag should be defined", + "actualValue": "--audit-log-path flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "625c59f9cb7b644721b870e8338bfb9b71a3e12d0689b30213d3f9d0efc4a738", + "search_line": 11 }, { "queryName": "Audit Log Path Not Set", "severity": "MEDIUM", - "line": 55, - "fileName": "positive2.yaml" + "line": 12, + "fileName": "positive2.yaml", + "resourceType": "Service", + "resourceName": "dummy", + "searchKey": "metadata.name={{dummy}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-path flag should be defined", + "actualValue": "--audit-log-path flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "667341c955f5a5dc415683292750100bb789b732d3609546462ceb20c662c45d", + "search_line": 12 }, { "queryName": "Audit Log Path Not Set", "severity": "MEDIUM", - "line": 12, - "fileName": "positive2.yaml" + "line": 27, + "fileName": "positive2.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-path flag should be defined", + "actualValue": "--audit-log-path flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "f8e494c95fd78ac695d152c6409532535abd924ae1a2e9bc04ee457e616996d9", + "search_line": 27 }, { "queryName": "Audit Log Path Not Set", "severity": "MEDIUM", - "line": 27, - "fileName": "positive2.yaml" + "line": 40, + "fileName": "positive2.yaml", + 
"resourceType": "Revision", + "resourceName": "dummy-rev", + "searchKey": "metadata.name={{dummy-rev}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-path flag should be defined", + "actualValue": "--audit-log-path flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "004c119e73be1207c6e9ee9f05924cf47bc663455993df5574e1b65a8cfe2f7a", + "search_line": 40 }, { "queryName": "Audit Log Path Not Set", "severity": "MEDIUM", - "line": 40, - "fileName": "positive2.yaml" + "line": 55, + "fileName": "positive2.yaml", + "resourceType": "ContainerSource", + "resourceName": "dummy-cs", + "searchKey": "metadata.name={{dummy-cs}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-log-path flag should be defined", + "actualValue": "--audit-log-path flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "a953477dd17b8c376ae445f10171dd1991c8a19e30f3f8b8aaf1f0ee5ac6b49f", + "search_line": 55 } ] diff --git a/assets/queries/k8s/audit_policy_file_not_defined/test/positive_expected_result.json b/assets/queries/k8s/audit_policy_file_not_defined/test/positive_expected_result.json index feefd2c4b41..49e405f3402 100644 --- a/assets/queries/k8s/audit_policy_file_not_defined/test/positive_expected_result.json +++ b/assets/queries/k8s/audit_policy_file_not_defined/test/positive_expected_result.json 
@@ -1,20 +1,47 @@ [ - { - "queryName": "Audit Policy File Not Defined", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" - }, - { - "queryName": "Audit Policy File Not Defined", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive2.yaml" - }, - { - "queryName": "Audit Policy File Not Defined", - "severity": "MEDIUM", - "line": 12, - "fileName": "positive3.yaml" - } + { + "queryName": "Audit Policy File Not Defined", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-policy-file flag should be defined", + "actualValue": "--audit-policy-file is not defined", + "issueType": "MissingAttribute", + "similarityID": "a53063be36619a246da535c0ee308ef280cb3b08ae9496a76e9363edebd66bfa", + "search_line": 11 + }, + { + "queryName": "Audit Policy File Not Defined", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-policy-file flag should have a valid file", + "actualValue": "--audit-policy-file does not have a valid file", + "issueType": "IncorrectValue", + "similarityID": "d7c0efac80dff4c8f9de35432519ad5358db513bfa97bce2e4f0a686834e45fe", + "search_line": 11 + }, + { + "queryName": "Audit Policy File Not Defined", + "severity": "MEDIUM", + "line": 12, + "fileName": "positive3.yaml", + "resourceType": "Service", + "resourceName": "dummy", + "searchKey": "metadata.name={{dummy}}.spec.template.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--audit-policy-file flag should be defined", + "actualValue": "--audit-policy-file is not defined", + 
"issueType": "MissingAttribute", + "similarityID": "81c5abe3b34035f22ce40a0230f532ff6f6c0ce6c5b65d2ab0ed3749a6df0a4c", + "search_line": 12 + } ] diff --git a/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json b/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json index 6283d929b54..0a948207538 100644 --- a/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json +++ b/assets/queries/k8s/audit_policy_not_cover_key_security_concerns/test/positive_expected_result.json 
@@ -3,102 +3,255 @@ "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 6, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "configmaps", + "expectedValue": "Resource 'configmaps' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'configmaps' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute", + "similarityID": "fc16ba6edcb629d9b92ac2cf84507cbb1a0c63559c5e409fe72d32133536110e", + "search_line": 6 }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 6, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "deployments", + "expectedValue": "Resource 'deployments' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'deployments' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute", + "similarityID": "c4f5b982213bbe281be8de23fcd659279f1d3c6cd4399a4c779d8ba9f1c0a814", + "search_line": 6 }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 6, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "pods", + "expectedValue": "Resource 'pods' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'pods' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute", + "similarityID": "f8030798ded82f64ebf72d4c85343244f7e749e817c3998b8d94eaec5765ede8", + "search_line": 6 }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 6, - "filename": "positive1.yaml" + 
"fileName": "positive1.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "pods/exec", + "expectedValue": "Resource 'pods/exec' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/exec' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute", + "similarityID": "482bf9aed5286b937f48eebddcef587233701d1459530b221659d67b7a4467f8", + "search_line": 6 }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 6, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "pods/portforward", + "expectedValue": "Resource 'pods/portforward' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/portforward' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute", + "similarityID": "fabaf9074bd2e9ff56c142b4a906a996ee0ddd441e8a5802025c3984f3de4a82", + "search_line": 6 }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 6, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "pods/proxy", + "expectedValue": "Resource 'pods/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/proxy' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute", + "similarityID": "d85f00fc4a3e43dd5f98eb5c611d81a50c81044c6ae5cbac9b3b357249960bab", + "search_line": 6 }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 6, - "filename": "positive1.yaml" + "fileName": 
"positive1.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "secrets", + "expectedValue": "Resource 'secrets' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'secrets' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute", + "similarityID": "86b04ea886c1e7c1969da5523f23040b68542fd197b3fe0c5ae6295a34fb412d", + "search_line": 6 }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 6, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "services/proxy", + "expectedValue": "Resource 'services/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'services/proxy' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute", + "similarityID": "669af482604d55876a9af903e5f73c9f8863ccae24ce2e464139fd858352f679", + "search_line": 6 }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 6, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "tokenreviews", + "expectedValue": "Resource 'tokenreviews' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'tokenreviews' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute", + "similarityID": "43061feeeec1836f086c4866a75fd2a2ed3806735f92efafd264aed71d2db263", + "search_line": 6 }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 4, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": 
"kind={{Policy}}.rules", + "searchValue": "configmaps", + "expectedValue": "Resource 'configmaps' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'configmaps' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute", + "similarityID": "86acbb05818fcf3ced486583a654f5fb4398484aa94c0c7c96d2dba33cae1466", + "search_line": 4 }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 4, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "pods/exec", + "expectedValue": "Resource 'pods/exec' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/exec' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute", + "similarityID": "772778d7e401239dd5cbcc159d841b9bb51c63788f04066fe4e1a5e41b858336", + "search_line": 4 }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 4, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "pods/portforward", + "expectedValue": "Resource 'pods/portforward' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/portforward' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute", + "similarityID": "425912c29f080478e58388a0e0343c9f55d88f583040315afe45ea58a50d71c3", + "search_line": 4 }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 4, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": 
"pods/proxy", + "expectedValue": "Resource 'pods/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'pods/proxy' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute", + "similarityID": "238d4aa1f20c6928ad629f41dee63d88cd985b5c6ea467f4c0edd9a8eee3d6d8", + "search_line": 4 }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 4, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "secrets", + "expectedValue": "Resource 'secrets' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'secrets' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute", + "similarityID": "f3cc65b6c2e353decc6401d100f0690b75ad9b505b36243782b141853eeafe5e", + "search_line": 4 }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 4, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "services/proxy", + "expectedValue": "Resource 'services/proxy' should be defined in one of following levels '[\"Metadata\", \"Request\", \"RequestResponse\"]'", + "actualValue": "Resource 'services/proxy' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute", + "similarityID": "011882194ae83ab0bc3d8ca2256d14b956c1fd3ffa867fa92e1fdba8d2112124", + "search_line": 4 }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 4, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "tokenreviews", + "expectedValue": "Resource 'tokenreviews' 
should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'tokenreviews' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute", + "similarityID": "3b6cc9f4dac6c9f5be19cf0340cec87a2afe7e900b9361916653eaae3a3c9c02", + "search_line": 4 }, { "queryName": "Audit Policy Not Cover Key Security Concerns", "severity": "LOW", "line": 6, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "Policy", + "resourceName": "n/a", + "searchKey": "kind={{Policy}}.rules", + "searchValue": "deployments", + "expectedValue": "Resource 'deployments' should be defined in one of following levels '[\"Metadata\"]'", + "actualValue": "Resource 'deployments' is currently defined with the following levels '[]'", + "issueType": "MissingAttribute", + "similarityID": "c315cb837bcf498b209114826fee06009f66efc8903bc8c33eeb3635fb6b7c38", + "search_line": 6 } ] diff --git a/assets/queries/k8s/authorization_mode_node_not_set/test/positive_expected_result.json b/assets/queries/k8s/authorization_mode_node_not_set/test/positive_expected_result.json index eea4b0a2e53..6371013937c 100644 --- a/assets/queries/k8s/authorization_mode_node_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/authorization_mode_node_not_set/test/positive_expected_result.json 
@@ -3,12 +3,30 @@
 "queryName": "Authorization Mode Node Not Set",
 "severity": "MEDIUM",
 "line": 11,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--authorization-mode flag should contain 'Node' mode",
+ "actualValue": "--authorization-mode flag does not contain 'Node' mode",
+ "issueType": "MissingAttribute",
+ "similarityID": "f587def11145da806de84bf6b0404eb99eda439b27f99f3c071a03e4b8ec97d2",
+ "search_line": 11
 },
 {
 "queryName": "Authorization Mode Node Not Set",
 "severity": "MEDIUM",
 "line": 11,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--authorization-mode flag should contain 'Node' mode",
+ "actualValue": "--authorization-mode flag does not contain 'Node' mode",
+ "issueType": "MissingAttribute",
+ "similarityID": "abf30a2a06ffeac3ec03927b16bbf05da8d637da61f05d95dbc0bd001390d10d",
+ "search_line": 11
 }
 ]
diff --git a/assets/queries/k8s/authorization_mode_rbac_not_set/test/positive_expected_result.json b/assets/queries/k8s/authorization_mode_rbac_not_set/test/positive_expected_result.json
index 80c0e857697..3dc91d31392 100644
--- a/assets/queries/k8s/authorization_mode_rbac_not_set/test/positive_expected_result.json
+++ b/assets/queries/k8s/authorization_mode_rbac_not_set/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Authorization Mode RBAC Not Set",
 "severity": "MEDIUM",
 "line": 11,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--authorization-mode flag should contain 'RBAC' mode",
+ "actualValue": "--authorization-mode flag does not contain 'RBAC' mode",
+ "issueType": "MissingAttribute",
+ "similarityID": "8c375047eeed625beaf2a855bc297ab18471ddc67d29f3f24808dde7e723ecd5",
+ "search_line": 11
 },
 {
 "queryName": "Authorization Mode RBAC Not Set",
 "severity": "MEDIUM",
 "line": 11,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--authorization-mode flag should contain 'RBAC' mode",
+ "actualValue": "--authorization-mode flag does not contain 'RBAC' mode",
+ "issueType": "MissingAttribute",
+ "similarityID": "297c546842e06d3b535c2b6689201b50166185361af61188d9474b9ed3c39fce",
+ "search_line": 11
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json
index 174d3224c48..4648fae3026 100644
--- a/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json
+++ b/assets/queries/k8s/authorization_mode_set_to_always_allow/test/positive_expected_result.json
@@ -3,36 +3,90 @@ "queryName": "Authorization Mode Set To Always Allow", "severity": "HIGH", "line": 11, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--authorization-mode flag to not have 'AlwaysAllow' mode", + "actualValue": "--authorization-mode flag contains 'AlwaysAllow' mode", + "issueType": "IncorrectValue", + "similarityID": "b0c72e95465aaf65f68c83d4eab5fada4ebf0e14b6b2000a3169518302c1dca2", + "search_line": -1 }, { "queryName": "Authorization Mode Set To Always Allow", "severity": "HIGH", "line": 11, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--authorization-mode flag to not have 'AlwaysAllow' mode", + "actualValue": "--authorization-mode flag contains 'AlwaysAllow' mode", + "issueType": "IncorrectValue", + "similarityID": "86d8962be258a154f9f675701a694d03321ca7008d542eff9358290802cf5719", + "search_line": -1 }, { "queryName": "Authorization Mode Set To Always Allow", "severity": "HIGH", "line": 11, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--authorization-mode flag to not have 'AlwaysAllow' mode", + "actualValue": "--authorization-mode flag contains 'AlwaysAllow' mode", + "issueType": "IncorrectValue", + "similarityID": "b31df93c77c8df74fbf50d3b957e0f4bb1980ca545e9477880151c90c2c50447", + "search_line": -1 }, { "queryName": "Authorization Mode Set To Always Allow", "severity": "HIGH", "line": 
11, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--authorization-mode flag to not have 'AlwaysAllow' mode", + "actualValue": "--authorization-mode flag contains 'AlwaysAllow' mode", + "issueType": "IncorrectValue", + "similarityID": "0eb7100e2e36d62225f7517cc507b85bf6782aa6012d5deac5eb999b4a73dced", + "search_line": -1 }, { "queryName": "Authorization Mode Set To Always Allow", "severity": "HIGH", "line": 11, - "filename": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.authorization.mode", + "searchValue": "", + "expectedValue": "authorization.mode attribute should not be 'AlwaysAllow'", + "actualValue": "authorization.mode attribute is equal to 'AlwaysAllow'", + "issueType": "IncorrectValue", + "similarityID": "7b5a1d206bdcb0a2e2cb4f6050c9f231c8ad591bf2470d37c0271b26912d0838", + "search_line": -1 }, { "queryName": "Authorization Mode Set To Always Allow", "severity": "HIGH", "line": 6, - "filename": "positive6.json" + "fileName": "positive6.json", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.authorization.mode", + "searchValue": "", + "expectedValue": "authorization.mode attribute should not be 'AlwaysAllow'", + "actualValue": "authorization.mode attribute is equal to 'AlwaysAllow'", + "issueType": "IncorrectValue", + "similarityID": "a0da91607f6f61d297bae3c7bfc2ea8644ffdd8ebc17064c93a49dba34cf359c", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/auto_tls_set_to_true/test/positive_expected_result.json b/assets/queries/k8s/auto_tls_set_to_true/test/positive_expected_result.json index e34115cbfc9..5b3d872ccbc 100644 
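Review bot: Every entry in this file pins `"search_line": -1` while `"line"` is 11 or 6, unlike the neighbouring fixtures in this commit where search_line equals line (the auto_tls_set_to_true result that follows, for instance). The generator appears to have snapshotted whatever the scanner emitted, so a search line that the AlwaysAllow query presumably never resolves is now baked into the test oracle instead of being surfaced; the next regeneration will then either silently "fix" it or break the test without anyone knowing which outcome was intended. Before merging this fixture it is worth confirming whether the query sets a search line for both the command-flag and the KubeletConfiguration branches, and if -1 is the intended value, recording that somewhere a maintainer will see it, since JSON fixtures cannot carry a comment.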
--- a/assets/queries/k8s/auto_tls_set_to_true/test/positive_expected_result.json
+++ b/assets/queries/k8s/auto_tls_set_to_true/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Auto TLS Set To True",
 "severity": "MEDIUM",
 "line": 21,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "Deployment",
+ "resourceName": "app-etcd-deployment",
+ "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command",
+ "searchValue": "",
+ "expectedValue": "--auto-tls flag should be set to false or not be defined",
+ "actualValue": "--auto-tls flag is set to true",
+ "issueType": "IncorrectValue",
+ "similarityID": "3751f4606568cff2f5a583178f4175c92375538d096f13f42148ee8702093b44",
+ "search_line": 21
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/basic_auth_file_is_set/test/positive_expected_result.json b/assets/queries/k8s/basic_auth_file_is_set/test/positive_expected_result.json
index c1651f47ffa..adfda8f8d36 100644
--- a/assets/queries/k8s/basic_auth_file_is_set/test/positive_expected_result.json
+++ b/assets/queries/k8s/basic_auth_file_is_set/test/positive_expected_result.json
@@ -3,12 +3,30 @@ "queryName": "Basic Auth File Is Set", "severity": "HIGH", "line": 11, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--basic-auth-file flag should not be set", + "actualValue": "--basic-auth-file flag is set", + "issueType": "IncorrectValue", + "similarityID": "e9b27b5a28c10df1c26fbf0acf1dc866e5f3d9da3bc994ead4a342858fa0a77f", + "search_line": 11 }, { "queryName": "Basic Auth File Is Set", "severity": "HIGH", "line": 11, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--basic-auth-file flag should not be set", + "actualValue": "--basic-auth-file flag is set", + "issueType": "IncorrectValue", + "similarityID": "440659aebf26f3f4e6919d93d1c76de5b021bd316715ece875f5b33de5980285", + "search_line": 11 } ] diff --git a/assets/queries/k8s/bind_address_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/bind_address_not_properly_set/test/positive_expected_result.json index 07dd9af49e0..f40fa7274f4 100644 --- a/assets/queries/k8s/bind_address_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/bind_address_not_properly_set/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Bind Address Not Properly Set", "severity": "INFO", "line": 11, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--bind-address flag should not be set to 127.0.0.1", + "actualValue": "--bind-address flag is set to a 127.0.01", + "issueType": "IncorrectValue", + "similarityID": "230d2e4a65afd2141e583b01135ffe3cd4a77c5c1bc8265460d91a70026737ee", + "search_line": 11 }, { "queryName": "Bind Address Not Properly Set", "severity": "INFO", "line": 11, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--bind-address flag should not be set to 127.0.0.1", + "actualValue": "--bind-address flag is set to a 127.0.01", + "issueType": "IncorrectValue", + "similarityID": "3122f84fcd9a43cabc2b8df9fb3e9f1befd01efea98aa63780974b3f9ca0aad4", + "search_line": 11 }, { "queryName": "Bind Address Not Properly Set", "severity": "INFO", "line": 20, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "Pod", + "resourceName": "kube-scheduler", + "searchKey": "metadata.name={{kube-scheduler}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--bind-address flag should not be set to 127.0.0.1", + "actualValue": "--bind-address flag is set to a 127.0.01", + "issueType": "IncorrectValue", + "similarityID": "509e140c22c8fec3ddf8632bee602732a098ad26fa051c16d33ce8b1f4a3b333", + "search_line": 20 }, { "queryName": "Bind Address Not Properly Set", "severity": "INFO", "line": 20, - "fileName": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "Pod", 
+ "resourceName": "kube-scheduler", + "searchKey": "metadata.name={{kube-scheduler}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--bind-address flag should not be set to 127.0.0.1", + "actualValue": "--bind-address flag is set to a 127.0.01", + "issueType": "IncorrectValue", + "similarityID": "73fbeab5a42acbd393766b3afe228c2f0031ef38fb5cb05054d0a2c49ea921b1", + "search_line": 20 } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive_expected_result.json b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive_expected_result.json index 9fe04be75e3..fc63c47fada 100644 --- a/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive_expected_result.json +++ b/assets/queries/k8s/client_certificate_authentication_not_setup_properly/test/positive_expected_result.json 
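Review bot: Every regenerated `actualValue` in this hunk (all four positive files) reads `--bind-address flag is set to a 127.0.01`, which is a typo of `127.0.0.1` with a stray article; committing the fixture as-is freezes that wording as the expected output. The string originates in the query's output rather than in this file, so the fix belongs in the query and the expected result should be regenerated afterwards, e.g. `"actualValue": "--bind-address flag is set to 127.0.0.1"`. The corresponding `expectedValue` lines already spell the address correctly, so the two fields currently disagree about the value they describe.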
@@ -3,36 +3,90 @@ "queryName": "Client Certificate Authentication Not Setup Properly", "severity": "HIGH", "line": 11, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "Client Certification should have a .pem or .crt file", + "actualValue": "Client Certification is not properly set", + "issueType": "IncorrectValue", + "similarityID": "ec8ea370878f3df3f9d96ee49ccce17e6fdb70b6f75574cef7fd8acd82593c68", + "search_line": 11 }, { "queryName": "Client Certificate Authentication Not Setup Properly", "severity": "HIGH", "line": 11, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "Client Certification should have a .pem or .crt file", + "actualValue": "Client Certification is not properly set", + "issueType": "IncorrectValue", + "similarityID": "b5591da3ee6423db203a973ca32d3ab46e3893ced34171ebd169a252bb24be2c", + "search_line": 11 }, { "queryName": "Client Certificate Authentication Not Setup Properly", "severity": "HIGH", "line": 11, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "Client Certification should be set", + "actualValue": "Client Certification is not set", + "issueType": "MissingAttribute", + "similarityID": "0fa8fedbfcffca5250093694e19b11e6f4691740d478261da522e3b6b4677fcf", + "search_line": 11 }, { "queryName": "Client Certificate Authentication Not Setup Properly", "severity": "HIGH", "line": 2, - "fileName": 
"positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}", + "searchValue": "", + "expectedValue": "Client Certification should have a .pem or .crt file", + "actualValue": "Client Certification is not properly set", + "issueType": "IncorrectValue", + "similarityID": "7aa5be8691ef0380f34e9b3dcbdc6007760a8fee2008ff4a4bcb9953654c18c0", + "search_line": -1 }, { "queryName": "Client Certificate Authentication Not Setup Properly", "severity": "HIGH", "line": 2, - "fileName": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}", + "searchValue": "", + "expectedValue": "Client Certification should be set", + "actualValue": "Client Certification is not set", + "issueType": "MissingAttribute", + "similarityID": "2da786d4e6ee84f173a21c326a12aedbdc4a137a624f5048a2b512df722f0892", + "search_line": -1 }, { "queryName": "Client Certificate Authentication Not Setup Properly", "severity": "HIGH", "line": 2, - "fileName": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}", + "searchValue": "", + "expectedValue": "Client Certification should be set", + "actualValue": "Client Certification is not set", + "issueType": "MissingAttribute", + "similarityID": "f7e0d0b57a9b9f2a0a400d633490abeb27bf789819cf80ed63847ca9fac1199d", + "search_line": -1 } ] diff --git a/assets/queries/k8s/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json b/assets/queries/k8s/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json index 7dc8cf23ce2..1f4abd462ea 100644 --- a/assets/queries/k8s/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json 
+++ b/assets/queries/k8s/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Cluster Admin Rolebinding With Superuser Permissions", "severity": "LOW", - "line": 11 + "line": 11, + "fileName": "positive.yaml", + "resourceType": "ClusterRoleBinding", + "resourceName": "tiller-clusterrolebinding", + "searchKey": "metadata.name={{tiller-clusterrolebinding}}.roleRef.name=cluster-admin", + "searchValue": "", + "expectedValue": "Resource name 'tiller-clusterrolebinding' of kind 'ClusterRoleBinding' isn't binding 'cluster-admin' role with superuser permissions", + "actualValue": "Resource name 'tiller-clusterrolebinding' of kind 'ClusterRoleBinding' is binding 'cluster-admin' role with superuser permissions", + "issueType": "IncorrectValue", + "similarityID": "bec99fa67519284bd5aecc16e39166618454a1939ae413655d40cb72b0033ff0", + "search_line": -1 } ] diff --git a/assets/queries/k8s/cluster_allows_unsafe_sysctls/test/positive_expected_result.json b/assets/queries/k8s/cluster_allows_unsafe_sysctls/test/positive_expected_result.json index 3f8fa2aa8f3..7a12818bdd1 100644 --- a/assets/queries/k8s/cluster_allows_unsafe_sysctls/test/positive_expected_result.json +++ b/assets/queries/k8s/cluster_allows_unsafe_sysctls/test/positive_expected_result.json 
@@ -1,26 +1,62 @@ [ - { - "queryName": "Cluster Allows Unsafe Sysctls", - "severity": "HIGH", - "line": 11, - "fileName": "positive1.yaml" - }, - { - "queryName": "Cluster Allows Unsafe Sysctls", - "severity": "HIGH", - "line": 13, - "fileName": "positive1.yaml" - }, - { - "queryName": "Cluster Allows Unsafe Sysctls", - "severity": "HIGH", - "line": 24, - "fileName": "positive1.yaml" - }, - { - "queryName": "Cluster Allows Unsafe Sysctls", - "severity": "HIGH", - "line": 18, - "fileName": "positive2.yaml" - } + { + "queryName": "Cluster Allows Unsafe Sysctls", + "severity": "HIGH", + "line": 11, + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "sysctl-example", + "searchKey": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{net.core.somaxconn}}", + "searchValue": "", + "expectedValue": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{net.core.somaxconn}} should not be used", + "actualValue": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{net.core.somaxconn}} is an unsafe sysctl", + "issueType": "IncorrectValue", + "similarityID": "7b9e6d256e9d6620b3772d7d46dcd016c8743b3ac9641c6c76516398d5f07355", + "search_line": -1 + }, + { + "queryName": "Cluster Allows Unsafe Sysctls", + "severity": "HIGH", + "line": 13, + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "sysctl-example", + "searchKey": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{kernel.msgmax}}", + "searchValue": "", + "expectedValue": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{kernel.msgmax}} should not be used", + "actualValue": "metadata.name={{sysctl-example}}.spec.securityContext.sysctls.name={{kernel.msgmax}} is an unsafe sysctl", + "issueType": "IncorrectValue", + "similarityID": "d480fb7c28f6d0bbae3fa30f6bd598727521573714f2d8e36ff9243844f8f3c9", + "search_line": -1 + }, + { + "queryName": "Cluster Allows Unsafe Sysctls", + "severity": 
"HIGH", + "line": 24, + "fileName": "positive1.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "sysctl-psp", + "searchKey": "metadata.name={{sysctl-psp}}.spec.allowedUnsafeSysctls", + "searchValue": "", + "expectedValue": "metadata.name={{sysctl-psp}}.spec.allowedUnsafeSysctls should be undefined", + "actualValue": "metadata.name={{sysctl-psp}}.spec.allowedUnsafeSysctls is defined", + "issueType": "IncorrectValue", + "similarityID": "c9a0e32f62175e5b1eff7673848a77715398c38e7c3c4817834b037ba80801cc", + "search_line": -1 + }, + { + "queryName": "Cluster Allows Unsafe Sysctls", + "severity": "HIGH", + "line": 18, + "fileName": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "test-app", + "searchKey": "metadata.name={{test-app}}.spec.template.spec.securityContext.sysctls.name={{kernel.sem}}", + "searchValue": "", + "expectedValue": "metadata.name={{test-app}}.spec.template.spec.securityContext.sysctls.name={{kernel.sem}} should not be used", + "actualValue": "metadata.name={{test-app}}.spec.template.spec.securityContext.sysctls.name={{kernel.sem}} is an unsafe sysctl", + "issueType": "IncorrectValue", + "similarityID": "d2458829b75b6d8b7f741ee7fd5c5074743ffc4fa35899491c25a74284824a93", + "search_line": -1 + } ] diff --git a/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/positive_expected_result.json b/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/positive_expected_result.json index 954e413166f..a50e3cdca4b 100644 --- a/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/positive_expected_result.json +++ b/assets/queries/k8s/cni_plugin_does_not_support_network_policies/test/positive_expected_result.json 
@@ -2,13 +2,31 @@ { "queryName": "CNI Plugin Does Not Support Network Policies", "severity": "MEDIUM", - "line": 6, - "fileName": "positive.json" + "line": 10, + "fileName": "positive2.yaml", + "resourceType": "ConfigMap", + "resourceName": "kube-flannel-cfg", + "searchKey": "data.cni-conf.json", + "searchValue": "", + "expectedValue": "Plugins should not contain a plugin that does not support Network Policies", + "actualValue": "Plugins contains a plugin that does not support Network Policies", + "issueType": "IncorrectValue", + "similarityID": "7b62aa99180f566835e9f096cc1605d79fcc2cee26c74c199b7a0d1228e2b6f2", + "search_line": 10 }, { "queryName": "CNI Plugin Does Not Support Network Policies", "severity": "MEDIUM", - "line": 10, - "fileName": "positive2.yaml" + "line": 6, + "fileName": "positive.json", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "plugins", + "searchValue": "", + "expectedValue": "Plugins should not contain a plugin that does not support Network Policies", + "actualValue": "Plugins contains a plugin that does not support Network Policies", + "issueType": "IncorrectValue", + "similarityID": "9f9d55ee80338fdb854f4dc2b0f8d58918eaa2dc8d433c9d75e5affcec6a9559", + "search_line": 6 } ] diff --git a/assets/queries/k8s/container_is_privileged/test/positive_expected_result.json b/assets/queries/k8s/container_is_privileged/test/positive_expected_result.json index 82fa1663583..c42f22f5970 100644 --- a/assets/queries/k8s/container_is_privileged/test/positive_expected_result.json +++ b/assets/queries/k8s/container_is_privileged/test/positive_expected_result.json 
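Review bot: The two entries in this hunk swap places, so `positive2.yaml` now precedes `positive.json` while the old file listed them the other way round. If the generator in this commit orders entries by a natural sort of `fileName`, this order looks surprising (a plain string sort would put `positive.json` first) and is worth confirming so that regenerating the fixture stays deterministic and does not produce reorder-only diffs later. If the order is intentionally by the scanner's emission order instead, a short note in the generator's docstring saying so would save the next reviewer the same question.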
@@ -3,18 +3,45 @@ "queryName": "Container Is Privileged", "severity": "HIGH", "line": 10, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-4", + "searchKey": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-4}}.securityContext.privileged", + "searchValue": "", + "expectedValue": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-4}}.securityContext.privileged is unset or false", + "actualValue": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-4}}.securityContext.privileged is true", + "issueType": "IncorrectValue", + "similarityID": "21961d22a60b3f56c773e09dcd724255eee02eb80c371b8c84eba9d174f3fbb3", + "search_line": -1 }, { "queryName": "Container Is Privileged", "severity": "HIGH", "line": 23, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-5", + "searchKey": "metadata.name={{security-context-demo-5}}.spec.initContainers.name={{sec-ctx-4}}.securityContext.privileged", + "searchValue": "", + "expectedValue": "metadata.name={{security-context-demo-5}}.spec.initContainers.name={{sec-ctx-4}}.securityContext.privileged is unset or false", + "actualValue": "metadata.name={{security-context-demo-5}}.spec.initContainers.name={{sec-ctx-4}}.securityContext.privileged is true", + "issueType": "IncorrectValue", + "similarityID": "a2825270a0fc509e57751fc1526f9e73899e8d7541db8aa642931ddd8f9d8155", + "search_line": -1 }, { "queryName": "Container Is Privileged", "severity": "HIGH", "line": 21, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "test-deployment", + "searchKey": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}.securityContext.privileged", + "searchValue": "", + "expectedValue": 
"metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}.securityContext.privileged is unset or false", + "actualValue": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}.securityContext.privileged is true", + "issueType": "IncorrectValue", + "similarityID": "a827ff8cc1832f772de48584bf8eb47c2615cd42e6824c28a1b8b7a4b312649c", + "search_line": -1 } ] diff --git a/assets/queries/k8s/container_runs_unmasked/test/positive_expected_result.json b/assets/queries/k8s/container_runs_unmasked/test/positive_expected_result.json index 1d2470f17f5..1015c26721e 100644 --- a/assets/queries/k8s/container_runs_unmasked/test/positive_expected_result.json +++ b/assets/queries/k8s/container_runs_unmasked/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Container Runs Unmasked", "severity": "HIGH", - "line": 12 + "line": 12, + "fileName": "positive.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "restricted", + "searchKey": "metadata.name={{restricted}}.spec.allowedProcMountTypes", + "searchValue": "", + "expectedValue": "AllowedProcMountTypes should contain the value Default", + "actualValue": "AllowedProcMountTypes contains the value Unmasked", + "issueType": "IncorrectValue", + "similarityID": "a28a3642eed8b49ba3ad96ed143ac52da675d4bad9741d9b8c369f9cd93a971e", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/containers_run_with_low_uid/test/positive_expected_result.json b/assets/queries/k8s/containers_run_with_low_uid/test/positive_expected_result.json index 081d3da70a3..a5786087599 100644 --- a/assets/queries/k8s/containers_run_with_low_uid/test/positive_expected_result.json +++ b/assets/queries/k8s/containers_run_with_low_uid/test/positive_expected_result.json 
@@ -3,102 +3,255 @@ "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 12, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-2", + "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser=2000", + "searchValue": "Pod", + "expectedValue": "1 metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue", + "similarityID": "ae1c77ad0420d929ab7c3df6ceca65a4fadc167737813813c38cd783f88d435c", + "search_line": 12 }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 13, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-2", + "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser=333", + "searchValue": "Pod", + "expectedValue": "1 metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue", + "similarityID": "898e7f25fc0f494fa36c53be32400cb38107ed69f7c80cffccb7c47dae4cc8bd", + "search_line": 13 }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 18, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo-2", + "searchKey": 
"metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext.runAsUser=340", + "searchValue": "Pod", + "expectedValue": "1 metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue", + "similarityID": "f81423031fafeca38ded2f44b122c7c8beaaa708ae13078393fb7f1ec1b4522f", + "search_line": 18 }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 12, - "fileName": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "Pod", + "resourceName": "containers-runs-as-root", + "searchKey": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser=13", + "searchValue": "Pod", + "expectedValue": "1 metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue", + "similarityID": "126e70ab8108a40596ede1695929939cefe7c3f375a003a1add83aec396059a4", + "search_line": 12 }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 18, - "fileName": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.securityContext.runAsUser=1200", + "searchValue": "Deployment", + "expectedValue": "2 metadata.name={{securitydemo}}.spec.template.spec.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.securityContext.runAsUser is 
set to a low UID", + "issueType": "IncorrectValue", + "similarityID": "f179e22352ecd63b18bc2955ff5ed94044b0c013e31e2e9b4241bffc14964e76", + "search_line": 18 }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 18, - "fileName": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext", + "searchValue": "Deployment", + "expectedValue": "3 metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser should be defined", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser is undefined", + "issueType": "MissingAttribute", + "similarityID": "a8067ca1a597c63825c1bc250ef69d7bd1652175f3f666b1939b38e8d946309e", + "search_line": 18 }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 24, - "fileName": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext", + "searchValue": "Deployment", + "expectedValue": "3 metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser should be defined", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser is undefined", + "issueType": "MissingAttribute", + "similarityID": "1486a79eed03ecd7a59469ced2d1215bedb1893a6679f39bce32244a3aacd302", + "search_line": 24 }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 25, - "fileName": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": 
"metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser=1234", + "searchValue": "Deployment", + "expectedValue": "1 metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue", + "similarityID": "467774d2fd28c1f2950ee1c3e956ebbb07a60eb29db3b7ca0f0fc6aac78c48b9", + "search_line": 25 }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 32, - "fileName": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser=5678", + "searchValue": "Deployment", + "expectedValue": "1 metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue", + "similarityID": "47f2fbd3e77df0aca8d3899a99a7d6534f38811df544ecba6a0dfce735be99c1", + "search_line": 32 }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 23, - "fileName": "positive7.yaml" + "fileName": "positive7.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser=1234", + "searchValue": "Deployment", + "expectedValue": "1 metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": 
"metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue", + "similarityID": "1a4d336f29f6b4380b1823a321d9b33f71914c5dc980a88929d0caa6902ef484", + "search_line": 23 }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 25, - "fileName": "positive7.yaml" + "fileName": "positive7.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}", + "searchValue": "Deployment", + "expectedValue": "3 metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser should be defined", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.runAsUser is undefined", + "issueType": "MissingAttribute", + "similarityID": "adcefc5494c0fd93599b33dbcdd56c159018c992ea0bc4fcefd7e9f0b235de98", + "search_line": 25 }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 21, - "fileName": "positive8.yaml" + "fileName": "positive8.yaml", + "resourceType": "StatefulSet", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser=1", + "searchValue": "StatefulSet", + "expectedValue": "1 metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue", + "similarityID": "28475ca3841ef1f776fb876893ebacf4b6e1eebf658f49677e63c273c67275e4", + "search_line": 21 }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 43, - 
"fileName": "positive8.yaml" + "fileName": "positive8.yaml", + "resourceType": "Deployment", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser=1", + "searchValue": "Deployment", + "expectedValue": "1 metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue", + "similarityID": "266c66dafe469e4f1b550cea0e7408511032b22262b5d38acc069ba505c25503", + "search_line": 43 }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 18, - "fileName": "positive9.yaml" + "fileName": "positive9.yaml", + "resourceType": "StatefulSet", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser=1000", + "searchValue": "StatefulSet", + "expectedValue": "2 metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue", + "similarityID": "0e3e282e24f5587dd84c5715ef00849cba9d1248a9c12f7cb17a396479cf3734", + "search_line": 18 }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 38, - "fileName": "positive9.yaml" + "fileName": "positive9.yaml", + "resourceType": "Deployment", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser=1000", + "searchValue": "Deployment", + "expectedValue": "2 
metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser should be set to a UID >= 10000", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is set to a low UID", + "issueType": "IncorrectValue", + "similarityID": "9f46f4c40f5e5470f1eaf4df72da94f707a26e7337ba5882669704832e03d4a8", + "search_line": 38 }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 18, - "fileName": "positive10.yaml" + "fileName": "positive10.yaml", + "resourceType": "StatefulSet", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}", + "searchValue": "StatefulSet", + "expectedValue": "3 metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser should be defined", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is undefined", + "issueType": "MissingAttribute", + "similarityID": "1b60386329fabd1881d58eef759f5167fe3f6ad400ecda260f746021988f9ed7", + "search_line": 18 }, { "queryName": "Container Running With Low UID", "severity": "MEDIUM", "line": 36, - "fileName": "positive10.yaml" + "fileName": "positive10.yaml", + "resourceType": "Deployment", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}", + "searchValue": "Deployment", + "expectedValue": "3 metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser should be defined", + "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is undefined", + "issueType": "MissingAttribute", + "similarityID": 
"0631b9386a9262ea3f5faf5f0cd988d6f050645c0d98ce7ae3e20e1042896e5e", + "search_line": 36 } ] diff --git a/assets/queries/k8s/containers_running_as_root/test/positive_expected_result.json b/assets/queries/k8s/containers_running_as_root/test/positive_expected_result.json index a2faab363dc..46700dae580 100644 --- a/assets/queries/k8s/containers_running_as_root/test/positive_expected_result.json +++ b/assets/queries/k8s/containers_running_as_root/test/positive_expected_result.json 
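Review bot: Every regenerated `expectedValue` in this hunk starts with a bare digit (`1 metadata.name=…`, `2 metadata.name=…`, `3 metadata.name=…`) that the matching `actualValue` does not carry, which looks like a rule-number prefix leaking from the query's output rather than intended message text. If that prefix is unintentional it should be removed in the query before these strings become the committed expectation; if it is deliberate, the meaning of the number is not recoverable from the fixture and deserves a comment in the query. The same pattern does not appear in the other k8s fixtures in this diff, which is what makes it stand out here.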
@@ -1,86 +1,212 @@
 [
- {
- "queryName": "Container Running As Root",
- "severity": "MEDIUM",
- "line": 12,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "Container Running As Root",
- "severity": "MEDIUM",
- "line": 28,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "Container Running As Root",
- "severity": "MEDIUM",
- "line": 43,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "Container Running As Root",
- "severity": "MEDIUM",
- "line": 17,
- "fileName": "positive2.yaml"
- },
- {
- "queryName": "Container Running As Root",
- "severity": "MEDIUM",
- "line": 12,
- "fileName": "positive2.yaml"
- },
- {
- "queryName": "Container Running As Root",
- "severity": "MEDIUM",
- "line": 12,
- "fileName": "positive3.yaml"
- },
- {
- "queryName": "Container Running As Root",
- "severity": "MEDIUM",
- "line": 7,
- "fileName": "positive4.yaml"
- },
- {
- "queryName": "Container Running As Root",
- "severity": "MEDIUM",
- "line": 11,
- "fileName": "positive4.yaml"
- },
+ {
+ "queryName": "Container Running As Root",
+ "severity": "MEDIUM",
+ "line": 12,
+ "fileName": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "security-context-demo-2",
+ "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser",
+ "searchValue": "Pod",
+ "expectedValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true",
+ "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "1749d4a888ae4a6b3d2dc76f0328bd2aa19f24efe4c4539aca1c0ace7bbee5b7",
+ "search_line": 12
+ },
+ {
+ "queryName": "Container Running As Root",
+ "severity": "MEDIUM",
+ "line": 28,
+ "fileName": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName":
"security-context-demo-3",
+ "searchKey": "metadata.name={{security-context-demo-3}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser",
+ "searchValue": "Pod",
+ "expectedValue": "metadata.name={{security-context-demo-3}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true",
+ "actualValue": "metadata.name={{security-context-demo-3}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "20ff72ba0fd901601dd988992f593f87050c164dcff282fa7295aac4b71bd7f2",
+ "search_line": 28
+ },
+ {
+ "queryName": "Container Running As Root",
+ "severity": "MEDIUM",
+ "line": 43,
+ "fileName": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "security-context-demo-4",
+ "searchKey": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser",
+ "searchValue": "Pod",
+ "expectedValue": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true",
+ "actualValue": "metadata.name={{security-context-demo-4}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "5e7076d6969d6ad22bbf80f4754ed04589f1b4ed20e7862d0d34078984348e56",
+ "search_line": 43
+ },
+ {
+ "queryName": "Container Running As Root",
+ "severity": "MEDIUM",
+ "line": 12,
+ "fileName": "positive2.yaml",
+ "resourceType": "Pod",
+ "resourceName": "security-context-demo-2",
+ "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser",
+ "searchValue": "Pod",
+ "expectedValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true",
+
"actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "076d9df3397f94fdf3f296335d2d7fd472348f115ec9b7d971e6eccd0f9bd168",
+ "search_line": 12
+ },
+ {
+ "queryName": "Container Running As Root",
+ "severity": "MEDIUM",
+ "line": 17,
+ "fileName": "positive2.yaml",
+ "resourceType": "Pod",
+ "resourceName": "security-context-demo-2",
+ "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext.runAsUser",
+ "searchValue": "Pod",
+ "expectedValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true",
+ "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-200}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "51bb308be981357918f61e3ad086ec6a1a3fb21395764607807863fc7ac11a89",
+ "search_line": 17
+ },
+ {
+ "queryName": "Container Running As Root",
+ "severity": "MEDIUM",
+ "line": 12,
+ "fileName": "positive3.yaml",
+ "resourceType": "Pod",
+ "resourceName": "containers-runs-as-root",
+ "searchKey": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext.runAsUser",
+ "searchValue": "Pod",
+ "expectedValue": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true",
+ "actualValue": "metadata.name={{containers-runs-as-root}}.spec.containers.name={{sec-ctx-demo-100}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "57da3345ab0d7d97e34e796d06b94ac2d2225a9bc53b7e5cb0b2b97a2eca2610",
+ "search_line": 12
+ },
+ {
+ "queryName": "Container Running As
Root",
+ "severity": "MEDIUM",
+ "line": 7,
+ "fileName": "positive4.yaml",
+ "resourceType": "Pod",
+ "resourceName": "security-context-demo-2",
+ "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-1}}",
+ "searchValue": "Pod",
+ "expectedValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-1}}.securityContext.runAsUser is higher than 0 and/or 'runAsNonRoot' is true",
+ "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-1}}.securityContext.runAsUser is 0 and 'runAsNonRoot' is false",
+ "issueType": "MissingAttribute",
+ "similarityID": "3490e1f65b2ee442b4e8c42e3d426cb6bf720c6d24047c7616ccc5cc7e11da08",
+ "search_line": 7
+ },
+ {
+ "queryName": "Container Running As Root",
+ "severity": "MEDIUM",
+ "line": 11,
+ "fileName": "positive4.yaml",
+ "resourceType": "Pod",
+ "resourceName": "security-context-demo-2",
+ "searchKey": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext.runAsUser",
+ "searchValue": "Pod",
+ "expectedValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true",
+ "actualValue": "metadata.name={{security-context-demo-2}}.spec.containers.name={{sec-ctx-demo-2}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "1fe9234b2f6682b58597afeb520288eed338e5f14b22a9943fad706b078e7117",
+ "search_line": 11
+ },
 {
 "queryName": "Container Running As Root",
 "severity": "MEDIUM",
 "line": 20,
- "fileName": "positive5.yaml"
+ "fileName": "positive5.yaml",
+ "resourceType": "StatefulSet",
+ "resourceName": "security-context-demo",
+ "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser",
+ "searchValue": "StatefulSet",
+ "expectedValue":
"metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true",
+ "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "8608d943ed8c1ec51d0e07254efa2800cb9b448be1e5adf0098bad358f97e7bc",
+ "search_line": 20
 },
 {
 "queryName": "Container Running As Root",
 "severity": "MEDIUM",
 "line": 42,
- "fileName": "positive5.yaml"
+ "fileName": "positive5.yaml",
+ "resourceType": "Deployment",
+ "resourceName": "security-context-demo",
+ "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser",
+ "searchValue": "Deployment",
+ "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext runAsUser is higher than 0 and/or 'runAsNonRoot' is true",
+ "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext runAsUser is 0 and 'runAsNonRoot' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "b9fe433d4e5c1de82255173683b6b86b54e34e4c3b12271a4752f221cd7c920c",
+ "search_line": 42
 },
 {
 "queryName": "Container Running As Root",
 "severity": "MEDIUM",
 "line": 17,
- "fileName": "positive6.yaml"
+ "fileName": "positive6.yaml",
+ "resourceType": "StatefulSet",
+ "resourceName": "security-context-demo",
+ "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser",
+ "searchValue": "StatefulSet",
+ "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is higher than 0 and/or 'runAsNonRoot' is true",
+ "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is 0 and 'runAsNonRoot' is
false",
+ "issueType": "IncorrectValue",
+ "similarityID": "1f9d01e014089d583e3011ba7afddf8e97ec0b8d648bcd5dc3c505cf76a8dbcd",
+ "search_line": 17
 },
 {
 "queryName": "Container Running As Root",
 "severity": "MEDIUM",
 "line": 37,
- "fileName": "positive6.yaml"
+ "fileName": "positive6.yaml",
+ "resourceType": "Deployment",
+ "resourceName": "security-context-demo",
+ "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser",
+ "searchValue": "Deployment",
+ "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is higher than 0 and/or 'runAsNonRoot' is true",
+ "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.securityContext.runAsUser is 0 and 'runAsNonRoot' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "71907436dfffcbccd35ac78aa7a203f6d42d87cc401a496857a4ebccb39b0193",
+ "search_line": 37
 },
 {
 "queryName": "Container Running As Root",
 "severity": "MEDIUM",
 "line": 18,
- "fileName": "positive7.yaml"
+ "fileName": "positive7.yaml",
+ "resourceType": "StatefulSet",
+ "resourceName": "security-context-demo",
+ "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}",
+ "searchValue": "StatefulSet",
+ "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is higher than 0 and/or 'runAsNonRoot' is true",
+ "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is 0 and 'runAsNonRoot' is false",
+ "issueType": "MissingAttribute",
+ "similarityID": "403bced8aa3782d81bf8299edac8d452abfe6163db0ae026e58f896a2d12a64c",
+ "search_line": 18
 },
 {
 "queryName": "Container Running As Root",
 "severity": "MEDIUM",
 "line": 36,
- "fileName": "positive7.yaml"
+ "fileName": "positive7.yaml",
+ "resourceType": "Deployment",
+ "resourceName":
"security-context-demo",
+ "searchKey": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}",
+ "searchValue": "Deployment",
+ "expectedValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is higher than 0 and/or 'runAsNonRoot' is true",
+ "actualValue": "metadata.name={{security-context-demo}}.spec.template.spec.containers.name={{sec-ctx-demo}}.securityContext.runAsUser is 0 and 'runAsNonRoot' is false",
+ "issueType": "MissingAttribute",
+ "similarityID": "67f38684ea32c8f6375fe840f349730292b9a90276ad660d661cd51e4f5b2665",
+ "search_line": 36
 }
 ]
diff --git a/assets/queries/k8s/containers_with_added_capabilities/test/positive_expected_result.json b/assets/queries/k8s/containers_with_added_capabilities/test/positive_expected_result.json
index 6d5c8e6976e..8927856f7a4 100644
--- a/assets/queries/k8s/containers_with_added_capabilities/test/positive_expected_result.json
+++ b/assets/queries/k8s/containers_with_added_capabilities/test/positive_expected_result.json
@@ -2,11 +2,31 @@
 {
 "queryName": "Containers With Added Capabilities",
 "severity": "MEDIUM",
- "line": 12
+ "line": 12,
+ "fileName": "positive.yaml",
+ "resourceType": "Pod",
+ "resourceName": "pod2",
+ "searchKey": "metadata.name={{pod2}}.spec.containers.name={{app}}.securityContext.capabilities.add",
+ "searchValue": "",
+ "expectedValue": "metadata.name={{pod2}}.spec.containers.name={{app}} has no capability added other than NET_BIND_SERVICE",
+ "actualValue": "metadata.name={{pod2}}.spec.containers.name={{app}} has a capability added other than NET_BIND_SERVICE",
+ "issueType": "IncorrectValue",
+ "similarityID": "765649813a008887c1d21f88e8e2bd2cb6395a8c39a06c3b3042c410bde50854",
+ "search_line": -1
 },
 {
 "queryName": "Containers With Added Capabilities",
 "severity": "MEDIUM",
- "line": 43
+ "line": 43,
+ "fileName": "positive.yaml",
+ "resourceType": "Pod",
+ "resourceName": "pod3",
+ "searchKey": "metadata.name={{pod3}}.spec.initContainers.name={{app}}.securityContext.capabilities.add",
+ "searchValue": "",
+ "expectedValue": "metadata.name={{pod3}}.spec.initContainers.name={{app}} has no capability added other than NET_BIND_SERVICE",
+ "actualValue": "metadata.name={{pod3}}.spec.initContainers.name={{app}} has a capability added other than NET_BIND_SERVICE",
+ "issueType": "IncorrectValue",
+ "similarityID": "5035ae78a38804fe2139bd8f07a0a253818fdddd3c8bbceb006b58bc0cfb44fc",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/k8s/containers_with_sys_admin_capabilities/test/positive_expected_result.json b/assets/queries/k8s/containers_with_sys_admin_capabilities/test/positive_expected_result.json
index 6882f8cf635..2d58f1e26e1 100644
--- a/assets/queries/k8s/containers_with_sys_admin_capabilities/test/positive_expected_result.json
+++ b/assets/queries/k8s/containers_with_sys_admin_capabilities/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "Containers With Sys Admin Capabilities",
 "severity": "HIGH",
- "line": 12
+ "line": 12,
+ "fileName": "positive.yaml",
+ "resourceType": "Pod",
+ "resourceName": "pod4",
+ "searchKey": "metadata.name={{pod4}}.spec.containers.name={{app}}.securityContext.capabilities.add",
+ "searchValue": "",
+ "expectedValue": "spec.containers.name=app should not use CAP_SYS_ADMIN Linux capability",
+ "actualValue": "spec.containers.name=app uses CAP_SYS_ADMIN Linux capability",
+ "issueType": "IncorrectValue",
+ "similarityID": "a2115d4fb54acba517cb35f9893b544b5a0bcfe3a1c65c9fdf449245af138277",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/cpu_limits_not_set/test/positive_expected_result.json b/assets/queries/k8s/cpu_limits_not_set/test/positive_expected_result.json
index 3b9e5802174..c3f96ce2746 100644
--- a/assets/queries/k8s/cpu_limits_not_set/test/positive_expected_result.json
+++ b/assets/queries/k8s/cpu_limits_not_set/test/positive_expected_result.json
@@ -3,24 +3,60 @@
 "queryName": "CPU Limits Not Set",
 "severity": "LOW",
 "line": 10,
- "fineName": "positive.yaml"
+ "fileName": "positive.yaml",
+ "resourceType": "Pod",
+ "resourceName": "frontend",
+ "searchKey": "metadata.name={{frontend}}.spec.containers.name={{app}}.resources.limits",
+ "searchValue": "",
+ "expectedValue": "spec.containers.name=app has CPU limits",
+ "actualValue": "spec.containers.name=app doesn't have CPU limits",
+ "issueType": "MissingAttribute",
+ "similarityID": "5734faad21a94e0efe1eaf4253671fe0f31906171cd877b0b95d7ddfb398c90b",
+ "search_line": -1
 },
 {
 "queryName": "CPU Limits Not Set",
 "severity": "LOW",
 "line": 14,
- "fineName": "positive.yaml"
+ "fileName": "positive.yaml",
+ "resourceType": "Pod",
+ "resourceName": "frontend",
+ "searchKey": "metadata.name={{frontend}}.spec.containers.name={{log-aggregator}}.resources",
+ "searchValue": "",
+ "expectedValue": "spec.containers.name=log-aggregator has limits defined",
+ "actualValue": "spec.containers.name=log-aggregator doesn't have limits defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "3ce7ff2368ad6fa3f7ce2e5a2f2be7b64c764c55b1028e9bd36893ae645fc5f2",
+ "search_line": -1
 },
 {
 "queryName": "CPU Limits Not Set",
 "severity": "LOW",
 "line": 31,
- "fineName": "positive.yaml"
+ "fileName": "positive.yaml",
+ "resourceType": "Configuration",
+ "resourceName": "dummy-config",
+ "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{app}}.resources.limits",
+ "searchValue": "",
+ "expectedValue": "spec.template.spec.containers.name=app has CPU limits",
+ "actualValue": "spec.template.spec.containers.name=app doesn't have CPU limits",
+ "issueType": "MissingAttribute",
+ "similarityID": "c9f536549d59c671f09795b547d3d1691a2098841158b76919b15715973fb9c7",
+ "search_line": -1
 },
 {
 "queryName": "CPU Limits Not Set",
 "severity": "LOW",
 "line": 35,
- "fineName": "positive.yaml"
+ "fileName": "positive.yaml",
+ "resourceType": "Configuration",
+
"resourceName": "dummy-config",
+ "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{log-aggregator}}.resources",
+ "searchValue": "",
+ "expectedValue": "spec.template.spec.containers.name=log-aggregator has limits defined",
+ "actualValue": "spec.template.spec.containers.name=log-aggregator doesn't have limits defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "e20041c998e6d6deba5c19b01a8430f1dc0407482f8f1ffbd6a188e14adc676a",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/cpu_requests_not_set/test/positive_expected_result.json b/assets/queries/k8s/cpu_requests_not_set/test/positive_expected_result.json
index 888b2a2deb2..cdcc30ee4bf 100644
--- a/assets/queries/k8s/cpu_requests_not_set/test/positive_expected_result.json
+++ b/assets/queries/k8s/cpu_requests_not_set/test/positive_expected_result.json
@@ -2,21 +2,61 @@
 {
 "queryName": "CPU Requests Not Set",
 "severity": "LOW",
- "line": 10
+ "line": 10,
+ "fileName": "positive.yaml",
+ "resourceType": "Pod",
+ "resourceName": "frontend",
+ "searchKey": "metadata.name={{frontend}}.spec.containers.name={{app}}.resources.requests",
+ "searchValue": "Pod",
+ "expectedValue": "spec.containers.name={{app}}.resources.requests should have CPU requests",
+ "actualValue": "spec.containers.name={{app}}.resources.requests doesn't have CPU requests",
+ "issueType": "MissingAttribute",
+ "similarityID": "53adc6471bb632e6bfce296a427d0c8de7fd321b7437daa0fe0e361ededab819",
+ "search_line": 10
 },
 {
 "queryName": "CPU Requests Not Set",
 "severity": "LOW",
- "line": 15
+ "line": 15,
+ "fileName": "positive.yaml",
+ "resourceType": "Pod",
+ "resourceName": "frontend",
+ "searchKey": "metadata.name={{frontend}}.spec.containers.name=log-aggregator",
+ "searchValue": "Pod",
+ "expectedValue": "spec.containers.name=log-aggregator should have resources defined",
+ "actualValue": "spec.containers.name=log-aggregator doesn't have resources defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "8aa0922a6dc06dff661dc32dcc6af96b5059514c2dc09c8023055d410f2fa524",
+ "search_line": 15
 },
 {
 "queryName": "CPU Requests Not Set",
 "severity": "LOW",
- "line": 30
+ "line": 30,
+ "fileName": "positive.yaml",
+ "resourceType": "Configuration",
+ "resourceName": "dummy-config",
+ "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{app}}.resources.requests",
+ "searchValue": "Configuration",
+ "expectedValue": "spec.template.spec.containers.name={{app}}.resources.requests should have CPU requests",
+ "actualValue": "spec.template.spec.containers.name={{app}}.resources.requests doesn't have CPU requests",
+ "issueType": "MissingAttribute",
+ "similarityID": "dd122f9bfdf3a1148c873714209b37480d9fdd0ed4a9c1d1af3584d3cdaed6fb",
+ "search_line": 30
 },
 {
 "queryName": "CPU Requests Not Set",
 "severity": "LOW",
- "line": 37
+
"line": 37,
+ "fileName": "positive.yaml",
+ "resourceType": "Configuration",
+ "resourceName": "dummy-config",
+ "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.containers.name={{log-aggregator}}.resources",
+ "searchValue": "Configuration",
+ "expectedValue": "spec.template.spec.containers.name=log-aggregator.resources should have requests defined",
+ "actualValue": "spec.template.spec.containers.name=log-aggregator.resources doesn't have requests defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "2ab9e14600f5958d226771c6834159301b758ad828289fb61ed5eb6facd3f393",
+ "search_line": 37
 }
 ]
diff --git a/assets/queries/k8s/cronjob_deadline_not_configured/test/positive_expected_result.json b/assets/queries/k8s/cronjob_deadline_not_configured/test/positive_expected_result.json
index f0639d33d8a..a552e23ae70 100644
--- a/assets/queries/k8s/cronjob_deadline_not_configured/test/positive_expected_result.json
+++ b/assets/queries/k8s/cronjob_deadline_not_configured/test/positive_expected_result.json
@@ -1,7 +1,17 @@
 [
- {
- "queryName": "CronJob Deadline Not Configured",
- "severity": "LOW",
- "line": 6
- }
+ {
+ "queryName": "CronJob Deadline Not Configured",
+ "severity": "LOW",
+ "line": 6,
+ "fileName": "positive.yaml",
+ "resourceType": "CronJob",
+ "resourceName": "hello",
+ "searchKey": "metadata.name={{hello}}.spec",
+ "searchValue": "",
+ "expectedValue": "spec.startingDeadlineSeconds should be defined",
+ "actualValue": "spec.startingDeadlineSeconds is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "64d9afecb9b27b81aaf043bdc372abd4221e802c25dd919801dba0bde70d256a",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/k8s/dashboard_is_enabled/test/positive_expected_result.json b/assets/queries/k8s/dashboard_is_enabled/test/positive_expected_result.json
index be1e86defc1..79c3224f4a7 100644
--- a/assets/queries/k8s/dashboard_is_enabled/test/positive_expected_result.json
+++ b/assets/queries/k8s/dashboard_is_enabled/test/positive_expected_result.json
@@ -1,12 +1,32 @@
 [
- {
- "queryName": "Dashboard Is Enabled",
- "severity": "LOW",
- "line": 22
- },
- {
- "queryName": "Dashboard Is Enabled",
- "severity": "LOW",
- "line": 67
- }
+ {
+ "queryName": "Dashboard Is Enabled",
+ "severity": "LOW",
+ "line": 22,
+ "fileName": "positive.yaml",
+ "resourceType": "Deployment",
+ "resourceName": "kubernetes-dashboard-1",
+ "searchKey": "metadata.name={{kubernetes-dashboard-1}}.spec.template.spec.containers.name={{kubernetes-dashboard}}.image",
+ "searchValue": "",
+ "expectedValue": "metadata.name={{kubernetes-dashboard-1}}.spec.template.spec.containers.name={{kubernetes-dashboard}}.image has not kubernetes-dashboard deployed",
+ "actualValue": "metadata.name={{kubernetes-dashboard-1}}.spec.template.spec.containers.name={{kubernetes-dashboard}}.image has kubernetes-dashboard deployed",
+ "issueType": "IncorrectValue",
+ "similarityID": "ad51a15f98d6bed689d1fb010eeb3664acb3cb2253d866c805f60432a66b2021",
+ "search_line": -1
+ },
+ {
+ "queryName": "Dashboard Is Enabled",
+ "severity": "LOW",
+ "line": 67,
+ "fileName": "positive.yaml",
+ "resourceType": "Pod",
+ "resourceName": "myapp-pod",
+ "searchKey": "metadata.name={{myapp-pod}}.spec.initContainers.name={{init-myservice}}.image",
+ "searchValue": "",
+ "expectedValue": "metadata.name={{myapp-pod}}.spec.initContainers.name={{init-myservice}}.image has not kubernetes-dashboard deployed",
+ "actualValue": "metadata.name={{myapp-pod}}.spec.initContainers.name={{init-myservice}}.image has kubernetes-dashboard deployed",
+ "issueType": "IncorrectValue",
+ "similarityID": "c4f33cc863c6687dffdac5a9f8f0808d5562e244ad748ce0c555d131c53112c5",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/k8s/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json b/assets/queries/k8s/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json
index 54d5837dd84..1cb11e7cf80 100644
--- a/assets/queries/k8s/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json
+++ b/assets/queries/k8s/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json
@@ -1,12 +1,32 @@
 [
- {
- "queryName": "Deployment Has No PodAntiAffinity",
- "severity": "LOW",
- "line": 19
- },
- {
- "queryName": "Deployment Has No PodAntiAffinity",
- "severity": "LOW",
- "line": 39
- }
+ {
+ "queryName": "Deployment Has No PodAntiAffinity",
+ "severity": "LOW",
+ "line": 19,
+ "fileName": "positive.yaml",
+ "resourceType": "Deployment",
+ "resourceName": "label-mismatch",
+ "searchKey": "metadata.name={{label-mismatch}}.spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution.labelSelector.matchLabels",
+ "searchValue": "",
+ "expectedValue": "'spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchLabels' match any label on template metadata",
+ "actualValue": "'spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchLabels' don't match any label on template metadata",
+ "issueType": "IncorrectValue",
+ "similarityID": "770ab58c82feceee550bad5ee7af5d936030024e2689551b1fd03a21cf2d998c",
+ "search_line": -1
+ },
+ {
+ "queryName": "Deployment Has No PodAntiAffinity",
+ "severity": "LOW",
+ "line": 39,
+ "fileName": "positive.yaml",
+ "resourceType": "Deployment",
+ "resourceName": "no-affinity",
+ "searchKey": "metadata.name={{no-affinity}}.spec.template.spec",
+ "searchValue": "",
+ "expectedValue": "'spec.template.spec.affinity' should be set",
+ "actualValue": "'spec.template.spec.affinity' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "fff45bb7c04ed34d1c2548b780bbea9b286eb5cd250cb7761b3392a865b50005",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/k8s/deployment_without_pod_disruption_budget/test/positive_expected_result.json b/assets/queries/k8s/deployment_without_pod_disruption_budget/test/positive_expected_result.json
index 2576b9bc43d..37686104b3f 100644
--- a/assets/queries/k8s/deployment_without_pod_disruption_budget/test/positive_expected_result.json
+++ b/assets/queries/k8s/deployment_without_pod_disruption_budget/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "Deployment Without PodDisruptionBudget",
 "severity": "LOW",
- "line": 20
+ "line": 20,
+ "fileName": "positive.yaml",
+ "resourceType": "Deployment",
+ "resourceName": "nginx-deployment",
+ "searchKey": "metadata.name={{nginx-deployment}}.spec.selector.matchLabels",
+ "searchValue": "",
+ "expectedValue": "metadata.name=nginx-deployment is targeted by a PodDisruptionBudget",
+ "actualValue": "metadata.name=nginx-deployment is not targeted by a PodDisruptionBudget",
+ "issueType": "MissingAttribute",
+ "similarityID": "1c731c4a3ba723aaea8de5e0c1bc5defc8689d81b4d8544deeb5feddbbb8daa4",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json b/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json
index 4389559e412..6106e0f2233 100644
--- a/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json
+++ b/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json
@@ -2,16 +2,46 @@
 {
 "queryName": "Docker Daemon Socket is Exposed to Containers",
 "severity": "MEDIUM",
- "line": 15
+ "line": 15,
+ "fileName": "positive.yaml",
+ "resourceType": "Pod",
+ "resourceName": "test-pd",
+ "searchKey": "metadata.name={{test-pd}}.spec.volumes.name={{test-volume}}.hostPath.path",
+ "searchValue": "",
+ "expectedValue": "metadata.name={{test-pd}}.spec.volumes.name={{test-volume}}.hostPath.path should not be '/var/run/docker.sock'",
+ "actualValue": "metadata.name={{test-pd}}.spec.volumes.name={{test-volume}}.hostPath.path is '/var/run/docker.sock'",
+ "issueType": "IncorrectValue",
+ "similarityID": "c15d22a597aa508f28108b61fc2f7b494fd05804ba91eedce476961adae7c94a",
+ "search_line": -1
 },
 {
 "queryName": "Docker Daemon Socket is Exposed to Containers",
 "severity": "MEDIUM",
- "line": 43
+ "line": 43,
+ "fileName": "positive.yaml",
+ "resourceType": "ReplicationController",
+ "resourceName": "node-manager",
+ "searchKey": "metadata.name={{node-manager}}.spec.template.spec.volumes.name={{test-volume}}.hostPath.path",
+ "searchValue": "",
+ "expectedValue": "metadata.name={{node-manager}}.spec.template.spec.volumes.name={{test-volume}}.hostPath.path should not be '/var/run/docker.sock'",
+ "actualValue": "metadata.name={{node-manager}}.spec.template.spec.volumes.name={{test-volume}}.hostPath.path is '/var/run/docker.sock'",
+ "issueType": "IncorrectValue",
+ "similarityID": "89b2288e3c6f66d1b8fcaed1e2cf3214fc0e94c39c4e88a89d91eb478f25a348",
+ "search_line": -1
 },
 {
 "queryName": "Docker Daemon Socket is Exposed to Containers",
 "severity": "MEDIUM",
- "line": 67
+ "line": 67,
+ "fileName": "positive.yaml",
+ "resourceType": "CronJob",
+ "resourceName": "hello",
+ "searchKey": "metadata.name={{hello}}.spec.jobTemplate.spec.template.spec.volumes.name={{test-volume}}.hostPath.path",
+ "searchValue": "",
+ "expectedValue": "metadata.name={{hello}}.spec.jobTemplate.spec.template.spec.volumes.name={{test-volume}}.hostPath.path should not be
'/var/run/docker.sock'",
+ "actualValue": "metadata.name={{hello}}.spec.jobTemplate.spec.template.spec.volumes.name={{test-volume}}.hostPath.path is '/var/run/docker.sock'",
+ "issueType": "IncorrectValue",
+ "similarityID": "88358b45115ae90e65e471e21de8e286c472706fc6de65814f58fe197d2aa64f",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/encryption_provider_config_is_not_defined/test/positive_expected_result.json b/assets/queries/k8s/encryption_provider_config_is_not_defined/test/positive_expected_result.json
index 32144a1d9ff..d3ec71d253e 100644
--- a/assets/queries/k8s/encryption_provider_config_is_not_defined/test/positive_expected_result.json
+++ b/assets/queries/k8s/encryption_provider_config_is_not_defined/test/positive_expected_result.json
@@ -1,8 +1,17 @@
 [
- {
- "queryName": "Encryption Provider Config Is Not Defined",
- "severity": "MEDIUM",
- "line": 11,
- "fileName": "positive1.yaml"
- }
+ {
+ "queryName": "Encryption Provider Config Is Not Defined",
+ "severity": "MEDIUM",
+ "line": 11,
+ "fileName": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--encryption-provider-config flag should be defined",
+ "actualValue": "--encryption-provider-config flag is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "18748a3a58b07bdb67e9c69587b94270716b2c88bf7615b01295bccf55affc36",
+ "search_line": 11
+ }
 ]
diff --git a/assets/queries/k8s/encryption_provider_not_properly_configured/test/positive_expected_result.json b/assets/queries/k8s/encryption_provider_not_properly_configured/test/positive_expected_result.json
index 8f74ab86fd4..488f90748f2 100644
--- a/assets/queries/k8s/encryption_provider_not_properly_configured/test/positive_expected_result.json
+++ b/assets/queries/k8s/encryption_provider_not_properly_configured/test/positive_expected_result.json
@@ -1,8 +1,17 @@
 [
- {
- "queryName": "Encryption Provider Not Properly Configured",
- "severity": "MEDIUM",
- "line": 6,
- "fileName": "positive1.yaml"
- }
+ {
+ "queryName": "Encryption Provider Not Properly Configured",
+ "severity": "MEDIUM",
+ "line": 6,
+ "fileName": "positive1.yaml",
+ "resourceType": "EncryptionConfiguration",
+ "resourceName": "n/a",
+ "searchKey": "kind={{EncryptionConfiguration}}.providers",
+ "searchValue": "",
+ "expectedValue": "aescbc, kms or secretbox provider should be defined",
+ "actualValue": "aescbc, kms or secretbox provider is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "158d2ecf8cfbe287d24880ed53547ed938cf46d558a518d9b635d2f07f094cb0",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/k8s/ensure_administrative_boundaries_between_resources/test/positive_expected_result.json b/assets/queries/k8s/ensure_administrative_boundaries_between_resources/test/positive_expected_result.json
index 90ca7d5c875..2004c01078d 100644
--- a/assets/queries/k8s/ensure_administrative_boundaries_between_resources/test/positive_expected_result.json
+++ b/assets/queries/k8s/ensure_administrative_boundaries_between_resources/test/positive_expected_result.json
@@ -1,8 +1,17 @@ [ - { - "queryName": "Ensure Administrative Boundaries Between Resources", - "severity": "INFO", - "line": 5, - "fileName": "positive.yaml" - } + { + "queryName": "Ensure Administrative Boundaries Between Resources", + "severity": "INFO", + "line": 5, + "fileName": "positive.yaml", + "resourceType": "Pod", + "resourceName": "frontend", + "searchKey": "metadata.namespace={{cosmic-namespace}}", + "searchValue": "", + "expectedValue": "ensure that these namespaces are the ones you need and are adequately administered as per your requirements.", + "actualValue": "namespaces in use: cosmic-namespace", + "issueType": "IncorrectValue", + "similarityID": "656dc930c3bd8ee7b645a8809b365baac9bc60f4ffc01ce86e97d836889d80e7", + "search_line": 5 + } ] diff --git a/assets/queries/k8s/etcd_client_certificate_authentication_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/etcd_client_certificate_authentication_set_to_false/test/positive_expected_result.json index 6d3c14dce1b..dc76995df81 100644 --- a/assets/queries/k8s/etcd_client_certificate_authentication_set_to_false/test/positive_expected_result.json +++ b/assets/queries/k8s/etcd_client_certificate_authentication_set_to_false/test/positive_expected_result.json 
@@ -1,14 +1,32 @@ [ - { - "queryName": "Etcd Client Certificate Authentication Set To False", - "severity": "MEDIUM", - "line": 21, - "fileName": "positive1.yaml" - }, - { - "queryName": "Etcd Client Certificate Authentication Set To False", - "severity": "MEDIUM", - "line": 21, - "fileName": "positive2.yaml" - } + { + "queryName": "Etcd Client Certificate Authentication Set To False", + "severity": "MEDIUM", + "line": 21, + "fileName": "positive1.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment", + "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "", + "expectedValue": "--client-cert-auth flag should be set to true", + "actualValue": "--client-cert-auth flag is set to false", + "issueType": "IncorrectValue", + "similarityID": "21a1532812d15254795e0f0006d0a97cd89ded41666cfcbebe4fdd206962dcac", + "search_line": 21 + }, + { + "queryName": "Etcd Client Certificate Authentication Set To False", + "severity": "MEDIUM", + "line": 21, + "fileName": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment", + "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "", + "expectedValue": "--client-cert-auth flag should be defined and set to true", + "actualValue": "--client-cert-auth flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "694d0faaf9608ad461dc771532372a050cd4b793769b6d6ae97128ff655cded0", + "search_line": 21 + } ] diff --git a/assets/queries/k8s/etcd_client_certificate_file_not_defined/test/positive_expected_result.json b/assets/queries/k8s/etcd_client_certificate_file_not_defined/test/positive_expected_result.json index 7a9969fbe96..4896ca5d9e9 100644 --- a/assets/queries/k8s/etcd_client_certificate_file_not_defined/test/positive_expected_result.json 
+++ b/assets/queries/k8s/etcd_client_certificate_file_not_defined/test/positive_expected_result.json @@ -1,8 +1,17 @@ [ - { - "queryName": "Etcd Client Certificate File Not Defined", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" - } + { + "queryName": "Etcd Client Certificate File Not Defined", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--etcd-cafile flag should be defined", + "actualValue": "--etcd-cafile flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "c7ea1cce5a039be6d13da30e6fcb938b62ee4e0fc7deb75eba844871dc03ad69", + "search_line": 11 + } ] diff --git a/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/test/positive_expected_result.json index 968c9fab2a9..4eac45fb1c3 100644 --- a/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/test/positive_expected_result.json +++ b/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false/test/positive_expected_result.json 
@@ -1,14 +1,32 @@ [ - { - "queryName": "Etcd Peer Client Certificate Authentication Set To False", - "severity": "MEDIUM", - "line": 21, - "fileName": "positive1.yaml" - }, - { - "queryName": "Etcd Peer Client Certificate Authentication Set To False", - "severity": "MEDIUM", - "line": 21, - "fileName": "positive2.yaml" - } + { + "queryName": "Etcd Peer Client Certificate Authentication Set To False", + "severity": "MEDIUM", + "line": 21, + "fileName": "positive1.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment", + "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "", + "expectedValue": "--peer-client-cert-auth flag should be set to true", + "actualValue": "--peer-client-cert-auth flag is set to false", + "issueType": "IncorrectValue", + "similarityID": "6a6957b17c21ff6d6d3d6e4fbf800bb151d18210aea9d357221267f5bbf409da", + "search_line": 21 + }, + { + "queryName": "Etcd Peer Client Certificate Authentication Set To False", + "severity": "MEDIUM", + "line": 21, + "fileName": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment", + "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "", + "expectedValue": "--peer-client-cert-auth flag should be defined and set to true", + "actualValue": "--peer-client-cert-auth flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "4a425d854eb219c0c5eba8190e79a9721f6a567afa728747ab6ee94adf64fa8b", + "search_line": 21 + } ] diff --git a/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/test/positive_expected_result.json index 6c81f41de7e..4a3399d7fd6 100644 --- a/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/test/positive_expected_result.json 
+++ b/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "Etcd Peer TLS Certificate Files Not Properly Set", "severity": "HIGH", "line": 21, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment", + "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "Deployment--peer-key-file", + "expectedValue": "--peer-key-file flag should be defined", + "actualValue": "--peer-key-file flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "b35a2d8ac2f9f72644f60ff292c6de9f4991644ece32cef17fc4c73052eafae4", + "search_line": 21 }, { "queryName": "Etcd Peer TLS Certificate Files Not Properly Set", "severity": "HIGH", "line": 46, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment2", + "searchKey": "metadata.name={{app-etcd-deployment2}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "Deployment--peer-cert-file", + "expectedValue": "--peer-cert-file flag should be defined", + "actualValue": "--peer-cert-file flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "c859269a6530d9654c88bb780a044b9adc093a2b55569d4a1f7e320d3edbee24", + "search_line": 46 }, { "queryName": "Etcd Peer TLS Certificate Files Not Properly Set", "severity": "HIGH", "line": 21, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment", + "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "Deployment--peer-cert-file", + "expectedValue": "--peer-cert-file flag should be defined", + "actualValue": "--peer-cert-file flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "51978f0785c2a12c9978079f7087b74d50f4255ad032a69ddc4f876e3a9ff63e", + "search_line": 21 } ] 
diff --git a/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/test/positive_expected_result.json index 2894ecb6935..1ed8e0bd1b0 100644 --- a/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "Etcd TLS Certificate Files Not Properly Set", "severity": "MEDIUM", "line": 21, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment", + "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "Deployment--key-file", + "expectedValue": "--key-file flag should be defined", + "actualValue": "--key-file flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "32f5b610a7eff9938582c9a8ccea6c516b410b3532eb91725ef46a6078b001e0", + "search_line": 21 }, { "queryName": "Etcd TLS Certificate Files Not Properly Set", "severity": "MEDIUM", "line": 46, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment2", + "searchKey": "metadata.name={{app-etcd-deployment2}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "Deployment--key-file", + "expectedValue": "--key-file flag should be defined", + "actualValue": "--key-file flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "6bea780b1dec47a46dda3e6c3bee72c747485c704850fe7f6ab45a69c54f28e4", + "search_line": 46 }, { "queryName": "Etcd TLS Certificate Files Not Properly Set", "severity": "MEDIUM", "line": 21, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "app-etcd-deployment", + "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command", + "searchValue": "Deployment--cert-file", + "expectedValue": "--cert-file flag should be defined", + "actualValue": "--cert-file flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "976c323086b3511566960c3704971d9684f2ebdecbec70d207f8a233ea773fae", + "search_line": 21 } ] 
diff --git a/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/test/positive_expected_result.json b/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/test/positive_expected_result.json index ec4e7429b21..0810076927a 100644 --- a/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/test/positive_expected_result.json +++ b/assets/queries/k8s/etcd_tls_certificate_not_properly_configured/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "Etcd TLS Certificate Not Properly Configured", "severity": "MEDIUM", "line": 11, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "Pod--etcd-certfile", + "expectedValue": "--etcd-certfile flag should be defined", + "actualValue": "--etcd-certfile flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "312101d7d40b5860c1e7e819e2230cdf99af39c0f155584ddf676856dc353ffb", + "search_line": 11 }, { "queryName": "Etcd TLS Certificate Not Properly Configured", "severity": "MEDIUM", "line": 25, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo2", + "searchKey": "metadata.name={{command-demo2}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "Pod--etcd-keyfile", + "expectedValue": "--etcd-keyfile flag should be defined", + "actualValue": "--etcd-keyfile flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "65515f6aff430af9c39b7a185c772d59a02f3a9460798741d8a14de86ab781c3", + "search_line": 25 }, { "queryName": "Etcd TLS Certificate Not Properly Configured", "severity": "MEDIUM", "line": 11, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "Pod--etcd-keyfile", + "expectedValue": "--etcd-keyfile flag should be defined", + "actualValue": "--etcd-keyfile flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "28e87d5582f63a1f08c3d9b308212bbd3b2f52ec6907d8f364c8610ad387b334", + "search_line": 11 } ] 
diff --git a/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/test/positive_expected_result.json b/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/test/positive_expected_result.json index a668b988671..72aa66123f2 100644 --- a/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set/test/positive_expected_result.json @@ -1,8 +1,17 @@ [ - { - "queryName": "Event Rate Limit Admission Control Plugin Not Set", - "severity": "LOW", - "line": 11, - "fileName": "positive1.yaml" - } + { + "queryName": "Event Rate Limit Admission Control Plugin Not Set", + "severity": "LOW", + "line": 11, + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--enable-admission-plugins flag should contain 'EventRateLimit' plugin", + "actualValue": "--enable-admission-plugins flag does not contain 'EventRateLimit' plugin", + "issueType": "MissingAttribute", + "similarityID": "4c901b999dc93db19dc1c28d9d205aa0a6f8ed0f4bf463747d94ea26117d919e", + "search_line": 11 + } ] diff --git a/assets/queries/k8s/hpa_targeted_deployments_with_configured_replica_count/test/positive_expected_result.json b/assets/queries/k8s/hpa_targeted_deployments_with_configured_replica_count/test/positive_expected_result.json index d1981d9c340..ed510edd4dc 100644 --- a/assets/queries/k8s/hpa_targeted_deployments_with_configured_replica_count/test/positive_expected_result.json +++ b/assets/queries/k8s/hpa_targeted_deployments_with_configured_replica_count/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "HPA Targeted Deployments With Configured Replica Count", "severity": "INFO", - "line": 10 + "line": 10, + "fileName": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "php-apache-1", + "searchKey": "metadata.name={{php-apache-1}}.spec.replicas", + "searchValue": "", + "expectedValue": "metadata.name={{php-apache-1}}.spec.replicas should be undefined", + "actualValue": "metadata.name={{php-apache-1}}.spec.replicas is defined", + "issueType": "IncorrectValue", + "similarityID": "8dade528a8b0d5e0b01d5c02fde3cee02c0357579f2316cba0376937b7cb5edd", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/hpa_targets_invalid_object/test/positive_expected_result.json b/assets/queries/k8s/hpa_targets_invalid_object/test/positive_expected_result.json index 0ca04478879..5465ebbdcd4 100644 --- a/assets/queries/k8s/hpa_targets_invalid_object/test/positive_expected_result.json +++ b/assets/queries/k8s/hpa_targets_invalid_object/test/positive_expected_result.json @@ -1,7 +1,17 @@ [ - { - "queryName": "HPA Targets Invalid Object", - "severity": "LOW", - "line": 12 - } + { + "queryName": "HPA Targets Invalid Object", + "severity": "LOW", + "line": 12, + "fileName": "positive.yaml", + "resourceType": "HorizontalPodAutoscaler", + "resourceName": "php-apache", + "searchKey": "spec.metrics", + "searchValue": "", + "expectedValue": "spec.metrics[0] is a valid object ", + "actualValue": "spec.metrics[0] is an invalid object ", + "issueType": "IncorrectValue", + "similarityID": "bbf3ac26a64f78f4c3936253af3074f8823d43fc7ed653b31cd1c31b9645d674", + "search_line": -1 + } ] diff --git a/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/test/positive_expected_result.json b/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/test/positive_expected_result.json index a4059658917..2f0633192c0 100644 
--- a/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set/test/positive_expected_result.json @@ -1,8 +1,17 @@ [ - { - "queryName": "Image Policy Webhook Admission Control Plugin Not Set", - "severity": "LOW", - "line": 11, - "fileName": "positive1.yaml" - } + { + "queryName": "Image Policy Webhook Admission Control Plugin Not Set", + "severity": "LOW", + "line": 11, + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--enable-admission-plugins flag should contain 'ImagePolicyWebhook' plugin", + "actualValue": "--enable-admission-plugins flag does not contain 'ImagePolicyWebhook' plugin", + "issueType": "MissingAttribute", + "similarityID": "f32f9d240a4b698fba1072edf661f28feeebdf45abd87904007ff8a1d6d6ad14", + "search_line": 11 + } ] diff --git a/assets/queries/k8s/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json b/assets/queries/k8s/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json index 5cbf7249971..218a26e3c35 100644 --- a/assets/queries/k8s/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json +++ b/assets/queries/k8s/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json 
@@ -1,20 +1,47 @@ [ - { - "queryName": "Image Pull Policy Of The Container Is Not Set To Always", - "severity": "LOW", - "line": 9, - "fileName": "positive1.yaml" - }, - { - "queryName": "Image Pull Policy Of The Container Is Not Set To Always", - "severity": "LOW", - "line": 18, - "fileName": "positive2.yaml" - }, - { - "queryName": "Image Pull Policy Of The Container Is Not Set To Always", - "severity": "LOW", - "line": 16, - "fileName": "positive3.yaml" - } + { + "queryName": "Image Pull Policy Of The Container Is Not Set To Always", + "severity": "LOW", + "line": 9, + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "private-image-test-always", + "searchKey": "metadata.name={{private-image-test-always}}.spec.containers.name={{uses-private-image}}.imagePullPolicy", + "searchValue": "Pod", + "expectedValue": "metadata.name={{private-image-test-always}}.spec.containers.name={{uses-private-image}}.imagePullPolicy should be set to 'Always'", + "actualValue": "metadata.name={{private-image-test-always}}.spec.containers.name={{uses-private-image}}.imagePullPolicy relies on mutable images in cache", + "issueType": "IncorrectValue", + "similarityID": "c74339891995d9c00530ea1561340097b8fb6f18bd314d56137d0b9774f6c5a8", + "search_line": 9 + }, + { + "queryName": "Image Pull Policy Of The Container Is Not Set To Always", + "severity": "LOW", + "line": 18, + "fileName": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "deployment-with-image-pull-policy", + "searchKey": "metadata.name={{deployment-with-image-pull-policy}}.spec.template.spec.containers.name={{nginx}}.imagePullPolicy", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{deployment-with-image-pull-policy}}.spec.template.spec.containers.name={{nginx}}.imagePullPolicy should be set to 'Always'", + "actualValue": "metadata.name={{deployment-with-image-pull-policy}}.spec.template.spec.containers.name={{nginx}}.imagePullPolicy relies on mutable images in 
cache", + "issueType": "IncorrectValue", + "similarityID": "0a14c1e2c1ad9b1d635ae7b4e539f6d36199c471ffcdc8f4711d9ef4e5c421c4", + "search_line": 18 + }, + { + "queryName": "Image Pull Policy Of The Container Is Not Set To Always", + "severity": "LOW", + "line": 16, + "fileName": "positive3.yaml", + "resourceType": "Deployment", + "resourceName": "deployment-with-image-pull-policy1", + "searchKey": "metadata.name={{deployment-with-image-pull-policy1}}.spec.template.spec.containers.name={{nginx}}", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{deployment-with-image-pull-policy1}}.spec.template.spec.containers.name={{nginx}}.imagePullPolicy should be set to 'Always'", + "actualValue": "metadata.name={{deployment-with-image-pull-policy1}}.spec.template.spec.containers.name={{nginx}}.imagePullPolicy relies on mutable images in cache", + "issueType": "MissingAttribute", + "similarityID": "a4f7d2f3bc91c2f7df97224a70760355288e237ac115ae079fc45423714b0e9f", + "search_line": 16 + } ] diff --git a/assets/queries/k8s/image_without_digest/test/positive_expected_result.json b/assets/queries/k8s/image_without_digest/test/positive_expected_result.json index e4028708fbc..3da2c2a5b77 100644 --- a/assets/queries/k8s/image_without_digest/test/positive_expected_result.json +++ b/assets/queries/k8s/image_without_digest/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "Image Without Digest", "severity": "LOW", - "line": 8 + "line": 8, + "fileName": "positive.yaml", + "resourceType": "Pod", + "resourceName": "private-image-test-1", + "searchKey": "metadata.name={{private-image-test-1}}.spec.containers.name={{uses-private-image}}.image", + "searchValue": "Pod", + "expectedValue": "metadata.name={{private-image-test-1}}.spec.containers.name={{uses-private-image}}.image should specify the image with a digest", + "actualValue": "metadata.name={{private-image-test-1}}.spec.containers.name={{uses-private-image}}.image does not include an image digest", + "issueType": "IncorrectValue", + "similarityID": "e1e2a413e7d000706301a0bd5a7274254aa93cb29fc5f2dd2006888a3e6e204a", + "search_line": 8 } ] diff --git a/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json b/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json index 8a5e62a2f23..1d67106cd8c 100644 --- a/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json +++ b/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json 
@@ -1,12 +1,32 @@ [ - { - "queryName": "Incorrect Volume Claim Access Mode ReadWriteOnce", - "severity": "MEDIUM", - "line": 27 - }, - { - "queryName": "Incorrect Volume Claim Access Mode ReadWriteOnce", - "severity": "MEDIUM", - "line": 72 - } + { + "queryName": "Incorrect Volume Claim Access Mode ReadWriteOnce", + "severity": "MEDIUM", + "line": 27, + "fileName": "positive.yaml", + "resourceType": "StatefulSet", + "resourceName": "web", + "searchKey": "metadata.name=web.spec.volumeClaimTemplates", + "searchValue": "", + "expectedValue": "metadata.name=web.spec.volumeClaimTemplates has only one template with a 'ReadWriteOnce'", + "actualValue": "metadata.name=web.spec.volumeClaimTemplates has multiple templates with 'ReadWriteOnce'", + "issueType": "IncorrectValue", + "similarityID": "b42bb9576598d84649b1e4538c30bba0312553f883f68acfcd9717723c58a0b2", + "search_line": -1 + }, + { + "queryName": "Incorrect Volume Claim Access Mode ReadWriteOnce", + "severity": "MEDIUM", + "line": 72, + "fileName": "positive.yaml", + "resourceType": "StatefulSet", + "resourceName": "web2", + "searchKey": "metadata.name=web2.spec.volumeClaimTemplates", + "searchValue": "", + "expectedValue": "metadata.name=web2.spec.volumeClaimTemplates has one template with a 'ReadWriteOnce'", + "actualValue": "metadata.name=web2.spec.volumeClaimTemplates does not have a template with a 'ReadWriteOnce'", + "issueType": "MissingAttribute", + "similarityID": "73ec2fb452d9e71203e1a706aa489dfeea9f83d315fd6aca1574f29fa3e60d38", + "search_line": -1 + } ] diff --git a/assets/queries/k8s/ingress_controller_exposes_workload/test/positive_expected_result.json b/assets/queries/k8s/ingress_controller_exposes_workload/test/positive_expected_result.json index cd39ebbc112..4f0c8513875 100644 --- a/assets/queries/k8s/ingress_controller_exposes_workload/test/positive_expected_result.json +++ b/assets/queries/k8s/ingress_controller_exposes_workload/test/positive_expected_result.json 
@@ -1,7 +1,17 @@ [ - { - "queryName": "Ingress Controller Exposes Workload", - "severity": "MEDIUM", - "line": 31 - } + { + "queryName": "Ingress Controller Exposes Workload", + "severity": "MEDIUM", + "line": 31, + "fileName": "positive.yaml", + "resourceType": "Ingress", + "resourceName": "app-ingress", + "searchKey": "metadata.name={{app-ingress}}.spec.rules.http.paths.backend", + "searchValue": "", + "expectedValue": "metadata.name=app-ingress should not be exposing the workload", + "actualValue": "metadata.name=app-ingress is exposing the workload", + "issueType": "IncorrectValue", + "similarityID": "d9dc3bf1dfd3a1dae5ff48da6e3795d9547d0214f1f47220b8eacc3fdf8322ca", + "search_line": -1 + } ] diff --git a/assets/queries/k8s/insecure_bind_address_set/test/positive_expected_result.json b/assets/queries/k8s/insecure_bind_address_set/test/positive_expected_result.json index 5ad480dadd1..1e7dc2a4531 100644 --- a/assets/queries/k8s/insecure_bind_address_set/test/positive_expected_result.json +++ b/assets/queries/k8s/insecure_bind_address_set/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Insecure Bind Address Set", "severity": "HIGH", "line": 11, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--insecure-bind-address flag should not be set", + "actualValue": "--insecure-bind-address flag is set", + "issueType": "IncorrectValue", + "similarityID": "50b4e94ba75a29f72b1d4575264a93c0c4091e659625423365de48876f93e09f", + "search_line": 11 }, { "queryName": "Insecure Bind Address Set", "severity": "HIGH", "line": 11, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--insecure-bind-address flag should not be set", + "actualValue": "--insecure-bind-address flag is set", + "issueType": "IncorrectValue", + "similarityID": "430f2bde39a53eb1832f54f70876c1e7d9f657def34793a065bdd3d199846b07", + "search_line": 11 } ] diff --git a/assets/queries/k8s/insecure_port_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/insecure_port_not_properly_set/test/positive_expected_result.json index 0220b09dd9d..15d2e1adebe 100644 --- a/assets/queries/k8s/insecure_port_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/insecure_port_not_properly_set/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Insecure Port Not Properly Set", "severity": "HIGH", "line": 11, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--insecure-port flag should be set to 0", + "actualValue": "--insecure-port flag is not properly set", + "issueType": "IncorrectValue", + "similarityID": "b16c420ec61600ee98f4e61f64cc5e58aabc6527d0b4ea5bd7f4afc947d18405", + "search_line": 11 }, { "queryName": "Insecure Port Not Properly Set", "severity": "HIGH", "line": 11, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--insecure-port flag should be defined and set to 0", + "actualValue": "--insecure-port flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "da65ddeb6b9feb4861fa4861db8c290c233fb268f08fd6e47d28cd0a492b7938", + "search_line": 11 } ] diff --git a/assets/queries/k8s/invalid_image/test/positive_expected_result.json b/assets/queries/k8s/invalid_image/test/positive_expected_result.json index e0493f320e4..32a29e89abf 100644 --- a/assets/queries/k8s/invalid_image/test/positive_expected_result.json +++ b/assets/queries/k8s/invalid_image/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Invalid Image Tag", "severity": "LOW", - "line": 8 + "line": 8, + "fileName": "positive.yaml", + "resourceType": "Pod", + "resourceName": "private-image-test-3", + "searchKey": "metadata.name={{private-image-test-3}}.spec.containers.name={{uses-private-image-container}}.image", + "searchValue": "", + "expectedValue": "metadata.name={{private-image-test-3}}.spec.containers.name={{uses-private-image-container}}.image tag is provided and not latest", + "actualValue": "metadata.name={{private-image-test-3}}.spec.containers.name={{uses-private-image-container}}.image tag is not provided or latest", + "issueType": "MissingAttribute", + "similarityID": "fcbd5a9990cce20b1161b71e031460f2c94ecb6d8d941644c162d33857aac40c", + "search_line": -1 }, { "queryName": "Invalid Image Tag", "severity": "LOW", - "line": 19 + "line": 19, + "fileName": "positive.yaml", + "resourceType": "Pod", + "resourceName": "private-image-test-33", + "searchKey": "metadata.name={{private-image-test-33}}.spec.containers.name={{uses-private-image-container}}.image", + "searchValue": "", + "expectedValue": "metadata.name={{private-image-test-33}}.spec.containers.name={{uses-private-image-container}}.image tag is provided and not latest", + "actualValue": "metadata.name={{private-image-test-33}}.spec.containers.name={{uses-private-image-container}}.image tag is not provided or latest", + "issueType": "MissingAttribute", + "similarityID": "068c6e45367cd42df841535812142fe3f6682d9a3ee762f92edd29e01932c257", + "search_line": -1 } ] diff --git a/assets/queries/k8s/kubelet_certificate_authority_not_set/test/positive_expected_result.json b/assets/queries/k8s/kubelet_certificate_authority_not_set/test/positive_expected_result.json index fbd6365dacf..7f90f2cb4c5 100644 --- a/assets/queries/k8s/kubelet_certificate_authority_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_certificate_authority_not_set/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Kubelet Certificate Authority Not Set", "severity": "MEDIUM", "line": 11, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--kubelet-certificate-authority flag should be set", + "actualValue": "--kubelet-certificate-authority flag is not set", + "issueType": "MissingAttribute", + "similarityID": "05903bf632b31fd772f6257baf640cd3d545bea726ad3fe7d374386e593c3ca6", + "search_line": 11 } ] diff --git a/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/test/positive_expected_result.json b/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/test/positive_expected_result.json index 56e7122183a..21a5cd4d737 100644 --- a/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_client_certificate_or_key_not_set/test/positive_expected_result.json 
@@ -3,30 +3,75 @@ "queryName": "Kubelet Client Certificate Or Key Not Set", "severity": "MEDIUM", "line": 11, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "Pod--kubelet-client-certificate", + "expectedValue": "--kubelet-client-certificate flag should be set", + "actualValue": "--kubelet-client-certificate flag is not set", + "issueType": "MissingAttribute", + "similarityID": "6c57cb5fb7e29cca58ff56304b6772e2e80ed94dc26d962ad7e8a935c0c48837", + "search_line": 11 }, { "queryName": "Kubelet Client Certificate Or Key Not Set", "severity": "MEDIUM", "line": 11, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "Pod--kubelet-client-key", + "expectedValue": "--kubelet-client-key flag should be set", + "actualValue": "--kubelet-client-key flag is not set", + "issueType": "MissingAttribute", + "similarityID": "0118346d3ffab9f99330c65ff9ec627035a47941227d69a30fcc7705558085ff", + "search_line": 11 }, { "queryName": "Kubelet Client Certificate Or Key Not Set", "severity": "MEDIUM", "line": 11, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "Pod--kubelet-client-key", + "expectedValue": "--kubelet-client-key flag should be set", + "actualValue": "--kubelet-client-key flag is not set", + "issueType": "MissingAttribute", + "similarityID": "49a4794f455e65d1dfe73895a7c622d63002c00792b41bd0884c6b14f6e78182", + "search_line": 11 }, { "queryName": "Kubelet Client Certificate Or Key Not Set", "severity": 
"MEDIUM", "line": 25, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo2", + "searchKey": "metadata.name={{command-demo2}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "Pod--kubelet-client-certificate", + "expectedValue": "--kubelet-client-certificate flag should be set", + "actualValue": "--kubelet-client-certificate flag is not set", + "issueType": "MissingAttribute", + "similarityID": "1e78d6ffff26b311982286f0fb006f9d81b1e5f1a23939576584354887402573", + "search_line": 25 }, { "queryName": "Kubelet Client Certificate Or Key Not Set", "severity": "MEDIUM", "line": 11, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "Pod--kubelet-client-certificate", + "expectedValue": "--kubelet-client-certificate flag should be set", + "actualValue": "--kubelet-client-certificate flag is not set", + "issueType": "MissingAttribute", + "similarityID": "bc20f44c972e95de294e1f72545159c05f2746db10ec86b5cbc5e10d789e08b1", + "search_line": 11 } ] diff --git a/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/positive_expected_result.json b/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/positive_expected_result.json index 186ed212f02..b24b55526d9 100644 --- a/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled/test/positive_expected_result.json 
@@ -1,26 +1,62 @@ [ - { - "queryName": "Kubelet Client Periodic Certificate Switch Disabled", - "severity": "MEDIUM", - "line": 2, - "filename": "positive4.yaml" - }, - { - "queryName": "Kubelet Client Periodic Certificate Switch Disabled", - "severity": "MEDIUM", - "line": 8, - "filename": "positive2.yaml" - }, - { - "queryName": "Kubelet Client Periodic Certificate Switch Disabled", - "severity": "MEDIUM", - "line": 11, - "filename": "positive1.yaml" - }, - { - "queryName": "Kubelet Client Periodic Certificate Switch Disabled", - "severity": "MEDIUM", - "line": 6, - "filename": "positive3.json" - } + { + "queryName": "Kubelet Client Periodic Certificate Switch Disabled", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--rotate-certificates flag should be true", + "actualValue": "--rotate-certificates flag is false", + "issueType": "IncorrectValue", + "similarityID": "b28a49f0a5651109e472c8b683ad55ab4381f0ca7fd4b03708c37cc8024f6cab", + "search_line": 11 + }, + { + "queryName": "Kubelet Client Periodic Certificate Switch Disabled", + "severity": "MEDIUM", + "line": 8, + "fileName": "positive2.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.rotateCertificates", + "searchValue": "", + "expectedValue": "rotateCertificates should be true", + "actualValue": "rotateCertificates is false", + "issueType": "IncorrectValue", + "similarityID": "19cc1bb4015adcfe4f19a213ead6e72a34597a69811fdba50bc1de7c6a646be6", + "search_line": -1 + }, + { + "queryName": "Kubelet Client Periodic Certificate Switch Disabled", + "severity": "MEDIUM", + "line": 6, + "fileName": "positive3.json", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": 
"kind={{KubeletConfiguration}}.rotateCertificates", + "searchValue": "", + "expectedValue": "rotateCertificates should be true", + "actualValue": "rotateCertificates is not set (default is false)", + "issueType": "MissingAttribute", + "similarityID": "5e19a8a0d33685183357c92278dd4a13665e39a6b881a786661fa275d109831b", + "search_line": -1 + }, + { + "queryName": "Kubelet Client Periodic Certificate Switch Disabled", + "severity": "MEDIUM", + "line": 2, + "fileName": "positive4.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.rotateCertificates", + "searchValue": "", + "expectedValue": "rotateCertificates should be true", + "actualValue": "rotateCertificates is not set (default is false)", + "issueType": "MissingAttribute", + "similarityID": "2f1bb68313da0a53fb78677fd45598cdec07cc8bba238b02cd5ef4c43a53bb05", + "search_line": -1 + } ] diff --git a/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive_expected_result.json index cbbfd67cb87..a0c6fc4859d 100644 --- a/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_event_qps_not_properly_set/test/positive_expected_result.json 
@@ -1,26 +1,62 @@ [ - { - "queryName": "Kubelet Event QPS Not Properly Set", - "severity": "LOW", - "line": 11, - "fileName": "positive1.yaml" - }, - { - "queryName": "Kubelet Event QPS Not Properly Set", - "severity": "LOW", - "line": 11, - "fileName": "positive2.yaml" - }, - { - "queryName": "Kubelet Event QPS Not Properly Set", - "severity": "LOW", - "line": 5, - "fileName": "positive3.yaml" - }, - { - "queryName": "Kubelet Event QPS Not Properly Set", - "severity": "LOW", - "line": 2, - "fileName": "positive4.yaml" - } + { + "queryName": "Kubelet Event QPS Not Properly Set", + "severity": "LOW", + "line": 11, + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--event-qps flag should be set to 0", + "actualValue": "--event-qps flag is not set to 0", + "issueType": "IncorrectValue", + "similarityID": "36d7497999b18ef7ec51d3c0da754f06799c5370fdc58e8fca2c16870c13110b", + "search_line": 11 + }, + { + "queryName": "Kubelet Event QPS Not Properly Set", + "severity": "LOW", + "line": 11, + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--event-qps flag should be set to 0", + "actualValue": "--event-qps flag is not set to 0", + "issueType": "IncorrectValue", + "similarityID": "ee01aa576d297875b801200d80b0501b143f84db3d4d41fd2aa649fb9ce47584", + "search_line": 11 + }, + { + "queryName": "Kubelet Event QPS Not Properly Set", + "severity": "LOW", + "line": 5, + "fileName": "positive3.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.eventRecordQPS", + "searchValue": "", + "expectedValue": "eventRecordQPS flag should set to 0", + 
"actualValue": "eventRecordQPS flag is not set to 0", + "issueType": "IncorrectValue", + "similarityID": "89de8b6c823261d9c786b6827f7915edf45b60c2dc8be799743003cd5cd88f53", + "search_line": -1 + }, + { + "queryName": "Kubelet Event QPS Not Properly Set", + "severity": "LOW", + "line": 2, + "fileName": "positive4.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}", + "searchValue": "", + "expectedValue": "eventRecordQPS flag should set to 0", + "actualValue": "eventRecordQPS flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "84e8c2505fb4fd36cda04b9fc4d6ce3d85cdebbe8b7bd544fab09a5a103c485d", + "search_line": -1 + } ] diff --git a/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive_expected_result.json b/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive_expected_result.json index 130b1b46734..ef0cbe28b51 100644 --- a/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_hostname_override_is_set/test/positive_expected_result.json 
@@ -1,14 +1,32 @@ [ - { - "queryName": "Kubelet Hostname Override Is Set", - "severity": "LOW", - "line": 11, - "fileName": "positive1.yaml" - }, - { - "queryName": "Kubelet Hostname Override Is Set", - "severity": "LOW", - "line": 11, - "fileName": "positive2.yaml" - } + { + "queryName": "Kubelet Hostname Override Is Set", + "severity": "LOW", + "line": 11, + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--hostname-override= flag should not be defined", + "actualValue": "--hostname-override= flag is defined", + "issueType": "IncorrectValue", + "similarityID": "8560b744a7bb93efeb08ba12f1446b7d4f86f5193214dbe11553b30aa8a0f3cf", + "search_line": 11 + }, + { + "queryName": "Kubelet Hostname Override Is Set", + "severity": "LOW", + "line": 11, + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--hostname-override= flag should not be defined", + "actualValue": "--hostname-override= flag is defined", + "issueType": "IncorrectValue", + "similarityID": "c1d8b3b98b93561c0aee0eb4beb955033d5e4cf55b947286be51541faed92ea0", + "search_line": 11 + } ] diff --git a/assets/queries/k8s/kubelet_https_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/kubelet_https_set_to_false/test/positive_expected_result.json index d63831fc18f..32eb6349956 100644 --- a/assets/queries/k8s/kubelet_https_set_to_false/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_https_set_to_false/test/positive_expected_result.json 
@@ -3,6 +3,15 @@
 "queryName": "Kubelet HTTPS Set To False",
 "severity": "MEDIUM",
 "line": 11,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--kubelet-https flag should be set to true or not be defined",
+ "actualValue": "--kubelet-https flag is set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "2f14960a23d914d87741caa528f697a984857d82f07db78393bbc907c08b3faf",
+ "search_line": 11
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/kubelet_not_managing_ip_tables/test/positive_expected_result.json b/assets/queries/k8s/kubelet_not_managing_ip_tables/test/positive_expected_result.json
index 2774b893079..4f54716f498 100644
--- a/assets/queries/k8s/kubelet_not_managing_ip_tables/test/positive_expected_result.json
+++ b/assets/queries/k8s/kubelet_not_managing_ip_tables/test/positive_expected_result.json
@@ -1,20 +1,47 @@ [ - { - "queryName": "Kubelet Not Managing Ip Tables", - "severity": "MEDIUM", - "line": 11, - "filename": "positive1.yaml" - }, - { - "queryName": "Kubelet Not Managing Ip Tables", - "severity": "MEDIUM", - "line": 8, - "filename": "positive2.yaml" - }, - { - "queryName": "Kubelet Not Managing Ip Tables", - "severity": "MEDIUM", - "line": 7, - "filename": "positive3.json" - } - ] + { + "queryName": "Kubelet Not Managing Ip Tables", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--make-iptables-util-chains flag should be true", + "actualValue": "--make-iptables-util-chains= flag is false", + "issueType": "IncorrectValue", + "similarityID": "66d00c08a2d052f089362394139b459f7e6c38f6d8db79c28df4fb3b291fc48b", + "search_line": 11 + }, + { + "queryName": "Kubelet Not Managing Ip Tables", + "severity": "MEDIUM", + "line": 8, + "fileName": "positive2.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.makeIPTablesUtilChains", + "searchValue": "", + "expectedValue": "makeIPTablesUtilChains should be true", + "actualValue": "makeIPTablesUtilChains is false", + "issueType": "IncorrectValue", + "similarityID": "0b1af0fb9803f01bf2c1984c186dd44638202dad444a9da71eff13fff8a0f9f7", + "search_line": -1 + }, + { + "queryName": "Kubelet Not Managing Ip Tables", + "severity": "MEDIUM", + "line": 7, + "fileName": "positive3.json", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.makeIPTablesUtilChains", + "searchValue": "", + "expectedValue": "makeIPTablesUtilChains should be true", + "actualValue": "makeIPTablesUtilChains is false", + "issueType": "IncorrectValue", + "similarityID": 
"e8d02073774bb21ada667a88fd04d25c82433df5fb6b129d1f8abba4ff5f56ca", + "search_line": -1 + } +] diff --git a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive_expected_result.json index ada1cee8bcc..b8e3be2bafe 100644 --- a/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false/test/positive_expected_result.json 
@@ -1,26 +1,62 @@ [ - { - "queryName": "Kubelet Protect Kernel Defaults Set To False", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" - }, - { - "queryName": "Kubelet Protect Kernel Defaults Set To False", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive2.yaml" - }, - { - "queryName": "Kubelet Protect Kernel Defaults Set To False", - "severity": "MEDIUM", - "line": 5, - "fileName": "positive3.yaml" - }, - { - "queryName": "Kubelet Protect Kernel Defaults Set To False", - "severity": "MEDIUM", - "line": 2, - "fileName": "positive4.yaml" - } + { + "queryName": "Kubelet Protect Kernel Defaults Set To False", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--protect-kernel-defaults flag should not be set to false", + "actualValue": "--protect-kernel-defaults flag is set to false", + "issueType": "IncorrectValue", + "similarityID": "ee58ba414bd1505a131ef662c65c457ab9007830f8206f924881cab3735289bd", + "search_line": 11 + }, + { + "queryName": "Kubelet Protect Kernel Defaults Set To False", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--protect-kernel-defaults flag should not be set to false", + "actualValue": "--protect-kernel-defaults flag is set to false", + "issueType": "IncorrectValue", + "similarityID": "d15ac4d244811b08601a20df66fbd2d21a2e0c7f7cc17811a1bf3f72ac46c25f", + "search_line": 11 + }, + { + "queryName": "Kubelet Protect Kernel Defaults Set To False", + "severity": "MEDIUM", + "line": 5, + "fileName": "positive3.yaml", + "resourceType": "KubeletConfiguration", + 
"resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.protectKernelDefaults", + "searchValue": "", + "expectedValue": "protectKernelDefaults flag should defined to true", + "actualValue": "protectKernelDefaults flag is set to false", + "issueType": "IncorrectValue", + "similarityID": "f93ff73ede5aced6822d0d1cf6759dc5ac1d783b01fe7fefe4d78e5290c52abe", + "search_line": -1 + }, + { + "queryName": "Kubelet Protect Kernel Defaults Set To False", + "severity": "MEDIUM", + "line": 2, + "fileName": "positive4.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}", + "searchValue": "", + "expectedValue": "protectKernelDefaults flag should defined to true", + "actualValue": "protectKernelDefaults flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "03a77675bce0bee2843980ae81814f843fb3f67791c4a55bc45f411a5a589cb1", + "search_line": -1 + } ] diff --git a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive_expected_result.json b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive_expected_result.json index 8216d07cc52..dd603361614 100644 --- a/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Kubelet Read Only Port Is Not Set To Zero", "severity": "MEDIUM", "line": 11, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--read-only-port flag should be '0'", + "actualValue": "--read-only-port flag is not set to '0'", + "issueType": "IncorrectValue", + "similarityID": "f82628f2fa3964a741aed1535bf4dd20173cd5ed847e6ecac65d05260de27ab2", + "search_line": -1 }, { "queryName": "Kubelet Read Only Port Is Not Set To Zero", "severity": "MEDIUM", "line": 11, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--read-only-port flag should be '0'", + "actualValue": "--read-only-port flag is not set to '0'", + "issueType": "IncorrectValue", + "similarityID": "f5a76a826529a77bb31a5edadcfc44d913f5f070b5dbd2d4d465ca28530d0e56", + "search_line": -1 }, { "queryName": "Kubelet Read Only Port Is Not Set To Zero", "severity": "MEDIUM", "line": 8, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.readOnlyPort", + "searchValue": "", + "expectedValue": "readOnlyPort attribute to have value of 0", + "actualValue": "readOnlyPort attribute has value of 1", + "issueType": "IncorrectValue", + "similarityID": "3fc5943118c41c5ccf33c0f92f31141f813ba42dacc1f30aafc10a0051a71876", + "search_line": -1 }, { "queryName": "Kubelet Read Only Port Is Not Set To Zero", "severity": "MEDIUM", "line": 5, - "filename": "positive4.json" + "fileName": "positive4.json", + "resourceType": "KubeletConfiguration", + 
"resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.readOnlyPort", + "searchValue": "", + "expectedValue": "readOnlyPort attribute to have value of 0", + "actualValue": "readOnlyPort attribute has value of 1", + "issueType": "IncorrectValue", + "similarityID": "d8a3d1d2d466905384c3935a9946a2c805a4494da8606314e5674f844c80b442", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/positive_expected_result.json b/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/positive_expected_result.json index b566c96215a..e66799e9db5 100644 --- a/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/positive_expected_result.json +++ b/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "Kubelet Streaming Connection Timeout Disabled", "severity": "MEDIUM", "line": 11, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--streaming-connection-idle-timeout flag not should be 0", + "actualValue": "--streaming-connection-idle-timeout flag is 0", + "issueType": "IncorrectValue", + "similarityID": "4f863f9126d1db438bb75f2c53cc392f6ae3af70e021ef50b5d8d0bede82a3ee", + "search_line": 11 }, { "queryName": "Kubelet Streaming Connection Timeout Disabled", "severity": "MEDIUM", "line": 8, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.streamingConnectionIdleTimeout", + "searchValue": "", + "expectedValue": "streamingConnectionIdleTimeout not should be 0s", + "actualValue": "streamingConnectionIdleTimeout is 0s", + "issueType": "IncorrectValue", + "similarityID": "82fff1e64890655dd3c0822f5b6b878495d70c492c01bf4ae53df596b0113188", + "search_line": -1 }, { "queryName": "Kubelet Streaming Connection Timeout Disabled", "severity": "MEDIUM", "line": 10, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.streamingConnectionIdleTimeout", + "searchValue": "", + "expectedValue": "streamingConnectionIdleTimeout not should be 0s", + "actualValue": "streamingConnectionIdleTimeout is 0s", + "issueType": "IncorrectValue", + "similarityID": "925eef7c798a5b1d5f6d579145d9d49e73cb1488ba291a7111267fa554db6a3a", + "search_line": -1 } ] 
diff --git a/assets/queries/k8s/liveness_probe_is_not_defined/test/positive_expected_result.json b/assets/queries/k8s/liveness_probe_is_not_defined/test/positive_expected_result.json
index 81ec960d567..3ebeb4cd41a 100644
--- a/assets/queries/k8s/liveness_probe_is_not_defined/test/positive_expected_result.json
+++ b/assets/queries/k8s/liveness_probe_is_not_defined/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Liveness Probe Is Not Defined",
 "severity": "INFO",
 "line": 9,
- "fileName": "positive.yaml"
+ "fileName": "positive.yaml",
+ "resourceType": "Pod",
+ "resourceName": "liveness-exec",
+ "searchKey": "metadata.name={{liveness-exec}}.spec.containers.name={{liveness}}",
+ "searchValue": "Pod",
+ "expectedValue": "metadata.name={{liveness-exec}}.spec.containers.name={{liveness}}.livenessProbe should be defined",
+ "actualValue": "metadata.name={{liveness-exec}}.spec.containers.name={{liveness}}.livenessProbe is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "fc53c015ad35065943ec5094b6d04e3f2927bd2a4fc4520cf9e7ef1b55044f65",
+ "search_line": 9
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/memory_limits_not_defined/test/positive_expected_result.json b/assets/queries/k8s/memory_limits_not_defined/test/positive_expected_result.json
index d58246a8c5f..1b85c696850 100644
--- a/assets/queries/k8s/memory_limits_not_defined/test/positive_expected_result.json
+++ b/assets/queries/k8s/memory_limits_not_defined/test/positive_expected_result.json
@@ -3,30 +3,75 @@ "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", "line": 8, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "memory-demo-1", + "searchKey": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr}}", + "searchValue": "", + "expectedValue": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory should be defined", + "actualValue": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory is undefined", + "issueType": "MissingAttribute", + "similarityID": "f89a8c717b5721701a9816df1e456a4d4e71b675965d0ef9af39fab6258eaac8", + "search_line": -1 }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", "line": 23, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "memory-demo-2", + "searchKey": "metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr}}", + "searchValue": "", + "expectedValue": "metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory should be defined", + "actualValue": "metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory is undefined", + "issueType": "MissingAttribute", + "similarityID": "2915dfa66cad09fc2a4f7e4ed29ab6235ebf7eb556e1d48b4c070c4c9cfcc691", + "search_line": -1 }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", "line": 38, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "memory-demo-3", + "searchKey": "metadata.name={{memory-demo-3}}.spec.containers.name={{memory-demo-ctr}}", + "searchValue": "", + "expectedValue": "metadata.name={{memory-demo-3}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory should be defined", + "actualValue": 
"metadata.name={{memory-demo-3}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory is undefined", + "issueType": "MissingAttribute", + "similarityID": "a5f938cb8a0d6639f6e837a942080d6f39ab3a3b69ce9765613824e2dfb0ce1a", + "search_line": -1 }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", "line": 57, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "memory-demo-4", + "searchKey": "metadata.name={{memory-demo-4}}.spec.containers.name={{memory-demo-ctr}}", + "searchValue": "", + "expectedValue": "metadata.name={{memory-demo-4}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory should be defined", + "actualValue": "metadata.name={{memory-demo-4}}.spec.containers.name={{memory-demo-ctr}}.resources.limits.memory is undefined", + "issueType": "MissingAttribute", + "similarityID": "919cdd75183f26ee65960f9a1d356bcf2549adbae3dc2ea89cf8b8a14e4a295b", + "search_line": -1 }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", "line": 21, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "test-deployment", + "searchKey": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}", + "searchValue": "", + "expectedValue": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}.resources.limits.memory should be defined", + "actualValue": "metadata.name={{test-deployment}}.spec.template.spec.containers.name={{pause}}.resources.limits.memory is undefined", + "issueType": "MissingAttribute", + "similarityID": "04d048afb6e699dc8a70834273c31d524c412bc8d6eccc29003c2443345f535e", + "search_line": 21 } ] diff --git a/assets/queries/k8s/memory_requests_not_defined/test/positive_expected_result.json b/assets/queries/k8s/memory_requests_not_defined/test/positive_expected_result.json index 5b0984b8d86..842500211ab 100644 
--- a/assets/queries/k8s/memory_requests_not_defined/test/positive_expected_result.json
+++ b/assets/queries/k8s/memory_requests_not_defined/test/positive_expected_result.json
@@ -3,30 +3,75 @@ "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", "line": 13, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "memory-demo", + "searchKey": "metadata.name={{memory-demo}}.spec.containers.name={{memory-demo-ctr-1}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{memory-demo}}.spec.containers.name={{memory-demo-ctr-1}}.resources.requests.memory should be defined", + "actualValue": "metadata.name={{memory-demo}}.spec.containers.name={{memory-demo-ctr-1}}.resources.requests.memory is undefined", + "issueType": "MissingAttribute", + "similarityID": "404325384b8fdb074e83f2915637797155452a2655e570f658c15f47959064a6", + "search_line": 13 }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", "line": 27, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "memory-demo-1", + "searchKey": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr-2}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr-2}}.resources.requests.memory should be defined", + "actualValue": "metadata.name={{memory-demo-1}}.spec.containers.name={{memory-demo-ctr-2}}.resources.requests.memory is undefined", + "issueType": "MissingAttribute", + "similarityID": "5997d1913819ded7f05177ee7b5fe371618bce5aae9667e1155f631504d8ff66", + "search_line": 27 }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", "line": 40, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "memory-demo-2", + "searchKey": "metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr-3}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr-3}}.resources.requests.memory should be defined", + "actualValue": 
"metadata.name={{memory-demo-2}}.spec.containers.name={{memory-demo-ctr-3}}.resources.requests.memory is undefined", + "issueType": "MissingAttribute", + "similarityID": "cd62db406876dfb8fd1682185300301f8d8ad213852965ede97e6535404bc6d5", + "search_line": 40 }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", "line": 59, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "memory-demo-3", + "searchKey": "metadata.name={{memory-demo-3}}.spec.containers.name={{memory-demo-ctr-4}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{memory-demo-3}}.spec.containers.name={{memory-demo-ctr-4}}.resources.requests.memory should be defined", + "actualValue": "metadata.name={{memory-demo-3}}.spec.containers.name={{memory-demo-ctr-4}}.resources.requests.memory is undefined", + "issueType": "MissingAttribute", + "similarityID": "2a92c59ae247bfa71bc24adf9534b030daa39ff71a11135be0753d563346e742", + "search_line": 59 }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", "line": 20, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "test-deployment2", + "searchKey": "metadata.name={{test-deployment2}}.spec.template.spec.containers.name={{pause}}", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{test-deployment2}}.spec.template.spec.containers.name={{pause}}.resources.requests.memory should be defined", + "actualValue": "metadata.name={{test-deployment2}}.spec.template.spec.containers.name={{pause}}.resources.requests.memory is undefined", + "issueType": "MissingAttribute", + "similarityID": "05fb663e3a5ae7e5fe4376a30fbb42a1cb1541ddf66d5ccdce1ac6df5d8f822e", + "search_line": 20 } ] diff --git a/assets/queries/k8s/metadata_label_is_invalid/test/positive_expected_result.json b/assets/queries/k8s/metadata_label_is_invalid/test/positive_expected_result.json index 4602eb0db3e..e15a3039210 100644 
--- a/assets/queries/k8s/metadata_label_is_invalid/test/positive_expected_result.json
+++ b/assets/queries/k8s/metadata_label_is_invalid/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "Metadata Label Is Invalid",
 "severity": "LOW",
- "line": 6
+ "line": 6,
+ "fileName": "positive.yaml",
+ "resourceType": "Pod",
+ "resourceName": "goproxy",
+ "searchKey": "metadata.name={{goproxy}}.labels.app",
+ "searchValue": "Pod",
+ "expectedValue": "'metadata.labels.{{app}}' has valid label g**dy.l+bel.",
+ "actualValue": "'metadata.labels.{{app}}' has invalid label g**dy.l+bel.",
+ "issueType": "IncorrectValue",
+ "similarityID": "e44198714bc9ea92bf4f8106546e40ce8d444d3888c1abf3bd3e8685d5f6f5a8",
+ "search_line": 6
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/missing_app_armor_config/test/positive_expected_result.json b/assets/queries/k8s/missing_app_armor_config/test/positive_expected_result.json
index 9750d762fc9..25bbd3af4a4 100644
--- a/assets/queries/k8s/missing_app_armor_config/test/positive_expected_result.json
+++ b/assets/queries/k8s/missing_app_armor_config/test/positive_expected_result.json
@@ -1,22 +1,62 @@
 [
- {
- "queryName": "Missing AppArmor Profile",
- "severity": "LOW",
- "line": 5
- },
- {
- "queryName": "Missing AppArmor Profile",
- "severity": "LOW",
- "line": 5
- },
- {
- "queryName": "Missing AppArmor Profile",
- "severity": "LOW",
- "line": 5
- },
- {
- "queryName": "Missing AppArmor Profile",
- "severity": "LOW",
- "line": 36
- }
+ {
+ "queryName": "Missing AppArmor Profile",
+ "severity": "LOW",
+ "line": 5,
+ "fileName": "positive.yaml",
+ "resourceType": "Pod",
+ "resourceName": "hello-apparmor-1",
+ "searchKey": "metadata.name={{hello-apparmor-1}}",
+ "searchValue": "Podcontainer.apparmor.security.beta.kubernetes.io/hello1",
+ "expectedValue": "metadata.name={{hello-apparmor-1}}.annotations[container.apparmor.security.beta.kubernetes.io/hello1] should be set to 'runtime/default' or 'localhost'",
+ "actualValue": "metadata.name={{hello-apparmor-1}}.annotations[container.apparmor.security.beta.kubernetes.io/hello1] does not specify a valid AppArmor profile",
+ "issueType": "IncorrectValue",
+ "similarityID": "f4a10a406b6902f1cb32c1d1cd0438d7c29935dd37a00e16f73f8c0a5271df5b",
+ "search_line": 5
+ },
+ {
+ "queryName": "Missing AppArmor Profile",
+ "severity": "LOW",
+ "line": 5,
+ "fileName": "positive.yaml",
+ "resourceType": "Pod",
+ "resourceName": "hello-apparmor-1",
+ "searchKey": "metadata.name={{hello-apparmor-1}}",
+ "searchValue": "Podcontainer.apparmor.security.beta.kubernetes.io/hello2",
+ "expectedValue": "metadata.name={{hello-apparmor-1}}.annotations[container.apparmor.security.beta.kubernetes.io/hello2] should be set to 'runtime/default' or 'localhost'",
+ "actualValue": "metadata.name={{hello-apparmor-1}}.annotations[container.apparmor.security.beta.kubernetes.io/hello2] does not specify a valid AppArmor profile",
+ "issueType": "IncorrectValue",
+ "similarityID": "b82457cd5a6d9547b0b8844d15490a8664f94735690c299bdd0eb8f10146d08b",
+ "search_line": 5
+ },
+ {
+ "queryName": "Missing AppArmor Profile",
+ "severity": "LOW",
+ "line": 5,
+ "fileName": "positive.yaml",
+ "resourceType": "Pod",
+ "resourceName": "hello-apparmor-1",
+ "searchKey": "metadata.name={{hello-apparmor-1}}.annotations",
+ "searchValue": "Podcontainers2",
+ "expectedValue": "metadata.name={{hello-apparmor-1}}.annotations should specify an AppArmor profile for container {{hello3}}",
+ "actualValue": "metadata.name={{hello-apparmor-1}}.annotations does not specify an AppArmor profile for container {{hello3}}",
+ "issueType": "MissingAttribute",
+ "similarityID": "85c427bbc6f89c2baaa44621a9f5160f0de1ef2d2aa6ba1a7ba8ba049ae7916c",
+ "search_line": 5
+ },
+ {
+ "queryName": "Missing AppArmor Profile",
+ "severity": "LOW",
+ "line": 36,
+ "fileName": "positive.yaml",
+ "resourceType": "Deployment",
+ "resourceName": "ubuntu-test1",
+ "searchKey": "metadata.name={{ubuntu-test1}}.spec.template.metadata",
+ "searchValue": "Deploymentcontainer.apparmor.security.beta.kubernetes.io/ubuntu-1-container",
+ "expectedValue": "metadata.name={{ubuntu-test1}}.spec.template.metadata.annotations[container.apparmor.security.beta.kubernetes.io/ubuntu-1-container] should be set to 'runtime/default' or 'localhost'",
+ "actualValue": "metadata.name={{ubuntu-test1}}.spec.template.metadata.annotations[container.apparmor.security.beta.kubernetes.io/ubuntu-1-container] does not specify a valid AppArmor profile",
+ "issueType": "IncorrectValue",
+ "similarityID": "00571dc95c3372fe2e94d32589b37335ce86614bfdb0d0e8077ab551b4a7ee79",
+ "search_line": 36
+ }
 ]
diff --git a/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/test/positive_expected_result.json b/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/test/positive_expected_result.json
index 4b83ee1a4fc..7200dc01180 100644
--- a/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/test/positive_expected_result.json
+++ b/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled/test/positive_expected_result.json
@@ -1,14 +1,32 @@
 [
- {
- "queryName": "Namespace Lifecycle Admission Control Plugin Disabled",
- "severity": "LOW",
- "line": 11,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "Namespace Lifecycle Admission Control Plugin Disabled",
- "severity": "LOW",
- "line": 11,
- "fileName": "positive2.yaml"
- }
+ {
+ "queryName": "Namespace Lifecycle Admission Control Plugin Disabled",
+ "severity": "LOW",
+ "line": 11,
+ "fileName": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--disable-admission-plugins flag should not contain 'NamespaceLifecycle' plugin",
+ "actualValue": "--disable-admission-plugins flag contains 'NamespaceLifecycle' plugin",
+ "issueType": "IncorrectValue",
+ "similarityID": "9b0490bd6ff77df2a2e7fe45a39debb6da228e414fadf64ca2dfe856489318be",
+ "search_line": 11
+ },
+ {
+ "queryName": "Namespace Lifecycle Admission Control Plugin Disabled",
+ "severity": "LOW",
+ "line": 11,
+ "fileName": "positive2.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--disable-admission-plugins flag should not contain 'NamespaceLifecycle' plugin",
+ "actualValue": "--disable-admission-plugins flag contains 'NamespaceLifecycle' plugin",
+ "issueType": "IncorrectValue",
+ "similarityID": "05556d767913bd81ec216206bcbcebe8a7f8a7fd7a1aa77ae2da4da5e96c170e",
+ "search_line": 11
+ }
 ]
diff --git a/assets/queries/k8s/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json b/assets/queries/k8s/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json
index 92cae458def..fa854bc9261 100644
--- a/assets/queries/k8s/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json
+++ b/assets/queries/k8s/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json
@@ -2,11 +2,31 @@
 {
 "queryName": "NET_RAW Capabilities Disabled for PSP",
 "severity": "MEDIUM",
- "line": 13
+ "line": 13,
+ "fileName": "positive.yaml",
+ "resourceType": "PodSecurityPolicy",
+ "resourceName": "restricted",
+ "searchKey": "metadata.name={{restricted}}.spec.requiredDropCapabilities",
+ "searchValue": "",
+ "expectedValue": "spec.requiredDropCapabilities 'is ALL or NET_RAW'",
+ "actualValue": "spec.requiredDropCapabilities 'is not ALL or NET_RAW'",
+ "issueType": "IncorrectValue",
+ "similarityID": "c9e81a6f74d5ee0b71848ce319cee49713d33bc6b7ab3293c49399d99d7e34a1",
+ "search_line": -1
 },
 {
 "queryName": "NET_RAW Capabilities Disabled for PSP",
 "severity": "MEDIUM",
- "line": 57
+ "line": 57,
+ "fileName": "positive.yaml",
+ "resourceType": "PodSecurityPolicy",
+ "resourceName": "restricted2",
+ "searchKey": "metadata.name={{restricted2}}.spec.requiredDropCapabilities",
+ "searchValue": "",
+ "expectedValue": "spec.requiredDropCapabilities 'is ALL or NET_RAW'",
+ "actualValue": "spec.requiredDropCapabilities 'is not ALL or NET_RAW'",
+ "issueType": "IncorrectValue",
+ "similarityID": "cfa59fbc824c205a190be28b057803bf15ba913c83e71a969c630bab2ac069b0",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/k8s/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json b/assets/queries/k8s/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json
index b850bf2243a..8c5ffffd936 100644
--- a/assets/queries/k8s/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json
+++ b/assets/queries/k8s/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json
@@ -3,30 +3,75 @@
 "queryName": "NET_RAW Capabilities Not Being Dropped",
 "severity": "MEDIUM",
 "line": 11,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "example",
+ "searchKey": "metadata.name={{example}}.spec.containers.name={{payment}}.securityContext.capabilities.drop",
+ "searchValue": "Pod",
+ "expectedValue": "metadata.name={{example}}.spec.containers.name={{payment}}.securityContext.capabilities.drop includes ALL or NET_RAW",
+ "actualValue": "metadata.name={{example}}.spec.containers.name={{payment}}.securityContext.capabilities.drop does not include ALL or NET_RAW",
+ "issueType": "IncorrectValue",
+ "similarityID": "98363bc21c81d78aefcac71b4138084bac1019ced0137e14540ba90802b81b35",
+ "search_line": 11
 },
 {
 "queryName": "NET_RAW Capabilities Not Being Dropped",
 "severity": "MEDIUM",
- "line": 18,
- "fileName": "positive1.yaml"
+ "line": 13,
+ "fileName": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "example",
+ "searchKey": "metadata.name={{example}}.spec.containers.name={{payment2}}",
+ "searchValue": "Pod",
+ "expectedValue": "metadata.name={{example}}.spec.containers.name={{payment2}}.securityContext.capabilities.drop should be defined",
+ "actualValue": "metadata.name={{example}}.spec.containers.name={{payment2}}.securityContext.capabilities.drop is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "44e996a2d60e11c5b65f9c1b5a997c5a08017043809b1573254359b4e341868b",
+ "search_line": 13
 },
 {
 "queryName": "NET_RAW Capabilities Not Being Dropped",
 "severity": "MEDIUM",
- "line": 23,
- "fileName": "positive1.yaml"
+ "line": 18,
+ "fileName": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "example",
+ "searchKey": "metadata.name={{example}}.spec.containers.name={{payment4}}",
+ "searchValue": "Pod",
+ "expectedValue": "metadata.name={{example}}.spec.containers.name={{payment4}}.securityContext.capabilities.drop should be defined",
+ "actualValue": "metadata.name={{example}}.spec.containers.name={{payment4}}.securityContext.capabilities.drop is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "c47d7e680a9d678fc2c47f3ff0410a5ce1209404c13d975cd30885fa6358343d",
+ "search_line": 18
 },
 {
 "queryName": "NET_RAW Capabilities Not Being Dropped",
 "severity": "MEDIUM",
- "line": 13,
- "fileName": "positive1.yaml"
+ "line": 23,
+ "fileName": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "example",
+ "searchKey": "metadata.name={{example}}.spec.containers.name={{payment3}}",
+ "searchValue": "Pod",
+ "expectedValue": "metadata.name={{example}}.spec.containers.name={{payment3}}.securityContext.capabilities.drop should be defined",
+ "actualValue": "metadata.name={{example}}.spec.containers.name={{payment3}}.securityContext.capabilities.drop is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "bc0f05efa5b005c7c8036f5d2b57a9a3acc77baf15bab3f28d5cb6aa5e9257e6",
+ "search_line": 23
 },
 {
 "queryName": "NET_RAW Capabilities Not Being Dropped",
 "severity": "MEDIUM",
 "line": 31,
- "fileName": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "Deployment",
+ "resourceName": "redis-unhealthy-deployment",
+ "searchKey": "metadata.name={{redis-unhealthy-deployment}}.spec.template.spec.containers.name={{redis}}",
+ "searchValue": "Deployment",
+ "expectedValue": "metadata.name={{redis-unhealthy-deployment}}.spec.template.spec.containers.name={{redis}}.securityContext.capabilities.drop should be defined",
+ "actualValue": "metadata.name={{redis-unhealthy-deployment}}.spec.template.spec.containers.name={{redis}}.securityContext.capabilities.drop is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "19756d67fceb30c59706ac9caff71e3509237dc9b4a69074bedb6351e91f8ca7",
+ "search_line": 31
 }
 ]
diff --git a/assets/queries/k8s/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json b/assets/queries/k8s/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json
index bb09f21ab6f..c8daf1589e5 100644
--- a/assets/queries/k8s/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json
+++ b/assets/queries/k8s/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "Network Policy Is Not Targeting Any Pod",
 "severity": "LOW",
- "line": 22
+ "line": 22,
+ "fileName": "positive.yaml",
+ "resourceType": "NetworkPolicy",
+ "resourceName": "test-network-policy",
+ "searchKey": "metadata.name={{test-network-policy}}.spec.podSelector.matchLabels.app",
+ "searchValue": "",
+ "expectedValue": "'spec.podSelector.matchLabels.app' is targeting at least a pod",
+ "actualValue": "'spec.podSelector.matchLabels.app' is not targeting any pod",
+ "issueType": "IncorrectValue",
+ "similarityID": "5f0f0b7a627e69cce3a8dcea72bb871a78663d682a24ca35f7a4933d9ee516ce",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/no_drop_capabilities_for_containers/test/positive_expected_result.json b/assets/queries/k8s/no_drop_capabilities_for_containers/test/positive_expected_result.json
index c79222edd9c..dddd3d08dfc 100644
--- a/assets/queries/k8s/no_drop_capabilities_for_containers/test/positive_expected_result.json
+++ b/assets/queries/k8s/no_drop_capabilities_for_containers/test/positive_expected_result.json
@@ -2,16 +2,46 @@
 {
 "queryName": "No Drop Capabilities for Containers",
 "severity": "LOW",
- "line": 21
+ "line": 21,
+ "fileName": "positive.yaml",
+ "resourceType": "Deployment",
+ "resourceName": "nginx-deployment",
+ "searchKey": "metadata.name={{nginx-deployment}}.spec.containers.name={{payment}}.securityContext.capabilities",
+ "searchValue": "Deployment",
+ "expectedValue": "spec.containers[payment].securityContext.capabilities.drop should be defined",
+ "actualValue": "spec.containers[payment].securityContext.capabilities.drop is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "b1bb0d3fd6d0f55b139b8bbb609a1196550e95f40fffde274bb8877b584d6482",
+ "search_line": 21
 },
 {
 "queryName": "No Drop Capabilities for Containers",
 "severity": "LOW",
- "line": 26
+ "line": 26,
+ "fileName": "positive.yaml",
+ "resourceType": "Deployment",
+ "resourceName": "nginx-deployment",
+ "searchKey": "metadata.name={{nginx-deployment}}.spec.containers.name={{payment2}}.securityContext",
+ "searchValue": "Deployment",
+ "expectedValue": "metadata.name={{nginx-deployment}}.spec.containers.name={{payment2}}.securityContext.capabilities should be set",
+ "actualValue": "metadata.name={{nginx-deployment}}.spec.containers.name={{payment2}}.securityContext.capabilities is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "9ce7112c9684aae171cc4395ed97fc547a0fdd77ce60334dc1403fbde5ccb5e3",
+ "search_line": 26
 },
 {
 "queryName": "No Drop Capabilities for Containers",
 "severity": "LOW",
- "line": 28
+ "line": 28,
+ "fileName": "positive.yaml",
+ "resourceType": "Deployment",
+ "resourceName": "nginx-deployment",
+ "searchKey": "metadata.name={{nginx-deployment}}.spec.containers.name=payment3",
+ "searchValue": "Deployment",
+ "expectedValue": "metadata.name={{nginx-deployment}}.spec.containers.name=payment3.securityContext should be set",
+ "actualValue": "metadata.name={{nginx-deployment}}.spec.containers.name=payment3.securityContext is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "7e030012e62a402855cb94e2fc455da4f6c368a43c6139c68948885ed957e895",
+ "search_line": 28
 }
 ]
diff --git a/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/test/positive_expected_result.json b/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/test/positive_expected_result.json
index 1a40d67c3d1..f371e27ad9e 100644
--- a/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/test/positive_expected_result.json
+++ b/assets/queries/k8s/node_restriction_admission_control_plugin_not_set/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Node Restriction Admission Control Plugin Not Set",
 "severity": "MEDIUM",
 "line": 11,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--enable-admission-plugins flag should contain 'NodeRestriction' plugin",
+ "actualValue": "--enable-admission-plugins flag does not contain 'NodeRestriction' plugin",
+ "issueType": "MissingAttribute",
+ "similarityID": "43adcb719949ba6996fa440f9d1efef819e08e848b4864717ac57c3afae230d1",
+ "search_line": 11
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/non_kube_system_pod_with_host_mount/test/positive_expected_result.json b/assets/queries/k8s/non_kube_system_pod_with_host_mount/test/positive_expected_result.json
index 860b273c2d4..fdac262018f 100644
--- a/assets/queries/k8s/non_kube_system_pod_with_host_mount/test/positive_expected_result.json
+++ b/assets/queries/k8s/non_kube_system_pod_with_host_mount/test/positive_expected_result.json
@@ -2,46 +2,136 @@
 {
 "queryName": "Non Kube System Pod With Host Mount",
 "severity": "HIGH",
- "line": 40
+ "line": 40,
+ "fileName": "positive.yaml",
+ "resourceType": "DaemonSet",
+ "resourceName": "fluentd-elasticsearch",
+ "searchKey": "metadata.name={{fluentd-elasticsearch}}.spec.template.spec.volumes.name={{varlog}}.hostPath.path",
+ "searchValue": "",
+ "expectedValue": "Resource name 'fluentd-elasticsearch' of kind 'DaemonSet' in non kube-system namespace 'default' should not have hostPath '/var/log' mounted",
+ "actualValue": "Resource name 'fluentd-elasticsearch' of kind 'DaemonSet' in non kube-system namespace 'default' has a hostPath '/var/log' mounted",
+ "issueType": "IncorrectValue",
+ "similarityID": "abb8a5f7614848043fa8f18e737abcf81fb07323ef586d8d2f96c2c3d0dd6caf",
+ "search_line": -1
 },
 {
 "queryName": "Non Kube System Pod With Host Mount",
 "severity": "HIGH",
- "line": 43
+ "line": 43,
+ "fileName": "positive.yaml",
+ "resourceType": "DaemonSet",
+ "resourceName": "fluentd-elasticsearch",
+ "searchKey": "metadata.name={{fluentd-elasticsearch}}.spec.template.spec.volumes.name={{varlibdockercontainers}}.hostPath.path",
+ "searchValue": "",
+ "expectedValue": "Resource name 'fluentd-elasticsearch' of kind 'DaemonSet' in non kube-system namespace 'default' should not have hostPath '/var/lib/docker/containers' mounted",
+ "actualValue": "Resource name 'fluentd-elasticsearch' of kind 'DaemonSet' in non kube-system namespace 'default' has a hostPath '/var/lib/docker/containers' mounted",
+ "issueType": "IncorrectValue",
+ "similarityID": "4138dee3d9241bcd67be88b8a0d0dadef1d1e90816abb624bd778710f3785e79",
+ "search_line": -1
 },
 {
 "queryName": "Non Kube System Pod With Host Mount",
 "severity": "HIGH",
- "line": 59
+ "line": 59,
+ "fileName": "positive.yaml",
+ "resourceType": "Pod",
+ "resourceName": "redis",
+ "searchKey": "metadata.name={{redis}}.spec.volumes.name={{redis-storage}}.hostPath.path",
+ "searchValue": "",
+ "expectedValue": "Resource name 'redis' of kind 'Pod' in non kube-system namespace 'default' should not have hostPath '/var/redis/data' mounted",
+ "actualValue": "Resource name 'redis' of kind 'Pod' in non kube-system namespace 'default' has a hostPath '/var/redis/data' mounted",
+ "issueType": "IncorrectValue",
+ "similarityID": "b498d4a86edc252fd2e5a58f585449914185492832093aedf9779904935ab819",
+ "search_line": 59
 },
 {
 "queryName": "Non Kube System Pod With Host Mount",
 "severity": "HIGH",
- "line": 76
+ "line": 76,
+ "fileName": "positive.yaml",
+ "resourceType": "Pod",
+ "resourceName": "redis-memcache",
+ "searchKey": "metadata.name={{redis-memcache}}.spec.volumes.name={{redis-storage}}.hostPath.path",
+ "searchValue": "",
+ "expectedValue": "Resource name 'redis-memcache' of kind 'Pod' in non kube-system namespace 'memcache' should not have hostPath '/var/redis/data' mounted",
+ "actualValue": "Resource name 'redis-memcache' of kind 'Pod' in non kube-system namespace 'memcache' has a hostPath '/var/redis/data' mounted",
+ "issueType": "IncorrectValue",
+ "similarityID": "c640c96d78935939eee1349c86dcd878ad23512497dd6b523c00dfed30a484b5",
+ "search_line": 76
 },
 {
 "queryName": "Non Kube System Pod With Host Mount",
 "severity": "HIGH",
- "line": 106
+ "line": 106,
+ "fileName": "positive.yaml",
+ "resourceType": "Deployment",
+ "resourceName": "nginx-deployment",
+ "searchKey": "metadata.name={{nginx-deployment}}.spec.template.spec.volumes.name={{static-page-dir}}.hostPath.path",
+ "searchValue": "",
+ "expectedValue": "Resource name 'nginx-deployment' of kind 'Deployment' in non kube-system namespace 'default' should not have hostPath '/var/local/static' mounted",
+ "actualValue": "Resource name 'nginx-deployment' of kind 'Deployment' in non kube-system namespace 'default' has a hostPath '/var/local/static' mounted",
+ "issueType": "IncorrectValue",
+ "similarityID": "fa75acc7560fd21e3278a87dd8a2acd5fe15b61072f512a47c05950ec7b3faaf",
+ "search_line": -1
 },
 {
 "queryName": "Non Kube System Pod With Host Mount",
 "severity": "HIGH",
- "line": 136
+ "line": 136,
+ "fileName": "positive.yaml",
+ "resourceType": "Deployment",
+ "resourceName": "nginx-deployment-undefined-ns",
+ "searchKey": "metadata.name={{nginx-deployment-undefined-ns}}.spec.template.spec.volumes.name={{static-page-dir}}.hostPath.path",
+ "searchValue": "",
+ "expectedValue": "Resource name 'nginx-deployment-undefined-ns' of kind 'Deployment' in a non kube-system namespace 'default' should not have hostPath '/var/local/static' mounted",
+ "actualValue": "Resource name 'nginx-deployment-undefined-ns' of kind 'Deployment' in a non kube-system namespace 'default' has a hostPath '/var/local/static' mounted",
+ "issueType": "IncorrectValue",
+ "similarityID": "037a2bc4388d8ea309c4f451e7b2b2a29d998ac3966d6e07152e6cfdc017dfea",
+ "search_line": -1
 },
 {
 "queryName": "Non Kube System Pod With Host Mount",
 "severity": "HIGH",
- "line": 153
+ "line": 153,
+ "fileName": "positive.yaml",
+ "resourceType": "PersistentVolume",
+ "resourceName": "pv-001",
+ "searchKey": "metadata.name={{pv-001}}.spec.hostPath.path",
+ "searchValue": "",
+ "expectedValue": "PersistentVolume name 'pv-001' of kind 'PersistentVolume' in non kube-system namespace 'default' should not mount a host sensitive OS directory '/' with hostPath",
+ "actualValue": "PersistentVolume name 'pv-001' of kind 'PersistentVolume' in non kube-system namespace 'default' is mounting a host sensitive OS directory '/' with hostPath",
+ "issueType": "IncorrectValue",
+ "similarityID": "5f044cd4d218c510624b30acff89e76f56a4f4db2fecd1f91911d14ed814bc59",
+ "search_line": -1
 },
 {
 "queryName": "Non Kube System Pod With Host Mount",
 "severity": "HIGH",
- "line": 168
+ "line": 168,
+ "fileName": "positive.yaml",
+ "resourceType": "PersistentVolume",
+ "resourceName": "pv-002",
+ "searchKey": "metadata.name={{pv-002}}.hostPath.path",
+ "searchValue": "",
+ "expectedValue": "PersistentVolume name 'pv-002' of kind 'PersistentVolume' in non kube-system namespace 'default' should not mount a host sensitive OS directory '/boot' with hostPath",
+ "actualValue": "PersistentVolume name 'pv-002' of kind 'PersistentVolume' in non kube-system namespace 'default' is mounting a host sensitive OS directory '/boot' with hostPath",
+ "issueType": "IncorrectValue",
+ "similarityID": "af9941426795920861cf0265d9188f1c34f5556ae9b496318b5708ace1eee727",
+ "search_line": -1
 },
 {
 "queryName": "Non Kube System Pod With Host Mount",
 "severity": "HIGH",
- "line": 185
+ "line": 185,
+ "fileName": "positive.yaml",
+ "resourceType": "Revision",
+ "resourceName": "dummy-rev",
+ "searchKey": "metadata.name={{dummy-rev}}.spec.volumes.name={{redis-storage}}.hostPath.path",
+ "searchValue": "",
+ "expectedValue": "Resource name 'dummy-rev' of kind 'Revision' in non kube-system namespace 'knative-sequence' should not have hostPath '/var/redis/data' mounted",
+ "actualValue": "Resource name 'dummy-rev' of kind 'Revision' in non kube-system namespace 'knative-sequence' has a hostPath '/var/redis/data' mounted",
+ "issueType": "IncorrectValue",
+ "similarityID": "5cd412402cfe2664db2d6a8b35bf8ef54d8141c981332d7e63162d6185d2822b",
+ "search_line": 185
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/not_limited_capabilities_for_pod_security_policy/test/positive_expected_result.json b/assets/queries/k8s/not_limited_capabilities_for_pod_security_policy/test/positive_expected_result.json
index 9bddecf306a..7c963b4c475 100644
--- a/assets/queries/k8s/not_limited_capabilities_for_pod_security_policy/test/positive_expected_result.json
+++ b/assets/queries/k8s/not_limited_capabilities_for_pod_security_policy/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "Not Limited Capabilities For Pod Security Policy",
 "severity": "INFO",
- "line": 10
+ "line": 10,
+ "fileName": "positive.yaml",
+ "resourceType": "PodSecurityPolicy",
+ "resourceName": "restricted",
+ "searchKey": "metadata.name={{restricted}}.spec",
+ "searchValue": "",
+ "expectedValue": "metadata.name={{restricted}}.spec.requiredDropCapabilities should be defined",
+ "actualValue": "metadata.name={{restricted}}.spec.requiredDropCapabilities is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "11d4a5de4ec532f43adcf6fa99bb00e4f1f636315cf996e7ca85c58a9691962e",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/not_unique_certificate_authority/test/positive_expected_result.json b/assets/queries/k8s/not_unique_certificate_authority/test/positive_expected_result.json
index 6b7e077664a..520cc8b0522 100644
--- a/assets/queries/k8s/not_unique_certificate_authority/test/positive_expected_result.json
+++ b/assets/queries/k8s/not_unique_certificate_authority/test/positive_expected_result.json
@@ -1,8 +1,17 @@
 [
- {
- "queryName": "Not Unique Certificate Authority",
- "severity": "MEDIUM",
- "line": 22,
- "filename": "positive1.yaml"
- }
+ {
+ "queryName": "Not Unique Certificate Authority",
+ "severity": "MEDIUM",
+ "line": 22,
+ "fileName": "positive1.yaml",
+ "resourceType": "Deployment",
+ "resourceName": "database",
+ "searchKey": "metadata.name={{database}}.spec.template.spec.containers.name={{database}}.command",
+ "searchValue": "",
+ "expectedValue": "Trusted Certificate Authentication File should not be the same of a Client Certificate Authentication File",
+ "actualValue": "Trusted Certificate Authentication File is the same of a Client Certificate Authentication File",
+ "issueType": "IncorrectValue",
+ "similarityID": "28fe5233864943d1d7d3d1744ccdd39cefcc951fa7b5004c0ccf61e9a5e353e1",
+ "search_line": 22
+ }
 ]
diff --git a/assets/queries/k8s/object_is_using_a_deprecated_api_version/test/positive_expected_result.json b/assets/queries/k8s/object_is_using_a_deprecated_api_version/test/positive_expected_result.json
index aeea421e766..2c73899be0c 100644
--- a/assets/queries/k8s/object_is_using_a_deprecated_api_version/test/positive_expected_result.json
+++ b/assets/queries/k8s/object_is_using_a_deprecated_api_version/test/positive_expected_result.json
@@ -1,27 +1,77 @@
 [
- {
- "queryName": "Object Is Using A Deprecated API Version",
- "severity": "LOW",
- "line": 1
- },
- {
- "queryName": "Object Is Using A Deprecated API Version",
- "severity": "LOW",
- "line": 23
- },
- {
- "queryName": "Object Is Using A Deprecated API Version",
- "severity": "LOW",
- "line": 58
- },
- {
- "queryName": "Object Is Using A Deprecated API Version",
- "severity": "LOW",
- "line": 76
- },
- {
- "queryName": "Object Is Using A Deprecated API Version",
- "severity": "LOW",
- "line": 94
- }
+ {
+ "queryName": "Object Is Using A Deprecated API Version",
+ "severity": "LOW",
+ "line": 1,
+ "fileName": "positive.yaml",
+ "resourceType": "Deployment",
+ "resourceName": "nginx-deployment",
+ "searchKey": "apiVersion={{apps/v1beta1}}",
+ "searchValue": "Deployment",
+ "expectedValue": "metadata.name={{nginx-deployment}}.apiVersion of Deployment should be {{apps/v1}}",
+ "actualValue": "metadata.name={{nginx-deployment}}.apiVersion of Deployment is deprecated and is {{apps/v1beta1}}",
+ "issueType": "IncorrectValue",
+ "similarityID": "b8ff5d222f4d9c8630740b83d9b4210f7b1e8ef4a297bb92950c737bddde33dc",
+ "search_line": 1
+ },
+ {
+ "queryName": "Object Is Using A Deprecated API Version",
+ "severity": "LOW",
+ "line": 23,
+ "fileName": "positive.yaml",
+ "resourceType": "DaemonSet",
+ "resourceName": "fluentd-elasticsearch",
+ "searchKey": "apiVersion={{apps/v1beta2}}",
+ "searchValue": "DaemonSet",
+ "expectedValue": "metadata.name={{fluentd-elasticsearch}}.apiVersion of DaemonSet should be {{apps/v1}}",
+ "actualValue": "metadata.name={{fluentd-elasticsearch}}.apiVersion of DaemonSet is deprecated and is {{apps/v1beta2}}",
+ "issueType": "IncorrectValue",
+ "similarityID": "e5b47515feb3d5ec75864f09aa81ed76d72f0f47a0935177fc1830ce116bf11f",
+ "search_line": 23
+ },
+ {
+ "queryName": "Object Is Using A Deprecated API Version",
+ "severity": "LOW",
+ "line": 58,
+ "fileName": "positive.yaml",
+ "resourceType": "Ingress",
+ "resourceName": "minimal-ingress",
+ "searchKey": "apiVersion={{extensions/v1beta1}}",
+ "searchValue": "Ingress",
+ "expectedValue": "metadata.name={{minimal-ingress}}.apiVersion of Ingress should be {{networking.k8s.io/v1}}",
+ "actualValue": "metadata.name={{minimal-ingress}}.apiVersion of Ingress is deprecated and is {{extensions/v1beta1}}",
+ "issueType": "IncorrectValue",
+ "similarityID": "a989e9a03124306f489b7e26adb001470440b2eb02ad3812d4d56d77a060eccf",
+ "search_line": 58
+ },
+ {
+ "queryName": "Object Is Using A Deprecated API Version",
+ "severity": "LOW",
+ "line": 76,
+ "fileName": "positive.yaml",
+ "resourceType": "Ingress",
+ "resourceName": "minimal-ingress1",
+ "searchKey": "apiVersion={{networking.k8s.io/v1beta1}}",
+ "searchValue": "Ingress",
+ "expectedValue": "metadata.name={{minimal-ingress1}}.apiVersion of Ingress should be {{networking.k8s.io/v1}}",
+ "actualValue": "metadata.name={{minimal-ingress1}}.apiVersion of Ingress is deprecated and is {{networking.k8s.io/v1beta1}}",
+ "issueType": "IncorrectValue",
+ "similarityID": "67b7de037bbd7b7d0b73a77f3fd62a3acc2e974c5ae805dfc5e3138354d2a80e",
+ "search_line": 76
+ },
+ {
+ "queryName": "Object Is Using A Deprecated API Version",
+ "severity": "LOW",
+ "line": 94,
+ "fileName": "positive.yaml",
+ "resourceType": "CronJob",
+ "resourceName": "hello",
+ "searchKey": "apiVersion={{batch/v1beta1}}",
+ "searchValue": "CronJob",
+ "expectedValue": "metadata.name={{hello}}.apiVersion of CronJob should be {{batch/v1}}",
+ "actualValue": "metadata.name={{hello}}.apiVersion of CronJob is deprecated and is {{batch/v1beta1}}",
+ "issueType": "IncorrectValue",
+ "similarityID": "d9f78c9c0176bfeb00f216fc09790a179fd5933f91baac3b9f152bf9ce427f84",
+ "search_line": 94
+ }
 ]
diff --git a/assets/queries/k8s/peer_auto_tls_set_to_true/test/positive_expected_result.json b/assets/queries/k8s/peer_auto_tls_set_to_true/test/positive_expected_result.json
index a13287dd345..26713ed5dc8 100644
--- a/assets/queries/k8s/peer_auto_tls_set_to_true/test/positive_expected_result.json
+++ b/assets/queries/k8s/peer_auto_tls_set_to_true/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Peer Auto TLS Set To True",
 "severity": "MEDIUM",
 "line": 21,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "Deployment",
+ "resourceName": "app-etcd-deployment",
+ "searchKey": "metadata.name={{app-etcd-deployment}}.spec.template.spec.containers.name={{database}}.command",
+ "searchValue": "",
+ "expectedValue": "--peer-auto-tls flag should be set to false or not be defined",
+ "actualValue": "--peer-auto-tls flag is set to true",
+ "issueType": "IncorrectValue",
+ "similarityID": "60cb4d9ae7813a748836a8a0661b07c4549c5c9c29f0bdb51f179d5f71ab4cb2",
+ "search_line": 21
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/permissive_access_to_create_pods/test/positive_expected_result.json b/assets/queries/k8s/permissive_access_to_create_pods/test/positive_expected_result.json
index df38f6a5872..52df3c5ddc2 100644
--- a/assets/queries/k8s/permissive_access_to_create_pods/test/positive_expected_result.json
+++ b/assets/queries/k8s/permissive_access_to_create_pods/test/positive_expected_result.json
@@ -1,43 +1,107 @@ -[{ - "queryName": "Permissive Access to Create Pods", - "severity": "MEDIUM", - "line": 12, - "fileName": "positive1.yaml" - }, - { - "queryName": "Permissive Access to Create Pods", - "severity": "MEDIUM", - "line": 21, - "fileName": "positive1.yaml" - }, - { - "queryName": "Permissive Access to Create Pods", - "severity": "MEDIUM", - "line": 30, - "fileName": "positive1.yaml" - }, - { - "queryName": "Permissive Access to Create Pods", - "severity": "MEDIUM", - "line": 39, - "fileName": "positive1.yaml" - }, - { - "queryName": "Permissive Access to Create Pods", - "severity": "MEDIUM", - "line": 48, - "fileName": "positive1.yaml" - }, - { - "queryName": "Permissive Access to Create Pods", - "severity": "MEDIUM", - "line": 60, - "fileName": "positive1.yaml" - }, - { - "queryName": "Permissive Access to Create Pods", - "severity": "MEDIUM", - "line": 26, - "fileName": "positive2.yaml" - } +[ + { + "queryName": "Permissive Access to Create Pods", + "severity": "MEDIUM", + "line": 12, + "fileName": "positive1.yaml", + "resourceType": "ClusterRole", + "resourceName": "secret-reader", + "searchKey": "metadata.name={{secret-reader}}.rules.verbs.create", + "searchValue": "ClusterRole/create", + "expectedValue": "metadata.name=secret-reader.rules.verbs should not contain the value 'create' when metadata.name=secret-reader.rules.resources contains the value 'pods'", + "actualValue": "metadata.name=secret-reader.rules.verbs contains the value 'create' and metadata.name=secret-reader.rules.resources contains the value 'pods'", + "issueType": "IncorrectValue", + "similarityID": "274b55ac531f835abf7f1b3dbb079f04b69dcc5e874180a0165284bd3e377f5c", + "search_line": 12 + }, + { + "queryName": "Permissive Access to Create Pods", + "severity": "MEDIUM", + "line": 21, + "fileName": "positive1.yaml", + "resourceType": "Role", + "resourceName": "secret-reader2", + "searchKey": "metadata.name={{secret-reader2}}.rules.verbs.create", + "searchValue": "Role/create", + 
"expectedValue": "metadata.name=secret-reader2.rules.verbs should not contain the value 'create' when metadata.name=secret-reader2.rules.resources contains a wildcard value", + "actualValue": "metadata.name=secret-reader2.rules.verbs contains the value 'create' and metadata.name=secret-reader2.rules.resources contains a wildcard value", + "issueType": "IncorrectValue", + "similarityID": "126f23072baf33430e35da9ec44823f6ec858266f849b360642aa6ad3f54a73c", + "search_line": 21 + }, + { + "queryName": "Permissive Access to Create Pods", + "severity": "MEDIUM", + "line": 30, + "fileName": "positive1.yaml", + "resourceType": "ClusterRole", + "resourceName": "secret-reader3", + "searchKey": "metadata.name={{secret-reader3}}.rules.verbs.*", + "searchValue": "ClusterRole/*", + "expectedValue": "metadata.name=secret-reader3.rules.verbs should not contain a wildcard value when metadata.name=secret-reader3.rules.resources contains the value 'pods'", + "actualValue": "metadata.name=secret-reader3.rules.verbs contains a wildcard value and metadata.name=secret-reader3.rules.resources contains the value 'pods'", + "issueType": "IncorrectValue", + "similarityID": "3b6809eb756deb200b66447fca834242a9b951affbf142f087879a5952491b9d", + "search_line": 30 + }, + { + "queryName": "Permissive Access to Create Pods", + "severity": "MEDIUM", + "line": 39, + "fileName": "positive1.yaml", + "resourceType": "Role", + "resourceName": "secret-reader4", + "searchKey": "metadata.name={{secret-reader4}}.rules.verbs.*", + "searchValue": "Role/*", + "expectedValue": "metadata.name=secret-reader4.rules.verbs should not contain a wildcard value when metadata.name=secret-reader4.rules.resources contains a wildcard value", + "actualValue": "metadata.name=secret-reader4.rules.verbs contains a wildcard value and metadata.name=secret-reader4.rules.resources contains a wildcard value", + "issueType": "IncorrectValue", + "similarityID": "6af6b63cf1bbfedd2c15445764953b5bb0ca557f4c423f00c72272e7dbca85c8", + 
"search_line": 39 + }, + { + "queryName": "Permissive Access to Create Pods", + "severity": "MEDIUM", + "line": 48, + "fileName": "positive1.yaml", + "resourceType": "ClusterRole", + "resourceName": "secret-reader5", + "searchKey": "metadata.name={{secret-reader5}}.rules.verbs.c*e", + "searchValue": "ClusterRole/*", + "expectedValue": "metadata.name=secret-reader5.rules.verbs should not contain a wildcard value when metadata.name=secret-reader5.rules.resources contains the value 'pods'", + "actualValue": "metadata.name=secret-reader5.rules.verbs contains a wildcard value and metadata.name=secret-reader5.rules.resources contains the value 'pods'", + "issueType": "IncorrectValue", + "similarityID": "b2d03b0987f5be7abbd0ac8fb918dfdaae9a1181a70c8d8706f166822a7c6f40", + "search_line": 48 + }, + { + "queryName": "Permissive Access to Create Pods", + "severity": "MEDIUM", + "line": 60, + "fileName": "positive1.yaml", + "resourceType": "ClusterRole", + "resourceName": "secret-reader6", + "searchKey": "metadata.name={{secret-reader6}}.rules.verbs.create", + "searchValue": "ClusterRole/create", + "expectedValue": "metadata.name=secret-reader6.rules.verbs should not contain the value 'create' when metadata.name=secret-reader6.rules.resources contains a wildcard value", + "actualValue": "metadata.name=secret-reader6.rules.verbs contains the value 'create' and metadata.name=secret-reader6.rules.resources contains a wildcard value", + "issueType": "IncorrectValue", + "similarityID": "71a9873c5885a309f620785574af16dc517d4d095a77f90b4fd7ee302657e6fe", + "search_line": 60 + }, + { + "queryName": "Permissive Access to Create Pods", + "severity": "MEDIUM", + "line": 26, + "fileName": "positive2.yaml", + "resourceType": "ClusterRole", + "resourceName": "secret-reader", + "searchKey": "metadata.name={{secret-reader}}.rules.verbs.create", + "searchValue": "ClusterRole/create", + "expectedValue": "metadata.name=secret-reader.rules.verbs should not contain the value 'create' when 
metadata.name=secret-reader.rules.resources contains a wildcard value", + "actualValue": "metadata.name=secret-reader.rules.verbs contains the value 'create' and metadata.name=secret-reader.rules.resources contains a wildcard value", + "issueType": "IncorrectValue", + "similarityID": "5a1a841e61ea54680619797113cc4e52b9175078fa48d013fa8ca376be7978a0", + "search_line": 26 + } ] diff --git a/assets/queries/k8s/pod_misconfigured_network_policy/test/positive_expected_result.json b/assets/queries/k8s/pod_misconfigured_network_policy/test/positive_expected_result.json index 984dc94bf72..6b540816735 100644 --- a/assets/queries/k8s/pod_misconfigured_network_policy/test/positive_expected_result.json +++ b/assets/queries/k8s/pod_misconfigured_network_policy/test/positive_expected_result.json 
@@ -3,12 +3,30 @@
 "queryName": "Pod Misconfigured Network Policy",
 "severity": "MEDIUM",
 "line": 4,
- "fileName": "positive2.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "positive1-pod",
+ "searchKey": "metadata.name=positive1-pod",
+ "searchValue": "",
+ "expectedValue": "Pod positive1-pod should have ingress and egress rules in matching NetworkPolicy",
+ "actualValue": "Pod positive1-pod has no ingress or egress rules in matching NetworkPolicy",
+ "issueType": "MissingAttribute",
+ "similarityID": "82b3cfeeda7e76c54263ff4b349d42879d10ed9519b1141a9231971966a13147",
+ "search_line": -1
 },
 {
 "queryName": "Pod Misconfigured Network Policy",
 "severity": "MEDIUM",
 "line": 4,
- "fileName": "positive1.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "Pod",
+ "resourceName": "positive2-pod",
+ "searchKey": "metadata.name=positive2-pod",
+ "searchValue": "",
+ "expectedValue": "Pod positive2-pod should have ingress and egress rules in matching NetworkPolicy",
+ "actualValue": "Pod positive2-pod has no ingress or egress rules in matching NetworkPolicy",
+ "issueType": "MissingAttribute",
+ "similarityID": "5be66a127bd44adc4a0f3cf6eaf1f6b0c260aba2f545a1e56e94107992174a32",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/k8s/pod_or_container_without_limit_range/test/positive_expected_result.json b/assets/queries/k8s/pod_or_container_without_limit_range/test/positive_expected_result.json
index f5c689151e5..0f2ef0d6ca1 100644
--- a/assets/queries/k8s/pod_or_container_without_limit_range/test/positive_expected_result.json
+++ b/assets/queries/k8s/pod_or_container_without_limit_range/test/positive_expected_result.json
@@ -1,26 +1,62 @@ [ - { - "queryName": "Pod or Container Without LimitRange", - "severity": "LOW", - "line": 5, - "fileName": "positive1.yaml" - }, - { - "queryName": "Pod or Container Without LimitRange", - "severity": "LOW", - "line": 4, - "fileName": "positive2.yaml" - }, - { - "queryName": "Pod or Container Without LimitRange", - "severity": "LOW", - "line": 5, - "fileName": "positive3.yaml" - }, - { - "queryName": "Pod or Container Without LimitRange", - "severity": "LOW", - "line": 5, - "fileName": "positive4.yaml" - } + { + "queryName": "Pod or Container Without LimitRange", + "severity": "LOW", + "line": 5, + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "frontend1", + "searchKey": "metadata.name={{frontend1}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{frontend1}} has a 'LimitRange' policy associated", + "actualValue": "metadata.name={{frontend1}} does not have a 'LimitRange' policy associated", + "issueType": "MissingAttribute", + "similarityID": "6e145e941f601639b0bc8bbd19a5564083192d7311883620eff67d344474f903", + "search_line": 5 + }, + { + "queryName": "Pod or Container Without LimitRange", + "severity": "LOW", + "line": 4, + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "frontend2", + "searchKey": "metadata.name={{frontend2}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{frontend2}} has a 'LimitRange' policy associated", + "actualValue": "metadata.name={{frontend2}} does not have a 'LimitRange' policy associated", + "issueType": "MissingAttribute", + "similarityID": "40c0690b8278167588efccdcea8b10b52de21198c773c6c0d8f125cb78977fd3", + "search_line": -1 + }, + { + "queryName": "Pod or Container Without LimitRange", + "severity": "LOW", + "line": 5, + "fileName": "positive3.yaml", + "resourceType": "DaemonSet", + "resourceName": "fluentd-elasticsearch", + "searchKey": "metadata.name={{fluentd-elasticsearch}}", + "searchValue": "DaemonSet", + "expectedValue": 
"metadata.name={{fluentd-elasticsearch}} has a 'LimitRange' policy associated", + "actualValue": "metadata.name={{fluentd-elasticsearch}} does not have a 'LimitRange' policy associated", + "issueType": "MissingAttribute", + "similarityID": "ccccc4bea2c9e51899a6e943ebbc069b3b0ef79bf7794b5a194521d9d4b4c5a4", + "search_line": 5 + }, + { + "queryName": "Pod or Container Without LimitRange", + "severity": "LOW", + "line": 5, + "fileName": "positive4.yaml", + "resourceType": "PersistentVolumeClaim", + "resourceName": "webcontent", + "searchKey": "metadata.name={{webcontent}}", + "searchValue": "PersistentVolumeClaim", + "expectedValue": "metadata.name={{webcontent}} has a 'LimitRange' policy associated", + "actualValue": "metadata.name={{webcontent}} does not have a 'LimitRange' policy associated", + "issueType": "MissingAttribute", + "similarityID": "8b323d447f0b76979b30ab8e813d91206206b477a08392d4cf74bf835ddba6ed", + "search_line": 5 + } ] diff --git a/assets/queries/k8s/pod_or_container_without_resource_quota/test/positive_expected_result.json b/assets/queries/k8s/pod_or_container_without_resource_quota/test/positive_expected_result.json index 37773d522e0..902d78b00af 100644 --- a/assets/queries/k8s/pod_or_container_without_resource_quota/test/positive_expected_result.json +++ b/assets/queries/k8s/pod_or_container_without_resource_quota/test/positive_expected_result.json 
@@ -1,26 +1,62 @@ [ - { - "queryName": "Pod or Container Without ResourceQuota", - "severity": "LOW", - "line": 5, - "fileName": "positive1.yaml" - }, - { - "queryName": "Pod or Container Without ResourceQuota", - "severity": "LOW", - "line": 4, - "fileName": "positive2.yaml" - }, - { - "queryName": "Pod or Container Without ResourceQuota", - "severity": "LOW", - "line": 5, - "fileName": "positive3.yaml" - }, - { - "queryName": "Pod or Container Without ResourceQuota", - "severity": "LOW", - "line": 5, - "fileName": "positive4.yaml" - } + { + "queryName": "Pod or Container Without ResourceQuota", + "severity": "LOW", + "line": 5, + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod1", + "searchKey": "metadata.name={{pod1}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{pod1}} has a 'ResourceQuota' policy associated", + "actualValue": "metadata.name={{pod1}} does not have a 'ResourceQuota' policy associated", + "issueType": "MissingAttribute", + "similarityID": "cc57d61b8558602f78c9cd959d280aacf66bea4e81ff073ec6cea4f629864e42", + "search_line": 5 + }, + { + "queryName": "Pod or Container Without ResourceQuota", + "severity": "LOW", + "line": 4, + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "pod2", + "searchKey": "metadata.name={{pod2}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{pod2}} has a 'ResourceQuota' policy associated", + "actualValue": "metadata.name={{pod2}} does not have a 'ResourceQuota' policy associated", + "issueType": "MissingAttribute", + "similarityID": "9ce619f6c5bbf584f937a094b422c723dc513a96aa5a2bfeef72ccc386f24b9d", + "search_line": -1 + }, + { + "queryName": "Pod or Container Without ResourceQuota", + "severity": "LOW", + "line": 5, + "fileName": "positive3.yaml", + "resourceType": "DaemonSet", + "resourceName": "fluentd-elasticsearch", + "searchKey": "metadata.name={{fluentd-elasticsearch}}", + "searchValue": "DaemonSet", + "expectedValue": 
"metadata.name={{fluentd-elasticsearch}} has a 'ResourceQuota' policy associated", + "actualValue": "metadata.name={{fluentd-elasticsearch}} does not have a 'ResourceQuota' policy associated", + "issueType": "MissingAttribute", + "similarityID": "ee583fbc73b9cc69cc6d09dcb098a4dd258fe0e9bd983d3c125db956fe77dd61", + "search_line": 5 + }, + { + "queryName": "Pod or Container Without ResourceQuota", + "severity": "LOW", + "line": 5, + "fileName": "positive4.yaml", + "resourceType": "PersistentVolumeClaim", + "resourceName": "webcontent", + "searchKey": "metadata.name={{webcontent}}", + "searchValue": "PersistentVolumeClaim", + "expectedValue": "metadata.name={{webcontent}} has a 'ResourceQuota' policy associated", + "actualValue": "metadata.name={{webcontent}} does not have a 'ResourceQuota' policy associated", + "issueType": "MissingAttribute", + "similarityID": "532d778315d6ce3e7924181fdab2715840d289c7f4aa15fd9d69ccfe2bf85a4d", + "search_line": 5 + } ] diff --git a/assets/queries/k8s/pod_or_container_without_security_context/test/positive_expected_result.json b/assets/queries/k8s/pod_or_container_without_security_context/test/positive_expected_result.json index 7767c0122ee..bb1a4e6e757 100644 --- a/assets/queries/k8s/pod_or_container_without_security_context/test/positive_expected_result.json +++ b/assets/queries/k8s/pod_or_container_without_security_context/test/positive_expected_result.json 
@@ -1,13 +1,32 @@
 [
- {
- "queryName": "Pod or Container Without Security Context",
- "severity": "LOW",
- "line": 5
- },
-
- {
- "queryName": "Pod or Container Without Security Context",
- "severity": "LOW",
- "line": 19
- }
+ {
+ "queryName": "Pod or Container Without Security Context",
+ "severity": "LOW",
+ "line": 5,
+ "fileName": "positive.yaml",
+ "resourceType": "Pod",
+ "resourceName": "frontend",
+ "searchKey": "metadata.name={{frontend}}.spec",
+ "searchValue": "",
+ "expectedValue": "metadata.name={{frontend}}.spec has a security context",
+ "actualValue": "metadata.name={{frontend}}.spec does not have a security context",
+ "issueType": "MissingAttribute",
+ "similarityID": "61923990f3ed22f82f7dae18d5237380a9d87702da6e38b9139721d874cf8940",
+ "search_line": 5
+ },
+ {
+ "queryName": "Pod or Container Without Security Context",
+ "severity": "LOW",
+ "line": 19,
+ "fileName": "positive.yaml",
+ "resourceType": "Pod",
+ "resourceName": "frontend",
+ "searchKey": "metadata.name={{frontend}}.spec.containers.name=log-aggregator",
+ "searchValue": "Pod",
+ "expectedValue": "spec.containers.name=log-aggregator has a security context",
+ "actualValue": "spec.containers.name=log-aggregator does not have a security context",
+ "issueType": "MissingAttribute",
+ "similarityID": "aae17741cb99480b6fae71a7d29e5b1383495146939a8358738793d7ba3dd1da",
+ "search_line": 19
+ }
 ]
diff --git a/assets/queries/k8s/pod_security_policy_admission_control_plugin_not_set/test/positive_expected_result.json b/assets/queries/k8s/pod_security_policy_admission_control_plugin_not_set/test/positive_expected_result.json
index 74190bca4a7..e4e0d9bc1fe 100644
--- a/assets/queries/k8s/pod_security_policy_admission_control_plugin_not_set/test/positive_expected_result.json
+++ b/assets/queries/k8s/pod_security_policy_admission_control_plugin_not_set/test/positive_expected_result.json
@@ -1,8 +1,17 @@
 [
- {
- "queryName": "Pod Security Policy Admission Control Plugin Not Set",
- "severity": "HIGH",
- "line": 11,
- "fileName": "positive1.yaml"
- }
+ {
+ "queryName": "Pod Security Policy Admission Control Plugin Not Set",
+ "severity": "HIGH",
+ "line": 11,
+ "fileName": "positive1.yaml",
+ "resourceType": "Pod",
+ "resourceName": "command-demo",
+ "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command",
+ "searchValue": "",
+ "expectedValue": "--enable-admission-plugins flag should contain 'PodSecurityPolicy' plugin",
+ "actualValue": "--enable-admission-plugins flag does not contain 'PodSecurityPolicy' plugin",
+ "issueType": "MissingAttribute",
+ "similarityID": "272a53c0315631bb5c14755bd64c26ab280942e11d23efeadfa4d0b09a6a421f",
+ "search_line": 11
+ }
 ]
diff --git a/assets/queries/k8s/privilege_escalation_allowed/test/positive_expected_result.json b/assets/queries/k8s/privilege_escalation_allowed/test/positive_expected_result.json
index 4f333322132..344537f6dce 100644
--- a/assets/queries/k8s/privilege_escalation_allowed/test/positive_expected_result.json
+++ b/assets/queries/k8s/privilege_escalation_allowed/test/positive_expected_result.json
@@ -1,32 +1,77 @@ [ - { - "queryName": "Privilege Escalation Allowed", - "severity": "HIGH", - "line": 10, - "fileName": "positive1.yaml" - }, - { - "queryName": "Privilege Escalation Allowed", - "severity": "HIGH", - "line": 21, - "fileName": "positive1.yaml" - }, - { - "queryName": "Privilege Escalation Allowed", - "severity": "HIGH", - "line": 9, - "fileName": "positive2.yaml" - }, - { - "queryName": "Privilege Escalation Allowed", - "severity": "HIGH", - "line": 13, - "fileName": "positive2.yaml" - }, - { - "queryName": "Privilege Escalation Allowed", - "severity": "HIGH", - "line": 17, - "fileName": "positive2.yaml" - } + { + "queryName": "Privilege Escalation Allowed", + "severity": "HIGH", + "line": 10, + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod2", + "searchKey": "metadata.name={{pod2}}.spec.containers.name={{app}}.securityContext.allowPrivilegeEscalation", + "searchValue": "Pod", + "expectedValue": "metadata.name={{pod2}}.spec.containers.name={{app}}.securityContext.allowPrivilegeEscalation should be set to false", + "actualValue": "metadata.name={{pod2}}.spec.containers.name={{app}}.securityContext.allowPrivilegeEscalation is true", + "issueType": "IncorrectValue", + "similarityID": "79385452360a3bc98b91ea8fcad02bc1b406d358a1bc72d99ae4c2c1f152bad2", + "search_line": 10 + }, + { + "queryName": "Privilege Escalation Allowed", + "severity": "HIGH", + "line": 21, + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod2", + "searchKey": "metadata.name={{pod2}}.spec.containers.name={{log-aggregator}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{pod2}}.spec.containers.name={{log-aggregator}}.securityContext.allowPrivilegeEscalation should be set and should be set to false", + "actualValue": "metadata.name={{pod2}}.spec.containers.name={{log-aggregator}}.securityContext.allowPrivilegeEscalation is undefined", + "issueType": "MissingAttribute", + "similarityID": 
"044a7fb7e14c9188f57ec9daeefad8929dd54dcce3f708548a53116deab6e079", + "search_line": 21 + }, + { + "queryName": "Privilege Escalation Allowed", + "severity": "HIGH", + "line": 9, + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "example-priv", + "searchKey": "metadata.name={{example-priv}}.spec.containers.name={{payment}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{example-priv}}.spec.containers.name={{payment}}.securityContext.allowPrivilegeEscalation should be set and should be set to false", + "actualValue": "metadata.name={{example-priv}}.spec.containers.name={{payment}}.securityContext.allowPrivilegeEscalation is undefined", + "issueType": "MissingAttribute", + "similarityID": "6603b94a9a5b6c39de8faa82c798a128bccd347266825773702a1f5e49c52f42", + "search_line": 9 + }, + { + "queryName": "Privilege Escalation Allowed", + "severity": "HIGH", + "line": 13, + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "example-priv", + "searchKey": "metadata.name={{example-priv}}.spec.containers.name={{payment2}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{example-priv}}.spec.containers.name={{payment2}}.securityContext.allowPrivilegeEscalation should be set and should be set to false", + "actualValue": "metadata.name={{example-priv}}.spec.containers.name={{payment2}}.securityContext.allowPrivilegeEscalation is undefined", + "issueType": "MissingAttribute", + "similarityID": "40566df749eb229e0dd73e526f390ff70bf57d8f44d816b38a2f06854f33ff6a", + "search_line": 13 + }, + { + "queryName": "Privilege Escalation Allowed", + "severity": "HIGH", + "line": 17, + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "example-priv", + "searchKey": "metadata.name={{example-priv}}.spec.containers.name={{payment4}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{example-priv}}.spec.containers.name={{payment4}}.securityContext.allowPrivilegeEscalation should be set and 
should be set to false", + "actualValue": "metadata.name={{example-priv}}.spec.containers.name={{payment4}}.securityContext.allowPrivilegeEscalation is undefined", + "issueType": "MissingAttribute", + "similarityID": "d626ab4583bfd92dc7f453046e0b95f1a1324529a41f49e640b018d3259b7d3e", + "search_line": 17 + } ] diff --git a/assets/queries/k8s/profiling_not_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/profiling_not_set_to_false/test/positive_expected_result.json index 899cc5ca74d..0914d04bad4 100644 --- a/assets/queries/k8s/profiling_not_set_to_false/test/positive_expected_result.json +++ b/assets/queries/k8s/profiling_not_set_to_false/test/positive_expected_result.json 
@@ -1,44 +1,107 @@ [ - { - "queryName": "Profiling Not Set To False", - "severity": "LOW", - "line": 11, - "fileName": "positive1.yaml" - }, - { - "queryName": "Profiling Not Set To False", - "severity": "LOW", - "line": 11, - "fileName": "positive2.yaml" - }, - { - "queryName": "Profiling Not Set To False", - "severity": "LOW", - "line": 21, - "fileName": "positive3.yaml" - }, - { - "queryName": "Profiling Not Set To False", - "severity": "LOW", - "line": 21, - "fileName": "positive4.yaml" - }, - { - "queryName": "Profiling Not Set To False", - "severity": "LOW", - "line": 2, - "fileName": "positive5.yaml" - }, - { - "queryName": "Profiling Not Set To False", - "severity": "LOW", - "line": 3, - "fileName": "positive6.yaml" - }, - { - "queryName": "Profiling Not Set To False", - "severity": "LOW", - "line": 14, - "fileName": "positive7.yaml" - } + { + "queryName": "Profiling Not Set To False", + "severity": "LOW", + "line": 11, + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--profiling flag should be set to false", + "actualValue": "--profiling flag is set to true", + "issueType": "IncorrectValue", + "similarityID": "969ae16c62c7dca3fde2f79be6d3700c861c84230dcb8519ad46b72c74b8a28b", + "search_line": 11 + }, + { + "queryName": "Profiling Not Set To False", + "severity": "LOW", + "line": 11, + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo-1", + "searchKey": "metadata.name={{command-demo-1}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--profiling flag should be defined and set to false", + "actualValue": "--profiling flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "fe49695ae6cf5d033069d607ad89e370e500bcb3b07e4fb5efdae2a7ae9a99ef", + "search_line": 11 + }, + { + 
"queryName": "Profiling Not Set To False", + "severity": "LOW", + "line": 21, + "fileName": "positive3.yaml", + "resourceType": "Pod", + "resourceName": "kube-controller-manager-master-3", + "searchKey": "metadata.name={{kube-controller-manager-master-3}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--profiling flag should be set to false", + "actualValue": "--profiling flag is set to true", + "issueType": "IncorrectValue", + "similarityID": "5cdea7b889078a1bdd0893217113d61adeb644f0860725b0cb9c853cc6a5fe9d", + "search_line": 21 + }, + { + "queryName": "Profiling Not Set To False", + "severity": "LOW", + "line": 21, + "fileName": "positive4.yaml", + "resourceType": "Pod", + "resourceName": "kube-controller-manager-master-4", + "searchKey": "metadata.name={{kube-controller-manager-master-4}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--profiling flag should be defined and set to false", + "actualValue": "--profiling flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "4191eada266f25de63109a840a00f339bf3c0b2fc607db6f86063357f43baf4b", + "search_line": 21 + }, + { + "queryName": "Profiling Not Set To False", + "severity": "LOW", + "line": 2, + "fileName": "positive5.yaml", + "resourceType": "KubeSchedulerConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeSchedulerConfiguration}}", + "searchValue": "", + "expectedValue": "enableProfiling argument flag should be defined and set to false", + "actualValue": "enableProfiling argument is not defined", + "issueType": "MissingAttribute", + "similarityID": "b91afcf1e5df9a0b6efe13484356d52307cb2cb110ff2194f54613bb0cd4a9d1", + "search_line": -1 + }, + { + "queryName": "Profiling Not Set To False", + "severity": "LOW", + "line": 3, + "fileName": "positive6.yaml", + "resourceType": "KubeSchedulerConfiguration", + "resourceName": "n/a", + "searchKey": 
"kind={{KubeSchedulerConfiguration}}.enableProfiling", + "searchValue": "", + "expectedValue": "enableProfiling argument flag should be set to false", + "actualValue": "enableProfiling argument is set to true", + "issueType": "IncorrectValue", + "similarityID": "ddfdd4f91cfedf167b29f74c4418054477084614e11c10c7f2590cc109c64991", + "search_line": -1 + }, + { + "queryName": "Profiling Not Set To False", + "severity": "LOW", + "line": 14, + "fileName": "positive7.yaml", + "resourceType": "Pod", + "resourceName": "kube-scheduler-master-2", + "searchKey": "metadata.name={{kube-scheduler-master-2}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--profiling flag should be set to false", + "actualValue": "--profiling flag is set to true", + "issueType": "IncorrectValue", + "similarityID": "1d01c7e70b54109a0d0a2b234edd646133be8fb91301c4d931f57336e344f2fd", + "search_line": 14 + } ] diff --git a/assets/queries/k8s/psp_allows_privilege_escalation/test/positive_expected_result.json b/assets/queries/k8s/psp_allows_privilege_escalation/test/positive_expected_result.json index 86ec9f078d3..26b8e2b6902 100644 --- a/assets/queries/k8s/psp_allows_privilege_escalation/test/positive_expected_result.json +++ b/assets/queries/k8s/psp_allows_privilege_escalation/test/positive_expected_result.json 
@@ -2,11 +2,31 @@
 {
 "queryName": "PSP Allows Privilege Escalation",
 "severity": "HIGH",
- "line": 9
+ "line": 9,
+ "fileName": "positive.yaml",
+ "resourceType": "PodSecurityPolicy",
+ "resourceName": "privileged",
+ "searchKey": "metadata.name={{privileged}}.spec.allowPrivilegeEscalation",
+ "searchValue": "",
+ "expectedValue": "Attribute 'allowPrivilegeEscalation' should be set to false",
+ "actualValue": "Attribute 'allowPrivilegeEscalation' is true",
+ "issueType": "IncorrectValue",
+ "similarityID": "7774a97938a79132666520e1326f6954ce85e6008aa2bab76916fd9776600481",
+ "search_line": -1
 },
 {
 "queryName": "PSP Allows Privilege Escalation",
 "severity": "HIGH",
- "line": 32
+ "line": 32,
+ "fileName": "positive.yaml",
+ "resourceType": "PodSecurityPolicy",
+ "resourceName": "privileged2",
+ "searchKey": "metadata.name={{privileged2}}.spec",
+ "searchValue": "",
+ "expectedValue": "Attribute 'allowPrivilegeEscalation' should be set",
+ "actualValue": "Attribute 'allowPrivilegeEscalation' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "ad9fd8df13a71926d94e90d82d1452387c4d58492539de8ac5d8b4784994da21",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/psp_allows_sharing_host_ipc/test/positive_expected_result.json b/assets/queries/k8s/psp_allows_sharing_host_ipc/test/positive_expected_result.json
index e5f72bb23f2..ba8e7a29a81 100644
--- a/assets/queries/k8s/psp_allows_sharing_host_ipc/test/positive_expected_result.json
+++ b/assets/queries/k8s/psp_allows_sharing_host_ipc/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "PSP Allows Sharing Host IPC",
 "severity": "HIGH",
- "line": 6
+ "line": 6,
+ "fileName": "positive.yaml",
+ "resourceType": "PodSecurityPolicy",
+ "resourceName": "example",
+ "searchKey": "metadata.name={{example}}.spec.hostIPC",
+ "searchValue": "",
+ "expectedValue": "'spec.hostIPC' should be set to false or undefined",
+ "actualValue": "'spec.hostIPC' is true",
+ "issueType": "IncorrectValue",
+ "similarityID": "53efb854bb67d8e8d74ba7457c8c6c52b573af76236af619f8f42f4902e5d4ca",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/psp_allows_sharing_host_pid/test/positive_expected_result.json b/assets/queries/k8s/psp_allows_sharing_host_pid/test/positive_expected_result.json
index 288f1c94199..bd74ce3cd5b 100644
--- a/assets/queries/k8s/psp_allows_sharing_host_pid/test/positive_expected_result.json
+++ b/assets/queries/k8s/psp_allows_sharing_host_pid/test/positive_expected_result.json
@@ -1,7 +1,17 @@
 [
- {
- "queryName": "PSP Allows Sharing Host PID",
- "severity": "MEDIUM",
- "line": 6
- }
+ {
+ "queryName": "PSP Allows Sharing Host PID",
+ "severity": "MEDIUM",
+ "line": 6,
+ "fileName": "positive.yaml",
+ "resourceType": "PodSecurityPolicy",
+ "resourceName": "example",
+ "searchKey": "metadata.name={{example}}.spec.hostPID",
+ "searchValue": "",
+ "expectedValue": "'spec.hostPID' should be set to false or undefined",
+ "actualValue": "'spec.hostPID' is true",
+ "issueType": "IncorrectValue",
+ "similarityID": "cc4eaed1eb213bc470a82ca39539ebd1fa8f67aa70ee3a8ef34857e1632588e6",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/k8s/psp_containers_share_host_network_namespace/test/positive_expected_result.json b/assets/queries/k8s/psp_containers_share_host_network_namespace/test/positive_expected_result.json
index a99cbc0ca3d..feb4b619494 100644
--- a/assets/queries/k8s/psp_containers_share_host_network_namespace/test/positive_expected_result.json
+++ b/assets/queries/k8s/psp_containers_share_host_network_namespace/test/positive_expected_result.json
@@ -1,7 +1,17 @@
 [
- {
- "queryName": "PSP Allows Containers To Share The Host Network Namespace",
- "severity": "HIGH",
- "line": 14
- }
+ {
+ "queryName": "PSP Allows Containers To Share The Host Network Namespace",
+ "severity": "HIGH",
+ "line": 14,
+ "fileName": "positive.yaml",
+ "resourceType": "PodSecurityPolicy",
+ "resourceName": "privileged",
+ "searchKey": "metadata.name={{privileged}}.spec.hostNetwork",
+ "searchValue": "",
+ "expectedValue": "'spec.hostNetwork' should be set to false or undefined",
+ "actualValue": "'spec.hostNetwork' is true",
+ "issueType": "IncorrectValue",
+ "similarityID": "49a5b83ef9899ef78241040a117ad1375e1b69052f1c96e704071bf347aa7007",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/k8s/psp_set_to_privileged/test/positive_expected_result.json b/assets/queries/k8s/psp_set_to_privileged/test/positive_expected_result.json
index 18055bdda6c..de67864e4bd 100644
--- a/assets/queries/k8s/psp_set_to_privileged/test/positive_expected_result.json
+++ b/assets/queries/k8s/psp_set_to_privileged/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "PSP Set To Privileged",
 "severity": "HIGH",
- "line": 6
+ "line": 6,
+ "fileName": "positive.yaml",
+ "resourceType": "PodSecurityPolicy",
+ "resourceName": "example",
+ "searchKey": "metadata.name={{example}}.spec.privileged",
+ "searchValue": "",
+ "expectedValue": "metadata.name={{example}}.spec.privileged should be set to false",
+ "actualValue": "metadata.name={{example}}.spec.privileged is true",
+ "issueType": "IncorrectValue",
+ "similarityID": "af994f63f8f3bb611624960410d1843b339b637855b9c6d9ca6a57441d198f6a",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/psp_with_added_capabilities/test/positive_expected_result.json b/assets/queries/k8s/psp_with_added_capabilities/test/positive_expected_result.json
index c9d9361f647..c6ca2cfb8bf 100644
--- a/assets/queries/k8s/psp_with_added_capabilities/test/positive_expected_result.json
+++ b/assets/queries/k8s/psp_with_added_capabilities/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "PSP With Added Capabilities",
 "severity": "HIGH",
- "line": 10
+ "line": 10,
+ "fileName": "positive.yaml",
+ "resourceType": "PodSecurityPolicy",
+ "resourceName": "privileged",
+ "searchKey": "metadata.name={{privileged}}.spec.allowedCapabilities",
+ "searchValue": "",
+ "expectedValue": "PodSecurityPolicy should not have allowed capabilities",
+ "actualValue": "PodSecurityPolicy has allowed capabilities",
+ "issueType": "IncorrectValue",
+ "similarityID": "dfc91538782f43ee3688bf6503bb39643333a3f979905fcf0e5720a7a775663e",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/test/positive_expected_result.json b/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/test/positive_expected_result.json
index eb361d4aa64..a1fd6a8f6ef 100644
--- a/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/test/positive_expected_result.json
+++ b/assets/queries/k8s/psp_with_unrestricted_access_to_host_path/test/positive_expected_result.json
@@ -1,20 +1,47 @@ [ - { - "queryName": "PSP With Unrestricted Access to Host Path", - "severity": "HIGH", - "line": 5, - "fileName": "positive1.yaml" - }, - { - "queryName": "PSP With Unrestricted Access to Host Path", - "severity": "HIGH", - "line": 8, - "fileName": "positive2.yaml" - }, - { - "queryName": "PSP With Unrestricted Access to Host Path", - "severity": "HIGH", - "line": 9, - "fileName": "positive3.yaml" - } + { + "queryName": "PSP With Unrestricted Access to Host Path", + "severity": "HIGH", + "line": 5, + "fileName": "positive1.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "example", + "searchKey": "metadata.name={{example}}.spec", + "searchValue": "", + "expectedValue": "'spec.allowedHostPaths' should be defined and not null", + "actualValue": "'spec.allowedHostPaths' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "c2bd8cde907efa4cf85899a18e1347584a3bf890421a28ef3c24273fdbe2d008", + "search_line": 5 + }, + { + "queryName": "PSP With Unrestricted Access to Host Path", + "severity": "HIGH", + "line": 8, + "fileName": "positive2.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "example", + "searchKey": "metadata.name={{example}}.spec.allowedHostPaths", + "searchValue": "", + "expectedValue": "'spec.allowedHostPaths[0].readOnly' should be set to true", + "actualValue": "'spec.allowedHostPaths[0].readOnly' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "a9a22dcf20c18f8d5c1e902031ac4e8d7fab2f15088aeb033fd1bac966a44848", + "search_line": 8 + }, + { + "queryName": "PSP With Unrestricted Access to Host Path", + "severity": "HIGH", + "line": 9, + "fileName": "positive3.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "example", + "searchKey": "metadata.name={{example}}.spec.allowedHostPaths.readOnly", + "searchValue": "", + "expectedValue": "'spec.allowedHostPaths[0].readOnly' should be set to true", + "actualValue": "'spec.allowedHostPaths[0].readOnly' is 
set to false", + "issueType": "IncorrectValue", + "similarityID": "3fb5f61a6df6f86964a99ae555212f4fed8f85b295b8e81dc617f8d21c460dc4", + "search_line": 9 + } ] diff --git a/assets/queries/k8s/rbac_roles_allow_privilege_escalation/test/positive_expected_result.json b/assets/queries/k8s/rbac_roles_allow_privilege_escalation/test/positive_expected_result.json index 2d795e4b970..be35ccd9d32 100644 --- a/assets/queries/k8s/rbac_roles_allow_privilege_escalation/test/positive_expected_result.json +++ b/assets/queries/k8s/rbac_roles_allow_privilege_escalation/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "RBAC Roles Allow Privilege Escalation", "severity": "MEDIUM", - "line": 8 + "line": 8, + "fileName": "positive.yaml", + "resourceType": "ClusterRole", + "resourceName": "rbac-binder", + "searchKey": "metadata.name={{rbac-binder}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{rbac-binder}}.rules[0].verbs should not include the 'bind' and/or 'escalate' permission", + "actualValue": "metadata.name={{rbac-binder}}.rules[0].verbs includes the 'bind' and/or 'escalate' permission", + "issueType": "IncorrectValue", + "similarityID": "06faaf61917a3feef54b50d94b81cb393ff17d968d0811ae91a9f4afbfac532b", + "search_line": 8 } ] diff --git a/assets/queries/k8s/rbac_roles_with_attach_permission/test/positive_expected_result.json b/assets/queries/k8s/rbac_roles_with_attach_permission/test/positive_expected_result.json index 3e44d4cb64b..cfbb32fcbe2 100644 --- a/assets/queries/k8s/rbac_roles_with_attach_permission/test/positive_expected_result.json +++ b/assets/queries/k8s/rbac_roles_with_attach_permission/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "RBAC Roles with Attach Permission", "severity": "MEDIUM", - "line": 8 + "line": 8, + "fileName": "positive.yaml", + "resourceType": "Role", + "resourceName": "allow-attach", + "searchKey": "metadata.name={{allow-attach}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{allow-attach}}.rules[0].resources should not include the 'pods/attach' resource", + "actualValue": "metadata.name={{allow-attach}}.rules[0].resources includes the 'pods/attach' resource", + "issueType": "IncorrectValue", + "similarityID": "5dc22b0296867f7132f31cb4787b532d07ce9cecd90ca19a704cd77375b39357", + "search_line": 8 } ] diff --git a/assets/queries/k8s/rbac_roles_with_exec_permission/test/positive_expected_result.json b/assets/queries/k8s/rbac_roles_with_exec_permission/test/positive_expected_result.json index 22147fdfcd5..95b08a8ac99 100644 --- a/assets/queries/k8s/rbac_roles_with_exec_permission/test/positive_expected_result.json +++ b/assets/queries/k8s/rbac_roles_with_exec_permission/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "RBAC Roles with Exec Permission", "severity": "MEDIUM", - "line": 8 + "line": 8, + "fileName": "positive.yaml", + "resourceType": "Role", + "resourceName": "allow-exec", + "searchKey": "metadata.name={{allow-exec}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{allow-exec}}.rules[0].resources should not include the 'pods/exec' resource", + "actualValue": "metadata.name={{allow-exec}}.rules[0].resources includes the 'pods/exec' resource", + "issueType": "IncorrectValue", + "similarityID": "43467c69a58a5e252528d0bc726031ff95dbe2fb9e65fb6dc865968b7ce10ed8", + "search_line": 8 } ] diff --git a/assets/queries/k8s/rbac_roles_with_impersonate_permission/test/positive_expected_result.json b/assets/queries/k8s/rbac_roles_with_impersonate_permission/test/positive_expected_result.json index 6e71882dfd1..5da8e5b740c 100644 
--- a/assets/queries/k8s/rbac_roles_with_impersonate_permission/test/positive_expected_result.json +++ b/assets/queries/k8s/rbac_roles_with_impersonate_permission/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "RBAC Roles with Impersonate Permission", "severity": "MEDIUM", - "line": 9 + "line": 9, + "fileName": "positive.yaml", + "resourceType": "ClusterRole", + "resourceName": "impersonator-role", + "searchKey": "metadata.name={{impersonator-role}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{impersonator-role}}.rules[0].verbs should not include the 'impersonate' verb", + "actualValue": "metadata.name={{impersonator-role}}.rules[0].verbs includes the 'impersonate' verb", + "issueType": "IncorrectValue", + "similarityID": "650dbb41119e77496a0c563f370810a6327e60e712c400405b727c42fab627bf", + "search_line": 9 } ] diff --git a/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/test/positive_expected_result.json b/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/test/positive_expected_result.json index d5deff99de9..2a6d8a7b179 100644 --- a/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/test/positive_expected_result.json +++ b/assets/queries/k8s/rbac_roles_with_portforwarding_permissions/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "RBAC Roles with Port-Forwarding Permission", "severity": "MEDIUM", - "line": 8 + "line": 8, + "fileName": "positive.yaml", + "resourceType": "Role", + "resourceName": "allow-port-forward", + "searchKey": "metadata.name={{allow-port-forward}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{allow-port-forward}}.rules[0].resources should not include the 'pods/portforward' resource", + "actualValue": "metadata.name={{allow-port-forward}}.rules[0].resources includes the 'pods/portforward' resource", + "issueType": "IncorrectValue", + "similarityID": "da32ae6562779526f18f9b57dd82775a9bde6f1230ae955590ef8f20acc4045b", + "search_line": 8 } ] diff --git a/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json b/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json index 12920608c50..1940046f844 100644 --- a/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json +++ b/assets/queries/k8s/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json 
@@ -1,12 +1,32 @@ [ - { - "queryName": "RBAC Roles with Read Secrets Permissions", - "severity": "MEDIUM", - "line": 9 - }, - { - "queryName": "RBAC Roles with Read Secrets Permissions", - "severity": "MEDIUM", - "line": 18 - } + { + "queryName": "RBAC Roles with Read Secrets Permissions", + "severity": "MEDIUM", + "line": 9, + "fileName": "positive.yaml", + "resourceType": "Role", + "resourceName": "role-secret-reader", + "searchKey": "metadata.name={{role-secret-reader}}.rules", + "searchValue": "Role0", + "expectedValue": "metadata.name={{role-secret-reader}}.rules[0] should not be granted read access to Secrets objects", + "actualValue": "metadata.name={{role-secret-reader}}.rules[0] is granted read access (verbs: get, watch, list) to Secrets objects", + "issueType": "IncorrectValue", + "similarityID": "3fa094f2335a83c3a2d05dcf694bd1fee71335a0d5acb1b55830b3df68068b44", + "search_line": 9 + }, + { + "queryName": "RBAC Roles with Read Secrets Permissions", + "severity": "MEDIUM", + "line": 18, + "fileName": "positive.yaml", + "resourceType": "ClusterRole", + "resourceName": "cluster-role-secret-reader", + "searchKey": "metadata.name={{cluster-role-secret-reader}}.rules", + "searchValue": "ClusterRole0", + "expectedValue": "metadata.name={{cluster-role-secret-reader}}.rules[0] should not be granted read access to Secrets objects", + "actualValue": "metadata.name={{cluster-role-secret-reader}}.rules[0] is granted read access (verbs: get, watch, list) to Secrets objects", + "issueType": "IncorrectValue", + "similarityID": "44ee62a16d8b2896109d6427692dcd70f4f2d92479b43a90c5fd9244118bc960", + "search_line": 18 + } ] diff --git a/assets/queries/k8s/rbac_wildcard_in_rule/test/positive_expected_result.json b/assets/queries/k8s/rbac_wildcard_in_rule/test/positive_expected_result.json index a03c04a68d9..a0e5704c9b0 100644 --- a/assets/queries/k8s/rbac_wildcard_in_rule/test/positive_expected_result.json 
+++ b/assets/queries/k8s/rbac_wildcard_in_rule/test/positive_expected_result.json 
@@ -2,36 +2,106 @@ { "queryName": "RBAC Wildcard In Rule", "severity": "HIGH", - "line": 7 + "line": 7, + "fileName": "positive.yaml", + "resourceType": "ClusterRole", + "resourceName": "configmap-modifier", + "searchKey": "metadata.name={{configmap-modifier}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{configmap-modifier}}.rules[0].apiGroups should list the minimal set of needed objects or actions", + "actualValue": "metadata.name={{configmap-modifier}}.rules[0].apiGroups uses wildcards to specify objects or actions", + "issueType": "IncorrectValue", + "similarityID": "45ed83524f68710f4a42ba8a63adf94cf0737d77300ad16d3938b1efaaabd929", + "search_line": 7 }, { "queryName": "RBAC Wildcard In Rule", "severity": "HIGH", - "line": 9 + "line": 9, + "fileName": "positive.yaml", + "resourceType": "ClusterRole", + "resourceName": "configmap-modifier", + "searchKey": "metadata.name={{configmap-modifier}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{configmap-modifier}}.rules[0].verbs should list the minimal set of needed objects or actions", + "actualValue": "metadata.name={{configmap-modifier}}.rules[0].verbs uses wildcards to specify objects or actions", + "issueType": "IncorrectValue", + "similarityID": "dac97c4e1989005516ee2761cca98d1cef77528132fbafc57b27096a1e0e69fa", + "search_line": 9 }, { "queryName": "RBAC Wildcard In Rule", "severity": "HIGH", - "line": 18 + "line": 18, + "fileName": "positive.yaml", + "resourceType": "Role", + "resourceName": "configmap-modifier1", + "searchKey": "metadata.name={{configmap-modifier1}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{configmap-modifier1}}.rules[0].apiGroups should list the minimal set of needed objects or actions", + "actualValue": "metadata.name={{configmap-modifier1}}.rules[0].apiGroups uses wildcards to specify objects or actions", + "issueType": "IncorrectValue", + "similarityID": "e077aadaba1cd0034b9b312704a91632970d55259daff3f14798beabae4ee6fc", + 
"search_line": 18 }, { "queryName": "RBAC Wildcard In Rule", "severity": "HIGH", - "line": 19 + "line": 19, + "fileName": "positive.yaml", + "resourceType": "Role", + "resourceName": "configmap-modifier1", + "searchKey": "metadata.name={{configmap-modifier1}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{configmap-modifier1}}.rules[0].resources should list the minimal set of needed objects or actions", + "actualValue": "metadata.name={{configmap-modifier1}}.rules[0].resources uses wildcards to specify objects or actions", + "issueType": "IncorrectValue", + "similarityID": "6a1e09cff6509028ffdb8c57fa8807f103517d22b1af994aa0922ccbe7a92071", + "search_line": 19 }, { "queryName": "RBAC Wildcard In Rule", "severity": "HIGH", - "line": 20 + "line": 20, + "fileName": "positive.yaml", + "resourceType": "Role", + "resourceName": "configmap-modifier1", + "searchKey": "metadata.name={{configmap-modifier1}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{configmap-modifier1}}.rules[0].verbs should list the minimal set of needed objects or actions", + "actualValue": "metadata.name={{configmap-modifier1}}.rules[0].verbs uses wildcards to specify objects or actions", + "issueType": "IncorrectValue", + "similarityID": "fcbd3064a35397ba46105b671b1f885aa28ea38d28bacc7a900ee2d50a31a205", + "search_line": 20 }, { "queryName": "RBAC Wildcard In Rule", "severity": "HIGH", - "line": 29 + "line": 29, + "fileName": "positive.yaml", + "resourceType": "Role", + "resourceName": "configmap-modifier2", + "searchKey": "metadata.name={{configmap-modifier2}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{configmap-modifier2}}.rules[0].apiGroups should list the minimal set of needed objects or actions", + "actualValue": "metadata.name={{configmap-modifier2}}.rules[0].apiGroups uses wildcards to specify objects or actions", + "issueType": "IncorrectValue", + "similarityID": "230ea3535b9760723e36b8d22ecd23b1466205ea813a63cea344bb642f121a2f", + 
"search_line": 29 }, { "queryName": "RBAC Wildcard In Rule", "severity": "HIGH", - "line": 31 + "line": 31, + "fileName": "positive.yaml", + "resourceType": "Role", + "resourceName": "configmap-modifier2", + "searchKey": "metadata.name={{configmap-modifier2}}.rules", + "searchValue": "", + "expectedValue": "metadata.name={{configmap-modifier2}}.rules[0].resources should list the minimal set of needed objects or actions", + "actualValue": "metadata.name={{configmap-modifier2}}.rules[0].resources uses wildcards to specify objects or actions", + "issueType": "IncorrectValue", + "similarityID": "4a0ce50457f5b69226b14bd1b036648d6ebda249e40c4ad4f11417edba825281", + "search_line": 31 } ] diff --git a/assets/queries/k8s/readiness_probe_is_not_configured/test/positive_expected_result.json b/assets/queries/k8s/readiness_probe_is_not_configured/test/positive_expected_result.json index b11c39bb6f5..bf722abfbc8 100644 --- a/assets/queries/k8s/readiness_probe_is_not_configured/test/positive_expected_result.json +++ b/assets/queries/k8s/readiness_probe_is_not_configured/test/positive_expected_result.json @@ -1,7 +1,17 @@ [ - { - "queryName": "Readiness Probe Is Not Configured", - "severity": "MEDIUM", - "line": 9 - } + { + "queryName": "Readiness Probe Is Not Configured", + "severity": "MEDIUM", + "line": 9, + "fileName": "positive.yaml", + "resourceType": "Pod", + "resourceName": "goproxy", + "searchKey": "metadata.name={{goproxy}}.spec.containers.name={{goproxy}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{goproxy}}.spec.containers.name={{goproxy}}.readinessProbe should be defined", + "actualValue": "metadata.name={{goproxy}}.spec.containers.name={{goproxy}}.readinessProbe is undefined", + "issueType": "MissingAttribute", + "similarityID": "26a467acab1762ba545e4b663c97c89bca142cf5ef30ae2b29606ba5c4ab1b75", + "search_line": 9 + } ] 
diff --git a/assets/queries/k8s/request_timeout_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/request_timeout_not_properly_set/test/positive_expected_result.json index 54584b5ee4b..0f1d0199ef8 100644 --- a/assets/queries/k8s/request_timeout_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/request_timeout_not_properly_set/test/positive_expected_result.json 
@@ -1,38 +1,92 @@ [ - { - "queryName": "Request Timeout Not Properly Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" - }, - { - "queryName": "Request Timeout Not Properly Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive2.yaml" - }, - { - "queryName": "Request Timeout Not Properly Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive3.yaml" - }, - { - "queryName": "Request Timeout Not Properly Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive4.yaml" - }, - { - "queryName": "Request Timeout Not Properly Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive5.yaml" - }, - { - "queryName": "Request Timeout Not Properly Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive6.yaml" - } + { + "queryName": "Request Timeout Not Properly Set", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--request-timeout flag should not be set to more than 300 seconds", + "actualValue": "--request-timeout flag is set to more than 300 seconds", + "issueType": "IncorrectValue", + "similarityID": "f7215646be3f76ec8801980766f873eb88ebc16a7c68f54b362ca8edf2ce24f5", + "search_line": 11 + }, + { + "queryName": "Request Timeout Not Properly Set", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--request-timeout flag should not be set to more than 300 seconds", + "actualValue": "--request-timeout flag is set to more than 300 seconds", + "issueType": "IncorrectValue", + "similarityID": 
"04554f60068182ede2f90f508bddccd8e0f9576d7457b9875bd18a789455bf12", + "search_line": 11 + }, + { + "queryName": "Request Timeout Not Properly Set", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive3.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--request-timeout flag should not be set to more than 300 seconds", + "actualValue": "--request-timeout flag is set to more than 300 seconds", + "issueType": "IncorrectValue", + "similarityID": "b53303389f2f69ac36a3b8aa28b1aa07911cffcf3a25d3ab0a7686172fccb765", + "search_line": 11 + }, + { + "queryName": "Request Timeout Not Properly Set", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive4.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--request-timeout flag should not be set to more than 300 seconds", + "actualValue": "--request-timeout flag is set to more than 300 seconds", + "issueType": "IncorrectValue", + "similarityID": "9bda340f267344ec24f3be3f4b867483bec5c3b3802b2b987682087ee4b8cdff", + "search_line": 11 + }, + { + "queryName": "Request Timeout Not Properly Set", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive5.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--request-timeout flag should not be set to more than 300 seconds", + "actualValue": "--request-timeout flag is set to more than 300 seconds", + "issueType": "IncorrectValue", + "similarityID": "5064a4ec5fc6dbfb4aa8e76232fdc9a5a42970ac861902d0a2120e5ae3288b8f", + "search_line": 11 + }, + { + "queryName": "Request Timeout Not Properly Set", 
+ "severity": "MEDIUM", + "line": 11, + "fileName": "positive6.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--request-timeout flag should not be set to more than 300 seconds", + "actualValue": "--request-timeout flag is set to more than 300 seconds", + "issueType": "IncorrectValue", + "similarityID": "e0cdc61011fd1677e4c90b6fd4b7f3ebf7070fe003f8cd8a165dd979e57ceefa", + "search_line": 11 + } ] diff --git a/assets/queries/k8s/role_binding_to_default_service_account/test/positive_expected_result.json b/assets/queries/k8s/role_binding_to_default_service_account/test/positive_expected_result.json index d9effcde718..68755d2eef6 100644 --- a/assets/queries/k8s/role_binding_to_default_service_account/test/positive_expected_result.json +++ b/assets/queries/k8s/role_binding_to_default_service_account/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Role Binding To Default Service Account", "severity": "MEDIUM", - "line": 11 + "line": 11, + "fileName": "positive.yaml", + "resourceType": "RoleBinding", + "resourceName": "read-pods", + "searchKey": "subjects.name=default", + "searchValue": "", + "expectedValue": "subjects.kind=ServiceAccount.name should not be default", + "actualValue": "subjects.kind=ServiceAccount.name is default", + "issueType": "IncorrectValue", + "similarityID": "a3b2002c3f85700586ea410803a160541d84f050478b632fc99544507127833d", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/root_ca_file_not_defined/test/positive_expected_result.json b/assets/queries/k8s/root_ca_file_not_defined/test/positive_expected_result.json index bea7e048f65..b7ed52b077d 100644 --- a/assets/queries/k8s/root_ca_file_not_defined/test/positive_expected_result.json +++ b/assets/queries/k8s/root_ca_file_not_defined/test/positive_expected_result.json 
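Review bot: The RoleBinding entry in role_binding_to_default_service_account pins `"searchKey": "subjects.name=default"` with no `metadata.name={{read-pods}}` prefix, unlike every other k8s fixture in this diff, so the key does not identify which RoleBinding was flagged. If the new similarityID is derived from file path, query and searchKey (the generator's `--kics_compute_new_simid` flag suggests it is path/key based, but I cannot confirm the exact inputs from here), two RoleBindings in one manifest that both bind the `default` ServiceAccount would share an ID and the second finding could be collapsed away. Worth checking against the query before the fixture cements this; a key of the form `metadata.name={{read-pods}}.subjects.name={{default}}` would disambiguate, but that change belongs in the query, after which this file should be regenerated rather than hand-edited.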
@@ -1,8 +1,17 @@ [ - { - "queryName": "Root CA File Not Defined", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" - } + { + "queryName": "Root CA File Not Defined", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--root-ca-file flag should be defined", + "actualValue": "--root-ca-file flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "90f3670a86206ed1d65b9a49b03167c1bab797e2aa39e51d50d8427a2e9ba8e7", + "search_line": 11 + } ] diff --git a/assets/queries/k8s/root_container_not_mounted_as_read_only/test/positive_expected_result.json b/assets/queries/k8s/root_container_not_mounted_as_read_only/test/positive_expected_result.json index 8de5a2bce6b..ec1a5b7c3f2 100644 --- a/assets/queries/k8s/root_container_not_mounted_as_read_only/test/positive_expected_result.json +++ b/assets/queries/k8s/root_container_not_mounted_as_read_only/test/positive_expected_result.json 
@@ -1,12 +1,32 @@ [ - { - "queryName": "Root Container Not Mounted Read-only", - "severity": "LOW", - "line": 12 - }, - { - "queryName": "Root Container Not Mounted Read-only", - "severity": "LOW", - "line": 24 - } + { + "queryName": "Root Container Not Mounted Read-only", + "severity": "LOW", + "line": 12, + "fileName": "positive.yaml", + "resourceType": "Pod", + "resourceName": "rootfalse", + "searchKey": "metadata.name={{rootfalse}}.spec.containers.name={{contain1_1}}.securityContext.readOnlyRootFilesystem", + "searchValue": "Pod", + "expectedValue": "metadata.name={{rootfalse}}.spec.containers.name={{contain1_1}}.securityContext.readOnlyRootFilesystem is true", + "actualValue": "metadata.name={{rootfalse}}.spec.containers.name={{contain1_1}}.securityContext.readOnlyRootFilesystem is false", + "issueType": "IncorrectValue", + "similarityID": "fd0182e767d01d31645277804c7ad36e350f1553ed4b48fa1d812448c5d3fdea", + "search_line": 12 + }, + { + "queryName": "Root Container Not Mounted Read-only", + "severity": "LOW", + "line": 24, + "fileName": "positive.yaml", + "resourceType": "Pod", + "resourceName": "noroot", + "searchKey": "metadata.name={{noroot}}.spec.containers.name={{contain1_2}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{noroot}}.spec.containers.name={{contain1_2}}.securityContext.readOnlyRootFilesystem should be set to true", + "actualValue": "metadata.name={{noroot}}.spec.containers.name={{contain1_2}}.securityContext.readOnlyRootFilesystem is undefined", + "issueType": "MissingAttribute", + "similarityID": "b93456434a6a29244dd5c64bed546e001dbbf4d4e05c29048670b88a8ea6ad4c", + "search_line": 24 + } ] diff --git a/assets/queries/k8s/root_containers_admitted/test/positive_expected_result.json b/assets/queries/k8s/root_containers_admitted/test/positive_expected_result.json index 208bc44813c..599839870d2 100644 --- a/assets/queries/k8s/root_containers_admitted/test/positive_expected_result.json 
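Review bot: The first entry's `expectedValue` reads `...securityContext.readOnlyRootFilesystem is true`, stating a fact rather than the remediation, while the second entry in the same file reads `...readOnlyRootFilesystem should be set to true`. Users see expectedValue as the fix to apply, so the two should agree: `"expectedValue": "metadata.name={{rootfalse}}.spec.containers.name={{contain1_1}}.securityContext.readOnlyRootFilesystem should be set to true"`. Since these fixtures appear to be generated from query output, the wording presumably comes from the query's message template; fix it there and regenerate so the similarityID (if it depends on the message) is recomputed rather than hand-patched.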
+++ b/assets/queries/k8s/root_containers_admitted/test/positive_expected_result.json 
@@ -2,26 +2,76 @@ { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 12 + "line": 12, + "fileName": "positive.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "restricted", + "searchKey": "metadata.name={{restricted}}.spec.privileged", + "searchValue": "", + "expectedValue": "metadata.name={{restricted}}.spec.privileged should be set to 'false'", + "actualValue": "metadata.name={{restricted}}.spec.privileged is set to 'true'", + "issueType": "IncorrectValue", + "similarityID": "cf860b4d127f04dfa74cdbf0936a50984d570490267a70872ad63d5624e7f02e", + "search_line": -1 }, { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 13 + "line": 13, + "fileName": "positive.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "restricted", + "searchKey": "metadata.name={{restricted}}.spec.allowPrivilegeEscalation", + "searchValue": "", + "expectedValue": "metadata.name={{restricted}}.spec.allowPrivilegeEscalation should be set to 'false'", + "actualValue": "metadata.name={{restricted}}.spec.allowPrivilegeEscalation is set to 'true'", + "issueType": "IncorrectValue", + "similarityID": "ac106e9dcf9421d278a570167a1eaa0732b0d67b72bfe030fb26d24cd940f88a", + "search_line": -1 }, { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 27 + "line": 27, + "fileName": "positive.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "restricted", + "searchKey": "metadata.name={{restricted}}.spec.runAsUser.rule", + "searchValue": "", + "expectedValue": "metadata.name={{restricted}}.spec.runAsUser.rule is equal to 'MustRunAsNonRoot'", + "actualValue": "metadata.name={{restricted}}.spec.runAsUser.rule is not equal to 'MustRunAsNonRoot'", + "issueType": "IncorrectValue", + "similarityID": "af1fd07638ac64e8839b487364b635b8701f11d1a894d6c4c1df796f13274801", + "search_line": -1 }, { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 31 + "line": 31, + "fileName": 
"positive.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "restricted", + "searchKey": "metadata.name={{restricted}}.spec.supplementalGroups.rule", + "searchValue": "", + "expectedValue": "metadata.name={{restricted}}.spec.supplementalGroups limits its ranges", + "actualValue": "metadata.name={{restricted}}.spec.supplementalGroups does not limit its ranges", + "issueType": "IncorrectValue", + "similarityID": "dbe4e92492121ddc36025c779dd761727c6b372d1da59e17fcf87bcfb9d6bc10", + "search_line": -1 }, { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 32 + "line": 32, + "fileName": "positive.yaml", + "resourceType": "PodSecurityPolicy", + "resourceName": "restricted", + "searchKey": "metadata.name={{restricted}}.spec.fsGroup", + "searchValue": "", + "expectedValue": "metadata.name{{restricted}}.spec.fsGroup should not allow range '0' (root)", + "actualValue": "metadata.name={{restricted}}.spec.fsGroup allows range '0' (root)", + "issueType": "IncorrectValue", + "similarityID": "2cb606bba35c5f9be549993d7bf5e34c2daf4bc0c0ac9920e188d60751719058", + "search_line": -1 } ] diff --git a/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/positive_expected_result.json b/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/positive_expected_result.json index a1169399df7..657b6b66eb4 100644 --- a/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/positive_expected_result.json +++ b/assets/queries/k8s/rotate_kubelet_server_certificate_not_active/test/positive_expected_result.json 
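Review bot: The last entry (line 32, `spec.fsGroup`) pins `"expectedValue": "metadata.name{{restricted}}.spec.fsGroup should not allow range '0' (root)"`, which is missing the `=` after `metadata.name` that its own `actualValue` and every other entry in this file use. The fixture is presumably regenerated from the query's output, so the typo most likely lives in the query's message template; correct it there and regenerate so the test expects `metadata.name={{restricted}}.spec.fsGroup should not allow range '0' (root)` instead of locking the inconsistency in. Note also that all five entries carry `"search_line": -1` while `line` is populated; if that is what the query emits it is fine, but it is worth confirming the -1 is intentional and not a generator fallback.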
@@ -1,25 +1,62 @@ [ - { - "queryName": "Rotate Kubelet Server Certificate Not Active", - "severity": "MEDIUM", - "line": 8, - "filename": "positive1.yaml" - }, - { - "queryName": "Rotate Kubelet Server Certificate Not Active", - "severity": "MEDIUM", - "line": 11, - "filename": "positive2.yaml" - }, - { - "queryName": "Rotate Kubelet Server Certificate Not Active", - "severity": "MEDIUM", - "line": 8, - "filename": "positive3.json" - },{ - "queryName": "Rotate Kubelet Server Certificate Not Active", - "severity": "MEDIUM", - "line": 11, - "filename": "positive4.yaml" - } + { + "queryName": "Rotate Kubelet Server Certificate Not Active", + "severity": "MEDIUM", + "line": 8, + "fileName": "positive1.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.featureGates", + "searchValue": "", + "expectedValue": "RotateKubeletServerCertificates should be true", + "actualValue": "RotateKubeletServerCertificate is false", + "issueType": "IncorrectValue", + "similarityID": "71dd78b62a650cab4702c4767ecc2b820842cd190f483253ced05e8ddffbdac5", + "search_line": -1 + }, + { + "queryName": "Rotate Kubelet Server Certificate Not Active", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--feature-gates=RotateKubeletServerCertificate flag should be true", + "actualValue": "--feature-gates=RotateKubeletServerCertificate flag is false", + "issueType": "IncorrectValue", + "similarityID": "8a17116713347a0fdb3657e68bd67a8f2a0d79433bd99b5324f15dfee94475f3", + "search_line": 11 + }, + { + "queryName": "Rotate Kubelet Server Certificate Not Active", + "severity": "MEDIUM", + "line": 8, + "fileName": "positive3.json", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": 
"kind={{KubeletConfiguration}}.featureGates", + "searchValue": "", + "expectedValue": "RotateKubeletServerCertificates should be true", + "actualValue": "RotateKubeletServerCertificate is false", + "issueType": "IncorrectValue", + "similarityID": "05dd37d62c76c432799279aa7474d806d75aaf34df8569415d9be046b8321133", + "search_line": -1 + }, + { + "queryName": "Rotate Kubelet Server Certificate Not Active", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive4.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container7}}.command", + "searchValue": "", + "expectedValue": "--feature-gates=RotateKubeletServerCertificate flag should be true", + "actualValue": "--feature-gates=RotateKubeletServerCertificate flag is false", + "issueType": "IncorrectValue", + "similarityID": "42802e72c7fa2c4c5e6eed32da87944956aa2956ea0075d368526d85f98ac329", + "search_line": 11 + } ] diff --git a/assets/queries/k8s/seccomp_profile_is_not_configured/test/positive_expected_result.json b/assets/queries/k8s/seccomp_profile_is_not_configured/test/positive_expected_result.json index b5d3b90f179..c45ecb5431d 100644 --- a/assets/queries/k8s/seccomp_profile_is_not_configured/test/positive_expected_result.json +++ b/assets/queries/k8s/seccomp_profile_is_not_configured/test/positive_expected_result.json 
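Review bot: The positive1.yaml and positive3.json entries pin `"expectedValue": "RotateKubeletServerCertificates should be true"` while their `actualValue` and the positive2/positive4 entries spell the gate `RotateKubeletServerCertificate` (singular), which is the actual kubelet feature-gate name. The plural looks like a typo in the query's message that this regenerated fixture now locks in; fix the template at the source and regenerate so the expectation becomes `RotateKubeletServerCertificate should be true`. The `"resourceName": "n/a"` on the KubeletConfiguration entries is presumably what the query emits for a kind without `metadata.name`; fine if intentional, but worth confirming it is not a placeholder the generator substituted.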
@@ -1,50 +1,122 @@ [ - { - "queryName": "Seccomp Profile Is Not Configured", - "severity": "MEDIUM", - "line": 7, - "fileName": "positive1.yaml" - }, - { - "queryName": "Seccomp Profile Is Not Configured", - "severity": "MEDIUM", - "line": 18, - "fileName": "positive1.yaml" - }, - { - "queryName": "Seccomp Profile Is Not Configured", - "severity": "MEDIUM", - "line": 26, - "fileName": "positive1.yaml" - }, - { - "queryName": "Seccomp Profile Is Not Configured", - "severity": "MEDIUM", - "line": 43, - "fileName": "positive1.yaml" - }, - { - "queryName": "Seccomp Profile Is Not Configured", - "severity": "MEDIUM", - "line": 24, - "fileName": "positive2.yaml" - }, - { - "queryName": "Seccomp Profile Is Not Configured", - "severity": "MEDIUM", - "line": 24, - "fileName": "positive3.yaml" - }, - { - "queryName": "Seccomp Profile Is Not Configured", - "severity": "MEDIUM", - "line": 33, - "fileName": "positive3.yaml" - }, - { - "queryName": "Seccomp Profile Is Not Configured", - "severity": "MEDIUM", - "line": 35, - "fileName": "positive4.yaml" - } + { + "queryName": "Seccomp Profile Is Not Configured", + "severity": "MEDIUM", + "line": 7, + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod-test-1", + "searchKey": "metadata.name={{pod-test-1}}.spec.containers.name={{foobar}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{pod-test-1}}.spec.containers.name={{foobar}}.securityContext.seccompProfile.type should be defined", + "actualValue": "metadata.name={{pod-test-1}}.spec.containers.name={{foobar}}.securityContext.seccompProfile.type is undefined", + "issueType": "MissingAttribute", + "similarityID": "403cb566bca47e8647d3e5debc7cdcf7b8dd04a2b989bf4824d69662e439144e", + "search_line": 7 + }, + { + "queryName": "Seccomp Profile Is Not Configured", + "severity": "MEDIUM", + "line": 18, + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod-test-2", + "searchKey": 
"metadata.name={{pod-test-2}}.spec.containers.name={{foobar}}", + "searchValue": "Pod", + "expectedValue": "metadata.name={{pod-test-2}}.spec.containers.name={{foobar}}.securityContext.seccompProfile.type should be defined", + "actualValue": "metadata.name={{pod-test-2}}.spec.containers.name={{foobar}}.securityContext.seccompProfile.type is undefined", + "issueType": "MissingAttribute", + "similarityID": "a00ef6be3a9960fd4803ccbd8084c3ef2e18be048258f20064f9d6f5572fc07a", + "search_line": 18 + }, + { + "queryName": "Seccomp Profile Is Not Configured", + "severity": "MEDIUM", + "line": 26, + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod-test-3", + "searchKey": "metadata.name={{pod-test-3}}.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName", + "searchValue": "Pod", + "expectedValue": "metadata.name={{pod-test-3}}.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'runtime/default'", + "actualValue": "metadata.name={{pod-test-3}}.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'rntim/dfl'", + "issueType": "IncorrectValue", + "similarityID": "44260e712bb1cf5055d3dbdba8bb38e6762b43d171477c016126bb8e0e3b6c83", + "search_line": 26 + }, + { + "queryName": "Seccomp Profile Is Not Configured", + "severity": "MEDIUM", + "line": 43, + "fileName": "positive1.yaml", + "resourceType": "CronJob", + "resourceName": "hello", + "searchKey": "metadata.name={{hello}}.spec.jobTemplate.spec.template.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName", + "searchValue": "CronJob", + "expectedValue": "metadata.name={{hello}}.spec.jobTemplate.spec.template.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'runtime/default'", + "actualValue": "metadata.name={{hello}}.spec.jobTemplate.spec.template.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'rntim/dfl'", + "issueType": "IncorrectValue", + "similarityID": 
"7ed454520b8abe940fe2a491645178ff439dc86d1eeb5d2d4e00ad3e7756b721", + "search_line": 43 + }, + { + "queryName": "Seccomp Profile Is Not Configured", + "severity": "MEDIUM", + "line": 24, + "fileName": "positive2.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.seccompProfile.type should be defined", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.seccompProfile.type is undefined", + "issueType": "MissingAttribute", + "similarityID": "f1ae59c1fa4bcaa6f8b18ef8a12f178b846e77bc92334132958ac634765e5ff6", + "search_line": 24 + }, + { + "queryName": "Seccomp Profile Is Not Configured", + "severity": "MEDIUM", + "line": 24, + "fileName": "positive3.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.seccompProfile.type should be defined", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{frontend}}.securityContext.seccompProfile.type is undefined", + "issueType": "MissingAttribute", + "similarityID": "848ee4bdb01cde1f4db58d89068a2057449e5ee89ee4fc33db020bd26c66d461", + "search_line": 24 + }, + { + "queryName": "Seccomp Profile Is Not Configured", + "severity": "MEDIUM", + "line": 33, + "fileName": "positive3.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": 
"metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.seccompProfile.type=Unconfined", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.seccompProfile.type should be set to 'RuntimeDefault' or 'Localhost'", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.seccompProfile.type is set to 'Unconfined'", + "issueType": "IncorrectValue", + "similarityID": "1b0fc7bfecac023aafa2ead9d9ff19196f2146f3fc989f946dadb518e7a9826b", + "search_line": 33 + }, + { + "queryName": "Seccomp Profile Is Not Configured", + "severity": "MEDIUM", + "line": 35, + "fileName": "positive4.yaml", + "resourceType": "Deployment", + "resourceName": "securitydemo", + "searchKey": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.seccompProfile.type=Unconfined", + "searchValue": "Deployment", + "expectedValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.seccompProfile.type should be set to 'RuntimeDefault' or 'Localhost'", + "actualValue": "metadata.name={{securitydemo}}.spec.template.spec.containers.name={{echoserver}}.securityContext.seccompProfile.type is set to 'Unconfined'", + "issueType": "IncorrectValue", + "similarityID": "0f277b429686ff5f2d1ddd75b71e21555dca5d4ad727265cb9d22b525467d3ca", + "search_line": 35 + } ] diff --git a/assets/queries/k8s/secrets_as_environment_variables/test/positive_expected_result.json b/assets/queries/k8s/secrets_as_environment_variables/test/positive_expected_result.json index 4f2095e9428..edf1c8d9d17 100644 --- a/assets/queries/k8s/secrets_as_environment_variables/test/positive_expected_result.json +++ b/assets/queries/k8s/secrets_as_environment_variables/test/positive_expected_result.json 
@@ -1,17 +1,47 @@ [ - { - "queryName": "Secrets As Environment Variables", - "severity": "LOW", - "line": 12 - }, - { - "queryName": "Secrets As Environment Variables", - "severity": "LOW", - "line": 17 - }, - { - "queryName": "Secrets As Environment Variables", - "severity": "LOW", - "line": 31 - } + { + "queryName": "Secrets As Environment Variables", + "severity": "LOW", + "line": 12, + "fileName": "positive.yaml", + "resourceType": "Pod", + "resourceName": "secret-env-pod", + "searchKey": "metadata.name={{secret-env-pod}}.spec.containers.env.name={{SECRET_USERNAME}}.valueFrom.secretKeyRef", + "searchValue": "Pod", + "expectedValue": "'spec.containers.name={{mycontainer}}.env.name={{SECRET_USERNAME}}.valueFrom.secretKeyRef' should be undefined", + "actualValue": "'spec.containers.name={{mycontainer}}.env.name={{SECRET_USERNAME}}.valueFrom.secretKeyRef' is defined", + "issueType": "IncorrectValue", + "similarityID": "1434003ceda5c63152aa446f446662e0f62b366be1414e6f69c43a53c10babfe", + "search_line": 12 + }, + { + "queryName": "Secrets As Environment Variables", + "severity": "LOW", + "line": 17, + "fileName": "positive.yaml", + "resourceType": "Pod", + "resourceName": "secret-env-pod", + "searchKey": "metadata.name={{secret-env-pod}}.spec.containers.env.name={{SECRET_PASSWORD}}.valueFrom.secretKeyRef", + "searchValue": "Pod", + "expectedValue": "'spec.containers.name={{mycontainer}}.env.name={{SECRET_PASSWORD}}.valueFrom.secretKeyRef' should be undefined", + "actualValue": "'spec.containers.name={{mycontainer}}.env.name={{SECRET_PASSWORD}}.valueFrom.secretKeyRef' is defined", + "issueType": "IncorrectValue", + "similarityID": "ddfcd72de3c860c2e7d41516fcb2fcb5b98412996b844271242b02471e456f72", + "search_line": 17 + }, + { + "queryName": "Secrets As Environment Variables", + "severity": "LOW", + "line": 31, + "fileName": "positive.yaml", + "resourceType": "Pod", + "resourceName": "envfrom-secret", + "searchKey": 
"metadata.name={{envfrom-secret}}.spec.containers.name={{envars-test-container}}.envFrom", + "searchValue": "Pod", + "expectedValue": "'spec.containers.name={{envars-test-container}}.envFrom.secretRef' should be undefined", + "actualValue": "'spec.containers.name={{envars-test-container}}.envFrom.secretRef' is defined", + "issueType": "IncorrectValue", + "similarityID": "39c6091c0b3e129fcfb924037c2d23f1517b78e2387dca1465d6b3d5ac22e2e7", + "search_line": 31 + } ] diff --git a/assets/queries/k8s/secure_port_set_to_zero/test/positive_expected_result.json b/assets/queries/k8s/secure_port_set_to_zero/test/positive_expected_result.json index 32788b10f00..9b612014637 100644 --- a/assets/queries/k8s/secure_port_set_to_zero/test/positive_expected_result.json +++ b/assets/queries/k8s/secure_port_set_to_zero/test/positive_expected_result.json @@ -1,8 +1,17 @@ [ - { - "queryName": "Secure Port Set To Zero", - "severity": "HIGH", - "line": 11, - "fileName": "positive1.yaml" - } + { + "queryName": "Secure Port Set To Zero", + "severity": "HIGH", + "line": 11, + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--secure-port flag should not be set to 0", + "actualValue": "--secure-port flag is set to 0", + "issueType": "IncorrectValue", + "similarityID": "e80fd6ae30f84935aeecf0b3420c28dea2b345946a46cbfbf8ccca49e5a29400", + "search_line": 11 + } ] diff --git a/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/test/positive_expected_result.json b/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/test/positive_expected_result.json index 8e2925f5acc..bee883ccf49 100644 --- a/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/test/positive_expected_result.json 
+++ b/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set/test/positive_expected_result.json @@ -1,8 +1,17 @@ [ - { - "queryName": "Security Context Deny Admission Control Plugin Not Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" - } + { + "queryName": "Security Context Deny Admission Control Plugin Not Set", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--enable-admission-plugins flag should contain 'SecurityContextDeny' plugin if 'PodSecurityPolicy' plugin should not be set", + "actualValue": "--enable-admission-plugins flag does not contain 'SecurityContextDeny' plugin", + "issueType": "MissingAttribute", + "similarityID": "b771245635bbbe4e2664921c4a901e0f9049a068a193980c64da00967024e343", + "search_line": 11 + } ] diff --git a/assets/queries/k8s/service_account_admission_control_plugin_disabled/test/positive_expected_result.json b/assets/queries/k8s/service_account_admission_control_plugin_disabled/test/positive_expected_result.json index 91bac546e59..4446b034c57 100644 --- a/assets/queries/k8s/service_account_admission_control_plugin_disabled/test/positive_expected_result.json +++ b/assets/queries/k8s/service_account_admission_control_plugin_disabled/test/positive_expected_result.json 
@@ -1,14 +1,32 @@ [ - { - "queryName": "Service Account Admission Control Plugin Disabled", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" - }, - { - "queryName": "Service Account Admission Control Plugin Disabled", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive2.yaml" - } + { + "queryName": "Service Account Admission Control Plugin Disabled", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--disable-admission-plugins flag should not contain 'ServiceAccount' plugin", + "actualValue": "--disable-admission-plugins flag contains 'ServiceAccount' plugin", + "issueType": "IncorrectValue", + "similarityID": "f0bc31d6dad9302fb9472bc93292f86033227f23a18acfe8aaf557ee08e639e4", + "search_line": 11 + }, + { + "queryName": "Service Account Admission Control Plugin Disabled", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--disable-admission-plugins flag should not contain 'ServiceAccount' plugin", + "actualValue": "--disable-admission-plugins flag contains 'ServiceAccount' plugin", + "issueType": "IncorrectValue", + "similarityID": "d5f109310dea4bcba3186a1a3ba2e1f6aa77e29b29a1078b08e6f0324a775896", + "search_line": 11 + } ] diff --git a/assets/queries/k8s/service_account_allows_access_secrets/test/positive_expected_result.json b/assets/queries/k8s/service_account_allows_access_secrets/test/positive_expected_result.json index 67513d0289c..7cb2b7be45a 100644 --- a/assets/queries/k8s/service_account_allows_access_secrets/test/positive_expected_result.json 
+++ b/assets/queries/k8s/service_account_allows_access_secrets/test/positive_expected_result.json 
@@ -1,17 +1,47 @@ [ - { - "queryName": "ServiceAccount Allows Access Secrets", - "severity": "MEDIUM", - "line": 10 - }, - { - "queryName": "ServiceAccount Allows Access Secrets", - "severity": "MEDIUM", - "line": 34 - }, - { - "queryName": "ServiceAccount Allows Access Secrets", - "severity": "MEDIUM", - "line": 58 - } + { + "queryName": "ServiceAccount Allows Access Secrets", + "severity": "MEDIUM", + "line": 10, + "fileName": "positive.yaml", + "resourceType": "Role", + "resourceName": "testRoleVulnerable", + "searchKey": "metadata.name={{testRoleVulnerable}}.rules", + "searchValue": "Role", + "expectedValue": "The metadata.name={{testRoleVulnerable}}.rules.verbs should not contain the following verbs: [[\"get\", \"watch\", \"list\"]]", + "actualValue": "The metadata.name={{testRoleVulnerable}}.rules.verbs contain the following verbs: [[\"get\", \"watch\", \"list\"]]", + "issueType": "IncorrectValue", + "similarityID": "d066063b0e6379ae1cd5672d746b074ad904169662ce75effe4ae900eb574e6b", + "search_line": 10 + }, + { + "queryName": "ServiceAccount Allows Access Secrets", + "severity": "MEDIUM", + "line": 34, + "fileName": "positive.yaml", + "resourceType": "Role", + "resourceName": "testRoleVulnerable2", + "searchKey": "metadata.name={{testRoleVulnerable2}}.rules", + "searchValue": "Role", + "expectedValue": "The metadata.name={{testRoleVulnerable2}}.rules.verbs should not contain the following verbs: [[\"*\"]]", + "actualValue": "The metadata.name={{testRoleVulnerable2}}.rules.verbs contain the following verbs: [[\"*\"]]", + "issueType": "IncorrectValue", + "similarityID": "c3b2aeb60e73db935523dea716f6ea348234323def5c906c2437cf3baa285c3d", + "search_line": 34 + }, + { + "queryName": "ServiceAccount Allows Access Secrets", + "severity": "MEDIUM", + "line": 58, + "fileName": "positive.yaml", + "resourceType": "ClusterRole", + "resourceName": "testClusterRoleVulnerable", + "searchKey": "metadata.name={{testClusterRoleVulnerable}}.rules", + "searchValue": 
"ClusterRole", + "expectedValue": "The metadata.name={{testClusterRoleVulnerable}}.rules.verbs should not contain the following verbs: [[\"update\", \"list\"]]", + "actualValue": "The metadata.name={{testClusterRoleVulnerable}}.rules.verbs contain the following verbs: [[\"update\", \"list\"]]", + "issueType": "IncorrectValue", + "similarityID": "aac657348ad542676cd6131a8958c44a8c2d06644177b0a26be4527abb9f80af", + "search_line": 58 + } ] diff --git a/assets/queries/k8s/service_account_key_file_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/service_account_key_file_not_properly_set/test/positive_expected_result.json index f7d31744351..bf974189d2c 100644 --- a/assets/queries/k8s/service_account_key_file_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/service_account_key_file_not_properly_set/test/positive_expected_result.json @@ -1,8 +1,17 @@ [ - { - "queryName": "Service Account Key File Not Properly Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" - } + { + "queryName": "Service Account Key File Not Properly Set", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--service-account-key-file flag should be defined and have a PEM encoded file", + "actualValue": "--service-account-key-file flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "a94d01a06607db57aea79171185f42dc4afee129a55a4e81913b2d667196a42f", + "search_line": 11 + } ] diff --git a/assets/queries/k8s/service_account_lookup_set_to_false/test/positive_expected_result.json b/assets/queries/k8s/service_account_lookup_set_to_false/test/positive_expected_result.json index 88c2e8ff6dd..a66ceb0e2b6 100644 
--- a/assets/queries/k8s/service_account_lookup_set_to_false/test/positive_expected_result.json +++ b/assets/queries/k8s/service_account_lookup_set_to_false/test/positive_expected_result.json @@ -1,8 +1,17 @@ [ - { - "queryName": "Service Account Lookup Set To False", - "severity": "HIGH", - "line": 11, - "fileName": "positive1.yaml" - } + { + "queryName": "Service Account Lookup Set To False", + "severity": "HIGH", + "line": 11, + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--service-account-lookup flag should be set to true", + "actualValue": "--service-account-lookup flag is set to false", + "issueType": "IncorrectValue", + "similarityID": "a7128edf4ea7449aa28a5f76557bce1085e4fb648e7c5fc88e907499e71b09e4", + "search_line": 11 + } ] diff --git a/assets/queries/k8s/service_account_name_undefined_or_empty/test/positive_expected_result.json b/assets/queries/k8s/service_account_name_undefined_or_empty/test/positive_expected_result.json index 31b58aadfee..0cc2250241e 100644 --- a/assets/queries/k8s/service_account_name_undefined_or_empty/test/positive_expected_result.json +++ b/assets/queries/k8s/service_account_name_undefined_or_empty/test/positive_expected_result.json 
@@ -1,17 +1,47 @@ [ - { - "queryName": "Service Account Name Undefined Or Empty", - "severity": "MEDIUM", - "line": 6 - }, - { - "queryName": "Service Account Name Undefined Or Empty", - "severity": "MEDIUM", - "line": 28 - }, - { - "queryName": "Service Account Name Undefined Or Empty", - "severity": "MEDIUM", - "line": 58 - } + { + "queryName": "Service Account Name Undefined Or Empty", + "severity": "MEDIUM", + "line": 6, + "fileName": "positive.yaml", + "resourceType": "Pod", + "resourceName": "nginx.container", + "searchKey": "metadata.name={{nginx.container}}.spec", + "searchValue": "", + "expectedValue": "metadata.name=nginx.container.spec.serviceAccountName should be defined", + "actualValue": "metadata.name=nginx.container.spec.serviceAccountName is undefined", + "issueType": "MissingAttribute", + "similarityID": "b74efe83d1948378454e25cb9c3ade0fa44339916affa64c2fc03b6645a7c6ef", + "search_line": -1 + }, + { + "queryName": "Service Account Name Undefined Or Empty", + "severity": "MEDIUM", + "line": 28, + "fileName": "positive.yaml", + "resourceType": "Pod", + "resourceName": "nginx2.container.group", + "searchKey": "metadata.name={{nginx2.container.group}}.spec", + "searchValue": "", + "expectedValue": "metadata.name=nginx2.container.group.spec.serviceAccountName should be defined", + "actualValue": "metadata.name=nginx2.container.group.spec.serviceAccountName is undefined", + "issueType": "MissingAttribute", + "similarityID": "d476665d4376c7a50f736fc57e0b4dfbd703a0f40618d478634472f37107200e", + "search_line": -1 + }, + { + "queryName": "Service Account Name Undefined Or Empty", + "severity": "MEDIUM", + "line": 58, + "fileName": "positive.yaml", + "resourceType": "Pod", + "resourceName": "nginx3", + "searchKey": "metadata.name={{nginx3}}.spec.serviceAccountName", + "searchValue": "", + "expectedValue": "metadata.name=nginx3.spec.serviceAccountName should not be empty", + "actualValue": "metadata.name=nginx3.spec.serviceAccountName is empty", + 
"issueType": "IncorrectValue", + "similarityID": "0fe8bc86637d7a130019169b2901ec4292a00a85fa3115a50f90935c75b569f8", + "search_line": -1 + } ] diff --git a/assets/queries/k8s/service_account_private_key_file_not_defined/test/positive_expected_result.json b/assets/queries/k8s/service_account_private_key_file_not_defined/test/positive_expected_result.json index 83a1aba8213..65d415d2182 100644 --- a/assets/queries/k8s/service_account_private_key_file_not_defined/test/positive_expected_result.json +++ b/assets/queries/k8s/service_account_private_key_file_not_defined/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Service Account Private Key File Not Defined", "severity": "MEDIUM", "line": 11, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--service-account-private-key-file flag should be defined", + "actualValue": "--service-account-private-key-file flag is not defined", + "issueType": "IncorrectValue", + "similarityID": "97a1c61a8a8fca663591ffaa2c882464b60e38a60384ce66737e3093786abed2", + "search_line": 11 } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/service_account_token_automount_not_disabled/test/positive_expected_result.json b/assets/queries/k8s/service_account_token_automount_not_disabled/test/positive_expected_result.json index e9846ad638f..78b29eb5a58 100644 --- a/assets/queries/k8s/service_account_token_automount_not_disabled/test/positive_expected_result.json +++ b/assets/queries/k8s/service_account_token_automount_not_disabled/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Service Account Token Automount Not Disabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec", + "searchValue": "Pod", + "expectedValue": "metadata.name={{security-context-demo}}.spec.automountServiceAccountToken should be defined and set to false", + "actualValue": "metadata.name={{security-context-demo}}.spec.automountServiceAccountToken is undefined", + "issueType": "MissingAttribute", + "similarityID": "fcf594677d2f01b344ac91688b4c98f4a9c6bd013f6dbe5e60b080592058e5ba", + "search_line": 5 }, { "queryName": "Service Account Token Automount Not Disabled", "severity": "MEDIUM", "line": 28, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "security.context.demo", + "searchKey": "metadata.name={{security.context.demo}}.spec.automountServiceAccountToken", + "searchValue": "Pod", + "expectedValue": "metadata.name={{security.context.demo}}.spec.automountServiceAccountToken should be set to false", + "actualValue": "metadata.name={{security.context.demo}}.spec.automountServiceAccountToken is true", + "issueType": "IncorrectValue", + "similarityID": "f39f9cac0acecbefe622a4a86b16dd64d08ea8f8a1da1088c499c8c1364c337e", + "search_line": 28 }, { "queryName": "Service Account Token Automount Not Disabled", "severity": "MEDIUM", "line": 54, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.automountServiceAccountToken", + "searchValue": "Configuration", + "expectedValue": "metadata.name={{dummy-config}}.spec.template.spec.automountServiceAccountToken should be set to false", + "actualValue": "metadata.name={{dummy-config}}.spec.template.spec.automountServiceAccountToken 
is true", + "issueType": "IncorrectValue", + "similarityID": "0b61d321b1cb9960cd15113db3813bcf3f67cde3652bf429d815bc76466d4592", + "search_line": 54 }, { "queryName": "Service Account Token Automount Not Disabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "ServiceAccount", + "resourceName": "redistest-sa", + "searchKey": "metadata.name={{redistest-sa}}.automountServiceAccountToken", + "searchValue": "", + "expectedValue": "metadata.name={{redistest-sa}}.automountServiceAccountToken should be set to false", + "actualValue": "metadata.name={{redistest-sa}}.automountServiceAccountToken is true", + "issueType": "IncorrectValue", + "similarityID": "c8d90f3314d596a61c0abe932ae6d3a835501cd07fb1d62904823c35448cc80d", + "search_line": 5 } ] diff --git a/assets/queries/k8s/service_does_not_target_pod/test/positive_expected_result.json b/assets/queries/k8s/service_does_not_target_pod/test/positive_expected_result.json index f4133656161..be5d1b33984 100644 --- a/assets/queries/k8s/service_does_not_target_pod/test/positive_expected_result.json +++ b/assets/queries/k8s/service_does_not_target_pod/test/positive_expected_result.json 
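Review bot: The last entry (ServiceAccount `redistest-sa` in positive2.yaml) has `"searchValue": ""` while the three Pod/Configuration entries in positive1.yaml carry the document kind in searchValue (`"Pod"`, `"Configuration"`), so the same query populates the field differently depending on which rule fired. If searchValue is one of the similarityID inputs (I believe it is, but have not verified here) the gap is harmless for identity, but it does make the ServiceAccount finding look as if it came from a different query when results are grouped by searchValue; emitting the kind from the ServiceAccount rule as well (`"searchValue": "ServiceAccount"`) and regenerating would align the four entries. The hunk begins at file line 3, so the first entry's opening brace is outside the hunk.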
@@ -3,12 +3,30 @@ "queryName": "Service Does Not Target Pod", "severity": "LOW", "line": 7, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Service", + "resourceName": "helloworld2", + "searchKey": "metadata.name={{helloworld2}}.spec.selector", + "searchValue": "", + "expectedValue": "metadata.name={{helloworld2}}.spec.selector label refers to a Pod label", + "actualValue": "metadata.name={{helloworld2}}.spec.selector label does not match with any Pod label", + "issueType": "IncorrectValue", + "similarityID": "7f818345fa0e1ab73e36c83cc6c86d8bef119d322e1f3f026ab92ae83868170c", + "search_line": -1 }, { "queryName": "Service Does Not Target Pod", "severity": "LOW", "line": 12, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Service", + "resourceName": "helloworld3", + "searchKey": "metadata.name={{helloworld3}}.spec.ports.port={{9377}}", + "searchValue": "", + "expectedValue": "metadata.name={{helloworld3}}.spec.ports.port={{9377}} has a Pod port", + "actualValue": "metadata.name={{helloworld3}}.spec.ports.port={{9377}} does not have a Pod port", + "issueType": "IncorrectValue", + "similarityID": "3401142d3333d2cc406b93ce2d9426935fb08bd0d5487b9d2dd00d08c6331b12", + "search_line": -1 } ] diff --git a/assets/queries/k8s/service_type_is_nodeport/test/positive_expected_result.json b/assets/queries/k8s/service_type_is_nodeport/test/positive_expected_result.json index 83be0fdacda..59dea8177af 100644 --- a/assets/queries/k8s/service_type_is_nodeport/test/positive_expected_result.json +++ b/assets/queries/k8s/service_type_is_nodeport/test/positive_expected_result.json 
@@ -1,7 +1,17 @@ [ - { - "queryName": "Service Type is NodePort", - "severity": "LOW", - "line": 6 - } + { + "queryName": "Service Type is NodePort", + "severity": "LOW", + "line": 6, + "fileName": "positive.yaml", + "resourceType": "Service", + "resourceName": "my-service", + "searchKey": "metadata.name={{my-service}}.spec.type", + "searchValue": "", + "expectedValue": "spec.type should not be 'NodePort'", + "actualValue": "spec.type is 'NodePort'", + "issueType": "IncorrectValue", + "similarityID": "ade0510a432989225b047f93e85e39a0c34da0af7609ef7c4431839b2c24b928", + "search_line": -1 + } ] diff --git a/assets/queries/k8s/service_with_external_load_balancer/test/positive_expected_result.json b/assets/queries/k8s/service_with_external_load_balancer/test/positive_expected_result.json index 952a4769b95..b2a1abc8b67 100644 --- a/assets/queries/k8s/service_with_external_load_balancer/test/positive_expected_result.json +++ b/assets/queries/k8s/service_with_external_load_balancer/test/positive_expected_result.json 
@@ -1,27 +1,77 @@ [ - { - "queryName": "Service With External Load Balancer", - "severity": "MEDIUM", - "line": 4 - }, { - "queryName": "Service With External Load Balancer", - "severity": "MEDIUM", - "line": 18 - }, + "queryName": "Service With External Load Balancer", + "severity": "MEDIUM", + "line": 4, + "fileName": "positive.yaml", + "resourceType": "Service", + "resourceName": "sample-service 05", + "searchKey": "metadata.name={{sample-service 05}}", + "searchValue": "", + "expectedValue": "'metadata.annotations' should be set", + "actualValue": "'metadata.annotations' is undefined", + "issueType": "MissingAttribute", + "similarityID": "821f4c5a975175dd647f89cfdea9d31d60938986ce76c7e92e40031f8701286b", + "search_line": -1 + }, { - "queryName": "Service With External Load Balancer", - "severity": "MEDIUM", - "line": 33 - }, + "queryName": "Service With External Load Balancer", + "severity": "MEDIUM", + "line": 18, + "fileName": "positive.yaml", + "resourceType": "Service", + "resourceName": "sample-service 05334443", + "searchKey": "metadata.name={{sample-service 05334443}}.annotations", + "searchValue": "", + "expectedValue": "metadata.name={{sample-service 05334443}} using an external Load Balancer provider by cloud provider", + "actualValue": "metadata.name={{sample-service 05334443}} is exposing a workload, not using an external Load Balancer provider by cloud provider", + "issueType": "IncorrectValue", + "similarityID": "c17f15feab13712f2562c33abf6dae1cad117ac9ae33bf29bd4a99b140e604fc", + "search_line": -1 + }, { - "queryName": "Service With External Load Balancer", - "severity": "MEDIUM", - "line": 48 - }, + "queryName": "Service With External Load Balancer", + "severity": "MEDIUM", + "line": 33, + "fileName": "positive.yaml", + "resourceType": "Service", + "resourceName": "sample-service 07", + "searchKey": "metadata.name={{sample-service 07}}.annotations", + "searchValue": "", + "expectedValue": "metadata.name={{sample-service 07}} using an external 
Load Balancer provider by cloud provider", + "actualValue": "metadata.name={{sample-service 07}} is exposing a workload, not using an external Load Balancer provider by cloud provider", + "issueType": "IncorrectValue", + "similarityID": "8633261fa33ea266ab9f509d3f5d6b2128afb9cd77c62b9f82941d73af2cdc97", + "search_line": -1 + }, { - "queryName": "Service With External Load Balancer", - "severity": "MEDIUM", - "line": 63 - } + "queryName": "Service With External Load Balancer", + "severity": "MEDIUM", + "line": 48, + "fileName": "positive.yaml", + "resourceType": "Service", + "resourceName": "sample-service 08", + "searchKey": "metadata.name={{sample-service 08}}.annotations", + "searchValue": "", + "expectedValue": "metadata.name={{sample-service 08}} using an external Load Balancer provider by cloud provider", + "actualValue": "metadata.name={{sample-service 08}} is exposing a workload, not using an external Load Balancer provider by cloud provider", + "issueType": "IncorrectValue", + "similarityID": "9eca3f8fc6b15bfcd2de5eaff4c81fb6bd806bc08054c6f8fa04d63f77820c8c", + "search_line": -1 + }, + { + "queryName": "Service With External Load Balancer", + "severity": "MEDIUM", + "line": 63, + "fileName": "positive.yaml", + "resourceType": "Service", + "resourceName": "sample-service 09", + "searchKey": "metadata.name={{sample-service 09}}.annotations", + "searchValue": "", + "expectedValue": "metadata.name={{sample-service 09}} using an external Load Balancer provider by cloud provider", + "actualValue": "metadata.name={{sample-service 09}} is exposing a workload, not using an external Load Balancer provider by cloud provider", + "issueType": "IncorrectValue", + "similarityID": "8d9d64ad123e0d00bff0b0bbf8ce0fe24b04833d21a6ddbca0f1a756583ce72e", + "search_line": -1 + } ] 
diff --git a/assets/queries/k8s/shared_host_ipc_namespace/test/positive_expected_result.json b/assets/queries/k8s/shared_host_ipc_namespace/test/positive_expected_result.json index 703d9dce2af..d0aec92cd12 100644 --- a/assets/queries/k8s/shared_host_ipc_namespace/test/positive_expected_result.json +++ b/assets/queries/k8s/shared_host_ipc_namespace/test/positive_expected_result.json @@ -1,14 +1,32 @@ [ - { - "queryName": "Shared Host IPC Namespace", - "severity": "MEDIUM", - "line": 6, - "fileName": "positive.yaml" - }, - { - "queryName": "Shared Host IPC Namespace", - "severity": "MEDIUM", - "line": 9, - "fileName": "positive2.yaml" - } + { + "queryName": "Shared Host IPC Namespace", + "severity": "MEDIUM", + "line": 9, + "fileName": "positive2.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.hostIPC", + "searchValue": "", + "expectedValue": "'spec.template.spec.hostIPC' should be set to false or undefined", + "actualValue": "'spec.template.spec.hostIPC' is true", + "issueType": "IncorrectValue", + "similarityID": "45e78418040aadee3e0b056fe98e135d5c03bd58f52f6b35fe6b29533e5a6902", + "search_line": -1 + }, + { + "queryName": "Shared Host IPC Namespace", + "severity": "MEDIUM", + "line": 6, + "fileName": "positive.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.hostIPC", + "searchValue": "", + "expectedValue": "'spec.hostIPC' should be set to false or undefined", + "actualValue": "'spec.hostIPC' is true", + "issueType": "IncorrectValue", + "similarityID": "6e480e708baf6e3bebaa47fd127e0d9f3752b00f170265e67cb3e4c570fb8e0b", + "search_line": -1 + } ] diff --git a/assets/queries/k8s/shared_host_network_namespace/test/positive_expected_result.json b/assets/queries/k8s/shared_host_network_namespace/test/positive_expected_result.json index e7e02ec1826..5230e79709a 100644 
--- a/assets/queries/k8s/shared_host_network_namespace/test/positive_expected_result.json +++ b/assets/queries/k8s/shared_host_network_namespace/test/positive_expected_result.json @@ -2,13 +2,31 @@ { "queryName": "Shared Host Network Namespace", "severity": "MEDIUM", - "line": 6, - "fileName": "positive.yaml" + "line": 9, + "fileName": "positive2.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.hostNetwork", + "searchValue": "", + "expectedValue": "'spec.template.spec.hostNetwork' should be set to false or undefined", + "actualValue": "'spec.template.spec.hostNetwork' is true", + "issueType": "IncorrectValue", + "similarityID": "2f33c9eedd0866ae2d9447000a38591fd4b48e3ddae4e1a53eddc13a850eb1e4", + "search_line": -1 }, { "queryName": "Shared Host Network Namespace", "severity": "MEDIUM", - "line": 9, - "fileName": "positive2.yaml" + "line": 6, + "fileName": "positive.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.hostNetwork", + "searchValue": "", + "expectedValue": "'spec.hostNetwork' should be set to false or undefined", + "actualValue": "'spec.hostNetwork' is true", + "issueType": "IncorrectValue", + "similarityID": "bb0532cd2eb747e4af82f822db6f636c80aaee953dc5408b0f4e61a50947d429", + "search_line": -1 } ] diff --git a/assets/queries/k8s/shared_host_pid_namespace/test/positive_expected_result.json b/assets/queries/k8s/shared_host_pid_namespace/test/positive_expected_result.json index 82c58726498..af209b01094 100644 --- a/assets/queries/k8s/shared_host_pid_namespace/test/positive_expected_result.json +++ b/assets/queries/k8s/shared_host_pid_namespace/test/positive_expected_result.json 
@@ -2,13 +2,31 @@ { "queryName": "Shared Host PID Namespace", "severity": "HIGH", - "line": 6, - "fileName": "positive.yaml" + "line": 9, + "fileName": "positive2.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.hostPID", + "searchValue": "", + "expectedValue": "'spec.template.spec.hostPID' should be set to false or undefined", + "actualValue": "'spec.template.spec.hostPID' is true", + "issueType": "IncorrectValue", + "similarityID": "8530125b81aa7e4f34e94ce209e3b04a9be003a96c5ee9cb01c9b77e9b7e56e2", + "search_line": -1 }, { "queryName": "Shared Host PID Namespace", "severity": "HIGH", - "line": 9, - "fileName": "positive2.yaml" + "line": 6, + "fileName": "positive.yaml", + "resourceType": "Pod", + "resourceName": "security-context-demo", + "searchKey": "metadata.name={{security-context-demo}}.spec.hostPID", + "searchValue": "", + "expectedValue": "'spec.hostPID' should be set to false or undefined", + "actualValue": "'spec.hostPID' is true", + "issueType": "IncorrectValue", + "similarityID": "221b86992263152cb916d1b3599a36e3f4fd751b7e27299af687c38733e691f0", + "search_line": -1 } ] diff --git a/assets/queries/k8s/shared_service_account/test/positive_expected_result.json b/assets/queries/k8s/shared_service_account/test/positive_expected_result.json index 0ac068bac66..53f613047b2 100644 --- a/assets/queries/k8s/shared_service_account/test/positive_expected_result.json +++ b/assets/queries/k8s/shared_service_account/test/positive_expected_result.json 
@@ -1,12 +1,32 @@ [ - { - "queryName": "Shared Service Account", - "severity": "MEDIUM", - "line": 6 - }, - { - "queryName": "Shared Service Account", - "severity": "MEDIUM", - "line": 16 - } + { + "queryName": "Shared Service Account", + "severity": "MEDIUM", + "line": 6, + "fileName": "positive.yaml", + "resourceType": "Pod", + "resourceName": "pod1", + "searchKey": "metadata.name={{pod1}}.spec.serviceAccountName", + "searchValue": "", + "expectedValue": "'spec.serviceAccountName' should not be shared with other workloads", + "actualValue": "'spec.serviceAccountName' is shared with other workloads", + "issueType": "IncorrectValue", + "similarityID": "85454d142604bae625465bcdb00e54b5364edbdab94da52830273e93cdf98e99", + "search_line": -1 + }, + { + "queryName": "Shared Service Account", + "severity": "MEDIUM", + "line": 16, + "fileName": "positive.yaml", + "resourceType": "Pod", + "resourceName": "pod2", + "searchKey": "metadata.name={{pod2}}.spec.serviceAccountName", + "searchValue": "", + "expectedValue": "'spec.serviceAccountName' should not be shared with other workloads", + "actualValue": "'spec.serviceAccountName' is shared with other workloads", + "issueType": "IncorrectValue", + "similarityID": "a97db366ec3f14636c00d786b5437cae9f231c8909d307de1370c42353275a73", + "search_line": -1 + } ] diff --git a/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/test/positive_expected_result.json b/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/test/positive_expected_result.json index 7dc6662744b..41a00276852 100644 --- a/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/test/positive_expected_result.json +++ b/assets/queries/k8s/statefulset_has_no_pod_anti_affinity/test/positive_expected_result.json 
@@ -1,12 +1,32 @@ [ - { - "queryName": "StatefulSet Has No PodAntiAffinity", - "severity": "LOW", - "line": 23 - }, - { - "queryName": "StatefulSet Has No PodAntiAffinity", - "severity": "LOW", - "line": 53 - } + { + "queryName": "StatefulSet Has No PodAntiAffinity", + "severity": "LOW", + "line": 23, + "fileName": "positive.yaml", + "resourceType": "StatefulSet", + "resourceName": "zk-mismatch", + "searchKey": "metadata.name={{zk-mismatch}}.spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution.labelSelector.matchLabels", + "searchValue": "", + "expectedValue": "'spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchLabels' match any label on template metadata", + "actualValue": "'spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchLabels' don't match any label on template metadata", + "issueType": "IncorrectValue", + "similarityID": "f403a51c14169b3d0d899e238864aed00936cc88e7b12ad88e5b8e11f336b026", + "search_line": -1 + }, + { + "queryName": "StatefulSet Has No PodAntiAffinity", + "severity": "LOW", + "line": 53, + "fileName": "positive.yaml", + "resourceType": "StatefulSet", + "resourceName": "zk-noaffinity", + "searchKey": "metadata.name={{zk-noaffinity}}.spec.template.spec.affinity", + "searchValue": "", + "expectedValue": "'spec.template.spec.affinity.podAntiAffinity' should be set", + "actualValue": "'spec.template.spec.affinity.podAntiAffinity' is undefined", + "issueType": "MissingAttribute", + "similarityID": "f1fdacbeed03cbb98cb0fe1dacfc0bca9beff4e6f3ca9ba0183803ba9ca2439a", + "search_line": -1 + } ] diff --git a/assets/queries/k8s/statefulset_requests_storage/test/positive_expected_result.json b/assets/queries/k8s/statefulset_requests_storage/test/positive_expected_result.json index 4e60ad9727d..d18c794f149 100644 
--- a/assets/queries/k8s/statefulset_requests_storage/test/positive_expected_result.json +++ b/assets/queries/k8s/statefulset_requests_storage/test/positive_expected_result.json 
@@ -1,17 +1,47 @@ [ - { - "queryName": "StatefulSet Requests Storage", - "severity": "LOW", - "line": 33 - }, - { - "queryName": "StatefulSet Requests Storage", - "severity": "LOW", - "line": 66 - }, - { - "queryName": "StatefulSet Requests Storage", - "severity": "LOW", - "line": 73 - } + { + "queryName": "StatefulSet Requests Storage", + "severity": "LOW", + "line": 33, + "fileName": "positive.yaml", + "resourceType": "StatefulSet", + "resourceName": "web", + "searchKey": "metadata.name={{web}}.spec.volumeClaimTemplates.spec.resources.requests.storage=1Gi", + "searchValue": "", + "expectedValue": "metadata.name={{web}}.spec.volumeClaimTemplates.spec.resources.requests.storage should not be set", + "actualValue": "metadata.name={{web}}.spec.volumeClaimTemplates.spec.resources.requests.storage is set to 1Gi", + "issueType": "IncorrectValue", + "similarityID": "135cdaa95a41b1c8e583e2ceda8bcd369094710a18e5e24f7cec7004f6adfcde", + "search_line": -1 + }, + { + "queryName": "StatefulSet Requests Storage", + "severity": "LOW", + "line": 66, + "fileName": "positive.yaml", + "resourceType": "StatefulSet", + "resourceName": "web2", + "searchKey": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage=1Gi", + "searchValue": "", + "expectedValue": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage should not be set", + "actualValue": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage is set to 1Gi", + "issueType": "IncorrectValue", + "similarityID": "49e8e496fa4bf9d1b62ca7636dac4e934c7e1ab50b8cfbfb8462d025bd585ee5", + "search_line": -1 + }, + { + "queryName": "StatefulSet Requests Storage", + "severity": "LOW", + "line": 73, + "fileName": "positive.yaml", + "resourceType": "StatefulSet", + "resourceName": "web2", + "searchKey": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage=2Gi", + "searchValue": "", + "expectedValue": 
"metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage should not be set", + "actualValue": "metadata.name={{web2}}.spec.volumeClaimTemplates.spec.resources.requests.storage is set to 2Gi", + "issueType": "IncorrectValue", + "similarityID": "132ee3c0e266dc44122f87f6f3436cf984ebffd226d9b8d8ed0f22c371bd2562", + "search_line": -1 + } ] diff --git a/assets/queries/k8s/statefulset_without_pod_disruption_budget/test/positive_expected_result.json b/assets/queries/k8s/statefulset_without_pod_disruption_budget/test/positive_expected_result.json index fd1b1bf0c83..383ac93f435 100644 --- a/assets/queries/k8s/statefulset_without_pod_disruption_budget/test/positive_expected_result.json +++ b/assets/queries/k8s/statefulset_without_pod_disruption_budget/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "StatefulSet Without PodDisruptionBudget", "severity": "LOW", - "line": 19 + "line": 19, + "fileName": "positive.yaml", + "resourceType": "StatefulSet", + "resourceName": "web", + "searchKey": "metadata.name={{web}}.spec.selector.matchLabels", + "searchValue": "", + "expectedValue": "metadata.name=web is targeted by a PodDisruptionBudget", + "actualValue": "metadata.name=web is not targeted by a PodDisruptionBudget", + "issueType": "MissingAttribute", + "similarityID": "4f7eea0e886f11332c1fb558fbb6d67dd5edcc0dd22690c433cb651e7d966b75", + "search_line": -1 } ] diff --git a/assets/queries/k8s/statefulset_without_service_name/test/positive_expected_result.json b/assets/queries/k8s/statefulset_without_service_name/test/positive_expected_result.json index 218b390f04b..d0ac532ed05 100644 --- a/assets/queries/k8s/statefulset_without_service_name/test/positive_expected_result.json +++ b/assets/queries/k8s/statefulset_without_service_name/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "StatefulSet Without Service Name", "severity": "LOW", - "line": 26 + "line": 26, + "fileName": "positive.yaml", + "resourceType": "StatefulSet", + "resourceName": "web", + "searchKey": "metadata.name=web.spec.serviceName", + "searchValue": "", + "expectedValue": "metadata.name=web.spec.serviceName should refer to a Headless Service", + "actualValue": "metadata.name=web.spec.serviceName doesn't refers to a Headless Service", + "issueType": "IncorrectValue", + "similarityID": "c865aca32d27d6cf22b84cc3542c77d4620069ac574b5d9494a5370766736217", + "search_line": 26 } ] diff --git a/assets/queries/k8s/terminated_pod_garbage_collector_threshold_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/terminated_pod_garbage_collector_threshold_not_properly_set/test/positive_expected_result.json index 8d16690b939..40e545c3ebb 100644 --- a/assets/queries/k8s/terminated_pod_garbage_collector_threshold_not_properly_set/test/positive_expected_result.json +++ b/assets/queries/k8s/terminated_pod_garbage_collector_threshold_not_properly_set/test/positive_expected_result.json 
@@ -1,14 +1,32 @@ [ - { - "queryName": "Terminated Pod Garbage Collector Threshold Not Properly Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive1.yaml" - }, - { - "queryName": "Terminated Pod Garbage Collector Threshold Not Properly Set", - "severity": "MEDIUM", - "line": 11, - "fileName": "positive2.yaml" - } + { + "queryName": "Terminated Pod Garbage Collector Threshold Not Properly Set", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--terminated-pod-gc-threshold flag should be set between 0 and 12501", + "actualValue": "--terminated-pod-gc-threshold flag is set to a incorrect value", + "issueType": "IncorrectValue", + "similarityID": "0b942395a930d45e478d770927d3d4d948fe46cc3087de828bf6b8bbfe972e3f", + "search_line": 11 + }, + { + "queryName": "Terminated Pod Garbage Collector Threshold Not Properly Set", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--terminated-pod-gc-threshold flag should be set between 0 and 12501", + "actualValue": "--terminated-pod-gc-threshold flag is set to a incorrect value", + "issueType": "IncorrectValue", + "similarityID": "94d78e3858ed42790cf3cfb89d72da8cebfb2be373c37d1573a279aca1b33ba6", + "search_line": 11 + } ] diff --git a/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/test/positive_expected_result.json b/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/test/positive_expected_result.json index aa5e9b5b2e6..da6b07f9e76 100644 
--- a/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/test/positive_expected_result.json +++ b/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster/test/positive_expected_result.json @@ -1,12 +1,32 @@ [ - { - "queryName": "Tiller Deployment Is Accessible From Within The Cluster", - "severity": "HIGH", - "line": 21 - }, - { - "queryName": "Tiller Deployment Is Accessible From Within The Cluster", - "severity": "HIGH", - "line": 53 - } + { + "queryName": "Tiller Deployment Is Accessible From Within The Cluster", + "severity": "HIGH", + "line": 21, + "fileName": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "tiller-bad-args", + "searchKey": "metadata.name=tiller-bad-args.spec.template.spec.containers.args", + "searchValue": "", + "expectedValue": "'spec.template.spec.containers[tiller-v2].args' sets the container to listen to localhost", + "actualValue": "'spec.template.spec.containers[tiller-v2].args' is not setting the container to listen to localhost", + "issueType": "IncorrectValue", + "similarityID": "4906127650be5ae1b96a4ba3c3c520ded7e10b37b092bb1c6acb65f7cbab1702", + "search_line": -1 + }, + { + "queryName": "Tiller Deployment Is Accessible From Within The Cluster", + "severity": "HIGH", + "line": 53, + "fileName": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "tiller-deploy-no-args", + "searchKey": "metadata.name=tiller-deploy-no-args.spec.template.spec.containers", + "searchValue": "", + "expectedValue": "'spec.template.spec.containers[tiller-v2].args' should be set", + "actualValue": "'spec.template.spec.containers[tiller-v2].args' is undefined", + "issueType": "MissingAttribute", + "similarityID": "a9c4b6b2c792246b14ea6ca36ba7693a69ca717678677c5e7136ecc63ef7d21c", + "search_line": -1 + } ] 
diff --git a/assets/queries/k8s/tiller_is_deployed/test/positive_expected_result.json b/assets/queries/k8s/tiller_is_deployed/test/positive_expected_result.json index cbf0d880650..6b2db751f1e 100644 --- a/assets/queries/k8s/tiller_is_deployed/test/positive_expected_result.json +++ b/assets/queries/k8s/tiller_is_deployed/test/positive_expected_result.json 
@@ -1,23 +1,62 @@ [ - { - "queryName": "Tiller (Helm v2) Is Deployed", - "severity": "HIGH", - "line": 4 - }, - { - "queryName": "Tiller (Helm v2) Is Deployed", - "severity": "HIGH", - "line": 10 - }, - { - "queryName": "Tiller (Helm v2) Is Deployed", - "severity": "HIGH", - "line": 15 - }, - { - "queryName": "Tiller (Helm v2) Is Deployed", - "severity": "HIGH", - "line": 20 - } - + { + "queryName": "Tiller (Helm v2) Is Deployed", + "severity": "HIGH", + "line": 4, + "fileName": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "tiller-deploy", + "searchKey": "metadata.name={{tiller-deploy}}", + "searchValue": "Deployment", + "expectedValue": "'metadata' of Deployment should not refer to any Tiller resource", + "actualValue": "'metadata' of Deployment refers to a Tiller resource", + "issueType": "IncorrectValue", + "similarityID": "22bfc5acf632b8ba8fd3c2f8163dd2b4975791a0dd9ed18ed57981e92db3b127", + "search_line": 4 + }, + { + "queryName": "Tiller (Helm v2) Is Deployed", + "severity": "HIGH", + "line": 10, + "fileName": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "tiller-deploy", + "searchKey": "metadata.name={{tiller-deploy}}.spec.containers", + "searchValue": "Deployment", + "expectedValue": "'spec.containers' of Deployment shouldn't have any Tiller containers", + "actualValue": "'spec.containers' of Deployment contains a Tiller container", + "issueType": "IncorrectValue", + "similarityID": "ee8a622426f68e02e6a3a1eaf3b8922c204251ff1e3768f8e17780d0ac81c07a", + "search_line": 10 + }, + { + "queryName": "Tiller (Helm v2) Is Deployed", + "severity": "HIGH", + "line": 15, + "fileName": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "tiller-deploy", + "searchKey": "metadata.name={{tiller-deploy}}.spec.template.metadata", + "searchValue": "Deployment", + "expectedValue": "'spec.template.metadata' should not refer to any Tiller resource%!(EXTRA string=Deployment)", + "actualValue": "'spec.template.metadata' 
refers to a Tiller resource%!(EXTRA string=Deployment)", + "issueType": "IncorrectValue", + "similarityID": "0d78162d23431af13fbe4dabd9bb41414be935bc576b9f4329852dbb86b18821", + "search_line": 15 + }, + { + "queryName": "Tiller (Helm v2) Is Deployed", + "severity": "HIGH", + "line": 20, + "fileName": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "tiller-deploy", + "searchKey": "metadata.name={{tiller-deploy}}.spec.template.spec.containers", + "searchValue": "Deployment", + "expectedValue": "'spec.template.spec.containers' of Deployment shouldn't have any Tiller containers", + "actualValue": "'spec.template.spec.containers' of Deployment contains a Tiller container", + "issueType": "IncorrectValue", + "similarityID": "3cb8ca072bf9f53b5213fa7f4325be66bf505fbdefda458234a0523fe7b24b0d", + "search_line": 20 + } ] diff --git a/assets/queries/k8s/tiller_service_is_not_deleted/test/positive_expected_result.json b/assets/queries/k8s/tiller_service_is_not_deleted/test/positive_expected_result.json index d1f4f0d303e..6a72d6915fe 100644 --- a/assets/queries/k8s/tiller_service_is_not_deleted/test/positive_expected_result.json +++ b/assets/queries/k8s/tiller_service_is_not_deleted/test/positive_expected_result.json 
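Review bot: The regenerated values for the line-15 entry of tiller_is_deployed, `'spec.template.metadata' should not refer to any Tiller resource%!(EXTRA string=Deployment)` and its actualValue twin, carry a Go fmt artifact (`%!(EXTRA ...)` appears when a format call is handed more arguments than the template has verbs), and committing them as expected results pins that defect as correct behaviour. The fix belongs in the query's message construction, not in this fixture; once the template consumes or drops the extra argument the file should be regenerated so both values read `'spec.template.metadata' should not refer to any Tiller resource` / `'spec.template.metadata' refers to a Tiller resource`, in line with the other three entries. The same pattern of snapshotting a message-level oddity shows up in the tiller_service_is_not_deleted hunk (`metadata.labels.Service of name contains 'tiller'` and `spec.selector.Service of name contains 'tiller'` read as swapped format arguments) and in statefulset_without_service_name (`doesn't refers to a Headless Service`). Since expectedValue and actualValue are now part of the comparison, each of these would need the query fixed and the fixture regenerated together rather than edited by hand.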
@@ -1,17 +1,47 @@ [ - { - "queryName": "Tiller Service Is Not Deleted", - "severity": "HIGH", - "line": 4 - }, - { - "queryName": "Tiller Service Is Not Deleted", - "severity": "HIGH", - "line": 7 - }, - { - "queryName": "Tiller Service Is Not Deleted", - "severity": "HIGH", - "line": 12 - } + { + "queryName": "Tiller Service Is Not Deleted", + "severity": "HIGH", + "line": 4, + "fileName": "positive.yaml", + "resourceType": "Service", + "resourceName": "tiller-deploy", + "searchKey": "metadata.name={{tiller-deploy}}", + "searchValue": "Service", + "expectedValue": "metadata.name of Service should not contain 'tiller'", + "actualValue": "metadata.name of Service contains 'tiller'", + "issueType": "IncorrectValue", + "similarityID": "11e89a10f2b3615f5fb337a51a138095c52f0ab8b5b6a025e5cad63e336634e4", + "search_line": 4 + }, + { + "queryName": "Tiller Service Is Not Deleted", + "severity": "HIGH", + "line": 7, + "fileName": "positive.yaml", + "resourceType": "Service", + "resourceName": "tiller-deploy", + "searchKey": "metadata.name={{tiller-deploy}}", + "searchValue": "Service", + "expectedValue": "metadata.labels of Service should not have values that contain 'tiller'", + "actualValue": "metadata.labels.Service of name contains 'tiller'", + "issueType": "IncorrectValue", + "similarityID": "c6b30f10191a2f28c0839ece7c8a90b346c947c3e216c3d37154b277545f5c97", + "search_line": 7 + }, + { + "queryName": "Tiller Service Is Not Deleted", + "severity": "HIGH", + "line": 12, + "fileName": "positive.yaml", + "resourceType": "Service", + "resourceName": "tiller-deploy", + "searchKey": "metadata.name={{tiller-deploy}}.spec.selector.name", + "searchValue": "Service", + "expectedValue": "spec.selector of Service should not have values that contain 'tiller'", + "actualValue": "spec.selector.Service of name contains 'tiller'", + "issueType": "IncorrectValue", + "similarityID": "03f9c4ac15ee3b8906b6440a30c2289caf95be38a08e6835962950e6c633c897", + "search_line": 12 + } ] 
diff --git a/assets/queries/k8s/tls_connection_certificate_not_setup/test/positive_expected_result.json b/assets/queries/k8s/tls_connection_certificate_not_setup/test/positive_expected_result.json index 6d46ad24a64..0f61fafe27f 100644 --- a/assets/queries/k8s/tls_connection_certificate_not_setup/test/positive_expected_result.json +++ b/assets/queries/k8s/tls_connection_certificate_not_setup/test/positive_expected_result.json 
@@ -3,30 +3,75 @@ "queryName": "TSL Connection Certificate Not Setup", "severity": "MEDIUM", "line": 11, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "--tls-cert-file", + "expectedValue": "TLS --tls-cert-file connection setting should be set", + "actualValue": "TLS --tls-cert-file connection not set", + "issueType": "MissingAttribute", + "similarityID": "39808c5e9b140ba2cdabefca6260a14d35416fa971e4b97b3a22d0843c227aae", + "search_line": 11 }, { "queryName": "TSL Connection Certificate Not Setup", "severity": "MEDIUM", "line": 11, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "--tls-private-key-file", + "expectedValue": "TLS --tls-private-key-file connection setting should be set", + "actualValue": "TLS --tls-private-key-file connection not set", + "issueType": "MissingAttribute", + "similarityID": "40c017b864d1e05911c7a2205954a5a1033c9f32c28bdea1b05015a6c7b6ef3e", + "search_line": 11 }, { "queryName": "TSL Connection Certificate Not Setup", "severity": "MEDIUM", "line": 2, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}", + "searchValue": "tlsCertFile", + "expectedValue": "TLS tlsCertFile connection setting should be set", + "actualValue": "TLS tlsCertFile connection not set", + "issueType": "MissingAttribute", + "similarityID": "a4c69270f56643c01f7791204dcae53159ff11ac265edf47bc6b15dd33a36f90", + "search_line": 2 }, { "queryName": "TSL Connection Certificate Not Setup", "severity": "MEDIUM", "line": 2, - "filename": "positive2.yaml" + "fileName": 
"positive2.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}", + "searchValue": "tlsPrivateKeyFile", + "expectedValue": "TLS tlsPrivateKeyFile connection setting should be set", + "actualValue": "TLS tlsPrivateKeyFile connection not set", + "issueType": "MissingAttribute", + "similarityID": "8b1fe23a5c17aef9b86bef4b92d59551faf57f5c61df2565e114206192a4745e", + "search_line": 2 }, { "queryName": "TSL Connection Certificate Not Setup", "severity": "MEDIUM", "line": 2, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}", + "searchValue": "tlsPrivateKeyFile", + "expectedValue": "TLS tlsPrivateKeyFile connection setting should be set", + "actualValue": "TLS tlsPrivateKeyFile connection not set", + "issueType": "MissingAttribute", + "similarityID": "926e202a5b0e07e2b68c7e3237e18a601716426feb612e31dd353828f1be841c", + "search_line": 2 } ] diff --git a/assets/queries/k8s/token_auth_file_is_set/test/positive_expected_result.json b/assets/queries/k8s/token_auth_file_is_set/test/positive_expected_result.json index 5c25b795c94..55f1e3972e4 100644 --- a/assets/queries/k8s/token_auth_file_is_set/test/positive_expected_result.json +++ b/assets/queries/k8s/token_auth_file_is_set/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Token Auth File Is Set", "severity": "HIGH", "line": 11, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--token-auth-file flag should not be set", + "actualValue": "--token-auth-file flag is set", + "issueType": "IncorrectValue", + "similarityID": "0c4cce42bcb9e94626f3d1f2f8edc01300b0ca53d3f4360202241672f97d969a", + "search_line": 11 }, { "queryName": "Token Auth File Is Set", "severity": "HIGH", "line": 11, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--token-auth-file flag should not be set", + "actualValue": "--token-auth-file flag is set", + "issueType": "IncorrectValue", + "similarityID": "359bff1a7c206c71c519dbc1835183b778b5ab148eba37324afbee7085ee41ec", + "search_line": 11 } ] diff --git a/assets/queries/k8s/use_service_account_credentials_not_set_to_true/test/positive_expected_result.json b/assets/queries/k8s/use_service_account_credentials_not_set_to_true/test/positive_expected_result.json index 5d48942e668..ca614a97522 100644 --- a/assets/queries/k8s/use_service_account_credentials_not_set_to_true/test/positive_expected_result.json +++ b/assets/queries/k8s/use_service_account_credentials_not_set_to_true/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Use Service Account Credentials Not Set To True", "severity": "MEDIUM", "line": 11, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--use-service-account-credentials flag should be set to true", + "actualValue": "--use-service-account-credentials flag is set to false", + "issueType": "IncorrectValue", + "similarityID": "67c32cb3bee8b76edb3f0d62b4307d6f0a30c5fa68c365a85a3dca0ecb417040", + "search_line": 11 }, { "queryName": "Use Service Account Credentials Not Set To True", "severity": "MEDIUM", "line": 11, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "--use-service-account-credentials flag should be defined and set to true", + "actualValue": "--use-service-account-credentials flag is not defined", + "issueType": "MissingAttribute", + "similarityID": "55aecd92f21a5aa6cf05dd86f61fccfd54066c7de5c4d05d540b9680b580f33a", + "search_line": 11 } -] \ No newline at end of file +] diff --git a/assets/queries/k8s/using_kubernetes_native_secret_management/test/positive_expected_result.json b/assets/queries/k8s/using_kubernetes_native_secret_management/test/positive_expected_result.json index 3f40317c868..90f9bd0472b 100644 --- a/assets/queries/k8s/using_kubernetes_native_secret_management/test/positive_expected_result.json +++ b/assets/queries/k8s/using_kubernetes_native_secret_management/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Using Kubernetes Native Secret Management", "severity": "INFO", "line": 4, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Secret", + "resourceName": "cluster-secrets", + "searchKey": "metadata.name={{cluster-secrets}}", + "searchValue": "", + "expectedValue": "External secret storage should be used", + "actualValue": "External secret storage is not in use", + "issueType": "MissingAttribute", + "similarityID": "1c7902a212fd79115434745dbb10a35a1c2a09243ac3bc5d19d592c76e89a790", + "search_line": 4 } ] diff --git a/assets/queries/k8s/using_unrecommended_namespace/test/positive_expected_result.json b/assets/queries/k8s/using_unrecommended_namespace/test/positive_expected_result.json index 08c4f42f9fd..93d922c0dac 100644 --- a/assets/queries/k8s/using_unrecommended_namespace/test/positive_expected_result.json +++ b/assets/queries/k8s/using_unrecommended_namespace/test/positive_expected_result.json 
@@ -3,30 +3,75 @@ "queryName": "Using Unrecommended Namespace", "severity": "MEDIUM", "line": 5, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "frontend", + "searchKey": "metadata.name={{frontend}}.namespace", + "searchValue": "Pod", + "expectedValue": "'metadata.namespace' should not be set to default, kube-system or kube-public", + "actualValue": "'metadata.namespace' is set to default", + "issueType": "IncorrectValue", + "similarityID": "0be3f98f7ba1ca262fd31d9446f2e80c9401386a33894dd6af6235aa1bc86220", + "search_line": 5 }, { "queryName": "Using Unrecommended Namespace", "severity": "MEDIUM", "line": 4, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "frontend2", + "searchKey": "kind={{Pod}}.metadata.name={{frontend2}}", + "searchValue": "Pod", + "expectedValue": "metadata.namespace should be defined and not null", + "actualValue": "metadata.namespace is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "698bde8011bba82450e4433e794df2459efd674d2c484b5bd103a4051052ea2e", + "search_line": 4 }, { "queryName": "Using Unrecommended Namespace", "severity": "MEDIUM", "line": 5, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "Pod", + "resourceName": "mongo.db.collection.com", + "searchKey": "metadata.name={{mongo.db.collection.com}}.namespace", + "searchValue": "Pod", + "expectedValue": "'metadata.namespace' should not be set to default, kube-system or kube-public", + "actualValue": "'metadata.namespace' is set to kube-public", + "issueType": "IncorrectValue", + "similarityID": "1297d4f1a9d169ceba0fe3d3988febb511b5d3e5b3a8c66386728a66b6cf1cba", + "search_line": 5 }, { "queryName": "Using Unrecommended Namespace", "severity": "MEDIUM", "line": 5, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "Pod", + "resourceName": "mongo.db.collection.com", + "searchKey": 
"metadata.name={{mongo.db.collection.com}}.namespace", + "searchValue": "Pod", + "expectedValue": "'metadata.namespace' should not be set to default, kube-system or kube-public", + "actualValue": "'metadata.namespace' is set to kube-system", + "issueType": "IncorrectValue", + "similarityID": "42e0276d020c5f2d3559a33352765a92607ed4e6643240af0fac4c1d72f965b0", + "search_line": 5 }, { "queryName": "Using Unrecommended Namespace", "severity": "MEDIUM", "line": 5, - "filename": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.namespace", + "searchValue": "Configuration", + "expectedValue": "'metadata.namespace' should not be set to default, kube-system or kube-public", + "actualValue": "'metadata.namespace' is set to default", + "issueType": "IncorrectValue", + "similarityID": "734d3cfd161d9b169b31cd64ba0a632523c6c35e87bcf8ea699d743b2baebf73", + "search_line": 5 } ] diff --git a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json index 2882a804407..37415ad4960 100644 --- a/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json +++ b/assets/queries/k8s/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json 
@@ -3,60 +3,150 @@ "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 10, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod-0", + "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}}", + "searchValue": "PodreadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}} should be defined and set to true and Enabled, respectively", + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}}%!(EXTRA string=pod-0, string=spec, string=containers, string=pod-0, string=vol-0)", + "issueType": "MissingAttribute", + "similarityID": "704c83080d731542b728638055d79d63b500a37fd361025d648f85a12a9a8157", + "search_line": 10 }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 12, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod-0", + "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}", + "searchValue": "PodreadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} should be defined and set to true and Enabled, respectively", + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}%!(EXTRA string=pod-0, string=spec, string=containers, string=pod-0, string=vol-1)", + "issueType": "MissingAttribute", + "similarityID": "09e134b3e6d9c5a59aecefaf0ae97454ed1a6f3040ce967863b53ef2631942a9", + "search_line": 12 }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 12, - 
"fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod-0", + "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}", + "searchValue": "PodrecursiveReadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to true and Enabled, respectively", + "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively", + "issueType": "IncorrectValue", + "similarityID": "e9e66737a4332aadf3e12f1e2e74747867b7d9231493b437f9ce8e8a3b233667", + "search_line": 12 }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 36, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod-1", + "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}", + "searchValue": "PodreadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}} should be defined and set to true and Enabled, respectively", + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}%!(EXTRA string=pod-1, string=spec, string=containers, string=pod-1, string=vol-0)", + "issueType": "MissingAttribute", + "similarityID": "db51896005d822563aef097cd9cdbc1ec1647d924900a0998bb366a4552b6f62", + "search_line": 36 }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 39, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod-1", + "searchKey": 
"metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}}", + "searchValue": "PodreadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} are set to true and Enabled, respectively", + "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively", + "issueType": "IncorrectValue", + "similarityID": "7360b6d140c8086bb1626f47d7a53dd77f9283d54c5bb3a0e19da929fd73460e", + "search_line": 39 }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 39, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "pod-1", + "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}}", + "searchValue": "PodrecursiveReadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} should be defined and set to true and Enabled, respectively", + "actualValue": "Either readOnly or recursiveReadOnly is missing in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}}%!(EXTRA string=pod-1, string=spec, string=containers, string=pod-1, string=vol-1)", + "issueType": "MissingAttribute", + "similarityID": "eb0e5b47601c001b102f1b28f0350aa6488e475da37901131c2404f260978b47", + "search_line": 39 }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 10, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "pod-0", + "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}}", + "searchValue": "PodreadOnly", + "expectedValue": "The properties readOnly and 
recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}} are set to true and Enabled, respectively", + "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-0}} are set to false or Disabled, respectively", + "issueType": "IncorrectValue", + "similarityID": "81ccbe024b4c7c448941ec3b8174126ddf5831af121de0db8968968819bd727e", + "search_line": 10 }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 14, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "pod-0", + "searchKey": "metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}}", + "searchValue": "PodreadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to true and Enabled, respectively", + "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-0}}.spec.containers.name={{pod-0}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively", + "issueType": "IncorrectValue", + "similarityID": "cdb11f600e4eafbf7217b0a45bdac182085cd44d70c8ffe06ea1778ada027ba2", + "search_line": 14 }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 33, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "pod-1", + "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}", + "searchValue": "PodrecursiveReadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}} should be defined and set to true and Enabled, respectively", + "actualValue": "Either readOnly or recursiveReadOnly is missing 
in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-0}}%!(EXTRA string=pod-1, string=spec, string=containers, string=pod-1, string=vol-0)", + "issueType": "MissingAttribute", + "similarityID": "6076f7c1881a55c85c48404343228840121551f5b5685fbefc174e63bf47277d", + "search_line": 33 }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 36, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "pod-1", + "searchKey": "metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}}", + "searchValue": "PodrecursiveReadOnly", + "expectedValue": "The properties readOnly and recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} are set to true and Enabled, respectively", + "actualValue": "The properties readOnly or recursiveReadOnly in metadata.name={{pod-1}}.spec.containers.name={{pod-1}}.volumeMounts.name={{vol-1}} are set to false or Disabled, respectively", + "issueType": "IncorrectValue", + "similarityID": "ed19a8b6a170387eb553caae9ff3ac43d112072b8a3e957f058975028955436f", + "search_line": 36 } ] diff --git a/assets/queries/k8s/weak_tls_cipher_suites/test/positive_expected_result.json b/assets/queries/k8s/weak_tls_cipher_suites/test/positive_expected_result.json index 4cf484c04f2..0334c9d9c89 100644 --- a/assets/queries/k8s/weak_tls_cipher_suites/test/positive_expected_result.json +++ b/assets/queries/k8s/weak_tls_cipher_suites/test/positive_expected_result.json 
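Review bot: The `actualValue` strings on the MissingAttribute entries in this hunk (vol-0 and vol-1 of pod-0 and pod-1 in positive1.yaml, vol-0 of pod-1 in positive2.yaml) end in `%!(EXTRA string=pod-0, string=spec, string=containers, string=pod-0, string=vol-0)`, which is the residue Go's fmt emits when a format string receives more arguments than it has verbs; committing it as the expected result freezes a malformed finding message into the test suite instead of flagging it. The defect presumably lives in the query's message template (not visible in this diff), and the fixture should be regenerated only after that sprintf call is fixed, since every consumer of the scan output (SARIF, JSON reports, PR comments) will otherwise render this garbage. It would also be worth making the generator refuse to write such output, e.g. `if "%!(" in entry.actualValue or "%!(" in entry.expectedValue: raise ScanFailure(f"malformed fmt output in {query_id}")`, so this class of bug cannot be baked into expected results again.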
@@ -1,27 +1,62 @@ [ - { - "queryName": "Weak TLS Cipher Suites", - "severity": "MEDIUM", - "line": 11, - "filename": "positive1.yaml" - }, - { - "queryName": "Weak TLS Cipher Suites", - "severity": "MEDIUM", - "line": 11, - "filename": "positive2.yaml" - }, - { - "queryName": "Weak TLS Cipher Suites", - "severity": "MEDIUM", - "line": 9, - "filename": "positive3.yaml" - }, - { - "queryName": "Weak TLS Cipher Suites", - "severity": "MEDIUM", - "line": 2, - "filename": "positive4.json" - } - ] - \ No newline at end of file + { + "queryName": "Weak TLS Cipher Suites", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive1.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "TLS cipher suites should use strong ciphers", + "actualValue": "TLS cipher suites uses a weak cipher", + "issueType": "IncorrectValue", + "similarityID": "b4113b0a8aea2ed8c2132e6a531dc5a2c73668d6e871e7686c271bb064533247", + "search_line": 11 + }, + { + "queryName": "Weak TLS Cipher Suites", + "severity": "MEDIUM", + "line": 11, + "fileName": "positive2.yaml", + "resourceType": "Pod", + "resourceName": "command-demo", + "searchKey": "metadata.name={{command-demo}}.spec.containers.name={{command-demo-container}}.command", + "searchValue": "", + "expectedValue": "TLS cipher suites should use strong ciphers", + "actualValue": "TLS cipher suites uses a weak cipher", + "issueType": "IncorrectValue", + "similarityID": "199ba32e527646e09e6b70b85eb2aee7d32dd3f2df1876c31231b2681cd9c46f", + "search_line": 11 + }, + { + "queryName": "Weak TLS Cipher Suites", + "severity": "MEDIUM", + "line": 9, + "fileName": "positive3.yaml", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}.tlsCipherSuites", + "searchValue": "", + "expectedValue": "TLS cipher suites should use strong ciphers", + 
"actualValue": "TLS cipher suites uses a weak cipher", + "issueType": "IncorrectValue", + "similarityID": "57f176a3e4fbc7fb6eaea25595f389d24c0e1ae6eafa2504374f75f42a733c5b", + "search_line": -1 + }, + { + "queryName": "Weak TLS Cipher Suites", + "severity": "MEDIUM", + "line": 2, + "fileName": "positive4.json", + "resourceType": "KubeletConfiguration", + "resourceName": "n/a", + "searchKey": "kind={{KubeletConfiguration}}", + "searchValue": "", + "expectedValue": "KubeletConfiguration should have 'tlsCipherSuites' attribute with strong ciphers defined", + "actualValue": "TLS cipher suites are not defined", + "issueType": "MissingAttribute", + "similarityID": "c9c7d91bdb2e290964b4fe4d98778d2e7efed00a95e9ed42a33e17e5f35d354c", + "search_line": -1 + } +] diff --git a/assets/queries/k8s/workload_host_port_not_specified/test/positive_expected_result.json b/assets/queries/k8s/workload_host_port_not_specified/test/positive_expected_result.json index 103391eb164..304afce4f59 100644 --- a/assets/queries/k8s/workload_host_port_not_specified/test/positive_expected_result.json +++ b/assets/queries/k8s/workload_host_port_not_specified/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Workload Host Port Not Specified", "severity": "LOW", - "line": 9 + "line": 9, + "fileName": "positive.yaml", + "resourceType": "Pod", + "resourceName": "firstpod", + "searchKey": "metadata.name=firstpod.spec.containers.name=container.ports", + "searchValue": "", + "expectedValue": "spec[firstpod].containers[container].ports[10.0.0.1].hostPort should not be defined", + "actualValue": "spec[firstpod].containers[container].ports[10.0.0.1].hostPort is defined", + "issueType": "IncorrectValue", + "similarityID": "5aba0c663de7177ffb869b3bea44ddd355160db00fe7d0ddcea792ae3c745a13", + "search_line": -1 }, { "queryName": "Workload Host Port Not Specified", "severity": "LOW", - "line": 24 + "line": 24, + "fileName": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "secondpod", + "searchKey": "metadata.name=secondpod.spec.template.spec.containers.name=container2.ports", + "searchValue": "", + "expectedValue": "spec[secondpod].template.spec.containers[container2].ports[10.0.0.2].hostPort should not be defined", + "actualValue": "spec[secondpod].template.spec.containers[container2].ports[10.0.0.2].hostPort is defined", + "issueType": "IncorrectValue", + "similarityID": "372c5a94ef0ccaf6f9195847a882d51ee32e97c743c3207fcbab99440603f503", + "search_line": -1 } ] diff --git a/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json b/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json index 459bc1f3e8a..d16de71b837 100644 --- a/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json +++ b/assets/queries/k8s/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json 
@@ -2,66 +2,196 @@ { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 66 + "line": 66, + "fileName": "positive.yaml", + "resourceType": "DaemonSet", + "resourceName": "exporter-prometheus-node-exporter", + "searchKey": "metadata.name={{exporter-prometheus-node-exporter}}.spec.template.spec.volumes.name={{proc}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'exporter-prometheus-node-exporter' of kind 'DaemonSet' should not mount a host sensitive OS directory '/proc' with hostPath", + "actualValue": "Workload name 'exporter-prometheus-node-exporter' of kind 'DaemonSet' is mounting a host sensitive OS directory '/proc' with hostPath", + "issueType": "IncorrectValue", + "similarityID": "46a98645faa2c784f1c65b5ad038e1eb90491d38203dbdff8a6e53c59ca2505c", + "search_line": 66 }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 112 + "line": 70, + "fileName": "positive.yaml", + "resourceType": "DaemonSet", + "resourceName": "exporter-prometheus-node-exporter", + "searchKey": "metadata.name={{exporter-prometheus-node-exporter}}.spec.template.spec.volumes.name={{sys}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'exporter-prometheus-node-exporter' of kind 'DaemonSet' should not mount a host sensitive OS directory '/sys' with hostPath", + "actualValue": "Workload name 'exporter-prometheus-node-exporter' of kind 'DaemonSet' is mounting a host sensitive OS directory '/sys' with hostPath", + "issueType": "IncorrectValue", + "similarityID": "81ea8fc39ee74abfac349ecf58a465c5412049f5fa7ddda3eb7fc80cb5bcfdfe", + "search_line": 70 }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 115 + "line": 112, + "fileName": "positive.yaml", + "resourceType": "DaemonSet", + "resourceName": "fluentd-elasticsearch", + "searchKey": 
"metadata.name={{fluentd-elasticsearch}}.spec.template.spec.volumes.name={{varlog}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'fluentd-elasticsearch' of kind 'DaemonSet' should not mount a host sensitive OS directory '/var/log' with hostPath", + "actualValue": "Workload name 'fluentd-elasticsearch' of kind 'DaemonSet' is mounting a host sensitive OS directory '/var/log' with hostPath", + "issueType": "IncorrectValue", + "similarityID": "2df1c3accb1c1414ddad44ece40c473d0384372d8e1b94dc29cb9d2e6740d19b", + "search_line": 112 }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 145 + "line": 115, + "fileName": "positive.yaml", + "resourceType": "DaemonSet", + "resourceName": "fluentd-elasticsearch", + "searchKey": "metadata.name={{fluentd-elasticsearch}}.spec.template.spec.volumes.name={{varlibdockercontainers}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'fluentd-elasticsearch' of kind 'DaemonSet' should not mount a host sensitive OS directory '/var/lib/docker/containers' with hostPath", + "actualValue": "Workload name 'fluentd-elasticsearch' of kind 'DaemonSet' is mounting a host sensitive OS directory '/var/lib/docker/containers' with hostPath", + "issueType": "IncorrectValue", + "similarityID": "d409d997729baec44c0228cb3259fa8a3bd6a84ecd1fd89acefbcb05ec95e871", + "search_line": 115 }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 175 + "line": 145, + "fileName": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "nginx-deployment", + "searchKey": "metadata.name={{nginx-deployment}}.spec.template.spec.volumes.name={{static-page-dir}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'nginx-deployment' of kind 'Deployment' should not mount a host sensitive OS directory '/var/local/static' with hostPath", + "actualValue": "Workload name 'nginx-deployment' of kind 'Deployment' is 
mounting a host sensitive OS directory '/var/local/static' with hostPath", + "issueType": "IncorrectValue", + "similarityID": "b7b6f340254ba0c06f8a343f4ad71dac1cc10212c02a644833e38f1e5573a8d0", + "search_line": 145 }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 193 + "line": 175, + "fileName": "positive.yaml", + "resourceType": "Deployment", + "resourceName": "nginx-deployment-undefined-ns", + "searchKey": "metadata.name={{nginx-deployment-undefined-ns}}.spec.template.spec.volumes.name={{static-page-dir}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'nginx-deployment-undefined-ns' of kind 'Deployment' should not mount a host sensitive OS directory '/root/local/static' with hostPath", + "actualValue": "Workload name 'nginx-deployment-undefined-ns' of kind 'Deployment' is mounting a host sensitive OS directory '/root/local/static' with hostPath", + "issueType": "IncorrectValue", + "similarityID": "74f0f9ff22cf49d747d53d4a81818c7fde399cd7453f4be2a166569fa672e153", + "search_line": 175 }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 203 + "line": 193, + "fileName": "positive.yaml", + "resourceType": "Pod", + "resourceName": "redis-memcache", + "searchKey": "metadata.name={{redis-memcache}}.spec.volumes.name={{redis-storage}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'redis-memcache' of kind 'Pod' should not mount a host sensitive OS directory '/var/redis/data' with hostPath", + "actualValue": "Workload name 'redis-memcache' of kind 'Pod' is mounting a host sensitive OS directory '/var/redis/data' with hostPath", + "issueType": "IncorrectValue", + "similarityID": "7861eeade50a89190d7a715126b17eafad3daf3f86f42949de6ba60de6070ddd", + "search_line": 193 }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 229 + "line": 203, + "fileName": "positive.yaml", + "resourceType": "Pod", 
+ "resourceName": "web-server-pod", + "searchKey": "metadata.name={{web-server-pod}}.spec.volumes.name={{nginx-host-config}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'web-server-pod' of kind 'Pod' should not mount a host sensitive OS directory '/etc/nginx' with hostPath", + "actualValue": "Workload name 'web-server-pod' of kind 'Pod' is mounting a host sensitive OS directory '/etc/nginx' with hostPath", + "issueType": "IncorrectValue", + "similarityID": "f50d8b23d213ea1a4f6966698c29f07d68694fff9dbbdd9f7a5c1d174fb06d78", + "search_line": 203 }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 250 + "line": 229, + "fileName": "positive.yaml", + "resourceType": "Pod", + "resourceName": "malicious-pod", + "searchKey": "metadata.name={{malicious-pod}}.spec.volumes.name={{rootdir}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'malicious-pod' of kind 'Pod' should not mount a host sensitive OS directory '/' with hostPath", + "actualValue": "Workload name 'malicious-pod' of kind 'Pod' is mounting a host sensitive OS directory '/' with hostPath", + "issueType": "IncorrectValue", + "similarityID": "1ea349ea2ed24ca1a7e043bd5a8164b77b9b13a9957017aa72c4539ec7f61613", + "search_line": 229 }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 265 + "line": 250, + "fileName": "positive.yaml", + "resourceType": "Pod", + "resourceName": "dood", + "searchKey": "metadata.name={{dood}}.spec.volumes.name={{docker-sock}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'dood' of kind 'Pod' should not mount a host sensitive OS directory '/var/run' with hostPath", + "actualValue": "Workload name 'dood' of kind 'Pod' is mounting a host sensitive OS directory '/var/run' with hostPath", + "issueType": "IncorrectValue", + "similarityID": "a93b1a9d31fa85e5a421d57a6994df87dc2ba005be007daaa6d382ea2a0c518b", + "search_line": 250 }, { 
"queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 280 + "line": 265, + "fileName": "positive.yaml", + "resourceType": "PersistentVolume", + "resourceName": "pv-001", + "searchKey": "metadata.name={{pv-001}}.spec.hostPath.path", + "searchValue": "", + "expectedValue": "PersistentVolume name 'pv-001' of kind 'PersistentVolume' should not mount a host sensitive OS directory '/dev/tty1' with hostPath", + "actualValue": "PersistentVolume name 'pv-001' of kind 'PersistentVolume' is mounting a host sensitive OS directory '/dev/tty1' with hostPath", + "issueType": "IncorrectValue", + "similarityID": "0f78c84959dd2d26de83ec9581b279fe81c3ac0ad67cabcb36278c225e305f65", + "search_line": 265 }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 70 + "line": 280, + "fileName": "positive.yaml", + "resourceType": "PersistentVolume", + "resourceName": "pv-002", + "searchKey": "metadata.name={{pv-002}}.spec.hostPath.path", + "searchValue": "", + "expectedValue": "PersistentVolume name 'pv-002' of kind 'PersistentVolume' should not mount a host sensitive OS directory '/boot' with hostPath", + "actualValue": "PersistentVolume name 'pv-002' of kind 'PersistentVolume' is mounting a host sensitive OS directory '/boot' with hostPath", + "issueType": "IncorrectValue", + "similarityID": "82309d6669443b5c2ac392f4171279a694990059c1bd898cd72d1c9e84dbb319", + "search_line": 280 }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 299 + "line": 299, + "fileName": "positive.yaml", + "resourceType": "Configuration", + "resourceName": "dummy-config", + "searchKey": "metadata.name={{dummy-config}}.spec.template.spec.volumes.name={{rootdir}}.hostPath.path", + "searchValue": "", + "expectedValue": "Workload name 'dummy-config' of kind 'Configuration' should not mount a host sensitive OS directory '/' with hostPath", + "actualValue": "Workload name 'dummy-config' of kind 
'Configuration' is mounting a host sensitive OS directory '/' with hostPath", + "issueType": "IncorrectValue", + "similarityID": "90bcfdd1011f69080c90ea66c5dda42a5bbaab235b167417c96f041870e20a38", + "search_line": 299 } -] \ No newline at end of file +] diff --git a/assets/queries/knative/serving_revision_spec_without_timeout_settings/test/positive_expected_result.json b/assets/queries/knative/serving_revision_spec_without_timeout_settings/test/positive_expected_result.json index 7186c53d487..e24653f268a 100644 --- a/assets/queries/knative/serving_revision_spec_without_timeout_settings/test/positive_expected_result.json +++ b/assets/queries/knative/serving_revision_spec_without_timeout_settings/test/positive_expected_result.json 
@@ -1,14 +1,32 @@ [ - { - "queryName": "Serving Revision Spec Without Timeout Seconds", - "severity": "INFO", - "line": 7, - "fileName": "positive1.yaml" - }, - { - "queryName": "Serving Revision Spec Without Timeout Seconds", - "severity": "INFO", - "line": 42, - "fileName": "positive1.yaml" - } + { + "queryName": "Serving Revision Spec Without Timeout Seconds", + "severity": "INFO", + "line": 7, + "fileName": "positive1.yaml", + "resourceType": "Service", + "resourceName": "dummy", + "searchKey": "metadata.name={{dummy}}.spec.template.spec", + "searchValue": "", + "expectedValue": "Service should have 'timeoutSeconds' defined in 'template.spec'", + "actualValue": "Service 'timeoutSeconds' is not defined in 'template.spec'", + "issueType": "MissingAttribute", + "similarityID": "99afa0c4a566a58de26ef7f289b89b3de7f657259d7e11aff30ad40e5bf94e4f", + "search_line": 7 + }, + { + "queryName": "Serving Revision Spec Without Timeout Seconds", + "severity": "INFO", + "line": 42, + "fileName": "positive1.yaml", + "resourceType": "Service", + "resourceName": "dummy", + "searchKey": "metadata.name={{dummy}}.spec.template.spec.timeoutSeconds", + "searchValue": "", + "expectedValue": "Service should have 'timeoutSeconds' defined to a value higher than '0'", + "actualValue": "Service 'timeoutSeconds' is set to '0'", + "issueType": "IncorrectValue", + "similarityID": "8ebbe4dc285b36200f6d09778b365eb15b8cc8c946faf22e47460801c76768b8", + "search_line": 42 + } ] diff --git a/assets/queries/openAPI/2.0/basepath_with_wrong_format/test/positive_expected_result.json b/assets/queries/openAPI/2.0/basepath_with_wrong_format/test/positive_expected_result.json index 02fa6c3cbbb..57a426dc630 100644 --- a/assets/queries/openAPI/2.0/basepath_with_wrong_format/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/basepath_with_wrong_format/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "BasePath With Wrong Format", "severity": "INFO", "line": 7, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "basePath={{api/incorrect}}", + "searchValue": "", + "expectedValue": "'basePath' value matches the pattern '^/'", + "actualValue": "'basePath' value doesn't match the pattern '^/'", + "issueType": "IncorrectValue", + "similarityID": "bd8a14102a849501949bea1795fa63832dde8280e97b6a7f619f6036e4b76fb7", + "search_line": -1 }, { "queryName": "BasePath With Wrong Format", "severity": "INFO", "line": 5, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "basePath={{api/incorrect}}", + "searchValue": "", + "expectedValue": "'basePath' value matches the pattern '^/'", + "actualValue": "'basePath' value doesn't match the pattern '^/'", + "issueType": "IncorrectValue", + "similarityID": "d01c9a5cb45e0515c9d4719006a8b04eb36162656436f6a1ca052ab9b8005d37", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/test/positive_expected_result.json b/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/test/positive_expected_result.json index a725ff6735c..bac7dbaf4c6 100644 --- a/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/body_parameter_with_wrong_property/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Body Parameter With Wrong Property", "severity": "INFO", "line": 19, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.desc", + "searchValue": "", + "expectedValue": "{\"type\": \"string\"} is a valid property for body parameter", + "actualValue": "{\"type\": \"string\"} is not a valid property for body parameter", + "issueType": "IncorrectValue", + "similarityID": "1d2fa63b9c08010508a4643726cc5838b1b74c5650076fc0c5d38f8995e0aa41", + "search_line": -1 }, { "queryName": "Body Parameter With Wrong Property", "severity": "INFO", - "line": 30, - "filename": "positive2.yaml" + "line": 43, + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.desc", + "searchValue": "", + "expectedValue": "{\"type\": \"string\"} is a valid property for body parameter", + "actualValue": "{\"type\": \"string\"} is not a valid property for body parameter", + "issueType": "IncorrectValue", + "similarityID": "39c55cca76e7c3d8903f5e011ae29a7111050ae25f49a2963ee4c6912f5647fb", + "search_line": -1 }, { "queryName": "Body Parameter With Wrong Property", "severity": "INFO", - "line": 43, - "filename": "positive1.json" + "line": 20, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.desc", + "searchValue": "", + "expectedValue": "{\"type\": \"string\"} is a valid property for body parameter", + "actualValue": "{\"type\": \"string\"} is not a valid property for body parameter", + "issueType": "IncorrectValue", + "similarityID": "4025ac923aaa18b4116f31d0626a983328afe2da4616df853d584afa3a505d2b", + "search_line": -1 }, { "queryName": "Body Parameter With Wrong Property", "severity": "INFO", - "line": 20, - "filename": "positive2.yaml" + "line": 30, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": 
"parameters.limitParam.desc", + "searchValue": "", + "expectedValue": "{\"type\": \"string\"} is a valid property for body parameter", + "actualValue": "{\"type\": \"string\"} is not a valid property for body parameter", + "issueType": "IncorrectValue", + "similarityID": "0866f032fe9f1eb4c148f570d876436e86367862bc3193874150dcfdea36e646", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/2.0/body_parameter_without_schema/test/positive_expected_result.json b/assets/queries/openAPI/2.0/body_parameter_without_schema/test/positive_expected_result.json index 9d10b7eb914..2f173a15525 100644 --- a/assets/queries/openAPI/2.0/body_parameter_without_schema/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/body_parameter_without_schema/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Body Parameter Without Schema", "severity": "INFO", "line": 12, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=limit2", + "searchValue": "", + "expectedValue": "'schema' should be set", + "actualValue": "'schema' is undefined", + "issueType": "MissingAttribute", + "similarityID": "9bb096e6149699e7c5a5877103187d9b83bd90a3530b26a44548bb088f96f14d", + "search_line": -1 }, { "queryName": "Body Parameter Without Schema", "severity": "INFO", - "line": 14, - "filename": "positive2.yaml" + "line": 30, + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.name=limit", + "searchValue": "", + "expectedValue": "'schema' should be set", + "actualValue": "'schema' is undefined", + "issueType": "MissingAttribute", + "similarityID": "3683ddf84d63a6c98a20c54052735cf9f7c88bcf8c4de4a4b8799d181a70a40d", + "search_line": -1 }, { "queryName": "Body Parameter Without Schema", "severity": "INFO", - "line": 30, - "filename": "positive1.json" + "line": 14, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=limit2", + "searchValue": "", + "expectedValue": "'schema' should be set", + "actualValue": "'schema' is undefined", + "issueType": "MissingAttribute", + "similarityID": "e6f1723b6ba60abbc6b17b2021279ce01cf4e0da5b2f64a5685e1fffa38b6c09", + "search_line": -1 }, { "queryName": "Body Parameter Without Schema", "severity": "INFO", "line": 20, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.name=limit", + "searchValue": "", + "expectedValue": "'schema' should be set", + "actualValue": "'schema' is undefined", + "issueType": "MissingAttribute", + "similarityID": "2ce3db5a56aba01073d322435a76a9af96c9f2d3343841389bb2d7c4dbe7c785", + "search_line": -1 } ] 
diff --git a/assets/queries/openAPI/2.0/constraining_enum_property/test/positive_expected_result.json b/assets/queries/openAPI/2.0/constraining_enum_property/test/positive_expected_result.json index 0155d666dc8..8ecb2f0daa2 100644 --- a/assets/queries/openAPI/2.0/constraining_enum_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/constraining_enum_property/test/positive_expected_result.json 
@@ -2,49 +2,121 @@ { "queryName": "Constraining Enum Property", "severity": "INFO", - "line": 38, - "filename": "positive1.json" + "line": 24, + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.$ref=#/definitions/Category", + "searchValue": "", + "expectedValue": "Type numeric should not have enum and constraining keywords", + "actualValue": "Type numeric has enum and minimum", + "issueType": "IncorrectValue", + "similarityID": "7c180be5f8701759e91b1885f42e2e16baa4203c9bb746e3d0a0e3abea182014", + "search_line": 0 }, { "queryName": "Constraining Enum Property", "severity": "INFO", - "line": 49, - "filename": "positive1.json" + "line": 24, + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.$ref=#/definitions/Category", + "searchValue": "", + "expectedValue": "Type string should not have enum and constraining keywords", + "actualValue": "Type string has enum and maxLength", + "issueType": "IncorrectValue", + "similarityID": "232f8f1cb857a23789e0badbd0b4e0de4eeb4bdb9c3e8ba3e1d0d5083a6af31b", + "search_line": 0 }, { "queryName": "Constraining Enum Property", "severity": "INFO", - "line": 24, - "filename": "positive1.json" + "line": 38, + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.Category.properties.id.minimum", + "searchValue": "", + "expectedValue": "Type numeric should not have enum and constraining keywords", + "actualValue": "Type numeric has enum and minimum", + "issueType": "IncorrectValue", + "similarityID": "468ebf9cef2f0a8f63b1ec68f882554485089612608401e6f41a6f52cb1ab57a", + "search_line": 0 }, { "queryName": "Constraining Enum Property", "severity": "INFO", - "line": 24, - "filename": "positive1.json" + "line": 49, + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.Category.properties.name.maxLength", 
+ "searchValue": "", + "expectedValue": "Type string should not have enum and constraining keywords", + "actualValue": "Type string has enum and maxLength", + "issueType": "IncorrectValue", + "similarityID": "aa52a28e51534068868e5a28b5f9585e4f37a80470e2983bb95f2c770bc68fde", + "search_line": 0 }, { "queryName": "Constraining Enum Property", "severity": "INFO", - "line": 27, - "filename": "positive2.yaml" + "line": 19, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.$ref=#/definitions/Category", + "searchValue": "", + "expectedValue": "Type numeric should not have enum and constraining keywords", + "actualValue": "Type numeric has enum and minimum", + "issueType": "IncorrectValue", + "similarityID": "1c09c48755c36d8125992e3d578a2e8439bea73f427182aeb419f0501f6156a0", + "search_line": 0 }, { "queryName": "Constraining Enum Property", "severity": "INFO", - "line": 36, - "filename": "positive2.yaml" + "line": 19, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.$ref=#/definitions/Category", + "searchValue": "", + "expectedValue": "Type string should not have enum and constraining keywords", + "actualValue": "Type string has enum and maxLength", + "issueType": "IncorrectValue", + "similarityID": "0978114c76a2b9ff52a3dea3783305e80450f846c7625c39939fb38e44d4e7ff", + "search_line": 0 }, { "queryName": "Constraining Enum Property", "severity": "INFO", - "line": 19, - "filename": "positive2.yaml" + "line": 27, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.Category.properties.id.minimum", + "searchValue": "", + "expectedValue": "Type numeric should not have enum and constraining keywords", + "actualValue": "Type numeric has enum and minimum", + "issueType": "IncorrectValue", + "similarityID": "a740ea415c99812a4cdc02577c1af2bfe09f73e31b1a7a9210ac5fb5db061eb9", + 
"search_line": 0 }, { "queryName": "Constraining Enum Property", "severity": "INFO", - "line": 19, - "filename": "positive2.yaml" + "line": 36, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.Category.properties.name.maxLength", + "searchValue": "", + "expectedValue": "Type string should not have enum and constraining keywords", + "actualValue": "Type string has enum and maxLength", + "issueType": "IncorrectValue", + "similarityID": "1bad7742fb6ddb69d866ee2903020305385fd5514a2072ea03f09c5d872ca6e7", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/test/positive_expected_result.json b/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/test/positive_expected_result.json index 691824aa1f4..57808e96560 100644 --- a/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "File Parameter With Wrong Consumes Property", "severity": "INFO", "line": 12, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters", + "searchValue": "", + "expectedValue": "Operation or global 'consumes' field should have declared 'multipart/form-data', 'application/x-www-form-urlencoded' or both when there is a file type parameter", + "actualValue": "Operation or global 'consumes' field doesn't have declared 'multipart/form-data', 'application/x-www-form-urlencoded' or both when there is a file type parameter", + "issueType": "IncorrectValue", + "similarityID": "032a01cb6a33d6509113eb033174077152ddc1b364416ed6eb2fc8f3ccb14f97", + "search_line": -1 }, { "queryName": "File Parameter With Wrong Consumes Property", "severity": "INFO", "line": 10, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters", + "searchValue": "", + "expectedValue": "Operation or global 'consumes' field should have declared 'multipart/form-data', 'application/x-www-form-urlencoded' or both when there is a file type parameter", + "actualValue": "Operation or global 'consumes' field doesn't have declared 'multipart/form-data', 'application/x-www-form-urlencoded' or both when there is a file type parameter", + "issueType": "IncorrectValue", + "similarityID": "3a723fb7091217602b8e44b55a4abcad80797b1ecb4fed483a9e994202e63029", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/2.0/global_schemes_uses_http/test/positive_expected_result.json b/assets/queries/openAPI/2.0/global_schemes_uses_http/test/positive_expected_result.json index 32928065dce..a0302d514e0 100644 --- a/assets/queries/openAPI/2.0/global_schemes_uses_http/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/global_schemes_uses_http/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Global Schemes Uses HTTP", "severity": "MEDIUM", "line": 8, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "schemes.http", + "searchValue": "", + "expectedValue": "The Scheme list uses only 'HTTPS' protocol", + "actualValue": "The Scheme list uses 'HTTP' protocol", + "issueType": "IncorrectValue", + "similarityID": "dfe16b20809bebcee33a3d89e976a48651fff891df01c0c677aa7da32cb0db8a", + "search_line": -1 }, { "queryName": "Global Schemes Uses HTTP", "severity": "MEDIUM", "line": 6, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "schemes.http", + "searchValue": "", + "expectedValue": "The Scheme list uses only 'HTTPS' protocol", + "actualValue": "The Scheme list uses 'HTTP' protocol", + "issueType": "IncorrectValue", + "similarityID": "2bec05756151a0477b4091bc805d4ab1af924951d0a3add8fb67e6b2be094c10", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/2.0/global_security_using_password_flow/test/positive_expected_result.json b/assets/queries/openAPI/2.0/global_security_using_password_flow/test/positive_expected_result.json index 112159fbaea..72e1d57c1af 100644 --- a/assets/queries/openAPI/2.0/global_security_using_password_flow/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/global_security_using_password_flow/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Global Security Using Password Flow", "severity": "MEDIUM", "line": 33, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "'security' should not be using 'password' flow in OAuth2 authentication", + "actualValue": "'security' is using 'password' flow in OAuth2 authentication", + "issueType": "IncorrectValue", + "similarityID": "597f31434f25e7f2d325f6575238b3aa7630879a3d325d8ae83bfd615cdf40ae", + "search_line": -1 }, { "queryName": "Global Security Using Password Flow", "severity": "MEDIUM", "line": 22, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "'security' should not be using 'password' flow in OAuth2 authentication", + "actualValue": "'security' is using 'password' flow in OAuth2 authentication", + "issueType": "IncorrectValue", + "similarityID": "61c685c1d3da3828467551f1109e1e13c39ac2895fd0e57bb6b9e30eea7fd9ea", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/2.0/host_with_invalid_pattern/test/positive_expected_result.json b/assets/queries/openAPI/2.0/host_with_invalid_pattern/test/positive_expected_result.json index dd1b9779a6d..6b5ab149169 100644 --- a/assets/queries/openAPI/2.0/host_with_invalid_pattern/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/host_with_invalid_pattern/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Host With Invalid Pattern", "severity": "INFO", "line": 7, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "host", + "searchValue": "", + "expectedValue": "Host should be a valid name or IP", + "actualValue": "kics.io/test is not valid IP or name", + "issueType": "IncorrectValue", + "similarityID": "22b36f4e991cea557f559d40a3fd8085064fcf40da797dd871485edbece15625", + "search_line": -1 }, { "queryName": "Host With Invalid Pattern", "severity": "INFO", "line": 6, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "host", + "searchValue": "", + "expectedValue": "Host should be a valid name or IP", + "actualValue": "kics.io/test is not valid IP or name", + "issueType": "IncorrectValue", + "similarityID": "7bb0ee95489e40deff3d3758f6eecab26be650935233e586b28744e59de4a5dc", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/2.0/implicit_flow_oauth2/test/positive_expected_result.json b/assets/queries/openAPI/2.0/implicit_flow_oauth2/test/positive_expected_result.json index 04cc86c6670..e9ffb5847e9 100644 --- a/assets/queries/openAPI/2.0/implicit_flow_oauth2/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/implicit_flow_oauth2/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Implicit Flow in OAuth2 (v2)", "severity": "MEDIUM", "line": 27, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "securityDefinitions.oAuth2AuthCodeNeg2.flow=implicit", + "searchValue": "", + "expectedValue": "OAuth2 security definitions flow should not use implicit flow", + "actualValue": "OAuth2 security definitions flow is using implicit flow", + "issueType": "IncorrectValue", + "similarityID": "f2db30baf690bdd021d17a8535083ffbbe580225398823a817b1ca17cc4dcd88", + "search_line": -1 }, { "queryName": "Implicit Flow in OAuth2 (v2)", "severity": "MEDIUM", "line": 19, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "securityDefinitions.oAuth2AuthCodeNeg2.flow=implicit", + "searchValue": "", + "expectedValue": "OAuth2 security definitions flow should not use implicit flow", + "actualValue": "OAuth2 security definitions flow is using implicit flow", + "issueType": "IncorrectValue", + "similarityID": "48de4270295a4054f336fd5e04305d0b333b5cfe60fcf83e0645fb153b96af2e", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/2.0/invalid_media_type_value/test/positive_expected_result.json b/assets/queries/openAPI/2.0/invalid_media_type_value/test/positive_expected_result.json index 45a2f1271e1..dfb28d938a8 100644 --- a/assets/queries/openAPI/2.0/invalid_media_type_value/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/invalid_media_type_value/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Invalid Media Type Value (v2)", "severity": "INFO", "line": 11, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.produces.image/ png", + "searchValue": "", + "expectedValue": "The Media Type should be a valid value", + "actualValue": "The Media Type is a invalid value", + "issueType": "IncorrectValue", + "similarityID": "3645ae135871540f5411373f4e8106a96634ef429fc804125337040781678559", + "search_line": -1 }, { "queryName": "Invalid Media Type Value (v2)", "severity": "INFO", "line": 16, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.consumes.application/ x-www-form-urlencoded", + "searchValue": "", + "expectedValue": "The Media Type should be a valid value", + "actualValue": "The Media Type is a invalid value", + "issueType": "IncorrectValue", + "similarityID": "2b4012b3c3e460c5a0aa92e0c1dab87cd9b7dca3e55e640bfa905a97df029d8f", + "search_line": -1 }, { "queryName": "Invalid Media Type Value (v2)", "severity": "INFO", "line": 14, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.produces.image/ png", + "searchValue": "", + "expectedValue": "The Media Type should be a valid value", + "actualValue": "The Media Type is a invalid value", + "issueType": "IncorrectValue", + "similarityID": "ffd906a42ab214fac971e178fc91d0c29ae29516a3c7e897d844da9794bef497", + "search_line": -1 }, { "queryName": "Invalid Media Type Value (v2)", "severity": "INFO", "line": 18, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.consumes.application/ x-www-form-urlencoded", + "searchValue": "", + "expectedValue": "The Media Type should be a valid value", + "actualValue": "The Media Type is a invalid value", + 
"issueType": "IncorrectValue", + "similarityID": "5daf310353634d7e5f47c976e4c1e5b0bf91155150fcc977b89d1560449b755e", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/2.0/invalid_oauth2_token_url/test/positive_expected_result.json b/assets/queries/openAPI/2.0/invalid_oauth2_token_url/test/positive_expected_result.json index 083b754fcf3..1d0dd62846d 100644 --- a/assets/queries/openAPI/2.0/invalid_oauth2_token_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/invalid_oauth2_token_url/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "Invalid OAuth2 Token URL (v2)", "severity": "MEDIUM", "line": 22, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "securityDefinitions.oAuth2AuthCodeNeg3.tokenUrl", + "searchValue": "", + "expectedValue": "OAuth2 security definition flow tokenUrl must be set with a valid URL", + "actualValue": "OAuth2 security definition flow tokenUrl has an invalid URL", + "issueType": "IncorrectValue", + "similarityID": "0329eebfcfda07a4daf25cb6a9d5ba89a629154c6a12805ba537c7d0c71e1de4", + "search_line": -1 }, { "queryName": "Invalid OAuth2 Token URL (v2)", "severity": "MEDIUM", "line": 30, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "securityDefinitions.oAuth2AuthCodeNeg3.tokenUrl", + "searchValue": "", + "expectedValue": "OAuth2 security definition flow tokenUrl must be set with a valid URL", + "actualValue": "OAuth2 security definition flow tokenUrl has an invalid URL", + "issueType": "IncorrectValue", + "similarityID": "ddc163bc268f47cd71cbd879b3d13c03a8a659c4e9478a84cfdbe4998a03e50b", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/test/positive_expected_result.json b/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/test/positive_expected_result.json index b1c9a0d9c05..e455dbe96ff 100644 
--- a/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/invalid_oauth_authorization_url/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Invalid OAuth2 Authorization URL (v2)", "severity": "MEDIUM", "line": 19, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "securityDefinitions.api_key.authorizationUrl", + "searchValue": "", + "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL", + "issueType": "IncorrectValue", + "similarityID": "aa49993d50aaac49e7b1c16484f887599e0761e69ce098b73b5437807db279db", + "search_line": -1 }, { "queryName": "Invalid OAuth2 Authorization URL (v2)", "severity": "MEDIUM", "line": 23, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "securityDefinitions.petstore_auth.authorizationUrl", + "searchValue": "", + "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL", + "issueType": "IncorrectValue", + "similarityID": "1c947ff0dfe83f137f03c912ed45920ea59146bb68f88fa284c608321d47c1d3", + "search_line": -1 }, { "queryName": "Invalid OAuth2 Authorization URL (v2)", "severity": "MEDIUM", "line": 27, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "securityDefinitions.api_key.authorizationUrl", + "searchValue": "", + "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL", + "issueType": "IncorrectValue", + "similarityID": "20dce3ffe13724f07c0cceb7da51adad3faf7571fc59177f05f17a559cc1658d", + "search_line": -1 }, { "queryName": "Invalid OAuth2 Authorization URL (v2)", "severity": "MEDIUM", "line": 32, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": 
"securityDefinitions.petstore_auth.authorizationUrl", + "searchValue": "", + "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL", + "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL", + "issueType": "IncorrectValue", + "similarityID": "daa22db7b497ea79a744ea2cba5eef2879529f1e80a496563f9dc71f03e5f1e4", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json b/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json index 9bb4d0d4a08..ddcfa82fc12 100644 --- a/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json 
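Review bot: The new expectedValue/actualValue strings in this hunk say "flow tokenUrl must be set with a valid URL" while every searchKey (`securityDefinitions.api_key.authorizationUrl`, `securityDefinitions.petstore_auth.authorizationUrl`) points at `authorizationUrl`, so the fixture now pins a message that appears to name the wrong field. The text is presumably captured verbatim from the query's output rather than typed here, so the fix belongs in the query's metadata/message (e.g. `"expectedValue": "OAuth2 security schema flow authorizationUrl must be set with a valid URL"`), after which this file should be regenerated rather than edited by hand. If the wording is left as-is, a later correction to the query will silently break these expected results.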
@@ -3,12 +3,30 @@ "queryName": "Parameter JSON Reference Does Not Exist (v2)", "severity": "INFO", "line": 19, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.$ref={{#/parameters/maxParam}}", + "searchValue": "", + "expectedValue": "maxParam from #/parameters/maxParam should be declared on parameters", + "actualValue": "maxParam from #/parameters/maxParam is not declared on parameters", + "issueType": "MissingAttribute", + "similarityID": "f835d88fa00b5c9b7cd7157664999a190cf011c2d036fe150717f08a0e4089c2", + "search_line": 0 }, { "queryName": "Parameter JSON Reference Does Not Exist (v2)", "severity": "INFO", "line": 14, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.$ref={{#/parameters/maxParam}}", + "searchValue": "", + "expectedValue": "maxParam from #/parameters/maxParam should be declared on parameters", + "actualValue": "maxParam from #/parameters/maxParam is not declared on parameters", + "issueType": "MissingAttribute", + "similarityID": "6cec3388dab271b3b66ad79ed8457d6000ab14bb304cea3c11282455ccf465b6", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/test/positive_expected_result.json b/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/test/positive_expected_result.json index 57036f1a305..eb5010db702 100644 --- a/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/json_reference_does_not_exists_response/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Responses JSON Reference Does Not Exists (v2)", "severity": "INFO", "line": 14, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.$ref=#/responses/Succes", + "searchValue": "", + "expectedValue": "Succes from #/responses/Succes should be declared on responses", + "actualValue": "Succes from #/responses/Succes is not declared on responses", + "issueType": "MissingAttribute", + "similarityID": "d6e29657c7a41446464b7eb4454a35bd01a99fc05b289fb1cd3b39ce34ba62b0", + "search_line": 0 }, { "queryName": "Responses JSON Reference Does Not Exists (v2)", "severity": "INFO", "line": 12, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.$ref=#/responses/Succes", + "searchValue": "", + "expectedValue": "Succes from #/responses/Succes should be declared on responses", + "actualValue": "Succes from #/responses/Succes is not declared on responses", + "issueType": "MissingAttribute", + "similarityID": "915956362427ce50cf46380ecf0145ae4316deba1caec2d5811eadd8dfb0022b", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/test/positive_expected_result.json b/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/test/positive_expected_result.json index 2220c2b21ec..7a600a988c2 100644 --- a/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Schema JSON Reference Does Not Exist (v2)", "severity": "INFO", "line": 15, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.$ref=#/definitions/Use", + "searchValue": "", + "expectedValue": "Use from #/definitions/Use should be declared on definitions", + "actualValue": "Use from #/definitions/Use is not declared on definitions", + "issueType": "MissingAttribute", + "similarityID": "111681def49b88c9f72b7b80d3c87cdbc9749d69c729fc31535d2019233cf243", + "search_line": 0 }, { "queryName": "Schema JSON Reference Does Not Exist (v2)", "severity": "INFO", "line": 14, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.$ref=#/definitions/Use", + "searchValue": "", + "expectedValue": "Use from #/definitions/Use should be declared on definitions", + "actualValue": "Use from #/definitions/Use is not declared on definitions", + "issueType": "MissingAttribute", + "similarityID": "503871e43255e588cc158e99f3ac7296771e072935a11510ad773099264b445c", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/2.0/multi_body_parameters_same_operation/test/positive_expected_result.json b/assets/queries/openAPI/2.0/multi_body_parameters_same_operation/test/positive_expected_result.json index f6cba6674ce..af88a5ee788 100644 --- a/assets/queries/openAPI/2.0/multi_body_parameters_same_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/multi_body_parameters_same_operation/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Multiple Body Parameters In The Same Operation", "severity": "INFO", "line": 10, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters", + "searchValue": "", + "expectedValue": "Operation's parameters should have just one body type parameter", + "actualValue": "Operation's parameters has more than one body type parameter", + "issueType": "IncorrectValue", + "similarityID": "f0db7aee6557185fec6dff7f98855f926a60dd5cc9d02afd6077ee43ce85c757", + "search_line": -1 }, { "queryName": "Multiple Body Parameters In The Same Operation", "severity": "INFO", "line": 8, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters", + "searchValue": "", + "expectedValue": "Operation's parameters should have just one body type parameter", + "actualValue": "Operation's parameters has more than one body type parameter", + "issueType": "IncorrectValue", + "similarityID": "5e703313b41c9ec2867ebb71579c7e5575b57f806ec2e751647de34cb88f664d", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/test/positive_expected_result.json b/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/test/positive_expected_result.json index 12cb526c305..aa7dbaf5b48 100644 --- a/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Multi 'collectionformat' Not Valid For 'in' Parameter", "severity": "INFO", "line": 13, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=limit2.in", + "searchValue": "", + "expectedValue": "'in' field should be 'query' or 'formData'", + "actualValue": "'in' field is path", + "issueType": "IncorrectValue", + "similarityID": "e4e19788ac888b9d06912b3ce4245799e4f18f5259838649aef67e01b8d02cf9", + "search_line": -1 }, { "queryName": "Multi 'collectionformat' Not Valid For 'in' Parameter", "severity": "INFO", - "line": 10, - "filename": "positive2.yaml" + "line": 37, + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.name=limit.in", + "searchValue": "", + "expectedValue": "'in' field should be 'query' or 'formData'", + "actualValue": "'in' field is path", + "issueType": "IncorrectValue", + "similarityID": "bf35a079aff3c12f96ed6129e243cec391f4a7e7e942086d862802b0f89f03ef", + "search_line": -1 }, { "queryName": "Multi 'collectionformat' Not Valid For 'in' Parameter", "severity": "INFO", - "line": 37, - "filename": "positive1.json" + "line": 10, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=limit2.in", + "searchValue": "", + "expectedValue": "'in' field should be 'query' or 'formData'", + "actualValue": "'in' field is path", + "issueType": "IncorrectValue", + "similarityID": "e8d76e9a991997c2f37de78df974727998b0221346e8822aecfcd77dbef451de", + "search_line": -1 }, { "queryName": "Multi 'collectionformat' Not Valid For 'in' Parameter", "severity": "INFO", "line": 26, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.name=limit.in", + "searchValue": "", + "expectedValue": "'in' field should be 'query' or 'formData'", + 
"actualValue": "'in' field is path", + "issueType": "IncorrectValue", + "similarityID": "e896b42b3b35492abd39fd13d50351a7e08f50fd6f9b1aecadacf5c3414c3798", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/2.0/non_body_parameter_with_schema/test/positive_expected_result.json b/assets/queries/openAPI/2.0/non_body_parameter_with_schema/test/positive_expected_result.json index a49d349e700..8da1e11851a 100644 --- a/assets/queries/openAPI/2.0/non_body_parameter_with_schema/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/non_body_parameter_with_schema/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Non Body Parameter Without Schema", "severity": "INFO", "line": 16, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=limit2.schema", + "searchValue": "", + "expectedValue": "'schema' should not be set", + "actualValue": "'schema' is set", + "issueType": "IncorrectValue", + "similarityID": "bb172850a87f037ed8ecb01e3d37a2c8faa539a3951e52d982c7cdf3e59689b3", + "search_line": -1 }, { "queryName": "Non Body Parameter Without Schema", "severity": "INFO", - "line": 13, - "filename": "positive2.yaml" + "line": 37, + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.name=limit.schema", + "searchValue": "", + "expectedValue": "'schema' should not be set", + "actualValue": "'schema' is set", + "issueType": "IncorrectValue", + "similarityID": "b04dadc6f3188332ebe85e4d7f18eff77847fc6a07b538a498d649e4b6a90757", + "search_line": -1 }, { "queryName": "Non Body Parameter Without Schema", "severity": "INFO", - "line": 37, - "filename": "positive1.json" + "line": 13, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=limit2.schema", + "searchValue": "", + "expectedValue": "'schema' should not be set", + "actualValue": "'schema' is set", + "issueType": "IncorrectValue", + "similarityID": "5a5ab8d78f9089af9b5b7f8fa2be6eaf646e1f87ed39353eb6626ff92c8f631f", + "search_line": -1 }, { "queryName": "Non Body Parameter Without Schema", "severity": "INFO", "line": 26, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.name=limit.schema", + "searchValue": "", + "expectedValue": "'schema' should not be set", + "actualValue": "'schema' is set", + "issueType": "IncorrectValue", + "similarityID": 
"8cd38fbe09e36712b4baa0fa511cf303a9c136e38877ce7214f72db9d48b0c59", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/test/positive_expected_result.json b/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/test/positive_expected_result.json index ead08115961..6e9d918744c 100644 --- a/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "Non OAuth2 Security Requirement Defining OAuth2 Scopes", "severity": "MEDIUM", "line": 33, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.petstore_auth", + "searchValue": "", + "expectedValue": "security scheme petstore_auth should specify scopes for type 'basic'", + "actualValue": "security scheme petstore_auth doesn't specify scopes for type 'basic'", + "issueType": "IncorrectValue", + "similarityID": "d4966b910d92dd1edd8f5f8c7f005e62969ad90299f05f7a8d8b48a48ab12ee2", + "search_line": -1 }, { "queryName": "Non OAuth2 Security Requirement Defining OAuth2 Scopes", "severity": "MEDIUM", "line": 21, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.petstore_auth", + "searchValue": "", + "expectedValue": "security scheme petstore_auth should specify scopes for type 'basic'", + "actualValue": "security scheme petstore_auth doesn't specify scopes for type 'basic'", + "issueType": "IncorrectValue", + "similarityID": "672322e7b91f8e352188a12493ce9c77ada87f4ee18b27062d1a16a55e6bbc8c", + "search_line": -1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/openAPI/2.0/object_without_required_property/test/positive_expected_result.json b/assets/queries/openAPI/2.0/object_without_required_property/test/positive_expected_result.json
index 8be9ac9534d..31e02cddeff 100644
--- a/assets/queries/openAPI/2.0/object_without_required_property/test/positive_expected_result.json
+++ b/assets/queries/openAPI/2.0/object_without_required_property/test/positive_expected_result.json
@@ -2,25 +2,61 @@ { "queryName": "Object Without Required Property (v2)", "severity": "INFO", - "line": 20, - "filename": "positive1.json" + "line": 3, + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "info.", + "searchValue": "", + "expectedValue": "info has all required fields", + "actualValue": "info is missing required fields", + "issueType": "IncorrectValue", + "similarityID": "43981cd1f8d96ed18e8121dc846d4c343c05f5b77eb9460205315015d71fe9ef", + "search_line": -1 }, { "queryName": "Object Without Required Property (v2)", "severity": "INFO", - "line": 3, - "filename": "positive1.json" + "line": 20, + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.{{limitParam}}", + "searchValue": "", + "expectedValue": "Parameter object has 'type' defined", + "actualValue": "Parameter object does not have 'type' defined", + "issueType": "IncorrectValue", + "similarityID": "36875ce656f3e35525dba60b79d8193ed345a1660985d0354b1aa6e25a42dd72", + "search_line": -1 }, { "queryName": "Object Without Required Property (v2)", "severity": "INFO", "line": 2, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "info.", + "searchValue": "", + "expectedValue": "info has all required fields", + "actualValue": "info is missing required fields", + "issueType": "IncorrectValue", + "similarityID": "90147ec3579403aee589a67ed53812447e384940b7774d0d3de21a7b6246b9a8", + "search_line": -1 }, { "queryName": "Object Without Required Property (v2)", "severity": "INFO", "line": 13, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.{{limitParam}}", + "searchValue": "", + "expectedValue": "Parameter object has 'type' defined", + "actualValue": "Parameter object does not have 'type' defined", + "issueType": "IncorrectValue", + "similarityID": 
"7076a173b205b2c27dc9eea7b746b6c5e02946768f7abf73a2bde685d93dd2f0", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/2.0/operation_example_mismatch_produces_mediatype/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_example_mismatch_produces_mediatype/test/positive_expected_result.json index 9acfc9fea22..a1c49df79c3 100644 --- a/assets/queries/openAPI/2.0/operation_example_mismatch_produces_mediatype/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_example_mismatch_produces_mediatype/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "Operation Example Mismatch Produces MimeType", "severity": "INFO", "line": 34, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.{{200}}.examples.{{text/csv}}", + "searchValue": "", + "expectedValue": "Example MimeType should be listed on produces", + "actualValue": "Example MimeType is not listed on produces", + "issueType": "MissingAttribute", + "similarityID": "de47ff889476732481f0d14d57617a42b9d6f4437fccfaea1f4ca0e6aaca4c16", + "search_line": -1 }, { "queryName": "Operation Example Mismatch Produces MimeType", "severity": "INFO", "line": 27, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.{{200}}.examples.{{text/csv}}", + "searchValue": "", + "expectedValue": "Example MimeType should be listed on produces", + "actualValue": "Example MimeType is not listed on produces", + "issueType": "MissingAttribute", + "similarityID": "6ac643bb27c4b042bf8eaca488ce65415bf0173c2348d8f672a1568a9bb4a499", + "search_line": -1 } ] 
diff --git a/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/test/positive_expected_result.json
index 9273c0f82cd..1eb7fb09cd2 100644
--- a/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/test/positive_expected_result.json
+++ b/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Operation Object Parameters With 'body' And 'formatData' locations",
 "severity": "INFO",
 "line": 17,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.parameters",
+ "searchValue": "",
+ "expectedValue": "operation object parameters only use one of 'body' or 'formatData' locations",
+ "actualValue": "operation object parameters use both 'body' and 'formatData' locations",
+ "issueType": "IncorrectValue",
+ "similarityID": "8c1614f4a62479e5a37f82b5dbace84dc8bc62d94ef04c581fc762ffda03cfb7",
+ "search_line": -1
 },
 {
 "queryName": "Operation Object Parameters With 'body' And 'formatData' locations",
 "severity": "INFO",
 "line": 13,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.parameters",
+ "searchValue": "",
+ "expectedValue": "operation object parameters only use one of 'body' or 'formatData' locations",
+ "actualValue": "operation object parameters use both 'body' and 'formatData' locations",
+ "issueType": "IncorrectValue",
+ "similarityID": "5b74e1adb1633552c2fafaf8d8c376e925b2df8d1364ddf1e69c344c309b98f3",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/openAPI/2.0/operation_object_without_consumes/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_object_without_consumes/test/positive_expected_result.json
index 8fad06ba31e..2621eb2e136 100644
--- a/assets/queries/openAPI/2.0/operation_object_without_consumes/test/positive_expected_result.json
+++ b/assets/queries/openAPI/2.0/operation_object_without_consumes/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Operation Object Without 'consumes'",
 "severity": "MEDIUM",
 "line": 9,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.put",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.put 'consumes' should be defined",
+ "actualValue": "paths.{{/}}.put 'consumes' is missing",
+ "issueType": "MissingAttribute",
+ "similarityID": "3b3acbe65f590af9a58ab0c3b17d0516eedc2910b163cb4c0870b12306a862c6",
+ "search_line": -1
 },
 {
 "queryName": "Operation Object Without 'consumes'",
 "severity": "MEDIUM",
 "line": 7,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.put",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.put 'consumes' should be defined",
+ "actualValue": "paths.{{/}}.put 'consumes' is missing",
+ "issueType": "MissingAttribute",
+ "similarityID": "7eac76fb71f6da95561590a4e2c416c5d816395875d21f3fcfbc8dc03c9f261f",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/openAPI/2.0/operation_object_without_produces/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_object_without_produces/test/positive_expected_result.json
index 8ba5c879c13..f89e1630b7c 100644
--- a/assets/queries/openAPI/2.0/operation_object_without_produces/test/positive_expected_result.json
+++ b/assets/queries/openAPI/2.0/operation_object_without_produces/test/positive_expected_result.json
@@ -3,12 +3,30 @@ "queryName": "Operation Object Without 'produces'", "severity": "MEDIUM", "line": 9, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get", + "searchValue": "", + "expectedValue": "paths.{{/}}.get 'produces' should be defined", + "actualValue": "paths.{{/}}.get 'produces' is missing", + "issueType": "MissingAttribute", + "similarityID": "c150fbd684af6039da7707d4bfdb6e88f3e025efb1a5560bccaba99958f97039", + "search_line": 0 }, { "queryName": "Operation Object Without 'produces'", "severity": "MEDIUM", "line": 7, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get", + "searchValue": "", + "expectedValue": "paths.{{/}}.get 'produces' should be defined", + "actualValue": "paths.{{/}}.get 'produces' is missing", + "issueType": "MissingAttribute", + "similarityID": "3bc02251e5bb89b8e072368a3ced41e1c2d8b80eb3f3a078c64a665d51ccfe2e", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/2.0/operation_summary_too_long/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_summary_too_long/test/positive_expected_result.json index 75ea2ac2f3d..2669771e393 100644 --- a/assets/queries/openAPI/2.0/operation_summary_too_long/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_summary_too_long/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Operation Summary Too Long", "severity": "INFO", "line": 11, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.summary", + "searchValue": "", + "expectedValue": "Operation summary should not be less than 120 characters", + "actualValue": "Operation summary is less than 120 characters", + "issueType": "IncorrectValue", + "similarityID": "09dcd010e37ff15f4c3bb5cc57d8643e2d904ce1379432c90b0e35c848170345", + "search_line": -1 }, { "queryName": "Operation Summary Too Long", "severity": "INFO", "line": 9, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.summary", + "searchValue": "", + "expectedValue": "Operation summary should not be less than 120 characters", + "actualValue": "Operation summary is less than 120 characters", + "issueType": "IncorrectValue", + "similarityID": "a2d900dc25b9eeee02efc1e84a1d7752ac466eba02a8a261a7c8c7dc323be8ed", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/operation_using_basic_auth/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_using_basic_auth/test/positive_expected_result.json index ed4f148d15e..7192391b70d 100644 --- a/assets/queries/openAPI/2.0/operation_using_basic_auth/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_using_basic_auth/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Operation Using Basic Auth", "severity": "MEDIUM", "line": 22, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "Operation Object should not be using basic authentication", + "actualValue": "Operation Object is using basic authentication", + "issueType": "IncorrectValue", + "similarityID": "0c76e65a2b327fc780082e258fafd781ca0de92554f26159ed5fd77ceefd1a95", + "search_line": -1 }, { "queryName": "Operation Using Basic Auth", "severity": "MEDIUM", "line": 16, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "Operation Object should not be using basic authentication", + "actualValue": "Operation Object is using basic authentication", + "issueType": "IncorrectValue", + "similarityID": "25b7f67ecaa219c820ca73b27dd0400b9b5a48b957305b4cb7beee4e04767aa6", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/operation_using_implicit_flow/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_using_implicit_flow/test/positive_expected_result.json index ac32c231303..ba4fe5e9bf9 100644 --- a/assets/queries/openAPI/2.0/operation_using_implicit_flow/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_using_implicit_flow/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Operation Using Implicit Flow", "severity": "MEDIUM", "line": 22, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "Operation Object should not be using implicit flow", + "actualValue": "Operation Object is using implicit flow", + "issueType": "IncorrectValue", + "similarityID": "dead50c3370795234286b37d8081daf53585354c843d597a33e44d3f27be1536", + "search_line": -1 }, { "queryName": "Operation Using Implicit Flow", "severity": "MEDIUM", "line": 16, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "Operation Object should not be using implicit flow", + "actualValue": "Operation Object is using implicit flow", + "issueType": "IncorrectValue", + "similarityID": "b759832a1e942442c926a9ca9e527859975399d93a2eb3739ac9d21b0c447b23", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/2.0/operation_using_password_flow/test/positive_expected_result.json b/assets/queries/openAPI/2.0/operation_using_password_flow/test/positive_expected_result.json index e2eda6d01d7..9bd86885afe 100644 --- a/assets/queries/openAPI/2.0/operation_using_password_flow/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/operation_using_password_flow/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Operation Using Password Flow", "severity": "MEDIUM", "line": 22, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "Operation Object should not be using 'password' flow in OAuth2 authentication", + "actualValue": "Operation Object is using 'password' flow in OAuth2 authentication", + "issueType": "IncorrectValue", + "similarityID": "de8bee006854b15ee3fc0c24238035276539231e1074d9990f98d7f4c1df8d32", + "search_line": -1 }, { "queryName": "Operation Using Password Flow", "severity": "MEDIUM", "line": 16, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "Operation Object should not be using 'password' flow in OAuth2 authentication", + "actualValue": "Operation Object is using 'password' flow in OAuth2 authentication", + "issueType": "IncorrectValue", + "similarityID": "0fcb570c04284b21c776f30d3265b19019f8516534bc4234ab30faeb4785b5ac", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/test/positive_expected_result.json b/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/test/positive_expected_result.json index 28de0b8b081..19d8d04e3d5 100644 --- a/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Parameter File Type Not In 'formData'", "severity": "INFO", "line": 12, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=limit2", + "searchValue": "", + "expectedValue": "'schema' should be set", + "actualValue": "'schema' is undefined", + "issueType": "MissingAttribute", + "similarityID": "ae8c4296a939c3f594372431ce700e7f5720e173c26ae697a29d4ecb4ce56a75", + "search_line": -1 }, { "queryName": "Parameter File Type Not In 'formData'", "severity": "INFO", - "line": 10, - "filename": "positive2.yaml" + "line": 31, + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.name=limit", + "searchValue": "", + "expectedValue": "'schema' should be set", + "actualValue": "'schema' is undefined", + "issueType": "MissingAttribute", + "similarityID": "53620cfe0540ece2241321bb84547e323d8ea092d5999cd81eb2db998fe3f494", + "search_line": -1 }, { "queryName": "Parameter File Type Not In 'formData'", "severity": "INFO", - "line": 31, - "filename": "positive1.json" + "line": 10, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=limit2", + "searchValue": "", + "expectedValue": "'schema' should be set", + "actualValue": "'schema' is undefined", + "issueType": "MissingAttribute", + "similarityID": "f3ddfe3e18baf362da99ebf28eb22ad7726cc001a520b832971c21fc67e89540", + "search_line": -1 }, { "queryName": "Parameter File Type Not In 'formData'", "severity": "INFO", "line": 22, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.name=limit", + "searchValue": "", + "expectedValue": "'schema' should be set", + "actualValue": "'schema' is undefined", + "issueType": "MissingAttribute", + "similarityID": 
"fef16b52361a3990fe473b4ff35a3266f51d984ba251f7955998644edf52ce5e", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/test/positive_expected_result.json index 261dbfde738..c3c9449b5c0 100644 --- a/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/parameter_object_incorrect_ref/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "Parameter Object With Incorrect Ref (v2)", "severity": "INFO", "line": 22, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.$ref=#/definitions/User", + "searchValue": "", + "expectedValue": "Parameters ref points to '#/parameters'", + "actualValue": "Parameters ref doesn't point to '#/parameters'", + "issueType": "IncorrectValue", + "similarityID": "e797791fca0cb72435d24cfeebbc348dc74c490f9318347cf9d51c492f4a048f", + "search_line": 0 }, { "queryName": "Parameter Object With Incorrect Ref (v2)", "severity": "INFO", "line": 16, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.$ref=#/definitions/User", + "searchValue": "", + "expectedValue": "Parameters ref points to '#/parameters'", + "actualValue": "Parameters ref doesn't point to '#/parameters'", + "issueType": "IncorrectValue", + "similarityID": "189e0eceb15d2a09142dc6e373a47fe03a9a6f55b814e1c668dc246d3952a2ee", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/2.0/path_scheme_accepts_http/test/positive_expected_result.json b/assets/queries/openAPI/2.0/path_scheme_accepts_http/test/positive_expected_result.json index 63170f665d1..c442516f996 100644 --- a/assets/queries/openAPI/2.0/path_scheme_accepts_http/test/positive_expected_result.json 
+++ b/assets/queries/openAPI/2.0/path_scheme_accepts_http/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "Path Scheme Accepts HTTP (v2)", "severity": "MEDIUM", "line": 13, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.schemes.http", + "searchValue": "", + "expectedValue": "The Scheme list uses only 'HTTPS' protocol", + "actualValue": "The Scheme list uses 'HTTP' protocol", + "issueType": "IncorrectValue", + "similarityID": "5d48b2902175b986d0a1236b5f296119b892d29efaa35b51a86ad99938c457a1", + "search_line": -1 }, { "queryName": "Path Scheme Accepts HTTP (v2)", "severity": "MEDIUM", "line": 11, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.schemes.http", + "searchValue": "", + "expectedValue": "The Scheme list uses only 'HTTPS' protocol", + "actualValue": "The Scheme list uses 'HTTP' protocol", + "issueType": "IncorrectValue", + "similarityID": "789b92668a9ee035a73f7dbb6d8d3712f349aede0d161d9c8d945b267be78717", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/2.0/property_not_unique/test/positive_expected_result.json b/assets/queries/openAPI/2.0/property_not_unique/test/positive_expected_result.json index 4adbe93ae00..3a7d0af07c0 100644 --- a/assets/queries/openAPI/2.0/property_not_unique/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/property_not_unique/test/positive_expected_result.json 
@@ -2,73 +2,181 @@ { "queryName": "Property Not Unique", "severity": "INFO", - "line": 54, - "filename": "positive1.json" + "line": 27, + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.properties.name", + "searchValue": "", + "expectedValue": "'name' property is unique throughout the whole API", + "actualValue": "'name' property is not unique throughout the whole API", + "issueType": "IncorrectValue", + "similarityID": "6151b4ae66ee0e0c8de54e4e4db90294ffbd219705722288ff0a759981c12fc9", + "search_line": 0 }, { "queryName": "Property Not Unique", "severity": "INFO", - "line": 57, - "filename": "positive1.json" + "line": 30, + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.properties.address", + "searchValue": "", + "expectedValue": "'address' property is unique throughout the whole API", + "actualValue": "'address' property is not unique throughout the whole API", + "issueType": "IncorrectValue", + "similarityID": "e8aa5951419e274c493e49e5258fce70eb1e07b96dc1604c15452a9971841576", + "search_line": 0 }, { "queryName": "Property Not Unique", "severity": "INFO", - "line": 60, - "filename": "positive1.json" + "line": 33, + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.properties.age", + "searchValue": "", + "expectedValue": "'age' property is unique throughout the whole API", + "actualValue": "'age' property is not unique throughout the whole API", + "issueType": "IncorrectValue", + "similarityID": "d9e096f9096436b70834bd523aba4dac2ea1a18a5ec76567144c68365f99d3c8", + "search_line": 0 }, { "queryName": "Property Not Unique", "severity": "INFO", - "line": 38, - "filename": "positive2.yaml" + "line": 54, + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.properties.name", + 
"searchValue": "", + "expectedValue": "'name' property is unique throughout the whole API", + "actualValue": "'name' property is not unique throughout the whole API", + "issueType": "IncorrectValue", + "similarityID": "a0c4519dd9b91f4e6c91d1b6fab7cd6fd3f8a480ca07a27f3f8db7a6506044f8", + "search_line": 0 }, { "queryName": "Property Not Unique", "severity": "INFO", - "line": 40, - "filename": "positive2.yaml" + "line": 57, + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.properties.address", + "searchValue": "", + "expectedValue": "'address' property is unique throughout the whole API", + "actualValue": "'address' property is not unique throughout the whole API", + "issueType": "IncorrectValue", + "similarityID": "a74021747c3baafe6892f7a6a7ac60ee97418889a5ae70f25ba6c460b20ab34e", + "search_line": 0 }, { "queryName": "Property Not Unique", "severity": "INFO", - "line": 42, - "filename": "positive2.yaml" + "line": 60, + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.properties.age", + "searchValue": "", + "expectedValue": "'age' property is unique throughout the whole API", + "actualValue": "'age' property is not unique throughout the whole API", + "issueType": "IncorrectValue", + "similarityID": "5bf2fe536e872f8393aebc615c49e48e8521a759c03bbcf3311714d00c3e32f6", + "search_line": 0 }, { "queryName": "Property Not Unique", "severity": "INFO", - "line": 27, - "filename": "positive1.json" + "line": 22, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.properties.name", + "searchValue": "", + "expectedValue": "'name' property is unique throughout the whole API", + "actualValue": "'name' property is not unique throughout the whole API", + "issueType": "IncorrectValue", + "similarityID": "80cd29c767b385cfc9220658361d0369d55758e9f71741e23368d6e75ecaf7f3", + "search_line": 0 
}, { "queryName": "Property Not Unique", "severity": "INFO", - "line": 30, - "filename": "positive1.json" + "line": 24, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.properties.address", + "searchValue": "", + "expectedValue": "'address' property is unique throughout the whole API", + "actualValue": "'address' property is not unique throughout the whole API", + "issueType": "IncorrectValue", + "similarityID": "cf74de973214f5dd87334c61999bcc10a2370fa3bac306045bcee91be151f112", + "search_line": 0 }, { "queryName": "Property Not Unique", "severity": "INFO", - "line": 33, - "filename": "positive1.json" + "line": 26, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.properties.age", + "searchValue": "", + "expectedValue": "'age' property is unique throughout the whole API", + "actualValue": "'age' property is not unique throughout the whole API", + "issueType": "IncorrectValue", + "similarityID": "397d46e037ae7611d02f02b54bece5daecaad5951b21017cc53132fd80038268", + "search_line": 0 }, { "queryName": "Property Not Unique", "severity": "INFO", - "line": 22, - "filename": "positive2.yaml" + "line": 38, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.properties.name", + "searchValue": "", + "expectedValue": "'name' property is unique throughout the whole API", + "actualValue": "'name' property is not unique throughout the whole API", + "issueType": "IncorrectValue", + "similarityID": "8ef4b0ff02adbb82e313a396274fc2e081366867bbba161d3737c1925b208182", + "search_line": 0 }, { "queryName": "Property Not Unique", "severity": "INFO", - "line": 24, - "filename": "positive2.yaml" + "line": 40, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.properties.address", + "searchValue": "", + 
"expectedValue": "'address' property is unique throughout the whole API", + "actualValue": "'address' property is not unique throughout the whole API", + "issueType": "IncorrectValue", + "similarityID": "e24089fc107d6f91421923690ee0881a77cb3a64767064085f02f52cc649ad59", + "search_line": 0 }, { "queryName": "Property Not Unique", "severity": "INFO", - "line": 26, - "filename": "positive2.yaml" + "line": 42, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.properties.age", + "searchValue": "", + "expectedValue": "'age' property is unique throughout the whole API", + "actualValue": "'age' property is not unique throughout the whole API", + "issueType": "IncorrectValue", + "similarityID": "3845d7e9bf91f038980b199b272b95f122020888e8cddd7ca7d8ce2d451f13c1", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/2.0/response_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/2.0/response_object_incorrect_ref/test/positive_expected_result.json index b14643b039a..69cf0445181 100644 --- a/assets/queries/openAPI/2.0/response_object_incorrect_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/response_object_incorrect_ref/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Response Object With Incorrect Ref (v2)", "severity": "INFO", "line": 14, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.{{200}}.$ref", + "searchValue": "", + "expectedValue": "Response ref points to '#/responses'", + "actualValue": "Response ref doesn't point to '#/responses'", + "issueType": "IncorrectValue", + "similarityID": "d02a0da46fe7c43d11e59ff26335efd0b54b744da27d2af0004e26ac11ab2dde", + "search_line": 0 }, { "queryName": "Response Object With Incorrect Ref (v2)", "severity": "INFO", "line": 12, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.{{200}}.$ref", + "searchValue": "", + "expectedValue": "Response ref points to '#/responses'", + "actualValue": "Response ref doesn't point to '#/responses'", + "issueType": "IncorrectValue", + "similarityID": "6711101dc1b9b1c6df61eaf96d11b86c5fd316db4ed908135912c7c803b0c0b7", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/2.0/schema_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/2.0/schema_object_incorrect_ref/test/positive_expected_result.json index 92c755b5e26..ad4dd7aef6e 100644 --- a/assets/queries/openAPI/2.0/schema_object_incorrect_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/schema_object_incorrect_ref/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Schema Object Incorrect Ref (v2)", "severity": "INFO", "line": 29, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "responses.Success.schema.$ref", + "searchValue": "", + "expectedValue": "Schema ref points to '#/definitions'", + "actualValue": "Schema ref doesn't point to '#/definitions'", + "issueType": "IncorrectValue", + "similarityID": "87719e1f53f5c99aebc483bf8048600e163d0bf4073acc705e81125c3ba2a59e", + "search_line": 0 }, { "queryName": "Schema Object Incorrect Ref (v2)", "severity": "INFO", "line": 19, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "responses.Success.schema.$ref", + "searchValue": "", + "expectedValue": "Schema ref points to '#/definitions'", + "actualValue": "Schema ref doesn't point to '#/definitions'", + "issueType": "IncorrectValue", + "similarityID": "854b8b0c02a37599d8b53064031b1f870c090e25e22c9bf1e02f9b7727922fee", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/test/positive_expected_result.json b/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/test/positive_expected_result.json index 906693d3928..a38ba46275f 100644 --- a/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "Schema with 'additionalProperties' set as Boolean", "severity": "INFO", "line": 28, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.additionalProperties", + "searchValue": "", + "expectedValue": "'additionalProperties' should be set as an object value", + "actualValue": "'additionalProperties' is set as a boolean value", + "issueType": "IncorrectValue", + "similarityID": "47d1cb46bdef7f9151959785a21e2486e7c5ec7dcbc3ea9d6a295bfd9b7cc2b7", + "search_line": -1 }, { "queryName": "Schema with 'additionalProperties' set as Boolean", "severity": "INFO", "line": 22, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.additionalProperties", + "searchValue": "", + "expectedValue": "'additionalProperties' should be set as an object value", + "actualValue": "'additionalProperties' is set as a boolean value", + "issueType": "IncorrectValue", + "similarityID": "79314d17ab6df809b6274a9cdf6987806430c9d8b558bbc03728ad7d5e20679f", + "search_line": -1 }, { "queryName": "Schema with 'additionalProperties' set as Boolean", "severity": "INFO", "line": 29, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.additionalProperties.$ref=#/definitions/User", + "searchValue": "", + "expectedValue": "'additionalProperties' should be set as an object value", + "actualValue": "'additionalProperties' is set as a boolean value", + "issueType": "IncorrectValue", + "similarityID": "54018ffce30e7cd40d0135f88c55ab611b04aa22b21b5f0e17a5d8f445cd67b0", + "search_line": 0 }, { "queryName": "Schema with 'additionalProperties' set as Boolean", "severity": "INFO", "line": 51, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": 
"", + "resourceName": "", + "searchKey": "definitions.User.additionalProperties", + "searchValue": "", + "expectedValue": "'additionalProperties' should be set as an object value", + "actualValue": "'additionalProperties' is set as a boolean value", + "issueType": "IncorrectValue", + "similarityID": "e9a7e407ec14743c973a8936ebda6f588b2984ca838112b2d7f09cf850e71340", + "search_line": 0 }, { "queryName": "Schema with 'additionalProperties' set as Boolean", "severity": "INFO", "line": 23, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.additionalProperties.$ref=#/definitions/User", + "searchValue": "", + "expectedValue": "'additionalProperties' should be set as an object value", + "actualValue": "'additionalProperties' is set as a boolean value", + "issueType": "IncorrectValue", + "similarityID": "41a83e2d5b4cf0dc380f8a4d7d8966fe76887e04e26a8f36d09f35567723ff45", + "search_line": 0 }, { "queryName": "Schema with 'additionalProperties' set as Boolean", "severity": "INFO", "line": 34, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.User.additionalProperties", + "searchValue": "", + "expectedValue": "'additionalProperties' should be set as an object value", + "actualValue": "'additionalProperties' is set as a boolean value", + "issueType": "IncorrectValue", + "similarityID": "6056c091b5bdc167fc91749c72bee0c71b71a80f56f7b6f303f716830533bf1c", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/2.0/schemes_uses_http copy/test/positive_expected_result.json b/assets/queries/openAPI/2.0/schemes_uses_http copy/test/positive_expected_result.json index 6a968ab699b..f0e667f10e8 100644 --- a/assets/queries/openAPI/2.0/schemes_uses_http copy/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/schemes_uses_http copy/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Schemes Uses HTTP", "severity": "MEDIUM", "line": 13, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.schemes.http", + "searchValue": "", + "expectedValue": "The Scheme list uses only 'HTTPS' protocol", + "actualValue": "The Scheme list uses 'HTTP' protocol", + "issueType": "IncorrectValue", + "similarityID": "0dfe7b17581d408175153c2e92164ec94cfd86881986721fd240ba5b055c6b6d", + "search_line": -1 }, { "queryName": "Schemes Uses HTTP", "severity": "MEDIUM", "line": 11, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.schemes.http", + "searchValue": "", + "expectedValue": "The Scheme list uses only 'HTTPS' protocol", + "actualValue": "The Scheme list uses 'HTTP' protocol", + "issueType": "IncorrectValue", + "similarityID": "b6b1f900157178642c63e0976ec7da0f78f3c2ca90ae4aa781f4edb0675216f5", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/test/positive_expected_result.json b/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/test/positive_expected_result.json index 20b6c9b5305..23f3749bd9c 100644 --- a/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/security_definitions_allows_password_flow/test/positive_expected_result.json 
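Review bot: The file header for this hunk points at `assets/queries/openAPI/2.0/schemes_uses_http copy/test/positive_expected_result.json`, a directory whose name carries a stray " copy" suffix, and refreshing its fixture keeps that duplicate alive instead of questioning it. A copied query directory presumably shares its metadata and query ID with `schemes_uses_http`, which would make the same HTTP-scheme finding surface twice in a scan; that should be confirmed before regenerated results are committed for it. If it is a leftover, delete the directory rather than regenerate its expected results.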
@@ -3,12 +3,30 @@ "queryName": "Security Definitions Allows Password Flow", "severity": "MEDIUM", "line": 27, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "securityDefinitions.{{oAuth2AuthCodeNeg2}}.flow", + "searchValue": "", + "expectedValue": "security definition should not allow 'password' flow in OAuth2 authentication", + "actualValue": "security definition allows 'password' flow in OAuth2 authentication", + "issueType": "IncorrectValue", + "similarityID": "61a194863512d9b131217925be1c2c6a1ac0744d717aaae6106e9e61d33965e5", + "search_line": -1 }, { "queryName": "Security Definitions Allows Password Flow", "severity": "MEDIUM", "line": 19, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "securityDefinitions.{{oAuth2AuthCodeNeg2}}.flow", + "searchValue": "", + "expectedValue": "security definition should not allow 'password' flow in OAuth2 authentication", + "actualValue": "security definition allows 'password' flow in OAuth2 authentication", + "issueType": "IncorrectValue", + "similarityID": "a1fcedac15215544f578727d3e27aa35b8e1d3ad648a2da968a87d61984ceb8f", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/test/positive_expected_result.json b/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/test/positive_expected_result.json index d995a2572d8..0e9f6598aaf 100644 --- a/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Security Definitions Undefined or Empty", "severity": "HIGH", "line": 2, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "swagger", + "searchValue": "", + "expectedValue": "'securityDefinitions' should be set and not empty", + "actualValue": "'securityDefinitions' is undefined or empty", + "issueType": "IncorrectValue", + "similarityID": "bdf80a45dc42895d3524c878cb911d07dd21dd564c3020a09addc696d60f669b", + "search_line": -1 }, { "queryName": "Security Definitions Undefined or Empty", "severity": "HIGH", "line": 1, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "swagger", + "searchValue": "", + "expectedValue": "'securityDefinitions' should be set and not empty", + "actualValue": "'securityDefinitions' is undefined or empty", + "issueType": "IncorrectValue", + "similarityID": "c9acfc57893871ca447269e0d7a6cdd9fc508ee0237921b7beb8cde980f1f929", + "search_line": -1 }, { "queryName": "Security Definitions Undefined or Empty", "severity": "HIGH", "line": 2, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "swagger", + "searchValue": "", + "expectedValue": "'securityDefinitions' should be set and not empty", + "actualValue": "'securityDefinitions' is undefined or empty", + "issueType": "MissingAttribute", + "similarityID": "d7a29dae614eefcd7036abfa40e6c1c5640e6b9dcdc80e6b64ff2cb05d477a08", + "search_line": -1 }, { "queryName": "Security Definitions Undefined or Empty", "severity": "HIGH", "line": 1, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "swagger", + "searchValue": "", + "expectedValue": "'securityDefinitions' should be set and not empty", + "actualValue": "'securityDefinitions' is undefined or empty", + "issueType": "MissingAttribute", + 
"similarityID": "e9b91cfc6c452c92b721b7f9785a6edb5b51c27a9287f9f03123bc36a1acd2a6", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/2.0/security_definitions_using_basic_auth/test/positive_expected_result.json b/assets/queries/openAPI/2.0/security_definitions_using_basic_auth/test/positive_expected_result.json index ec44a6d6bd7..a6fae0e406d 100644 --- a/assets/queries/openAPI/2.0/security_definitions_using_basic_auth/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/security_definitions_using_basic_auth/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "Security Definitions Using Basic Auth", "severity": "MEDIUM", "line": 25, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "securityDefinitions.{{oAuth2AuthCodeNeg2}}.type", + "searchValue": "", + "expectedValue": "security definition should not be using basic authentication", + "actualValue": "security definition is using basic authentication", + "issueType": "IncorrectValue", + "similarityID": "b64d34e703b4b29fa14611860f9ac5a7bbfad6281033d6446ab4b8ff62be8076", + "search_line": -1 }, { "queryName": "Security Definitions Using Basic Auth", "severity": "MEDIUM", "line": 17, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "securityDefinitions.{{oAuth2AuthCodeNeg2}}.type", + "searchValue": "", + "expectedValue": "security definition should not be using basic authentication", + "actualValue": "security definition is using basic authentication", + "issueType": "IncorrectValue", + "similarityID": "ad10c678754b725d6d2aa7e8df97e9577334d1b54d1180d5b10556f5b04e881a", + "search_line": -1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/test/positive_expected_result.json b/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/test/positive_expected_result.json index f25b64d1c59..52aba91ba56 100644 --- a/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Security Requirement Not Defined In Security Definition", "severity": "HIGH", "line": 33, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.petstore_auth", + "searchValue": "", + "expectedValue": "petstore_auth should be defined in 'securityDefinitions'", + "actualValue": "petstore_auth is not defined in 'securityDefinitions'", + "issueType": "IncorrectValue", + "similarityID": "34eeb59bcd658c3ed5e0b72993f7bd2e848832bcf028e753636922cc1725b44e", + "search_line": -1 }, { "queryName": "Security Requirement Not Defined In Security Definition", "severity": "HIGH", "line": 21, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.petstore_auth", + "searchValue": "", + "expectedValue": "petstore_auth should be defined in 'securityDefinitions'", + "actualValue": "petstore_auth is not defined in 'securityDefinitions'", + "issueType": "IncorrectValue", + "similarityID": "82cd707f2d5e528ac322392edd409b1795ae189827f7d181c02fdf3e45c3e743", + "search_line": -1 }, { "queryName": "Security Requirement Not Defined In Security Definition", "severity": "HIGH", "line": 30, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.security.petstore_auth", + "searchValue": "", + "expectedValue": "petstore_auth should be defined in 'securityDefinitions'", + "actualValue": "petstore_auth is not defined in 'securityDefinitions'", + "issueType": "IncorrectValue", + "similarityID": "30c769cac49b2e55c435d74d2b6ca687661d0ee9eea951a721b34f30f304bc1c", + "search_line": -1 }, { "queryName": "Security Requirement Not Defined In Security Definition", "severity": "HIGH", "line": 21, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": 
"paths.{{/}}.get.security.petstore_auth", + "searchValue": "", + "expectedValue": "petstore_auth should be defined in 'securityDefinitions'", + "actualValue": "petstore_auth is not defined in 'securityDefinitions'", + "issueType": "IncorrectValue", + "similarityID": "d9e950437f46d38583ee225a9002cda441254eb64144a03d654f65f1357c51eb", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/2.0/undefined_security_scope_global_security/test/positive_expected_result.json b/assets/queries/openAPI/2.0/undefined_security_scope_global_security/test/positive_expected_result.json index 0ebffca7687..ec9a47d7e79 100644 --- a/assets/queries/openAPI/2.0/undefined_security_scope_global_security/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/undefined_security_scope_global_security/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Undefined Scope 'securityDefinition' On Global 'security' Field", "severity": "LOW", "line": 23, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "scope error:api should be defined on 'securityDefinitions'", + "actualValue": "scope error:api is not defined on 'securityDefinitions'", + "issueType": "IncorrectValue", + "similarityID": "253d23847dd04ea0a55d0cd08948c1cb953d65f0a329bff496c6a9e55db61e8e", + "search_line": 23 }, { "queryName": "Undefined Scope 'securityDefinition' On Global 'security' Field", "severity": "LOW", "line": 33, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "scope error:api should be defined on 'securityDefinitions'", + "actualValue": "scope error:api is not defined on 'securityDefinitions'", + "issueType": "IncorrectValue", + "similarityID": "16b7f0a85859f2504089c52f55640feb56dc5fe706b912a30504fbc07a18eaea", + "search_line": 33 } ] diff --git a/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/test/positive_expected_result.json b/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/test/positive_expected_result.json index ab06287ffd1..a73c162e085 100644 --- a/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/undefined_security_scope_security_operations/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Undefined Scope 'securityDefinition' On 'security' Field On Operations", "severity": "LOW", "line": 13, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security", + "searchValue": "", + "expectedValue": "scope error:api should be defined on 'securityDefinitions'", + "actualValue": "scope error:api is not defined on 'securityDefinitions'", + "issueType": "IncorrectValue", + "similarityID": "3bfe34cc5e66db3d8d66d064773b8ed18703a04fc7b2c58053bb227ded08baeb", + "search_line": 13 }, { "queryName": "Undefined Scope 'securityDefinition' On 'security' Field On Operations", "severity": "LOW", "line": 16, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security", + "searchValue": "", + "expectedValue": "scope error:api should be defined on 'securityDefinitions'", + "actualValue": "scope error:api is not defined on 'securityDefinitions'", + "issueType": "IncorrectValue", + "similarityID": "2fbd8973d6c8b2090970c29e554d299d13d9618edcc7057384e27cb05921d70c", + "search_line": 16 } ] diff --git a/assets/queries/openAPI/2.0/unknown_prefix/test/positive_expected_result.json b/assets/queries/openAPI/2.0/unknown_prefix/test/positive_expected_result.json index f84782e1bdb..7df301d6484 100644 --- a/assets/queries/openAPI/2.0/unknown_prefix/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/unknown_prefix/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Unknown Prefix (v2)", "severity": "INFO", "line": 12, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.produces", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.produces has only known prefixes", + "actualValue": "aplication/json on 'paths.{{/}}.get.produces' is an unknown prefix", + "issueType": "IncorrectValue", + "similarityID": "5c2e504e98ef8501d6ebefb8dcb5e085c12d5d3ffe766b23588405b435a9159c", + "search_line": 0 }, { "queryName": "Unknown Prefix (v2)", "severity": "INFO", "line": 38, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "produces", + "searchValue": "", + "expectedValue": "produces has only known prefixes", + "actualValue": "aplication/json on 'produces' is an unknown prefix", + "issueType": "IncorrectValue", + "similarityID": "b0cf5c154becb87871ce12d5d33cdf9ba82e9f2d08e1bd702a2d566d74625019", + "search_line": 0 }, { "queryName": "Unknown Prefix (v2)", "severity": "INFO", "line": 10, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.produces", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.produces has only known prefixes", + "actualValue": "aplication/json on 'paths.{{/}}.get.produces' is an unknown prefix", + "issueType": "IncorrectValue", + "similarityID": "48d636001fe589218555c7e6e333b1eb1c44f2fadec6b3ca1f134a491bbd7779", + "search_line": 0 }, { "queryName": "Unknown Prefix (v2)", "severity": "INFO", "line": 24, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "produces", + "searchValue": "", + "expectedValue": "produces has only known prefixes", + "actualValue": "aplication/json on 'produces' is an unknown prefix", + "issueType": "IncorrectValue", + "similarityID": 
"2e111fad2f45cec92763d6abcf55511484f4a5977b60a63e54ab01bce3b1009d", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/2.0/unknown_property/test/positive_expected_result.json b/assets/queries/openAPI/2.0/unknown_property/test/positive_expected_result.json index 81b318304d5..e45f234dd41 100644 --- a/assets/queries/openAPI/2.0/unknown_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/unknown_property/test/positive_expected_result.json 
@@ -3,48 +3,120 @@ "queryName": "Unknown Property (v2)", "severity": "INFO", "line": 20, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.descripption", + "searchValue": "", + "expectedValue": "The field 'descripption' is known in the parameters object", + "actualValue": "The field 'descripption' is unknown in the parameters object", + "issueType": "IncorrectValue", + "similarityID": "198c45f255348adb568f877c6ea6d692d2172d6bcd2c7a125e692d0d34f30d83", + "search_line": 20 }, { "queryName": "Unknown Property (v2)", "severity": "INFO", "line": 40, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.ErrorModel.propppperties", + "searchValue": "", + "expectedValue": "The field 'propppperties' is known in the definitions object", + "actualValue": "The field 'propppperties' is unknown in the definitions object", + "issueType": "IncorrectValue", + "similarityID": "fcfcfd11bedb67a0f6ebeba51b2a439d1ed621c1a2967c7e765227d43c0fb67c", + "search_line": 40 }, { "queryName": "Unknown Property (v2)", "severity": "INFO", "line": 7, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "info.contact.nameee", + "searchValue": "", + "expectedValue": "The field 'nameee' is known in the contact object", + "actualValue": "The field 'nameee' is unknown in the contact object", + "issueType": "IncorrectValue", + "similarityID": "459f9c426c81c82a8f6fa2476df45526a7588b6a1a0eecd52ecb30b263735b61", + "search_line": 7 }, { "queryName": "Unknown Property (v2)", "severity": "INFO", "line": 25, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "taggs", + "searchValue": "", + "expectedValue": "The field 'taggs' is known in the openapi object", + "actualValue": "The field 'taggs' is 
unknown in the openapi object", + "issueType": "IncorrectValue", + "similarityID": "6f6256f78a87eeb336939814728b1e9290e3275d1d795c20cb16763d519c09ca", + "search_line": 25 }, { "queryName": "Unknown Property (v2)", "severity": "INFO", "line": 16, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.descripption", + "searchValue": "", + "expectedValue": "The field 'descripption' is known in the parameters object", + "actualValue": "The field 'descripption' is unknown in the parameters object", + "issueType": "IncorrectValue", + "similarityID": "bc328d2ad7815617638faf29056814c35904249c6bbe4e0abdade74b0176c27a", + "search_line": 16 }, { "queryName": "Unknown Property (v2)", "severity": "INFO", "line": 28, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.ErrorModel.propppperties", + "searchValue": "", + "expectedValue": "The field 'propppperties' is known in the definitions object", + "actualValue": "The field 'propppperties' is unknown in the definitions object", + "issueType": "IncorrectValue", + "similarityID": "62f1fdfefc0b7aaf4c4251996838442fcf1d40ed9d8e24afc617d85958964736", + "search_line": 28 }, { "queryName": "Unknown Property (v2)", "severity": "INFO", "line": 6, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "info.contact.nameee", + "searchValue": "", + "expectedValue": "The field 'nameee' is known in the contact object", + "actualValue": "The field 'nameee' is unknown in the contact object", + "issueType": "IncorrectValue", + "similarityID": "ce2e62dc999eceb5d426894bf101a3a1d082dace9e682a07da7a23acc9fb11e7", + "search_line": 6 }, { "queryName": "Unknown Property (v2)", "severity": "INFO", "line": 17, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + 
"searchKey": "taggs", + "searchValue": "", + "expectedValue": "The field 'taggs' is known in the openapi object", + "actualValue": "The field 'taggs' is unknown in the openapi object", + "issueType": "IncorrectValue", + "similarityID": "996796c7defacc24c13c11e2ca4815e3774318ea3c0861911789e77e6cad1726", + "search_line": 17 } ] diff --git a/assets/queries/openAPI/2.0/unused_parameter_definition/test/positive_expected_result.json b/assets/queries/openAPI/2.0/unused_parameter_definition/test/positive_expected_result.json index 3b9b810e5e9..c8ef6e57be0 100644 --- a/assets/queries/openAPI/2.0/unused_parameter_definition/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/unused_parameter_definition/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "Global Parameter Definition Not Being Used", "severity": "INFO", "line": 26, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.{{limitParam}}", + "searchValue": "", + "expectedValue": "parameter definition 'limitParam' is used", + "actualValue": "parameter definition 'limitParam' is not being used", + "issueType": "MissingAttribute", + "similarityID": "834f477c1daead90b74399556711a920ea3c94e8f487e4d5154a540a98a12db5", + "search_line": 0 }, { "queryName": "Global Parameter Definition Not Being Used", "severity": "INFO", "line": 16, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.{{limitParam}}", + "searchValue": "", + "expectedValue": "parameter definition 'limitParam' is used", + "actualValue": "parameter definition 'limitParam' is not being used", + "issueType": "MissingAttribute", + "similarityID": "50834dab124b84f41e1a719f907a4a8d8a7b7c5139813aa287a7cfda7d815d6a", + "search_line": 0 } ] 
diff --git a/assets/queries/openAPI/2.0/unused_response_definition/test/positive_expected_result.json b/assets/queries/openAPI/2.0/unused_response_definition/test/positive_expected_result.json index 3c30d6ec861..649306aecfa 100644 --- a/assets/queries/openAPI/2.0/unused_response_definition/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/unused_response_definition/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Global Responses Definition Not Being Used", "severity": "INFO", "line": 38, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "responses.{{IllegalInput}}", + "searchValue": "", + "expectedValue": "responses definition 'IllegalInput' is used", + "actualValue": "responses definition 'IllegalInput' is not being used", + "issueType": "MissingAttribute", + "similarityID": "14a83f95282f8a995b6c0e55f0fd523307f83edae4061e725f9ef74c218f8ec3", + "search_line": 0 }, { "queryName": "Global Responses Definition Not Being Used", "severity": "INFO", - "line": 25, - "filename": "positive2.yaml" + "line": 41, + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "responses.{{GeneralError}}", + "searchValue": "", + "expectedValue": "responses definition 'GeneralError' is used", + "actualValue": "responses definition 'GeneralError' is not being used", + "issueType": "MissingAttribute", + "similarityID": "15caa9a35ed83873bd6da4e6a4ac7f5a5e178c31cdd7a911bedb22e8874e8b2d", + "search_line": 0 }, { "queryName": "Global Responses Definition Not Being Used", "severity": "INFO", - "line": 41, - "filename": "positive1.json" + "line": 25, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "responses.{{IllegalInput}}", + "searchValue": "", + "expectedValue": "responses definition 'IllegalInput' is used", + "actualValue": "responses definition 'IllegalInput' is not being used", + "issueType": "MissingAttribute", + "similarityID": "f4ab10bc4f38dac3c1e732b3ed51f9d8a299e1a0b5e0be7d0d5752531cd1307d", + "search_line": 0 }, { "queryName": "Global Responses Definition Not Being Used", "severity": "INFO", "line": 27, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "responses.{{GeneralError}}", + "searchValue": "", + "expectedValue": "responses 
definition 'GeneralError' is used", + "actualValue": "responses definition 'GeneralError' is not being used", + "issueType": "MissingAttribute", + "similarityID": "e8b47dd63301baa14eea98f4fa14cec378e4aa1b23515e51c9032f5379944f4a", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/2.0/unused_schema_definition/test/positive_expected_result.json b/assets/queries/openAPI/2.0/unused_schema_definition/test/positive_expected_result.json index 366d81a471f..90f20fc5636 100644 --- a/assets/queries/openAPI/2.0/unused_schema_definition/test/positive_expected_result.json +++ b/assets/queries/openAPI/2.0/unused_schema_definition/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "Global Schema Definition Not Being Used", "severity": "INFO", "line": 44, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{Tag}}", + "searchValue": "", + "expectedValue": "responses definition 'Tag' is used", + "actualValue": "responses definition 'Tag' is not being used", + "issueType": "MissingAttribute", + "similarityID": "532f0b657e0ceb5034546a03a32fa58889129e741ed5567eb1a2c6bccde3307e", + "search_line": 0 }, { "queryName": "Global Schema Definition Not Being Used", "severity": "INFO", "line": 29, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{Tag}}", + "searchValue": "", + "expectedValue": "responses definition 'Tag' is used", + "actualValue": "responses definition 'Tag' is not being used", + "issueType": "MissingAttribute", + "similarityID": "62b357cfdbb449c1fb47c46ca2369d803d4bd4d2603ea553aefa8d9fca51f5c9", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/3.0/additional_properties_too_permissive/test/positive_expected_result.json b/assets/queries/openAPI/3.0/additional_properties_too_permissive/test/positive_expected_result.json index 663fbbc97d9..30dd6371c40 100644 
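Review bot: The regenerated `unused_schema_definition` fixture pins `expectedValue`/`actualValue` strings reading `responses definition 'Tag' is used` / `responses definition 'Tag' is not being used`, although the query name and the `searchKey` (`definitions.{{Tag}}`) concern a schema definition. These strings are presumably produced by the query itself, so the wording defect lives there, but committing them as expected output freezes the misleading message and any later correction will have to touch this fixture again. I would fix the message at its source to `schema definition 'Tag' is used` / `schema definition 'Tag' is not being used` and regenerate, rather than lock in the current text.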
--- a/assets/queries/openAPI/3.0/additional_properties_too_permissive/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/additional_properties_too_permissive/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "Additional Properties Too Permissive", "severity": "LOW", "line": 24, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.additionalProperties", + "searchValue": "", + "expectedValue": "'additionalProperties' should be set to false", + "actualValue": "'additionalProperties' is set true", + "issueType": "IncorrectValue", + "similarityID": "0a0ca2678121357a106db48b7c94a1b0bd6753efa2d69a6b28402e82bdbf0162", + "search_line": -1 }, { "queryName": "Additional Properties Too Permissive", "severity": "LOW", - "line": 34, - "filename": "positive3.json" + "line": 19, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.additionalProperties", + "searchValue": "", + "expectedValue": "'additionalProperties' should be set to false", + "actualValue": "'additionalProperties' is set true", + "issueType": "IncorrectValue", + "similarityID": "926ee5ff66278fe1229a9d06ae4a5307c9dfdc5b3bffa65220212ef1442ca9a7", + "search_line": -1 }, { "queryName": "Additional Properties Too Permissive", "severity": "LOW", - "line": 14, - "filename": "positive5.json" + "line": 34, + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.oneOf", + "searchValue": "", + "expectedValue": "'additionalProperties' should be set to false", + "actualValue": "'additionalProperties' is set true", + "issueType": "IncorrectValue", + "similarityID": "076ba584273d56459ed8ec441d0584eb89d80bed673e1f6b93cb5a183278fc51", + "search_line": -1 }, { "queryName": "Additional Properties Too Permissive", "severity": "LOW", - "line": 19, - "filename": "positive2.yaml" + "line": 23, + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.oneOf", + "searchValue": "", + "expectedValue": 
"'additionalProperties' should be set to false", + "actualValue": "'additionalProperties' is set true", + "issueType": "IncorrectValue", + "similarityID": "393b08849d45fe20aef8693ed47ac0f95910b5347938a410fea65151248dd1cb", + "search_line": -1 }, { "queryName": "Additional Properties Too Permissive", "severity": "LOW", - "line": 23, - "filename": "positive4.yaml" + "line": 14, + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema", + "searchValue": "", + "expectedValue": "'additionalProperties' needs to be set and to false", + "actualValue": "'additionalProperties' is not set", + "issueType": "MissingAttribute", + "similarityID": "487131f5badb4a4d57fd2cf4d46880c34b1ad10b868423286c17a23c12e8fad1", + "search_line": -1 }, { "queryName": "Additional Properties Too Permissive", "severity": "LOW", "line": 12, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema", + "searchValue": "", + "expectedValue": "'additionalProperties' needs to be set and to false", + "actualValue": "'additionalProperties' is not set", + "issueType": "MissingAttribute", + "similarityID": "2ac90b0e6861b0fd74bd7e192525f0d69134ce0004be8b8ec160d5904d7190c5", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/additional_properties_too_restrective/test/positive_expected_result.json b/assets/queries/openAPI/3.0/additional_properties_too_restrective/test/positive_expected_result.json index 9abd489058a..16210b17c01 100644 --- a/assets/queries/openAPI/3.0/additional_properties_too_restrective/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/additional_properties_too_restrective/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Additional Properties Too Restrictive", "severity": "LOW", "line": 41, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.oneOf", + "searchValue": "", + "expectedValue": "'additionalProperties' should not be false", + "actualValue": "'additionalProperties' is false", + "issueType": "IncorrectValue", + "similarityID": "7e5743b7deb17b72957462d364c4d770d409b2f1f9d9c7236d68a4507cae60d2", + "search_line": -1 }, { "queryName": "Additional Properties Too Restrictive", "severity": "LOW", - "line": 15, - "filename": "positive3.json" + "line": 25, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.oneOf", + "searchValue": "", + "expectedValue": "'additionalProperties' should not be false", + "actualValue": "'additionalProperties' is false", + "issueType": "IncorrectValue", + "similarityID": "b77989d263a1e991a4896a406c45bfe01bb08bc2e3055dcb20a7703d28e78874", + "search_line": -1 }, { "queryName": "Additional Properties Too Restrictive", "severity": "LOW", - "line": 25, - "filename": "positive2.yaml" + "line": 15, + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.allOf", + "searchValue": "", + "expectedValue": "'additionalProperties' should not be false", + "actualValue": "'additionalProperties' is false", + "issueType": "IncorrectValue", + "similarityID": "9f0326a42c9a5afb0f23f4f10a2e40a8d941eb47592f7f37c7475d0b219bced6", + "search_line": -1 }, { "queryName": "Additional Properties Too Restrictive", "severity": "LOW", "line": 13, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.allOf", + "searchValue": "", + "expectedValue": "'additionalProperties' should not be false", + "actualValue": 
"'additionalProperties' is false", + "issueType": "IncorrectValue", + "similarityID": "4b609348c3d0172e7728f5226b78a68ba35cc78d44b164e742e3b9328f129b33", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/test/positive_expected_result.json b/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/test/positive_expected_result.json index 0ae9ec9454f..fef5222b25c 100644 --- a/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "API Key Exposed In Global Security Scheme", "severity": "LOW", "line": 52, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.apiKey1", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue", + "similarityID": "91d441f944df43a0df44e2f20ac3bd1b548ba3a09593a77174ba272f8f816d9b", + "search_line": -1 }, { "queryName": "API Key Exposed In Global Security Scheme", "severity": "LOW", "line": 57, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.apiKey2", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue", + "similarityID": "818fbfb81a4755e18f33eb50c8b0ce56fc648b89276c333a85f47bc8670d5f34", + "search_line": -1 }, { "queryName": "API Key Exposed In Global Security Scheme", "severity": "LOW", "line": 62, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.apiKey3", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue", + "similarityID": "f6304b0912536270a1cc603c884feb61328896dcef3359170c7b3791aa7c405c", + "search_line": -1 }, { "queryName": "API Key Exposed In Global Security Scheme", "severity": "LOW", "line": 31, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.apiKey1", + "searchValue": "", + "expectedValue": "The API Key should not be transported over 
network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue", + "similarityID": "a8d3432a58d75cac92c15f4b2145489f5cbe0c2f05a10e5eb5faec1857399783", + "search_line": -1 }, { "queryName": "API Key Exposed In Global Security Scheme", "severity": "LOW", "line": 35, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.apiKey2", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue", + "similarityID": "80a472f25b6268b1719e2216d139b5472e00149d6d2368f60bca1e15ca638848", + "search_line": -1 }, { "queryName": "API Key Exposed In Global Security Scheme", "severity": "LOW", "line": 39, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.apiKey3", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue", + "similarityID": "8dc9b27302b1b9c82565f732cd4c8d279c0864a860d15bdddf655860cdfef765", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/callback_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/callback_object_incorrect_ref/test/positive_expected_result.json index 27b03bfbc60..5b6874d051d 100644 --- a/assets/queries/openAPI/3.0/callback_object_incorrect_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/callback_object_incorrect_ref/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Callback Object With Incorrect Ref", "severity": "INFO", "line": 19, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.callbacks.{{myEvent}}.$ref", + "searchValue": "", + "expectedValue": "Callback ref points to '#/components/callbacks'", + "actualValue": "Callback ref does not point to '#/components/callbacks'", + "issueType": "IncorrectValue", + "similarityID": "a9518afeda31f11ea262651bd96a669372764ab90d3bb445516b057e89a8d09a", + "search_line": 0 }, { "queryName": "Callback Object With Incorrect Ref", "severity": "INFO", "line": 15, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.callbacks.{{myEvent}}.$ref", + "searchValue": "", + "expectedValue": "Callback ref points to '#/components/callbacks'", + "actualValue": "Callback ref does not point to '#/components/callbacks'", + "issueType": "IncorrectValue", + "similarityID": "3df8acaddc5575ae4449bd101f81b4e76a509cb1291d99aa5380a9506f7c7c46", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/test/positive_expected_result.json b/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/test/positive_expected_result.json index 684dadd9441..eadb969c465 100644 --- a/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Cleartext Credentials With Basic Authentication For Operation", "severity": "MEDIUM", "line": 28, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security.{{regularSecurity}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}} operation should not allow cleartext credentials over unencrypted channel", + "actualValue": "paths.{{/}}.{{get}} operation allows cleartext credentials over unencrypted channel", + "issueType": "IncorrectValue", + "similarityID": "00a21159986ebf70980c42b1192799f5f80722c9d888d30dd2c0fe96109e620b", + "search_line": -1 }, { "queryName": "Cleartext Credentials With Basic Authentication For Operation", "severity": "MEDIUM", "line": 19, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security.{{regularSecurity}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}} operation should not allow cleartext credentials over unencrypted channel", + "actualValue": "paths.{{/}}.{{get}} operation allows cleartext credentials over unencrypted channel", + "issueType": "IncorrectValue", + "similarityID": "8d099950b9d2bb9e7bcc8f684da59dcb6cc1d69b9ac1752e875677d63c85c32c", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/components_callback_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_callback_definition_unused/test/positive_expected_result.json index 2a8e672168c..1550a76049c 100644 --- a/assets/queries/openAPI/3.0/components_callback_definition_unused/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_callback_definition_unused/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Components Callback Definition Is Unused", "severity": "INFO", "line": 22, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.callbacks.{{inProgress}}", + "searchValue": "", + "expectedValue": "Callback should be used as reference somewhere", + "actualValue": "Callback is not used as reference", + "issueType": "IncorrectValue", + "similarityID": "165a28aa8735312c16445191ce08253e6a476bc9d53cac055221ccb76bd1da0a", + "search_line": 0 }, { "queryName": "Components Callback Definition Is Unused", "severity": "INFO", "line": 15, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.callbacks.{{inProgress}}", + "searchValue": "", + "expectedValue": "Callback should be used as reference somewhere", + "actualValue": "Callback is not used as reference", + "issueType": "IncorrectValue", + "similarityID": "72c57c403a5bcc7c1b38d23a8451b00fdc4fb5a024ea423b1d0feeea42b25e14", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/3.0/components_example_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_example_definition_unused/test/positive_expected_result.json index b56fe3c1bfc..6b178a20822 100644 --- a/assets/queries/openAPI/3.0/components_example_definition_unused/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_example_definition_unused/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Components Example Definition Is Unused", "severity": "INFO", "line": 42, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.examples.{{objectExample}}", + "searchValue": "", + "expectedValue": "Example should be used as reference somewhere", + "actualValue": "Example is not used as reference", + "issueType": "IncorrectValue", + "similarityID": "b5c3f2d910a5e40ebdea43e858c9afc47b4c1f33774d950b00a2fcd50c781c84", + "search_line": 0 }, { "queryName": "Components Example Definition Is Unused", "severity": "INFO", "line": 27, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.examples.{{objectExample}}", + "searchValue": "", + "expectedValue": "Example should be used as reference somewhere", + "actualValue": "Example is not used as reference", + "issueType": "IncorrectValue", + "similarityID": "743622987c7f9df67f3097f7aa98dea1bfb8c9e2dc28a19cdd1ba516279a041a", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/3.0/components_header_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_header_definition_unused/test/positive_expected_result.json index 00fd9f860f8..4806f7ea221 100644 --- a/assets/queries/openAPI/3.0/components_header_definition_unused/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_header_definition_unused/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Components Header Definition Is Unused", "severity": "INFO", "line": 45, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.headers.{{xPages}}", + "searchValue": "", + "expectedValue": "Header should be used as reference somewhere", + "actualValue": "Header is not used as reference", + "issueType": "IncorrectValue", + "similarityID": "7ac6b44d18721892d752104b64dd8d778cc188baf59e88bee65d9105ffee8bfc", + "search_line": 0 }, { "queryName": "Components Header Definition Is Unused", "severity": "INFO", "line": 29, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.headers.{{xPages}}", + "searchValue": "", + "expectedValue": "Header should be used as reference somewhere", + "actualValue": "Header is not used as reference", + "issueType": "IncorrectValue", + "similarityID": "76d7a3d76c9d3cbe036217d4a2ca4be7c59309f9160ce01250b74452e8c7ee4e", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/3.0/components_link_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_link_definition_unused/test/positive_expected_result.json index cf760d785ed..83ffeb8ac99 100644 --- a/assets/queries/openAPI/3.0/components_link_definition_unused/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_link_definition_unused/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Components Link Definition Is Unused", "severity": "INFO", "line": 45, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.links.{{APIRepository}}", + "searchValue": "", + "expectedValue": "Link should be used as reference somewhere", + "actualValue": "Link is not used as reference", + "issueType": "IncorrectValue", + "similarityID": "b6dc3fca7879096e247c422bc95db00408860d84e3ea54f3241a58cd350da0c6", + "search_line": 0 }, { "queryName": "Components Link Definition Is Unused", "severity": "INFO", "line": 29, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.links.{{APIRepository}}", + "searchValue": "", + "expectedValue": "Link should be used as reference somewhere", + "actualValue": "Link is not used as reference", + "issueType": "IncorrectValue", + "similarityID": "67532b8030617be429f44769e4aafb3d818c1a05c4b48b5876b1b61954db611b", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/test/positive_expected_result.json index f770b39933b..c668fd10b2d 100644 --- a/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Components Object Fixed Field Key Improperly Named", "severity": "INFO", "line": 45, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.{{schemas}}.{{General Error}}", + "searchValue": "", + "expectedValue": "components.{{schemas}}.{{General Error}} is properly named", + "actualValue": "components.{{schemas}}.{{General Error}}is improperly named", + "issueType": "IncorrectValue", + "similarityID": "dfb64c8c31794d816130e2fefc09531b121fa68ffe70775681c058e6eb063d50", + "search_line": -1 }, { "queryName": "Components Object Fixed Field Key Improperly Named", "severity": "INFO", "line": 27, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.{{schemas}}.{{General Error}}", + "searchValue": "", + "expectedValue": "components.{{schemas}}.{{General Error}} is properly named", + "actualValue": "components.{{schemas}}.{{General Error}}is improperly named", + "issueType": "IncorrectValue", + "similarityID": "8e28f5ad1f8234ab4996dfc524ad93d0e883f693df2832a0eada27b0437d340f", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/3.0/components_parameter_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_parameter_definition_unused/test/positive_expected_result.json index 6265e35f39b..69875e5deba 100644 --- a/assets/queries/openAPI/3.0/components_parameter_definition_unused/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_parameter_definition_unused/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Components Parameter Definition Is Unused", "severity": "INFO", "line": 22, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.{{limitParam}}", + "searchValue": "", + "expectedValue": "Parameter should be used as reference somewhere", + "actualValue": "Parameter is not used as reference", + "issueType": "IncorrectValue", + "similarityID": "064de7cd9831c174aef22b7978c090b66379ba3bee97766a52c3469ad0dbdcb4", + "search_line": 0 }, { "queryName": "Components Parameter Definition Is Unused", "severity": "INFO", "line": 15, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.{{limitParam}}", + "searchValue": "", + "expectedValue": "Parameter should be used as reference somewhere", + "actualValue": "Parameter is not used as reference", + "issueType": "IncorrectValue", + "similarityID": "42030b972310d7fb560e7178e3959e1dec7253f452852f1a70e57d076a277a83", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/3.0/components_request_body_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_request_body_definition_unused/test/positive_expected_result.json index 05391f42f5c..c2dc607ccca 100644 --- a/assets/queries/openAPI/3.0/components_request_body_definition_unused/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_request_body_definition_unused/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Components Request Body Definition Is Unused", "severity": "INFO", "line": 35, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.{{MyObjectBody}}", + "searchValue": "", + "expectedValue": "Request body should be used as reference somewhere", + "actualValue": "Request body is not used as reference", + "issueType": "IncorrectValue", + "similarityID": "85d6071c691fbab1da7114f27e6c125f84a2a0a0ee946674b9a8c38cfe42e73a", + "search_line": 0 }, { "queryName": "Components Request Body Definition Is Unused", "severity": "INFO", "line": 23, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.{{MyObjectBody}}", + "searchValue": "", + "expectedValue": "Request body should be used as reference somewhere", + "actualValue": "Request body is not used as reference", + "issueType": "IncorrectValue", + "similarityID": "4960ef33ddc3e8cc5138c1f1d8dd19da7e0340f1b628c56ed721bdd69bbce0e5", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/3.0/components_response_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_response_definition_unused/test/positive_expected_result.json index 4216cdede49..124952af3d8 100644 --- a/assets/queries/openAPI/3.0/components_response_definition_unused/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_response_definition_unused/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Components Response Definition Is Unused", "severity": "INFO", "line": 50, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.{{NotFound}}", + "searchValue": "", + "expectedValue": "Response should be used as reference somewhere", + "actualValue": "Response is not used as reference", + "issueType": "IncorrectValue", + "similarityID": "09c4b14fab7c499cc60afeb7501863b2768d136f079b195732e850297afbccaf", + "search_line": 0 }, { "queryName": "Components Response Definition Is Unused", "severity": "INFO", "line": 33, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.{{NotFound}}", + "searchValue": "", + "expectedValue": "Response should be used as reference somewhere", + "actualValue": "Response is not used as reference", + "issueType": "IncorrectValue", + "similarityID": "2b6d0dcd981fa9e8a74573fc31d1e246f56c1da71304eee489bfafa2f5cde77c", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/3.0/components_schema_definition_unused/test/positive_expected_result.json b/assets/queries/openAPI/3.0/components_schema_definition_unused/test/positive_expected_result.json index e1644ffcb35..b2b51c34510 100644 --- a/assets/queries/openAPI/3.0/components_schema_definition_unused/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/components_schema_definition_unused/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Components Schema Definition Is Unused", "severity": "INFO", "line": 33, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{MyObject2}}", + "searchValue": "", + "expectedValue": "Schema should be used as reference somewhere", + "actualValue": "Schema is not used as reference", + "issueType": "IncorrectValue", + "similarityID": "312026cdfeee540fd3d52f8eda109c0e41699c736d04161eb776f4809ca5dc32", + "search_line": 0 }, { "queryName": "Components Schema Definition Is Unused", "severity": "INFO", "line": 22, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{MyObject2}}", + "searchValue": "", + "expectedValue": "Schema should be used as reference somewhere", + "actualValue": "Schema is not used as reference", + "issueType": "IncorrectValue", + "similarityID": "c8d5d09833058df77e5de17688182c9dd746f2a03765a6d04e2bd932dcb341ab", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/3.0/empty_array/test/positive_expected_result.json b/assets/queries/openAPI/3.0/empty_array/test/positive_expected_result.json index d9ab1c4dd10..6eaf52fea8f 100644 --- a/assets/queries/openAPI/3.0/empty_array/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/empty_array/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Empty Array", "severity": "INFO", "line": 43, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "The array should not be empty", + "actualValue": "The array is empty", + "issueType": "IncorrectValue", + "similarityID": "fd82b65e84464a61d150babb136395506b887b8c73a1125c9ea0cd2cda6bf29f", + "search_line": -1 }, { "queryName": "Empty Array", "severity": "INFO", "line": 25, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "The array should not be empty", + "actualValue": "The array is empty", + "issueType": "IncorrectValue", + "similarityID": "7a66892cfad376d518ba015315258e277ac50d6141fdfc3c797fe698688f87a6", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/test/positive_expected_result.json b/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/test/positive_expected_result.json index 1b3cc6f9b5c..c9e1bfa385b 100644 --- a/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Encoding Header 'Content-Type' Improperly Defined", "severity": "INFO", "line": 70, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}}", + "searchValue": "", + "expectedValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} should not define 'Content-Type' in the 'headers' field", + "actualValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} defines 'Content-Type' in the 'headers' field", + "issueType": "IncorrectValue", + "similarityID": "599394eb34e6b20f90881fa53bf899d6853615c2bf29cd1bac27d0b7f9c962cc", + "search_line": -1 }, { "queryName": "Encoding Header 'Content-Type' Improperly Defined", "severity": "INFO", "line": 36, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} should not define 'Content-Type' in the 'headers' field", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} defines 'Content-Type' in the 'headers' field", + "issueType": "IncorrectValue", + "similarityID": "8736f7085ed38a195a08a6a5e2270d472b932575240ac3248d8dd51f67a4f78f", + "search_line": -1 }, { "queryName": "Encoding Header 'Content-Type' Improperly Defined", "severity": "INFO", "line": 42, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}}", + "searchValue": "", + 
"expectedValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} should not define 'Content-Type' in the 'headers' field", + "actualValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} defines 'Content-Type' in the 'headers' field", + "issueType": "IncorrectValue", + "similarityID": "d2c9e2baef555ead5b5d356ff14df1063490f91eb54efbdb186ac32b126bb86b", + "search_line": -1 }, { "queryName": "Encoding Header 'Content-Type' Improperly Defined", "severity": "INFO", "line": 26, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} should not define 'Content-Type' in the 'headers' field", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} defines 'Content-Type' in the 'headers' field", + "issueType": "IncorrectValue", + "similarityID": "c369be5d49348bb857ad87a28c0d639eb4bf49ba281b274cf003a2c6f5fb76ab", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/test/positive_expected_result.json b/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/test/positive_expected_result.json index e0b95e7d014..6a90695616e 100644 --- a/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties/test/positive_expected_result.json 
@@ -3,24 +3,60 @@
 "queryName": "Encoding Map Key Mismatch Schema Defined Properties",
 "severity": "INFO",
 "line": 70,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}}",
+ "searchValue": "",
+ "expectedValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} should be set in schema defined properties",
+ "actualValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} is not set in schema defined properties",
+ "issueType": "IncorrectValue",
+ "similarityID": "f7194441c600073c684d803bc4d0fbd03b96adcdf54da6ae0cbc07c4f3b6fd7a",
+ "search_line": -1
 },
 {
 "queryName": "Encoding Map Key Mismatch Schema Defined Properties",
 "severity": "INFO",
 "line": 36,
- "filename": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} should be set in schema defined properties",
+ "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} is not set in schema defined properties",
+ "issueType": "IncorrectValue",
+ "similarityID": "fc837fca414521eeb3957be1cdfe8639c3ad929006bfbbf638d033bbf54e9941",
+ "search_line": -1
 },
 {
 "queryName": "Encoding Map Key Mismatch Schema Defined Properties",
 "severity": "INFO",
 "line": 42,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}}",
+ "searchValue": "",
+ "expectedValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} should be set in schema defined properties",
+ "actualValue": "components.responses.{{ResponseExample}}.content.{{application/json}}.encoding.{{profileImage}} is not set in schema defined properties",
+ "issueType": "IncorrectValue",
+ "similarityID": "37f1401e48d58fa3e5d893aeb38a7153b2dda6feeb6be9e70bd483ec17d6fb34",
+ "search_line": -1
 },
 {
 "queryName": "Encoding Map Key Mismatch Schema Defined Properties",
 "severity": "INFO",
 "line": 26,
- "filename": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} should be set in schema defined properties",
+ "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.encoding.{{profileImage}} is not set in schema defined properties",
+ "issueType": "IncorrectValue",
+ "similarityID": "40979cb51c5ff28d476ca85f5266add97c10f4455b8c897c51f0d4b5cc8528a9",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/test/positive_expected_result.json b/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/test/positive_expected_result.json
index 570b4c2a338..5f18a00fec1 100644
--- a/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Example JSON Reference Outside Components Examples",
 "severity": "INFO",
 "line": 77,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.post.requestBody.content.{{application/json}}.examples.Address.$ref",
+ "searchValue": "",
+ "expectedValue": "#/components/schemas/Address should be declared on components.schemas",
+ "actualValue": "#/components/schemas/Address is not declared on components.schemas",
+ "issueType": "MissingAttribute",
+ "similarityID": "65072a7f86fa0210d1549a12bc1c33295dca4e069d5be2b59a50bcf784d0282d",
+ "search_line": 0
 },
 {
 "queryName": "Example JSON Reference Outside Components Examples",
 "severity": "INFO",
 "line": 51,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.post.requestBody.content.{{application/json}}.examples.Address.$ref",
+ "searchValue": "",
+ "expectedValue": "#/components/schemas/Address should be declared on components.schemas",
+ "actualValue": "#/components/schemas/Address is not declared on components.schemas",
+ "issueType": "MissingAttribute",
+ "similarityID": "e3de07fa6e735cf8582cb5799288e5743acd2375c0c8e270d4695b6c8b87a438",
+ "search_line": 0
 }
 ]
diff --git a/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/test/positive_expected_result.json b/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/test/positive_expected_result.json
index 4d40c6ecaee..c53a5ada112 100644
--- a/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Global Security Scheme Using Basic Authentication",
 "severity": "MEDIUM",
 "line": 51,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.{{regularSecurity}}",
+ "searchValue": "",
+ "expectedValue": "components.securitySchemes.{{regularSecurity}} global security should not allow basic authentication",
+ "actualValue": "components.securitySchemes.{{regularSecurity}} global security allows basic authentication",
+ "issueType": "IncorrectValue",
+ "similarityID": "062ba7610d375ab13a863335b76f70393c16683839ab19d0865addb95955d3ec",
+ "search_line": -1
 },
 {
 "queryName": "Global Security Scheme Using Basic Authentication",
 "severity": "MEDIUM",
 "line": 30,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.{{regularSecurity}}",
+ "searchValue": "",
+ "expectedValue": "components.securitySchemes.{{regularSecurity}} global security should not allow basic authentication",
+ "actualValue": "components.securitySchemes.{{regularSecurity}} global security allows basic authentication",
+ "issueType": "IncorrectValue",
+ "similarityID": "fff221ae078a69c602949090ea0d8bd0bcd881e23a60658edcfe3e8144323909",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/openAPI/3.0/global_server_uses_http/test/positive_expected_result.json b/assets/queries/openAPI/3.0/global_server_uses_http/test/positive_expected_result.json
index f828b3df526..d3ddcb89a21 100644
--- a/assets/queries/openAPI/3.0/global_server_uses_http/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/global_server_uses_http/test/positive_expected_result.json
@@ -3,18 +3,45 @@
 "queryName": "Global Server Object Uses HTTP",
 "severity": "MEDIUM",
 "line": 13,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "servers.url.http://staging.gigantic-server.com/v1",
+ "searchValue": "",
+ "expectedValue": "Global servers' URL should use HTTPS protocol",
+ "actualValue": "Global servers' URL are not using HTTPS protocol",
+ "issueType": "IncorrectValue",
+ "similarityID": "460b56fd2abcbb21027225854a77b7069d96dd4955a81ece7dd2e967636f1029",
+ "search_line": -1
 },
 {
 "queryName": "Global Server Object Uses HTTP",
 "severity": "MEDIUM",
 "line": 8,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "servers.url.http://staging.gigantic-server.com/v1",
+ "searchValue": "",
+ "expectedValue": "Global servers' URL should use HTTPS protocol",
+ "actualValue": "Global servers' URL are not using HTTPS protocol",
+ "issueType": "IncorrectValue",
+ "similarityID": "67d38b07b6fe383622eea9620018ae44fd357ca1811b7586181581d393445b49",
+ "search_line": -1
 },
 {
 "queryName": "Global Server Object Uses HTTP",
 "severity": "MEDIUM",
 "line": 1,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "openapi",
+ "searchValue": "",
+ "expectedValue": "Global servers array should be defined",
+ "actualValue": "Global servers array is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "24e62432980c7b57fad53ae30030956670f254f70a274eaba9acb62910061804",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/test/positive_expected_result.json
index 2c75b617544..c33dbf203df 100644
--- a/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/header_object_with_incorrect_ref/test/positive_expected_result.json 
@@ -3,24 +3,60 @@
 "queryName": "Header Object With Incorrect Ref",
 "severity": "INFO",
 "line": 73,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.headers.{{X-Rate-Limit-Limit}}.$ref",
+ "searchValue": "",
+ "expectedValue": "Response ref points to '#/components/headers'",
+ "actualValue": "Response ref does not point to '#/components/headers'",
+ "issueType": "IncorrectValue",
+ "similarityID": "0a3363efd1a543044a12db98bfb08b52c912dfb3eea7072ee7bf9ded166f6cbc",
+ "search_line": 0
 },
 {
 "queryName": "Header Object With Incorrect Ref",
 "severity": "INFO",
 "line": 43,
- "filename": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.6xx.headers.{{X-Rate-Limit-Limit}}.$ref",
+ "searchValue": "",
+ "expectedValue": "Response ref points to '#/components/headers'",
+ "actualValue": "Response ref does not point to '#/components/headers'",
+ "issueType": "IncorrectValue",
+ "similarityID": "182eabab2ecfd1d0b9f1f4076b5a1013762a298675b100ad5a6303c92d57ffef",
+ "search_line": 0
 },
 {
 "queryName": "Header Object With Incorrect Ref",
 "severity": "INFO",
 "line": 45,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.headers.{{X-Rate-Limit-Limit}}.$ref",
+ "searchValue": "",
+ "expectedValue": "Response ref points to '#/components/headers'",
+ "actualValue": "Response ref does not point to '#/components/headers'",
+ "issueType": "IncorrectValue",
+ "similarityID": "701cc7d6adf3d27b37c77f8193323aa5967c176735caa6703b035c0ae2fed687",
+ "search_line": 0
 },
 {
 "queryName": "Header Object With Incorrect Ref",
 "severity": "INFO",
 "line": 29,
- "filename": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.6xx.headers.{{X-Rate-Limit-Limit}}.$ref",
+ "searchValue": "",
+ "expectedValue": "Response ref points to '#/components/headers'",
+ "actualValue": "Response ref does not point to '#/components/headers'",
+ "issueType": "IncorrectValue",
+ "similarityID": "c08549d6807b5a31fc8970cb14e86f35e01edf4206d580855478f93bb443f6c5",
+ "search_line": 0
 }
 ]
diff --git a/assets/queries/openAPI/3.0/header_object_without_schema/test/positive_expected_result.json b/assets/queries/openAPI/3.0/header_object_without_schema/test/positive_expected_result.json
index 7e572881c5b..03fa56d2f0c 100644
--- a/assets/queries/openAPI/3.0/header_object_without_schema/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/header_object_without_schema/test/positive_expected_result.json
@@ -3,24 +3,60 @@
 "queryName": "Header Object Without Schema",
 "severity": "MEDIUM",
 "line": 72,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}}",
+ "searchValue": "",
+ "expectedValue": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}} has schema defined",
+ "actualValue": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}} does not have schema defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "555bc50a495d3cbd1456211f84623a5cab8aaf5212708ddd9ef0d613235ce038",
+ "search_line": -1
 },
 {
 "queryName": "Header Object Without Schema",
 "severity": "MEDIUM",
 "line": 42,
- "filename": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}} has schema defined",
+ "actualValue": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}} does not have schema defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "7940abefd5e8c6ab6b000b793716463939cdcd1f72190f50d3b580b76df95571",
+ "search_line": -1
 },
 {
 "queryName": "Header Object Without Schema",
 "severity": "MEDIUM",
 "line": 44,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}}",
+ "searchValue": "",
+ "expectedValue": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}} has schema defined",
+ "actualValue": "components.responses.ResponseExample.content.{{application/json}}.encoding.code.{{X-Rate-Limit-Limit}} does not have schema defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "539c317da00e2b72016d7eb22fd4dd101fde8c65f6c2c98dbc65f8ffdb3a6a86",
+ "search_line": -1
 },
 {
 "queryName": "Header Object Without Schema",
 "severity": "MEDIUM",
 "line": 28,
- "filename": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}} has schema defined",
+ "actualValue": "paths.{{/}}.get.responses.6xx.{{X-Rate-Limit-Limit}} does not have schema defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "ecab43a8e7adcb835b4981fa64abb2ab66039e69eba5ecf4a36ae38dc336baac",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/test/positive_expected_result.json b/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/test/positive_expected_result.json
index 207be6864f4..63015abd787 100644
--- a/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload/test/positive_expected_result.json
@@ -3,24 +3,60 @@
 "queryName": "Invalid Content Type For Multiple Files Upload",
 "severity": "INFO",
 "line": 16,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}} should be set to 'multipart/form-data'",
+ "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}} is not set to 'multipart/form-data'",
+ "issueType": "IncorrectValue",
+ "similarityID": "80c2b5671576d52fbeb48438104fc3df729fb05343361a3a557d46b90b8dbd87",
+ "search_line": -1
 },
 {
 "queryName": "Invalid Content Type For Multiple Files Upload",
 "severity": "INFO",
 "line": 16,
- "filename": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}}",
+ "searchValue": "",
+ "expectedValue": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}} should be set to 'multipart/form-data'",
+ "actualValue": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}} is not set to 'multipart/form-data'",
+ "issueType": "IncorrectValue",
+ "similarityID": "d5b1a9938f53086fa5d272cb7b8c2128624238bb0da8568b2291dc298607b7d2",
+ "search_line": -1
 },
 {
 "queryName": "Invalid Content Type For Multiple Files Upload",
 "severity": "INFO",
 "line": 13,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}} should be set to 'multipart/form-data'",
+ "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/json}} is not set to 'multipart/form-data'",
+ "issueType": "IncorrectValue",
+ "similarityID": "1711b730b6f6e02696f836a09b8bd96b751d74070cc9105198b8a5d5644bf3d0",
+ "search_line": -1
 },
 {
 "queryName": "Invalid Content Type For Multiple Files Upload",
 "severity": "INFO",
 "line": 13,
- "filename": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}}",
+ "searchValue": "",
+ "expectedValue": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}} should be set to 'multipart/form-data'",
+ "actualValue": "components.requestBodies.{{CreateCustomer}}.content.{{application/json}} is not set to 'multipart/form-data'",
+ "issueType": "IncorrectValue",
+ "similarityID": "d4a3e2aed295c160c573b90260aa02a6b2507db1ed0d50336404d8fe2a3e562b",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/openAPI/3.0/invalid_media_type_value/test/positive_expected_result.json b/assets/queries/openAPI/3.0/invalid_media_type_value/test/positive_expected_result.json
index 289093176e1..efca3f21a82 100644
--- a/assets/queries/openAPI/3.0/invalid_media_type_value/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/invalid_media_type_value/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Invalid Media Type Value (v3)",
 "severity": "INFO",
 "line": 28,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.requestBody.content.multipart/form- data",
+ "searchValue": "",
+ "expectedValue": "The Media Type should be a valid value",
+ "actualValue": "The Media Type is an invalid value",
+ "issueType": "IncorrectValue",
+ "similarityID": "c30003e6cbe519f3db99e96974d150f8d7ac996d74b39e604f3189f0add2d54d",
+ "search_line": -1
 },
 {
 "queryName": "Invalid Media Type Value (v3)",
 "severity": "INFO",
 "line": 20,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.requestBody.content.multipart/form- data",
+ "searchValue": "",
+ "expectedValue": "The Media Type should be a valid value",
+ "actualValue": "The Media Type is an invalid value",
+ "issueType": "IncorrectValue",
+ "similarityID": "9a0a65dca182f3cb9ad4e32d377f55af9d79bb8ffd7b7172446069984011e755",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/openAPI/3.0/invalid_oauth2_token_url/test/positive_expected_result.json b/assets/queries/openAPI/3.0/invalid_oauth2_token_url/test/positive_expected_result.json
index 68cd92641b1..60dda9c7bd8 100644
--- a/assets/queries/openAPI/3.0/invalid_oauth2_token_url/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/invalid_oauth2_token_url/test/positive_expected_result.json
@@ -3,36 +3,90 @@
 "queryName": "Invalid OAuth2 Token URL (v3)",
 "severity": "MEDIUM",
 "line": 23,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.oAuth2AuthCodePos1.flows.authorizationCode.tokenUrl",
+ "searchValue": "",
+ "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL",
+ "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL",
+ "issueType": "IncorrectValue",
+ "similarityID": "f8d43f2bd56e1d6a14c3625b38836e1497e250e416501e29ae413e151ef63470",
+ "search_line": -1
 },
 {
 "queryName": "Invalid OAuth2 Token URL (v3)",
 "severity": "MEDIUM",
 "line": 12,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.oAuth2AuthCodePos2.flows.password.tokenUrl",
+ "searchValue": "",
+ "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL",
+ "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL",
+ "issueType": "IncorrectValue",
+ "similarityID": "53c8e86e61e04a5b06b2f0d2e29336d06e2f0a7df1423e3aa236f3a206cab3fd",
+ "search_line": -1
 },
 {
 "queryName": "Invalid OAuth2 Token URL (v3)",
 "severity": "MEDIUM",
 "line": 22,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.oAuth2AuthCodePos3.flows.clientCredentials.tokenUrl",
+ "searchValue": "",
+ "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL",
+ "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL",
+ "issueType": "IncorrectValue",
+ "similarityID": "7a3bdd85ab3bc110493a460ee92fbbf9e6852393e23352c170733b1bccf8db74",
+ "search_line": -1
 },
 {
 "queryName": "Invalid OAuth2 Token URL (v3)",
 "severity": "MEDIUM",
 "line": 31,
- "filename": "positive4.json"
+ "fileName": "positive4.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.oAuth2AuthCodePos1.flows.authorizationCode.tokenUrl",
+ "searchValue": "",
+ "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL",
+ "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL",
+ "issueType": "IncorrectValue",
+ "similarityID": "3cf060e62bda39582aa7cbdffc97382fe721f9cf5afb8eba2d5475473007cdca",
+ "search_line": -1
 },
 {
 "queryName": "Invalid OAuth2 Token URL (v3)",
 "severity": "MEDIUM",
 "line": 14,
- "filename": "positive5.json"
+ "fileName": "positive5.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.oAuth2AuthCodePos2.flows.password.tokenUrl",
+ "searchValue": "",
+ "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL",
+ "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL",
+ "issueType": "IncorrectValue",
+ "similarityID": "01cda8ad5f336dcaa05df495fe31f4b667023174f5655380630b120967e8842c",
+ "search_line": -1
 },
 {
 "queryName": "Invalid OAuth2 Token URL (v3)",
 "severity": "MEDIUM",
 "line": 30,
- "filename": "positive6.json"
+ "fileName": "positive6.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.oAuth2AuthCodePos3.flows.clientCredentials.tokenUrl",
+ "searchValue": "",
+ "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL",
+ "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL",
+ "issueType": "IncorrectValue",
+ "similarityID": "b5728ee67df403a49eb5b92475c1afa9bdd124c027eb05bf7bfee9581fc30c6f",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/test/positive_expected_result.json b/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/test/positive_expected_result.json
index 88b2c12e4fe..6f61e453097 100644
--- a/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/invalid_oauth_authorization_url/test/positive_expected_result.json
@@ -3,24 +3,60 @@
 "queryName": "Invalid OAuth2 Authorization URL (v3)",
 "severity": "MEDIUM",
 "line": 50,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.oAuth2AuthCodeNeg2.flows.authorizationCode.authorizationUrl",
+ "searchValue": "",
+ "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL",
+ "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL",
+ "issueType": "IncorrectValue",
+ "similarityID": "a6304fbf50f04bb5633091331340ed44953ae8f51d83d831c12f7b6e175c0208",
+ "search_line": -1
 },
 {
 "queryName": "Invalid OAuth2 Authorization URL (v3)",
 "severity": "MEDIUM",
 "line": 50,
- "filename": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.oAuth2AuthCodeNeg2.flows.implicit.authorizationUrl",
+ "searchValue": "",
+ "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL",
+ "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL",
+ "issueType": "IncorrectValue",
+ "similarityID": "e93e49d15d97c6754d0d0f908633e8922b82f8dade43eb931d7c9b87c337d368",
+ "search_line": -1
 },
 {
 "queryName": "Invalid OAuth2 Authorization URL (v3)",
 "severity": "MEDIUM",
 "line": 32,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.oAuth2AuthCodeNeg2.flows.authorizationCode.authorizationUrl",
+ "searchValue": "",
+ "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL",
+ "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL",
+ "issueType": "IncorrectValue",
+ "similarityID": "2f6283f059affa033ae6a8a28a1ca5cff711dc6391cfe0895a0b3c4f2dbec35d",
+ "search_line": -1
 },
 {
 "queryName": "Invalid OAuth2 Authorization URL (v3)",
 "severity": "MEDIUM",
 "line": 32,
- "filename": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.oAuth2AuthCodeNeg2.flows.implicit.authorizationUrl",
+ "searchValue": "",
+ "expectedValue": "OAuth2 security schema flow tokenUrl must be set with a valid URL",
+ "actualValue": "OAuth2 security schema flow tokenUrl has an invalid URL",
+ "issueType": "IncorrectValue",
+ "similarityID": "4b966daa8b777bb9996218f4de89548a39566cc474d24c42dfd5ff0012454513",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/test/positive_expected_result.json
index 371a7814b73..3c6340c1cff 100644
--- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback/test/positive_expected_result.json
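Review bot: The `expectedValue` and `actualValue` strings added for all four entries of the "Invalid OAuth2 Authorization URL (v3)" fixture talk about `tokenUrl`, although each `searchKey` ends in `.authorizationUrl` and the query is about the authorization URL; committing the fixture as-is locks in a finding message that points users at the wrong field. Since this file appears to be regenerated from the scan output, the wording most likely originates in the query itself, so the fix belongs where the query builds its expected/actual messages (something like `OAuth2 security schema flow authorizationUrl must be set with a valid URL` / `... has an invalid URL`), after which this expected result should be regenerated rather than hand-edited.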
@@ -3,12 +3,30 @@
 "queryName": "Callback JSON Reference Does Not Exist",
 "severity": "INFO",
 "line": 19,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.callbacks.myEvent.$ref",
+ "searchValue": "",
+ "expectedValue": "inProgress from #/components/callbacks/inProgress should be declared on components.callbacks",
+ "actualValue": "inProgress from #/components/callbacks/inProgress is not declared on components.callbacks",
+ "issueType": "MissingAttribute",
+ "similarityID": "9da57a9c184538b9a3d304283c02096d3fa26b725da919e28fd65af713e96499",
+ "search_line": 0
 },
 {
 "queryName": "Callback JSON Reference Does Not Exist",
 "severity": "INFO",
 "line": 15,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.callbacks.myEvent.$ref",
+ "searchValue": "",
+ "expectedValue": "inProgress from #/components/callbacks/inProgress should be declared on components.callbacks",
+ "actualValue": "inProgress from #/components/callbacks/inProgress is not declared on components.callbacks",
+ "issueType": "MissingAttribute",
+ "similarityID": "aa9856a17f40833e30cf5a0e47e46b00cf716ac9a79ba38c3641bf6d41c8fbfa",
+ "search_line": 0
 }
 ]
diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/test/positive_expected_result.json
index 5115e74cc5d..8815a7e260d 100644
--- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_example/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Example JSON Reference Does Not Exist",
 "severity": "INFO",
 "line": 22,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.objectExample.$ref",
+ "searchValue": "",
+ "expectedValue": "wrongExample from #/components/examples/wrongExample should be declared on components.examples",
+ "actualValue": "wrongExample from #/components/examples/wrongExample is not declared on components.examples",
+ "issueType": "MissingAttribute",
+ "similarityID": "77e10f65e9f32bbb455487863b402cba14b5a201409ab1d8f4c62aece1e66d2a",
+ "search_line": 0
 },
 {
 "queryName": "Example JSON Reference Does Not Exist",
 "severity": "INFO",
 "line": 19,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.objectExample.$ref",
+ "searchValue": "",
+ "expectedValue": "wrongExample from #/components/examples/wrongExample should be declared on components.examples",
+ "actualValue": "wrongExample from #/components/examples/wrongExample is not declared on components.examples",
+ "issueType": "MissingAttribute",
+ "similarityID": "ac6438c6b9378d5f62328f4a78af8bc3aab155237d351d796c53405f627054b8",
+ "search_line": 0
 }
 ]
diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/test/positive_expected_result.json
index 06617655473..adda1e74c00 100644
--- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_header/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Header JSON Reference Does Not Exist",
 "severity": "INFO",
 "line": 25,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.headers.X-Pages.$ref",
+ "searchValue": "",
+ "expectedValue": "wPages from #/components/headers/wPages should be declared on components.headers",
+ "actualValue": "wPages from #/components/headers/wPages is not declared on components.headers",
+ "issueType": "MissingAttribute",
+ "similarityID": "c5bdfde1323ed96d152bf461ada0a2573b4dcfc90bc14c83e4bd6642b2025749",
+ "search_line": 0
 },
 {
 "queryName": "Header JSON Reference Does Not Exist",
 "severity": "INFO",
 "line": 21,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.headers.X-Pages.$ref",
+ "searchValue": "",
+ "expectedValue": "wPages from #/components/headers/wPages should be declared on components.headers",
+ "actualValue": "wPages from #/components/headers/wPages is not declared on components.headers",
+ "issueType": "MissingAttribute",
+ "similarityID": "bc647d905201d417e28d839990f9f81d539c7ac4d8415838a2e42e9448973246",
+ "search_line": 0
 }
 ]
diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/test/positive_expected_result.json
index 718e08c300a..e538de282ed 100644
--- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_link/test/positive_expected_result.json
@@ -3,12 +3,30 @@ "queryName": "Link JSON Reference Does Not Exist", "severity": "INFO", "line": 26, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.links.$ref", + "searchValue": "", + "expectedValue": "APIWrongRepository from #/components/links/APIWrongRepository should be declared on components.links", + "actualValue": "APIWrongRepository from #/components/links/APIWrongRepository is not declared on components.links", + "issueType": "MissingAttribute", + "similarityID": "57755da269496fd6931c4bfa62b73ed0c0c97469f8666fa67957b17e3da012cc", + "search_line": 0 }, { "queryName": "Link JSON Reference Does Not Exist", "severity": "INFO", "line": 20, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.links.$ref", + "searchValue": "", + "expectedValue": "APIWrongRepository from #/components/links/APIWrongRepository should be declared on components.links", + "actualValue": "APIWrongRepository from #/components/links/APIWrongRepository is not declared on components.links", + "issueType": "MissingAttribute", + "similarityID": "62a6d999ab8156ef2e5103dc5ff9db9798c2ffd1decc3fdeb5aa53a6a539e359", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json index ed1353b2cd2..a88fcc1f23f 100644 --- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Parameter JSON Reference Does Not Exist (v3)", "severity": "INFO", "line": 19, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.$ref={{#/components/parameters/wrongParameter}}", + "searchValue": "", + "expectedValue": "wrongParameter from #/components/parameters/wrongParameter should be declared on components.parameters", + "actualValue": "wrongParameter from #/components/parameters/wrongParameter is not declared on components.parameters", + "issueType": "MissingAttribute", + "similarityID": "5e0cb99e99cbc01db669c239d2b3e599ce5a1c8a56f9eb69e849d5a074f199fa", + "search_line": 0 }, { "queryName": "Parameter JSON Reference Does Not Exist (v3)", "severity": "INFO", "line": 14, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.$ref={{#/components/parameters/wrongParameter}}", + "searchValue": "", + "expectedValue": "wrongParameter from #/components/parameters/wrongParameter should be declared on components.parameters", + "actualValue": "wrongParameter from #/components/parameters/wrongParameter is not declared on components.parameters", + "issueType": "MissingAttribute", + "similarityID": "01022ae5547c45ceccea9b2a5805a9c219390e23c0a867bc67f7f8ae018aa829", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/test/positive_expected_result.json index bf43445e0fd..7a7ab29b0c9 100644 --- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Request Body JSON Reference Does Not Exist", "severity": "INFO", "line": 18, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.requestBody.$ref", + "searchValue": "", + "expectedValue": "MyWrongObjectBody from #/components/requestBodies/MyWrongObjectBody should be declared on components.requestBodies", + "actualValue": "MyWrongObjectBody from #/components/requestBodies/MyWrongObjectBody is not declared on components.requestBodies", + "issueType": "MissingAttribute", + "similarityID": "52c0d4dc2625a69b140378799af9295c36850419c66c0b2b3777449c881bdb58", + "search_line": 0 }, { "queryName": "Request Body JSON Reference Does Not Exist", "severity": "INFO", "line": 14, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.requestBody.$ref", + "searchValue": "", + "expectedValue": "MyWrongObjectBody from #/components/requestBodies/MyWrongObjectBody should be declared on components.requestBodies", + "actualValue": "MyWrongObjectBody from #/components/requestBodies/MyWrongObjectBody is not declared on components.requestBodies", + "issueType": "MissingAttribute", + "similarityID": "ec97632c401b73dfa84ea6b167436511184af11fe64a11da5eff9942ddd6238c", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/test/positive_expected_result.json index 34b8bd7edd6..c1693827067 100644 --- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_response/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Response JSON Reference Does Not Exist (v3)", "severity": "INFO", "line": 14, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.404.$ref", + "searchValue": "", + "expectedValue": "NotRight from #/components/responses/NotRight should be declared on components.responses", + "actualValue": "NotRight from #/components/responses/NotRight is not declared on components.responses", + "issueType": "MissingAttribute", + "similarityID": "56540122a442b6b4a6117705c0dd18dbe009e24d8ea19b170eb9d70f9a14991c", + "search_line": 0 }, { "queryName": "Response JSON Reference Does Not Exist (v3)", "severity": "INFO", "line": 12, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.404.$ref", + "searchValue": "", + "expectedValue": "NotRight from #/components/responses/NotRight should be declared on components.responses", + "actualValue": "NotRight from #/components/responses/NotRight is not declared on components.responses", + "issueType": "MissingAttribute", + "similarityID": "3b0b1e119a133a59b353c97660e6a5fe1d6c04154c61ba2e23de324b033c4ca4", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/test/positive_expected_result.json b/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/test/positive_expected_result.json index 43ce02549c2..2388f6651a2 100644 --- a/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Schema JSON Reference Does Not Exist (v3)", "severity": "INFO", "line": 14, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.$ref", + "searchValue": "", + "expectedValue": "MyWrongObject from #/components/schemas/MyWrongObject should be declared on components.schemas", + "actualValue": "MyWrongObject from #/components/schemas/MyWrongObject is not declared on components.schemas", + "issueType": "MissingAttribute", + "similarityID": "48bec6aabe9e8229c8dbd6f5b3dbd5c80fd479fd7e50c96227dfc7fbed3519af", + "search_line": 0 }, { "queryName": "Schema JSON Reference Does Not Exist (v3)", "severity": "INFO", "line": 13, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.$ref", + "searchValue": "", + "expectedValue": "MyWrongObject from #/components/schemas/MyWrongObject should be declared on components.schemas", + "actualValue": "MyWrongObject from #/components/schemas/MyWrongObject is not declared on components.schemas", + "issueType": "MissingAttribute", + "similarityID": "364b5e3ee1045f69964a8eaab9623a0fc12ffc9e0fd9970044e4227c7b01c593", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/3.0/link_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/link_object_incorrect_ref/test/positive_expected_result.json index e95637f1c8f..61a27455893 100644 --- a/assets/queries/openAPI/3.0/link_object_incorrect_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/link_object_incorrect_ref/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Link Object Incorrect Ref", "severity": "INFO", "line": 52, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.NotFound.links.{{l}}.$ref", + "searchValue": "", + "expectedValue": "Link ref points to '#/components/links'", + "actualValue": "Link ref does not point to '#/components/links'", + "issueType": "IncorrectValue", + "similarityID": "d86abf40b958324c2e82ba1b07cc070692d55cb7c2b1f6fecd3e3d5b9d670e2f", + "search_line": 0 }, { "queryName": "Link Object Incorrect Ref", "severity": "INFO", "line": 27, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.links.{{l}}.$ref", + "searchValue": "", + "expectedValue": "Link ref points to '#/components/links'", + "actualValue": "Link ref does not point to '#/components/links'", + "issueType": "IncorrectValue", + "similarityID": "6ed8b0dc8d7c661deae5ae4cab4bb7eccfaaa99e129c68f4cc2570725ee6816f", + "search_line": 0 }, { "queryName": "Link Object Incorrect Ref", "severity": "INFO", "line": 34, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.NotFound.links.{{l}}.$ref", + "searchValue": "", + "expectedValue": "Link ref points to '#/components/links'", + "actualValue": "Link ref does not point to '#/components/links'", + "issueType": "IncorrectValue", + "similarityID": "9a01d146298e799fe88162a5dde930f23a683d2fb36fd0a17442fe43da39b13e", + "search_line": 0 }, { "queryName": "Link Object Incorrect Ref", "severity": "INFO", "line": 21, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.links.{{l}}.$ref", + "searchValue": "", + "expectedValue": "Link ref points to '#/components/links'", + "actualValue": "Link ref does 
not point to '#/components/links'", + "issueType": "IncorrectValue", + "similarityID": "6b116bac276c37ef586dcf7ce977793e8385b344c7743c768a36aaed47d1c92a", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/test/positive_expected_result.json b/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/test/positive_expected_result.json index c082fa90f9c..e2f369fbe77 100644 --- a/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "Link Object OperationId Does Not Target Operation Object", "severity": "INFO", "line": 71, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.{{200}}.links.{{address}}.operationId", + "searchValue": "", + "expectedValue": "components.responses.200.links.address.operationId points to an operationId of an operation object", + "actualValue": "components.responses.200.links.address.operationId does not point to an operationId of an operation object", + "issueType": "IncorrectValue", + "similarityID": "991ea7cc71ede346917412f8a42e398ed3abd40f4082a1098f8a8d0dc1d66767", + "search_line": -1 }, { "queryName": "Link Object OperationId Does Not Target Operation Object", "severity": "INFO", "line": 28, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/test}}.{{get}}.responses.{{200}}.links.{{address}}.operationId", + "searchValue": "", + "expectedValue": "paths/test.get.responses.200.links.address.operationId points to an operationId of an operation object", + "actualValue": "paths./test.get.responses.200.links.address.operationId does not point to an operationId of an operation object", + "issueType": "IncorrectValue", + "similarityID": "f3de5389f333a2a9866c6aefbae7a76bacf88785c07d4e3b11154eaea5fb9d85", + "search_line": -1 }, { "queryName": "Link Object OperationId Does Not Target Operation Object", "severity": "INFO", "line": 68, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.links.{{address}}.operationId", + "searchValue": "", + "expectedValue": "components.links.{{address}}.operationId points to an operationId of an operation object", + "actualValue": "components.links.{{address}}.operationId does not point to an operationId of an operation object", + "issueType": "IncorrectValue", + 
"similarityID": "2decb2a44529bf8c517c895bba42c7afa962855f94e5576ced22e3f7a56c9b2d", + "search_line": -1 }, { "queryName": "Link Object OperationId Does Not Target Operation Object", "severity": "INFO", "line": 51, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.{{200}}.links.{{address}}.operationId", + "searchValue": "", + "expectedValue": "components.responses.200.links.address.operationId points to an operationId of an operation object", + "actualValue": "components.responses.200.links.address.operationId does not point to an operationId of an operation object", + "issueType": "IncorrectValue", + "similarityID": "aab1386eeba2640d6e80d0a68cd6e0da1da58364d81a04ff33299afd8df79700", + "search_line": -1 }, { "queryName": "Link Object OperationId Does Not Target Operation Object", "severity": "INFO", "line": 21, - "filename": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/test}}.{{get}}.responses.{{200}}.links.{{address}}.operationId", + "searchValue": "", + "expectedValue": "paths/test.get.responses.200.links.address.operationId points to an operationId of an operation object", + "actualValue": "paths./test.get.responses.200.links.address.operationId does not point to an operationId of an operation object", + "issueType": "IncorrectValue", + "similarityID": "f649bd4e15cbab1dc37dd6a38ab94b2c6b14d4027712202431359328f3dc0169", + "search_line": -1 }, { "queryName": "Link Object OperationId Does Not Target Operation Object", "severity": "INFO", "line": 43, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.links.{{address}}.operationId", + "searchValue": "", + "expectedValue": "components.links.{{address}}.operationId points to an operationId of an operation object", + "actualValue": "components.links.{{address}}.operationId 
does not point to an operationId of an operation object", + "issueType": "IncorrectValue", + "similarityID": "b8e45d1e3dfaf0fd47afc9aa5b080c24ce448e87f0ddcb702fe7d30bce29531d", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/test/positive_expected_result.json index 162537e1ebe..58d95107340 100644 --- a/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "Link Object With Both 'operationId' And 'operationRef'", "severity": "INFO", "line": 70, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.{{200}}.links.{{address}}", + "searchValue": "", + "expectedValue": "components.responses.200.links.address has both 'operationId' and 'operationRef' defined", + "actualValue": "components.responses.200.links.address does not have both 'operationId' and 'operationRef' defined", + "issueType": "IncorrectValue", + "similarityID": "d8858ce7cef35ca34c36a888ef22484048c3b526ae2541f2b5063cdbc02ed538", + "search_line": -1 }, { "queryName": "Link Object With Both 'operationId' And 'operationRef'", "severity": "INFO", "line": 27, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}", + "searchValue": "", + "expectedValue": "paths/.get.responses.200.links.address has both 'operationId' and 'operationRef' defined", + "actualValue": "paths./.get.responses.200.links.address does not have both 'operationId' and 'operationRef' defined", + "issueType": "IncorrectValue", + "similarityID": "e1d550113a7169e586d3c5e3be1a3dce33e0849b5821c076414e0cd1cf25e9fe", + "search_line": -1 }, { "queryName": "Link Object With Both 'operationId' And 'operationRef'", "severity": "INFO", "line": 67, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.links.{{address}}", + "searchValue": "", + "expectedValue": "components.links.address has both 'operationId' and 'operationRef' defined", + "actualValue": "components.links.address does not have both 'operationId' and 'operationRef' defined", + "issueType": "IncorrectValue", + "similarityID": "e023bdc7a40ab49f6da9346e7ff39d1fb2fed3a9b290a0d5e7dad5550f598d6b", + "search_line": -1 }, { 
"queryName": "Link Object With Both 'operationId' And 'operationRef'", "severity": "INFO", "line": 50, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.{{200}}.links.{{address}}", + "searchValue": "", + "expectedValue": "components.responses.200.links.address has both 'operationId' and 'operationRef' defined", + "actualValue": "components.responses.200.links.address does not have both 'operationId' and 'operationRef' defined", + "issueType": "IncorrectValue", + "similarityID": "788c05f0b887fc078920bb006cee4f45abfa933b5bf1ec3a2499e530770f2c4e", + "search_line": -1 }, { "queryName": "Link Object With Both 'operationId' And 'operationRef'", "severity": "INFO", "line": 20, - "filename": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}", + "searchValue": "", + "expectedValue": "paths/.get.responses.200.links.address has both 'operationId' and 'operationRef' defined", + "actualValue": "paths./.get.responses.200.links.address does not have both 'operationId' and 'operationRef' defined", + "issueType": "IncorrectValue", + "similarityID": "9c976b196772450144adad5fb0c61a862ae0141e5e6d495bf53d244d96bc56eb", + "search_line": -1 }, { "queryName": "Link Object With Both 'operationId' And 'operationRef'", "severity": "INFO", "line": 42, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.links.{{address}}", + "searchValue": "", + "expectedValue": "components.links.address has both 'operationId' and 'operationRef' defined", + "actualValue": "components.links.address does not have both 'operationId' and 'operationRef' defined", + "issueType": "IncorrectValue", + "similarityID": "503469888959bdaa1acafa70454ace83ebe7bde88f22658ac8e0b05ea5a409c1", + "search_line": -1 } ] 
diff --git a/assets/queries/openAPI/3.0/media_type_object_without_schema/test/positive_expected_result.json b/assets/queries/openAPI/3.0/media_type_object_without_schema/test/positive_expected_result.json index ec22d4c9219..929eccd44f9 100644 --- a/assets/queries/openAPI/3.0/media_type_object_without_schema/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/media_type_object_without_schema/test/positive_expected_result.json 
@@ -3,60 +3,150 @@ "queryName": "Media Type Object Without Schema", "severity": "MEDIUM", "line": 16, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content[application/json]", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be set", + "actualValue": "The attribute 'schema' is undefined", + "issueType": "MissingAttribute", + "similarityID": "ab44cab63297f1ca7f8b4129d0d3ec75258faea115c859d7879ca7c1109e5559", + "search_line": 16 }, { "queryName": "Media Type Object Without Schema", "severity": "MEDIUM", "line": 49, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content[multipart/data]", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be set", + "actualValue": "The attribute 'schema' is undefined", + "issueType": "MissingAttribute", + "similarityID": "5964a0115ba7eb49352ac1d57097d12aa24f2f1848e53e0d77b010b5e70772e8", + "search_line": 49 }, { "queryName": "Media Type Object Without Schema", "severity": "MEDIUM", "line": 16, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content[application/json]", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be set", + "actualValue": "The attribute 'schema' is undefined", + "issueType": "MissingAttribute", + "similarityID": "dcedd3a372811880d7913fcc15e262e67ebb86f1c42b4e69ff2bbedef3f72b44", + "search_line": 16 }, { "queryName": "Media Type Object Without Schema", "severity": "MEDIUM", "line": 28, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.requestBody.content[multipart/form-data]", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be 
set", + "actualValue": "The attribute 'schema' is undefined", + "issueType": "MissingAttribute", + "similarityID": "7afbf4f470be4e15ee75d989afba9a327f0f478cec35b5d447b34df1b15c61f5", + "search_line": 28 }, { "queryName": "Media Type Object Without Schema", "severity": "MEDIUM", "line": 26, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.requestBody.content[text/plain]", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be set", + "actualValue": "The attribute 'schema' is undefined", + "issueType": "MissingAttribute", + "similarityID": "fbd0ab21d9744f4dcd78b816d2d2774720c57654047558d7796e73ffae83205c", + "search_line": 26 }, { "queryName": "Media Type Object Without Schema", "severity": "MEDIUM", "line": 14, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content[application/json]", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be set", + "actualValue": "The attribute 'schema' is undefined", + "issueType": "MissingAttribute", + "similarityID": "3ec908833bcacf48e36586db60a8aaadd3c1145c0a5ee06440a7759c97c77095", + "search_line": 14 }, { "queryName": "Media Type Object Without Schema", "severity": "MEDIUM", "line": 31, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content[multipart/form-data]", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be set", + "actualValue": "The attribute 'schema' is undefined", + "issueType": "MissingAttribute", + "similarityID": "43a489ef7104910b34dfb755a15e9ebf6637b265cde9e364d2059907662cd00f", + "search_line": 31 }, { "queryName": "Media Type Object Without Schema", "severity": "MEDIUM", "line": 14, - "filename": "positive5.yaml" + "fileName": "positive5.yaml", + 
"resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content[application/json]", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be set", + "actualValue": "The attribute 'schema' is undefined", + "issueType": "MissingAttribute", + "similarityID": "ee8eabc75c60441c68f4e7e73cbe4d469678457cdfa9716f3c663b115f043753", + "search_line": 14 }, { "queryName": "Media Type Object Without Schema", "severity": "MEDIUM", "line": 20, - "filename": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.requestBody.content[multipart/form-data]", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be set", + "actualValue": "The attribute 'schema' is undefined", + "issueType": "MissingAttribute", + "similarityID": "aa7c0ff4036cee27746652c67951f94cab311a3b9ddb75559ade43ac32656938", + "search_line": 20 }, { "queryName": "Media Type Object Without Schema", "severity": "MEDIUM", "line": 20, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.requestBody.content[text/plain]", + "searchValue": "", + "expectedValue": "The attribute 'schema' should be set", + "actualValue": "The attribute 'schema' is undefined", + "issueType": "MissingAttribute", + "similarityID": "d37de5a38d751e5afa6800127a5504e525f1909f8d8cc2a5c486ff321b6a52d7", + "search_line": 20 } ] diff --git a/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test/positive_expected_result.json b/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test/positive_expected_result.json index c3483dcaf82..02c53b178f7 100644 --- a/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/oauth2_with_implicit_flow/test/positive_expected_result.json 
@@ -3,30 +3,75 @@ "queryName": "OAuth2 With Implicit Flow", "severity": "MEDIUM", "line": 58, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{petstore_auth}}.flows.implicit", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{petstore_auth}}.flows should not use 'implicit' flow", + "actualValue": "components.securitySchemes.{{petstore_auth}}.flows is using 'implicit' flow", + "issueType": "IncorrectValue", + "similarityID": "5ddcf692053f23caebabb7a7a569b566429d79ad3adb2933ec0755c4185b1e84", + "search_line": -1 }, { "queryName": "OAuth2 With Implicit Flow", "severity": "MEDIUM", "line": 34, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{petstore_auth}}.flows.implicit", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{petstore_auth}}.flows should not use 'implicit' flow", + "actualValue": "components.securitySchemes.{{petstore_auth}}.flows is using 'implicit' flow", + "issueType": "IncorrectValue", + "similarityID": "67fe7c9a2b8f07d307292567c64f5c04510f7a7c7d5b51322ef2ccc1bdf67603", + "search_line": -1 }, { "queryName": "OAuth2 With Implicit Flow", "severity": "MEDIUM", "line": 37, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{oAuth2AuthCode}}.flows.implicit", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{oAuth2AuthCode}}.flows should not use 'implicit' flow", + "actualValue": "components.securitySchemes.{{oAuth2AuthCode}}.flows is using 'implicit' flow", + "issueType": "IncorrectValue", + "similarityID": "66c637e1d3ebe20e5def334e8283fcfd01579171ff3bd0388abf2516472ee2a4", + "search_line": -1 }, { "queryName": "OAuth2 With Implicit Flow", "severity": "MEDIUM", "line": 27, - "filename": 
"positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{oAuth2AuthCode}}.flows.implicit", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{oAuth2AuthCode}}.flows should not use 'implicit' flow", + "actualValue": "components.securitySchemes.{{oAuth2AuthCode}}.flows is using 'implicit' flow", + "issueType": "IncorrectValue", + "similarityID": "033e935b8a47548a982f643985f27eb6efd3f97016b0c87dd7c011589f60acf9", + "search_line": -1 }, { "queryName": "OAuth2 With Implicit Flow", "severity": "MEDIUM", "line": 31, - "filename": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{oAuth2AuthCode2}}.flows.implicit", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{oAuth2AuthCode2}}.flows should not use 'implicit' flow", + "actualValue": "components.securitySchemes.{{oAuth2AuthCode2}}.flows is using 'implicit' flow", + "issueType": "IncorrectValue", + "similarityID": "2473c84f68368d49f578b4a1bf626f61de784c636dcfbbac072473b67e69cd06", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/3.0/oauth2_with_password_flow/test/positive_expected_result.json b/assets/queries/openAPI/3.0/oauth2_with_password_flow/test/positive_expected_result.json index 544127a05d8..32a518e7ae1 100644 --- a/assets/queries/openAPI/3.0/oauth2_with_password_flow/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/oauth2_with_password_flow/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "OAuth2 With Password Flow", "severity": "MEDIUM", "line": 58, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{petstore_auth}}.flows.password", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{petstore_auth}}.flows do not contain an 'password' flow", + "actualValue": "components.securitySchemes.{{petstore_auth}}.flows contain an 'password' flow", + "issueType": "IncorrectValue", + "similarityID": "18ba0494dd0a0577abbf4d3f71825e4b1f9b910608d623eefd6873c636326764", + "search_line": -1 }, { "queryName": "OAuth2 With Password Flow", "severity": "MEDIUM", "line": 34, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.securitySchemes.{{petstore_auth}}.flows.password", + "searchValue": "", + "expectedValue": "components.securitySchemes.{{petstore_auth}}.flows do not contain an 'password' flow", + "actualValue": "components.securitySchemes.{{petstore_auth}}.flows contain an 'password' flow", + "issueType": "IncorrectValue", + "similarityID": "f43c0ae899a3f6cc571d3dfbdcd1d384e80a68259b77c21accefe294828ac9ff", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/3.0/object_without_required_property/test/positive_expected_result.json b/assets/queries/openAPI/3.0/object_without_required_property/test/positive_expected_result.json index f156b8ece08..6d78ecb86d0 100644 --- a/assets/queries/openAPI/3.0/object_without_required_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/object_without_required_property/test/positive_expected_result.json 
@@ -3,108 +3,270 @@
 "queryName": "Object Without Required Property (v3)",
 "severity": "INFO",
 "line": 3,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "info",
+ "searchValue": "",
+ "expectedValue": "info has all required fields",
+ "actualValue": "info is missing required fields",
+ "issueType": "IncorrectValue",
+ "similarityID": "d93eaa00efe0e81cb947de33519bb595efb2ebb3b037a8e90102f2b9301a78b1",
+ "search_line": 3
 },
 {
 "queryName": "Object Without Required Property (v3)",
 "severity": "INFO",
 "line": 2,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "info",
+ "searchValue": "",
+ "expectedValue": "info has all required fields",
+ "actualValue": "info is missing required fields",
+ "issueType": "IncorrectValue",
+ "similarityID": "0e37cd170d07b8bab6b60671496fcc9f9b3360bee64e3531f93e7a884a9f9641",
+ "search_line": 2
 },
 {
 "queryName": "Object Without Required Property (v3)",
 "severity": "INFO",
 "line": 9,
- "filename": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get",
+ "searchValue": "",
+ "expectedValue": "get has all required fields",
+ "actualValue": "get is missing required fields",
+ "issueType": "IncorrectValue",
+ "similarityID": "a098dff5724f0559cf26561783f23158729cfe12fc994d20190375f139d6d3de",
+ "search_line": 9
 },
 {
 "queryName": "Object Without Required Property (v3)",
 "severity": "INFO",
 "line": 12,
- "filename": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.servers",
+ "searchValue": "",
+ "expectedValue": "servers has all required fields",
+ "actualValue": "servers is missing required fields",
+ "issueType": "IncorrectValue",
+ "similarityID": "b6b004c213563f4940c4a2ccaf29f5c0c8f86c69bf693e6d8727cff974fc7d73",
+ "search_line": 12
 },
 {
 "queryName": "Object Without Required Property (v3)",
 "severity": "INFO",
 "line": 7,
- "filename": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get",
+ "searchValue": "",
+ "expectedValue": "get has all required fields",
+ "actualValue": "get is missing required fields",
+ "issueType": "IncorrectValue",
+ "similarityID": "1dc1c86cfc06a707a91b85c07451f6efc902d6ff08b5b10ddd933447a1046af2",
+ "search_line": 7
 },
 {
 "queryName": "Object Without Required Property (v3)",
 "severity": "INFO",
 "line": 10,
- "filename": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.servers",
+ "searchValue": "",
+ "expectedValue": "servers has all required fields",
+ "actualValue": "servers is missing required fields",
+ "issueType": "IncorrectValue",
+ "similarityID": "40f063a1d43b16e6fc57b812a99a5990a6be695238479636b6b4b44d2ebd774e",
+ "search_line": 10
 },
 {
 "queryName": "Object Without Required Property (v3)",
 "severity": "INFO",
 "line": 54,
- "filename": "positive5.json"
+ "fileName": "positive5.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.requestBody",
+ "searchValue": "",
+ "expectedValue": "requestBody has all required fields",
+ "actualValue": "requestBody is missing required fields",
+ "issueType": "IncorrectValue",
+ "similarityID": "556eda74aa0fe5bdd897fcc82d7016c7b6d1669b521ff747c4d6545bc3b5b42c",
+ "search_line": 54
 },
 {
 "queryName": "Object Without Required Property (v3)",
 "severity": "INFO",
 "line": 62,
- "filename": "positive5.json"
+ "fileName": "positive5.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.MyObjectBody",
+ "searchValue": "",
+ "expectedValue": "requestBodies has all required fields",
+ "actualValue": "requestBodies is missing required fields",
+ "issueType": "IncorrectValue",
+ "similarityID": "242e0bf605841cdb96813ed37d43f76fa1e8246722f0b3ddafdb08e50a604443",
+ "search_line": 62
 },
 {
 "queryName": "Object Without Required Property (v3)",
 "severity": "INFO",
 "line": 65,
- "filename": "positive5.json"
+ "fileName": "positive5.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.MyObjectBody_2",
+ "searchValue": "",
+ "expectedValue": "requestBodies has all required fields",
+ "actualValue": "requestBodies is missing required fields",
+ "issueType": "IncorrectValue",
+ "similarityID": "dcbd25c340d962ede8e9fbf03cfe04ff11a09ff477499ae176e5b3ff5149a7dc",
+ "search_line": 65
 },
 {
 "queryName": "Object Without Required Property (v3)",
 "severity": "INFO",
 "line": 32,
- "filename": "positive6.yaml"
+ "fileName": "positive6.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.requestBody",
+ "searchValue": "",
+ "expectedValue": "requestBody has all required fields",
+ "actualValue": "requestBody is missing required fields",
+ "issueType": "IncorrectValue",
+ "similarityID": "178eb1e44be4d7b7bd959557f2b453ba700981058a60bbc906362eeaf54ff701",
+ "search_line": 32
 },
 {
 "queryName": "Object Without Required Property (v3)",
 "severity": "INFO",
 "line": 36,
- "filename": "positive6.yaml"
+ "fileName": "positive6.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.MyObjectBody",
+ "searchValue": "",
+ "expectedValue": "requestBodies has all required fields",
+ "actualValue": "requestBodies is missing required fields",
+ "issueType": "IncorrectValue",
+ "similarityID": "9516b7a1e67d27ce39cea3b0aff2fe1b5e1f3b0bcca41ccf18c40a93890d9785",
+ "search_line": 36
 },
 {
 "queryName": "Object Without Required Property (v3)",
 "severity": "INFO",
 "line": 38,
- "filename": "positive6.yaml"
+ "fileName": "positive6.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.MyObjectBody_2",
+ "searchValue": "",
+ "expectedValue": "requestBodies has all required fields",
+ "actualValue": "requestBodies is missing required fields",
+ "issueType": "IncorrectValue",
+ "similarityID": "118b5b7b600d571cbe79dbcfede2acfce858a998cd9c3fa7e00f2d0ca91b2713",
+ "search_line": 38
 },
 {
 "queryName": "Object Without Required Property (v3)",
 "severity": "INFO",
 "line": 27,
- "filename": "positive7.json"
+ "fileName": "positive7.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200",
+ "searchValue": "",
+ "expectedValue": "responses has all required fields",
+ "actualValue": "responses is missing required fields",
+ "issueType": "IncorrectValue",
+ "similarityID": "92c13a678a9262b37970b358d9f47a507e68e2c03601d33694a1b73bde8e2896",
+ "search_line": 27
 },
 {
 "queryName": "Object Without Required Property (v3)",
 "severity": "INFO",
 "line": 55,
- "filename": "positive7.json"
+ "fileName": "positive7.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.parameters",
+ "searchValue": "",
+ "expectedValue": "parameters has all required fields",
+ "actualValue": "parameters is missing required fields",
+ "issueType": "IncorrectValue",
+ "similarityID": "f8e3682c398cdc5acbfa00222d2edc54cac8b3152c307fc319f5817b73584b68",
+ "search_line": 55
 },
 {
 "queryName": "Object Without Required Property (v3)",
 "severity": "INFO",
 "line": 72,
- "filename": "positive7.json"
+ "fileName": "positive7.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.parameters.IdParam",
+ "searchValue": "",
+ "expectedValue": "parameters has all required fields",
+ "actualValue": "parameters is missing required fields",
+ "issueType": "IncorrectValue",
+ "similarityID": "a38ce8fc2968053543ceb729c5f6b0fd11a272b4e45967711427aec790c42bbc",
+ "search_line": 72
 },
 {
 "queryName": "Object Without Required Property (v3)",
 "severity": "INFO",
 "line": 18,
- "filename": "positive8.yaml"
+ "fileName": "positive8.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200",
+ "searchValue": "",
+ "expectedValue": "responses has all required fields",
+ "actualValue": "responses is missing required fields",
+ "issueType": "IncorrectValue",
+ "similarityID": "ccdde6b3f16c3f677f30e48a1175eceaf30443102b7e26a9fbdffc7a4a6e95c8",
+ "search_line": 18
 },
 {
 "queryName": "Object Without Required Property (v3)",
 "severity": "INFO",
 "line": 32,
- "filename": "positive8.yaml"
+ "fileName": "positive8.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.parameters",
+ "searchValue": "",
+ "expectedValue": "parameters has all required fields",
+ "actualValue": "parameters is missing required fields",
+ "issueType": "IncorrectValue",
+ "similarityID": "b7578c4a3350225005c5cb83d9c4950853c6dbf6af5602784e6c484035fae536",
+ "search_line": 32
 },
 {
 "queryName": "Object Without Required Property (v3)",
 "severity": "INFO",
 "line": 42,
- "filename": "positive8.yaml"
+ "fileName": "positive8.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.parameters.IdParam",
+ "searchValue": "",
+ "expectedValue": "parameters has all required fields",
+ "actualValue": "parameters is missing required fields",
+ "issueType": "IncorrectValue",
+ "similarityID": "bb68d91eee0eb352682984c20e390b71c812286e5742182aac56dfb7238927a4",
+ "search_line": 42
 }
 ]
diff --git a/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/test/positive_expected_result.json b/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/test/positive_expected_result.json
index 99c86a1a63c..18b95a9f0ea 100644
--- a/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries/test/positive_expected_result.json
@@ -3,36 +3,90 @@
 "queryName": "Parameter Object Content With Multiple Entries",
 "severity": "INFO",
 "line": 11,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths./.get.parameters",
+ "searchValue": "",
+ "expectedValue": "paths./.get.parameters.0.content has one entry",
+ "actualValue": "paths./.get.parameters.0.content has multiple entries",
+ "issueType": "IncorrectValue",
+ "similarityID": "fae6815cc7229a890c7ed258ed54a8f6aff6000bba49cdd45560d09a3e2f5adc",
+ "search_line": 0
 },
 {
 "queryName": "Parameter Object Content With Multiple Entries",
 "severity": "INFO",
 "line": 78,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths./user/{id}.parameters",
+ "searchValue": "",
+ "expectedValue": "paths./user/{id}.parameters.0.content has one entry",
+ "actualValue": "paths./user/{id}.parameters.0.content has multiple entries",
+ "issueType": "IncorrectValue",
+ "similarityID": "1a9fe1bf9d0e42924d32336c344e53d27c5b5cfdc98c4aeb33b701c002cbdf05",
+ "search_line": 0
 },
 {
 "queryName": "Parameter Object Content With Multiple Entries",
 "severity": "INFO",
 "line": 44,
- "filename": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.parameters",
+ "searchValue": "",
+ "expectedValue": "components.parameters.idParam.content has one entry",
+ "actualValue": "components.parameters.idParam.content has multiple entries",
+ "issueType": "IncorrectValue",
+ "similarityID": "e5b4976a428535f50a3ff88ca06332c547e6732155a30653f7d58ec1704db9da",
+ "search_line": 0
 },
 {
 "queryName": "Parameter Object Content With Multiple Entries",
 "severity": "INFO",
 "line": 10,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths./.get.parameters",
+ "searchValue": "",
+ "expectedValue": "paths./.get.parameters.0.content has one entry",
+ "actualValue": "paths./.get.parameters.0.content has multiple entries",
+ "issueType": "IncorrectValue",
+ "similarityID": "5c3f56382145da6ee618c5411ba3e93ba6d9c76aa3a0db963e7573075387a28e",
+ "search_line": 0
 },
 {
 "queryName": "Parameter Object Content With Multiple Entries",
 "severity": "INFO",
 "line": 48,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths./user/{id}.parameters",
+ "searchValue": "",
+ "expectedValue": "paths./user/{id}.parameters.0.content has one entry",
+ "actualValue": "paths./user/{id}.parameters.0.content has multiple entries",
+ "issueType": "IncorrectValue",
+ "similarityID": "a68a78143f129e6fed460ba266096f7934c71fc79738d0baa1387c1287d7cf4c",
+ "search_line": 0
 },
 {
 "queryName": "Parameter Object Content With Multiple Entries",
 "severity": "INFO",
 "line": 26,
- "filename": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.parameters",
+ "searchValue": "",
+ "expectedValue": "components.parameters.idParam.content has one entry",
+ "actualValue": "components.parameters.idParam.content has multiple entries",
+ "issueType": "IncorrectValue",
+ "similarityID": "e3300d469147f944100939bd1122ff8369063f59ee96ff629e8487ef2e2ff1a8",
+ "search_line": 0
 }
 ]
diff --git a/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/test/positive_expected_result.json
index d2e84125b05..513a96f612e 100644
--- a/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/parameter_object_incorrect_ref/test/positive_expected_result.json
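Review bot: Every added entry in this hunk pins `"search_line": 0`, while the OAuth2 hunks above pin -1 and the object_without_required_property hunk pins the same value as `"line"`; the three conventions in one commit suggest the scanner does not populate this field uniformly. If 0 is merely the unset default for this query, it is worth confirming before freezing it, because a later change that reports -1 or the real line would fail this expectation without indicating a regression. The same pattern appears in the parameter_object_incorrect_ref and parameter_object_without_schema hunks below.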
@@ -3,36 +3,90 @@
 "queryName": "Parameter Object With Incorrect Ref (v3)",
 "severity": "INFO",
 "line": 56,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.$ref=#path/parameters/idParam",
+ "searchValue": "",
+ "expectedValue": "Parameter Object ref points to '#/components/parameters'",
+ "actualValue": "Parameter Object ref doesn't point to '#/components/parameters'",
+ "issueType": "IncorrectValue",
+ "similarityID": "195af19caa4f2f120b280c7aafa90382251dd2e4d4945f3a4808a69e2b68ca74",
+ "search_line": 0
 },
 {
 "queryName": "Parameter Object With Incorrect Ref (v3)",
 "severity": "INFO",
 "line": 59,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.$ref=#components/schemas/idParam",
+ "searchValue": "",
+ "expectedValue": "Parameter Object ref points to '#/components/parameters'",
+ "actualValue": "Parameter Object ref doesn't point to '#/components/parameters'",
+ "issueType": "IncorrectValue",
+ "similarityID": "620b4734ca45022adfd6fac2db6428754fe913afa9a7e6dc3ca8fe93e36a7542",
+ "search_line": 0
 },
 {
 "queryName": "Parameter Object With Incorrect Ref (v3)",
 "severity": "INFO",
 "line": 67,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/user/id}}.get.parameters.$ref=#path/parameters/idParam",
+ "searchValue": "",
+ "expectedValue": "Parameter Object ref points to '#/components/parameters'",
+ "actualValue": "Parameter Object ref doesn't point to '#/components/parameters'",
+ "issueType": "IncorrectValue",
+ "similarityID": "d1424d6b293d08eefb42a3a75f75114ff68855a597ab1f187bd6c2b6f25351cf",
+ "search_line": 0
 },
 {
 "queryName": "Parameter Object With Incorrect Ref (v3)",
 "severity": "INFO",
- "line": 46,
- "filename": "positive2.yaml"
+ "line": 41,
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.$ref=#path/parameters/idParam",
+ "searchValue": "",
+ "expectedValue": "Parameter Object ref points to '#/components/parameters'",
+ "actualValue": "Parameter Object ref doesn't point to '#/components/parameters'",
+ "issueType": "IncorrectValue",
+ "similarityID": "49e34af79919d47b379aa479ea8e4b517b9db49d27848b40fdc753d369260638",
+ "search_line": 0
 },
 {
 "queryName": "Parameter Object With Incorrect Ref (v3)",
 "severity": "INFO",
- "line": 41,
- "filename": "positive2.yaml"
+ "line": 42,
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.$ref=#components/schemas/idParam",
+ "searchValue": "",
+ "expectedValue": "Parameter Object ref points to '#/components/parameters'",
+ "actualValue": "Parameter Object ref doesn't point to '#/components/parameters'",
+ "issueType": "IncorrectValue",
+ "similarityID": "ca7ea95189aaeedec0d7090392ae568f5964ba9b8a403a0f772500f1890d69dc",
+ "search_line": 0
 },
 {
 "queryName": "Parameter Object With Incorrect Ref (v3)",
 "severity": "INFO",
- "line": 42,
- "filename": "positive2.yaml"
+ "line": 46,
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/user/id}}.get.parameters.$ref=#path/parameters/idParam",
+ "searchValue": "",
+ "expectedValue": "Parameter Object ref points to '#/components/parameters'",
+ "actualValue": "Parameter Object ref doesn't point to '#/components/parameters'",
+ "issueType": "IncorrectValue",
+ "similarityID": "f2cdf1bcd36d9dac3a59d6cf0c0ff7fcde190b5c7f979793d44a37ac1e58ce9e",
+ "search_line": 0
 }
 ]
diff --git a/assets/queries/openAPI/3.0/parameter_object_schema_content/test/positive_expected_result.json b/assets/queries/openAPI/3.0/parameter_object_schema_content/test/positive_expected_result.json
index 31e4d7c7525..0e135125bf5 100644
--- a/assets/queries/openAPI/3.0/parameter_object_schema_content/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/parameter_object_schema_content/test/positive_expected_result.json 
@@ -3,36 +3,90 @@
 "queryName": "Parameter Object With Schema And Content",
 "severity": "INFO",
 "line": 43,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "Parameter Object shouldn't have both 'schema' and 'content' defined",
+ "actualValue": "Parameter Object has both 'schema' and 'content' defined",
+ "issueType": "IncorrectValue",
+ "similarityID": "32d80ccab3347ada96571219745093e35b364bad3bfd6e66a0d707ffe05d89da",
+ "search_line": -1
 },
 {
 "queryName": "Parameter Object With Schema And Content",
 "severity": "INFO",
 "line": 73,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths./users/{id}.get.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "Parameter Object shouldn't have both 'schema' and 'content' defined",
+ "actualValue": "Parameter Object has both 'schema' and 'content' defined",
+ "issueType": "IncorrectValue",
+ "similarityID": "59f059557af33e0a3539d071bb67dcbda7e97737dd06b796cc4073e87bfe22a8",
+ "search_line": -1
 },
 {
 "queryName": "Parameter Object With Schema And Content",
 "severity": "INFO",
 "line": 26,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "Parameter Object shouldn't have both 'schema' and 'content' defined",
+ "actualValue": "Parameter Object has both 'schema' and 'content' defined",
+ "issueType": "IncorrectValue",
+ "similarityID": "549c3fcacbef35388f35a53d79cc1166caf2ff03aa3c0def6193ba557ed2deb9",
+ "search_line": -1
 },
 {
 "queryName": "Parameter Object With Schema And Content",
 "severity": "INFO",
 "line": 45,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths./users/{id}.get.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "Parameter Object shouldn't have both 'schema' and 'content' defined",
+ "actualValue": "Parameter Object has both 'schema' and 'content' defined",
+ "issueType": "IncorrectValue",
+ "similarityID": "897e87f740ced1b497ea570d18187a9cb433b91f5d22d314fa388766933d3af4",
+ "search_line": -1
 },
 {
 "queryName": "Parameter Object With Schema And Content",
 "severity": "INFO",
 "line": 20,
- "filename": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "openapi.components.parameters.name={{limit}}",
+ "searchValue": "",
+ "expectedValue": "Parameter Object shouldn't have both 'schema' and 'content' defined",
+ "actualValue": "Parameter Object has both 'schema' and 'content' defined",
+ "issueType": "IncorrectValue",
+ "similarityID": "b1fba4ed6a2494111b50b8cc85027848697fa01f4f2f9828dcff26702424a44b",
+ "search_line": 0
 },
 {
 "queryName": "Parameter Object With Schema And Content",
 "severity": "INFO",
 "line": 16,
- "filename": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "openapi.components.parameters.name={{limit}}",
+ "searchValue": "",
+ "expectedValue": "Parameter Object shouldn't have both 'schema' and 'content' defined",
+ "actualValue": "Parameter Object has both 'schema' and 'content' defined",
+ "issueType": "IncorrectValue",
+ "similarityID": "995f7f05206b56723304c7633e132b9d89f5e176dab821932a50086cd9b86261",
+ "search_line": 0
 }
 ]
diff --git a/assets/queries/openAPI/3.0/parameter_object_undefined_type/test/positive_expected_result.json b/assets/queries/openAPI/3.0/parameter_object_undefined_type/test/positive_expected_result.json
index 45a055a7e39..389749b48aa 100644
--- a/assets/queries/openAPI/3.0/parameter_object_undefined_type/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/parameter_object_undefined_type/test/positive_expected_result.json
@@ -3,36 +3,90 @@
 "queryName": "Parameter Object With Undefined Type",
 "severity": "INFO",
 "line": 43,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.parameters type should be defined%!(EXTRA string=id)",
+ "actualValue": "paths.{{/}}.parameters type is not defined%!(EXTRA string=id)",
+ "issueType": "MissingAttribute",
+ "similarityID": "2b15a23723de4331d81d27649e5a70213566b8e52d43ee2b0215ccb33aca0755",
+ "search_line": -1
 },
 {
 "queryName": "Parameter Object With Undefined Type",
 "severity": "INFO",
 "line": 55,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/users/{id}}}.{{get}}.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/users/{id}}}.{{get}}.parameters type should be defined%!(EXTRA string=id)",
+ "actualValue": "paths.{{/users/{id}}}.{{get}}.parameters type is not defined%!(EXTRA string=id)",
+ "issueType": "MissingAttribute",
+ "similarityID": "9f8090348aaaf27fd41e43a5da26ca5b734c487b25739fcfebf221492901996c",
+ "search_line": -1
 },
 {
 "queryName": "Parameter Object With Undefined Type",
 "severity": "INFO",
 "line": 26,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.parameters type should be defined%!(EXTRA string=id)",
+ "actualValue": "paths.{{/}}.parameters type is not defined%!(EXTRA string=id)",
+ "issueType": "MissingAttribute",
+ "similarityID": "800673c1d1bbeeafec9b74a29d844d28bd3388d387a20fe86530f63a40716660",
+ "search_line": -1
 },
 {
 "queryName": "Parameter Object With Undefined Type",
 "severity": "INFO",
 "line": 40,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/users/{id}}}.{{get}}.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/users/{id}}}.{{get}}.parameters type should be defined%!(EXTRA string=id)",
+ "actualValue": "paths.{{/users/{id}}}.{{get}}.parameters type is not defined%!(EXTRA string=id)",
+ "issueType": "MissingAttribute",
+ "similarityID": "911306e5f4adcbd4d0ab8e62177b3d45cf2c22e8787736cae36cc9e32487e5f4",
+ "search_line": -1
 },
 {
 "queryName": "Parameter Object With Undefined Type",
 "severity": "INFO",
 "line": 10,
- "filename": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "openapi.components.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "openapi.components.parameters type should be defined%!(EXTRA string=id)",
+ "actualValue": "openapi.components.parameters type is not defined%!(EXTRA string=id)",
+ "issueType": "MissingAttribute",
+ "similarityID": "266347623d8f972fa745341c4d6d78213d7277dd7fa60c8d82bb14a70abb4353",
+ "search_line": 0
 },
 {
 "queryName": "Parameter Object With Undefined Type",
 "severity": "INFO",
 "line": 8,
- "filename": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "openapi.components.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "openapi.components.parameters type should be defined%!(EXTRA string=id)",
+ "actualValue": "openapi.components.parameters type is not defined%!(EXTRA string=id)",
+ "issueType": "MissingAttribute",
+ "similarityID": "3d0c390820adf30105fa41144bb4ed2bff600939a03379b8c7d628ba48280565",
+ "search_line": 0
 }
 ]
diff --git a/assets/queries/openAPI/3.0/parameter_object_without_schema/test/positive_expected_result.json b/assets/queries/openAPI/3.0/parameter_object_without_schema/test/positive_expected_result.json
index b6873a7ca41..a6cac0ea6f9 100644
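Review bot: Every added expectedValue and actualValue in this hunk ends in `%!(EXTRA string=id)`, which is Go's fmt marker for a format call given more arguments than verbs, so the fixture freezes a message-formatting bug in this query rather than the intended text. The marker appears in no other hunk of this commit, so it is specific to this query's message template, which lives outside the diff. Fixing the format in the query and regenerating this file would be preferable to committing the artefact; as committed, correcting the message later will fail this expectation.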
--- a/assets/queries/openAPI/3.0/parameter_object_without_schema/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/parameter_object_without_schema/test/positive_expected_result.json 
@@ -3,36 +3,90 @@
 "queryName": "Parameter Object Without Schema",
 "severity": "MEDIUM",
 "line": 11,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.parameters",
+ "searchValue": "",
+ "expectedValue": "The attribute 'schema' should be set",
+ "actualValue": "The attribute 'schema' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "bbdb6c2320eb080fb83e2c9b79ff28215aedc68ba357af623d9261fd822b346a",
+ "search_line": 0
 },
 {
 "queryName": "Parameter Object Without Schema",
 "severity": "MEDIUM",
 "line": 64,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/user/}}.parameters",
+ "searchValue": "",
+ "expectedValue": "The attribute 'schema' should be set",
+ "actualValue": "The attribute 'schema' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "88dadb017358e9267356cd800f527e6889c430632fe204af36705b8f711cda80",
+ "search_line": 0
 },
 {
 "queryName": "Parameter Object Without Schema",
 "severity": "MEDIUM",
 "line": 44,
- "filename": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.parameters",
+ "searchValue": "",
+ "expectedValue": "The attribute 'schema' should be set",
+ "actualValue": "The attribute 'schema' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "8a78babec0d47479189ac4bfef814528133f847a4c84fa633cdc9782955fe8d0",
+ "search_line": 0
 },
 {
 "queryName": "Parameter Object Without Schema",
 "severity": "MEDIUM",
 "line": 10,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.parameters",
+ "searchValue": "",
+ "expectedValue": "The attribute 'schema' should be set",
+ "actualValue": "The attribute 'schema' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "0ee7ac533992138ab8294fa5cc1f58490a36a86f663e38862f389cafa677b910",
+ "search_line": 0
 },
 {
 "queryName": "Parameter Object Without Schema",
 "severity": "MEDIUM",
 "line": 39,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/user/}}.parameters",
+ "searchValue": "",
+ "expectedValue": "The attribute 'schema' should be set",
+ "actualValue": "The attribute 'schema' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "94826b271ee96d74d173f161414ad24651f4488ef4415fa7739e43ce444aa9ee",
+ "search_line": 0
 },
 {
 "queryName": "Parameter Object Without Schema",
 "severity": "MEDIUM",
 "line": 26,
- "filename": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.parameters",
+ "searchValue": "",
+ "expectedValue": "The attribute 'schema' should be set",
+ "actualValue": "The attribute 'schema' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "f5f4cb418b25995448bf0cb60efd3f06086a17848bfe26a8e96cbc580d962def",
+ "search_line": 0
 }
 ]
diff --git a/assets/queries/openAPI/3.0/path_server_uses_http/test/positive_expected_result.json b/assets/queries/openAPI/3.0/path_server_uses_http/test/positive_expected_result.json
index e4d4cafd7a9..85ae818c93f 100644
--- a/assets/queries/openAPI/3.0/path_server_uses_http/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/path_server_uses_http/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Path Server Object Uses HTTP (v3)",
 "severity": "MEDIUM",
 "line": 18,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.servers.url={{http://staging.gigantic-server.com/v1}}",
+ "searchValue": "",
+ "expectedValue": "Path Server Object url uses 'HTTPS' protocol",
+ "actualValue": "Path Server Object url uses 'HTTP' protocol",
+ "issueType": "IncorrectValue",
+ "similarityID": "f4136dd0135f03cd4821db877ea461bb19da8b283e7fd44a0ef1692d6daf1c8f",
+ "search_line": -1
 },
 {
 "queryName": "Path Server Object Uses HTTP (v3)",
 "severity": "MEDIUM",
 "line": 15,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.servers.url={{http://api.gigantic-server.com/v1}}",
+ "searchValue": "",
+ "expectedValue": "Path Server Object url uses 'HTTPS' protocol",
+ "actualValue": "Path Server Object url uses 'HTTP' protocol",
+ "issueType": "IncorrectValue",
+ "similarityID": "7863ad9ea79ef4c262df97b7f0566a2a757d8ea3377c569a61bae15bac079938",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/test/positive_expected_result.json b/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/test/positive_expected_result.json
index a454d70f7e3..8159de72a8c 100644
--- a/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/property_allow_empty_value_ignored/test/positive_expected_result.json
@@ -3,36 +3,90 @@
 "queryName": "Property 'allowEmptyValue' Ignored",
 "severity": "INFO",
 "line": 47,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.allowEmptyValue",
+ "searchValue": "",
+ "expectedValue": "Property 'allowEmptyValue' should not be ignored",
+ "actualValue": "Property 'allowEmptyValue' is ignored (due to one of the following cases: {\"sytle\": \"simple\", \"explode\": false}, {\"sytle\": \"simple\", \"explode\": true}, {\"sytle\": \"spaceDelimited\", \"explode\": false}, {\"sytle\": \"pipeDelimited\", \"explode\": false}, or {\"sytle\": \"deepObject\", \"explode\": true})",
+ "issueType": "IncorrectValue",
+ "similarityID": "f1ae27c5d0b77f3a6b9ecf02cc8a35f9ea9d701af87b16e958e472b16b36ff24",
+ "search_line": -1
 },
 {
 "queryName": "Property 'allowEmptyValue' Ignored",
 "severity": "INFO",
 "line": 30,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.allowEmptyValue",
+ "searchValue": "",
+ "expectedValue": "Property 'allowEmptyValue' should not be ignored",
+ "actualValue": "Property 'allowEmptyValue' is ignored (due to one of the following cases: {\"sytle\": \"simple\", \"explode\": false}, {\"sytle\": \"simple\", \"explode\": true}, {\"sytle\": \"spaceDelimited\", \"explode\": false}, {\"sytle\": \"pipeDelimited\", \"explode\": false}, or {\"sytle\": \"deepObject\", \"explode\": true})",
+ "issueType": "IncorrectValue",
+ "similarityID": "aba6e812e9882a20ca848179c23ad7980bd4ea22c2ce51beaab7b489f991e000",
+ "search_line": -1
 },
 {
 "queryName": "Property 'allowEmptyValue' Ignored",
 "severity": "INFO",
 "line": 12,
- "filename": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.allowEmptyValue",
+ "searchValue": "",
+ "expectedValue": "Property 'allowEmptyValue' should not be 
ignored", + "actualValue": "Property 'allowEmptyValue' is ignored (due to one of the following cases: {\"sytle\": \"simple\", \"explode\": false}, {\"sytle\": \"simple\", \"explode\": true}, {\"sytle\": \"spaceDelimited\", \"explode\": false}, {\"sytle\": \"pipeDelimited\", \"explode\": false}, or {\"sytle\": \"deepObject\", \"explode\": true})", + "issueType": "IncorrectValue", + "similarityID": "57bd255ba340e8c93106341d27ff11e6fff2c7f76023c56bd92585d95b4967c5", + "search_line": -1 }, { "queryName": "Property 'allowEmptyValue' Ignored", "severity": "INFO", "line": 32, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.allowEmptyValue", + "searchValue": "", + "expectedValue": "Property 'allowEmptyValue' should not be ignored", + "actualValue": "Property 'allowEmptyValue' is ignored (due to one of the following cases: {\"sytle\": \"simple\", \"explode\": false}, {\"sytle\": \"simple\", \"explode\": true}, {\"sytle\": \"spaceDelimited\", \"explode\": false}, {\"sytle\": \"pipeDelimited\", \"explode\": false}, or {\"sytle\": \"deepObject\", \"explode\": true})", + "issueType": "IncorrectValue", + "similarityID": "7ee038395a4703b517f903615dc0e35d54ce9f7017bfca7b9959cf7f5e82d83c", + "search_line": -1 }, { "queryName": "Property 'allowEmptyValue' Ignored", "severity": "INFO", "line": 16, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.allowEmptyValue", + "searchValue": "", + "expectedValue": "Property 'allowEmptyValue' should not be ignored", + "actualValue": "Property 'allowEmptyValue' is ignored (due to one of the following cases: {\"sytle\": \"simple\", \"explode\": false}, {\"sytle\": \"simple\", \"explode\": true}, {\"sytle\": \"spaceDelimited\", \"explode\": false}, {\"sytle\": \"pipeDelimited\", \"explode\": false}, or {\"sytle\": \"deepObject\", \"explode\": true})", + 
"issueType": "IncorrectValue", + "similarityID": "abf47272ec3d7258446e7d770a332112ae6d28480fddaa4a361b761b58773b93", + "search_line": -1 }, { "queryName": "Property 'allowEmptyValue' Ignored", "severity": "INFO", "line": 31, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.allowEmptyValue", + "searchValue": "", + "expectedValue": "Property 'allowEmptyValue' should not be ignored", + "actualValue": "Property 'allowEmptyValue' is ignored (due to one of the following cases: {\"sytle\": \"simple\", \"explode\": false}, {\"sytle\": \"simple\", \"explode\": true}, {\"sytle\": \"spaceDelimited\", \"explode\": false}, {\"sytle\": \"pipeDelimited\", \"explode\": false}, or {\"sytle\": \"deepObject\", \"explode\": true})", + "issueType": "IncorrectValue", + "similarityID": "ab07388c9bc9730bfafad46a2fe19442c4b0881e6d5f994d0e15c8472947c20a", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/test/positive_expected_result.json b/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/test/positive_expected_result.json index cd75a47c8cc..3757a75ba4b 100644 --- a/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored/test/positive_expected_result.json 
@@ -3,24 +3,60 @@
 "queryName": "Property 'allowReserved' of Encoding Object Ignored",
 "severity": "INFO",
 "line": 49,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/data}}",
+ "searchValue": "",
+ "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'allowReserved' is set",
+ "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'allowReserved' is set",
+ "issueType": "IncorrectValue",
+ "similarityID": "5333cf2b03665701ec1f8b71e664d629a0e9733e2914de54cebcf4fbedb11270",
+ "search_line": 0
 },
 {
 "queryName": "Property 'allowReserved' of Encoding Object Ignored",
 "severity": "INFO",
 "line": 43,
- "filename": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} should be 'application/x-www-form-urlencoded' when 'allowReserved' is set",
+ "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'allowReserved' is set",
+ "issueType": "IncorrectValue",
+ "similarityID": "85b74a930823f59b4ab01329cb79d5573118ee7c52d6cf5fa80969788367cd0b",
+ "search_line": -1
 },
 {
 "queryName": "Property 'allowReserved' of Encoding Object Ignored",
 "severity": "INFO",
 "line": 31,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}}",
+ "searchValue": "",
+ "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}} should be 
'application/x-www-form-urlencoded' when 'allowReserved' is set",
+ "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'allowReserved' is set",
+ "issueType": "IncorrectValue",
+ "similarityID": "ca84c4ffbf98b06563083aad99009ae71e364595fe182dab96f7d24542434607",
+ "search_line": 0
 },
 {
 "queryName": "Property 'allowReserved' of Encoding Object Ignored",
 "severity": "INFO",
 "line": 30,
- "filename": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} should be 'application/x-www-form-urlencoded' when 'allowReserved' is set",
+ "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'allowReserved' is set",
+ "issueType": "IncorrectValue",
+ "similarityID": "3445d23345d89d8aace05ef8a918af4fdb6c5f3c99b92b8462ce42320fa199a0",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/test/positive_expected_result.json b/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/test/positive_expected_result.json
index cd1698bb853..7c37843ddd9 100644
--- a/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined/test/positive_expected_result.json
@@ -2,37 +2,91 @@
 {
 "queryName": "Property 'allowReserved' Improperly Defined",
 "severity": "INFO",
- "line": 59,
- "filename": "positive1.json"
+ "line": 43,
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.parameters.name={{id}} should have 'in' set to 'query' when 'allowReserved' is set",
+ "actualValue": "paths.{{/}}.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set",
+ "issueType": "IncorrectValue",
+ "similarityID": "ad2e0bb7f992c63675bdee8ef8880f2936e6aff2d3c002825cc223ad04efd1e0",
+ "search_line": -1
 },
 {
 "queryName": "Property 'allowReserved' Improperly Defined",
 "severity": "INFO",
- "line": 43,
- "filename": "positive1.json"
+ "line": 59,
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths./users/{id}.get.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "paths./users/{id}.get.parameters.name={{id}} should have 'in' set to 'query' when 'allowReserved' is set",
+ "actualValue": "paths./users/{id}.get.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set",
+ "issueType": "IncorrectValue",
+ "similarityID": "6867862047ed51ec25d11bc3d75df48fa1bcca0c1a78164458dd9c554f390516",
+ "search_line": -1
 },
 {
 "queryName": "Property 'allowReserved' Improperly Defined",
 "severity": "INFO",
 "line": 26,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.parameters.name={{id}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.parameters.name={{id}} should have 'in' set to 'query' when 'allowReserved' is set",
+ "actualValue": "paths.{{/}}.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set",
+ "issueType": "IncorrectValue",
+ "similarityID": 
"ca04fe13fc405b17fd34bce05d7069de0b44e9a61466a8a0f1faffe781c31f87", + "search_line": -1 }, { "queryName": "Property 'allowReserved' Improperly Defined", "severity": "INFO", "line": 37, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}.get.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "paths./users/{id}.get.parameters.name={{id}} should have 'in' set to 'query' when 'allowReserved' is set", + "actualValue": "paths./users/{id}.get.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set", + "issueType": "IncorrectValue", + "similarityID": "f73f947ca2e5c8bae85677733ea700d24d1c2b4cdb239f0cd183e8c56d0f6cc8", + "search_line": -1 }, { "queryName": "Property 'allowReserved' Improperly Defined", "severity": "INFO", "line": 43, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name={{id}} should have 'in' set to 'query' when 'allowReserved' is set", + "actualValue": "paths.{{/}}.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set", + "issueType": "IncorrectValue", + "similarityID": "5ca5e00be5c08af6d5add5e946f1f400a1cdfe0181392609162cf89561b69ff8", + "search_line": -1 }, { "queryName": "Property 'allowReserved' Improperly Defined", "severity": "INFO", "line": 26, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name={{id}} should have 'in' set to 'query' when 'allowReserved' is set", + "actualValue": "paths.{{/}}.parameters.name={{id}} does not have 'in' set to 'query' when 'allowReserved' is set", + "issueType": "IncorrectValue", + "similarityID": 
"62973c4250aeeb1288b7bc0b91a13579c7e785c957caa777d93b6e9ee8462a0a", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/test/positive_expected_result.json b/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/test/positive_expected_result.json index bf8e259e7a7..2338122a564 100644 --- a/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored/test/positive_expected_result.json 
@@ -3,24 +3,60 @@
 "queryName": "Property 'explode' of Encoding Object Ignored",
 "severity": "INFO",
 "line": 49,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/data}}",
+ "searchValue": "",
+ "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'explode' is set",
+ "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'explode' is set",
+ "issueType": "IncorrectValue",
+ "similarityID": "9742843002361b5a60ab7776fb1c941ffa39bd2b0fc59f8e13d998d6bf0d67fa",
+ "search_line": 0
 },
 {
 "queryName": "Property 'explode' of Encoding Object Ignored",
 "severity": "INFO",
 "line": 43,
- "filename": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} should be 'application/x-www-form-urlencoded' when 'explode' is set",
+ "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'explode' is set",
+ "issueType": "IncorrectValue",
+ "similarityID": "5537f09d8fbba0894f7bfe1badfd93cf9e916c4ebb5221a6cefcb10317132a59",
+ "search_line": -1
 },
 {
 "queryName": "Property 'explode' of Encoding Object Ignored",
 "severity": "INFO",
 "line": 31,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}}",
+ "searchValue": "",
+ "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}} should be 'application/x-www-form-urlencoded' when 'explode' is set",
+ 
"actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'explode' is set", + "issueType": "IncorrectValue", + "similarityID": "66583583c5be1939419e15ed9e2c56be1d16fbef665d003a83e1d05f9c39a83a", + "search_line": 0 }, { "queryName": "Property 'explode' of Encoding Object Ignored", "severity": "INFO", "line": 30, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} should be 'application/x-www-form-urlencoded' when 'explode' is set", + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/form-data}} is not 'application/x-www-form-urlencoded' when 'explode' is set", + "issueType": "IncorrectValue", + "similarityID": "dc5e2c62188a8b7672926a97b452dc3bf241f7518028cd454cbd59e402651f73", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/test/positive_expected_result.json b/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/test/positive_expected_result.json index 3d983fd274a..e06e1b1725f 100644 --- a/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/property_type_encoding_object_ignored/test/positive_expected_result.json 
@@ -3,24 +3,60 @@
 "queryName": "Property 'style' of Encoding Object Ignored",
 "severity": "INFO",
 "line": 49,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/data}}",
+ "searchValue": "",
+ "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'style' is set",
+ "actualValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'style' is set",
+ "issueType": "IncorrectValue",
+ "similarityID": "0b35c793fc991b46bfabf7e882a961c92cc745bb6f792cd66dff1f50b6db84a5",
+ "search_line": 0
 },
 {
 "queryName": "Property 'style' of Encoding Object Ignored",
 "severity": "INFO",
 "line": 43,
- "filename": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'style' is set",
+ "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'style' is set",
+ "issueType": "IncorrectValue",
+ "similarityID": "796ddc41864879c22a6684360662c480e47342518fa742563cfc1ad42130a972",
+ "search_line": -1
 },
 {
 "queryName": "Property 'style' of Encoding Object Ignored",
 "severity": "INFO",
 "line": 31,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.{{NewItem}}.content.{{multipart/data}}",
+ "searchValue": "",
+ "expectedValue": "components.requestBodies.{{NewItem}}.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'style' is set",
+ "actualValue": 
"components.requestBodies.{{NewItem}}.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'style' is set", + "issueType": "IncorrectValue", + "similarityID": "bb9125c30ec7a8e44cb82c21a56f14f56eb1bf66d953cd3c00179ae9fadfd495", + "search_line": 0 }, { "queryName": "Property 'style' of Encoding Object Ignored", "severity": "INFO", "line": 30, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}} should be 'application/x-www-form-urlencoded' when 'style' is set", + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{multipart/data}} is not 'application/x-www-form-urlencoded' when 'style' is set", + "issueType": "IncorrectValue", + "similarityID": "62ad06afd90a3a024814d660d3f030ede4666fff243bb496559637de7165d014", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/3.0/request_body_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/request_body_incorrect_ref/test/positive_expected_result.json index b3841d340d5..6cd132e13d0 100644 --- a/assets/queries/openAPI/3.0/request_body_incorrect_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/request_body_incorrect_ref/test/positive_expected_result.json 
@@ -3,12 +3,30 @@
 "queryName": "Request Body With Incorrect Ref",
 "severity": "INFO",
 "line": 30,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.requestBody.$ref",
+ "searchValue": "",
+ "expectedValue": "Request body ref points to '#/components/requestBodies'",
+ "actualValue": "Request body ref doesn't point to '#/components/requestBodies'",
+ "issueType": "IncorrectValue",
+ "similarityID": "7efc929f172743cea2d79ff98116709481c841de03b9a05fbeb084a8a21e5f0d",
+ "search_line": 0
 },
 {
 "queryName": "Request Body With Incorrect Ref",
 "severity": "INFO",
 "line": 22,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.requestBody.$ref",
+ "searchValue": "",
+ "expectedValue": "Request body ref points to '#/components/requestBodies'",
+ "actualValue": "Request body ref doesn't point to '#/components/requestBodies'",
+ "issueType": "IncorrectValue",
+ "similarityID": "349a7c3ccfd8efcd89f9a728d0ecbe92c36da2c403991ef4fed26eb522eb2ee6",
+ "search_line": 0
 }
 ]
diff --git a/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/test/positive_expected_result.json b/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/test/positive_expected_result.json
index f86cfec9b30..332e855a581 100644
--- a/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type/test/positive_expected_result.json
@@ -3,24 +3,60 @@
 "queryName": "Request Body Object With Incorrect Media Type",
 "severity": "INFO",
 "line": 64,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.{{NewItem}}.content.{{application/json}}.encoding",
+ "searchValue": "",
+ "expectedValue": "components.requestBodies.{{NewItem}}.content.{{application/json}} should be 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set",
+ "actualValue": "components.requestBodies.{{NewItem}}.content.{{application/json}} is not 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set",
+ "issueType": "IncorrectValue",
+ "similarityID": "a1dea7dc635fe3cee4b273aa379d9d859247e15ad35026b51628d796b9372323",
+ "search_line": 0
 },
 {
 "queryName": "Request Body Object With Incorrect Media Type",
 "severity": "INFO",
 "line": 43,
- "filename": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{application/octet-stream}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/octet-stream}} should be 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set",
+ "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/octet-stream}} is not 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set",
+ "issueType": "IncorrectValue",
+ "similarityID": "28c0a3f2ea21615f2885fb84077d87026525024503d8b6363d456b620ff1f29c",
+ "search_line": -1
 },
 {
 "queryName": "Request Body Object With Incorrect Media Type",
 "severity": "INFO",
 "line": 41,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.{{NewItem}}.content.{{application/json}}.encoding",
+ "searchValue": "",
+ "expectedValue": 
"components.requestBodies.{{NewItem}}.content.{{application/json}} should be 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set", + "actualValue": "components.requestBodies.{{NewItem}}.content.{{application/json}} is not 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set", + "issueType": "IncorrectValue", + "similarityID": "c0f9101b19b970a61acc6db8c1645a32e7111ee843db0f80a58833c6151a793f", + "search_line": 0 }, { "queryName": "Request Body Object With Incorrect Media Type", "severity": "INFO", "line": 30, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.requestBody.content.{{application/octet-stream}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/octet-stream}} should be 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set", + "actualValue": "paths.{{/}}.{{get}}.requestBody.content.{{application/octet-stream}} is not 'multipart' or 'application/x-www-form-urlencoded' when 'encoding' is set", + "issueType": "IncorrectValue", + "similarityID": "0f306070d610bd1f8a04b1fb2a4d6010650581b60a2b8816c676a59ba61883ad", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/3.0/response_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/response_object_incorrect_ref/test/positive_expected_result.json index 620d091d27d..9655d22dcba 100644 --- a/assets/queries/openAPI/3.0/response_object_incorrect_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/response_object_incorrect_ref/test/positive_expected_result.json 
@@ -3,12 +3,30 @@
 "queryName": "Response Object With Incorrect Ref (v3)",
 "severity": "INFO",
 "line": 44,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.{{200}}.$ref",
+ "searchValue": "",
+ "expectedValue": "Response ref points to '#/components/responses'",
+ "actualValue": "Response ref does not point to '#/components/responses'",
+ "issueType": "IncorrectValue",
+ "similarityID": "b90071b5fbbe5a9b3b76efdc82a4e8faae3a812a1d296e62189b195afffcc1bb",
+ "search_line": 0
 },
 {
 "queryName": "Response Object With Incorrect Ref (v3)",
 "severity": "INFO",
 "line": 27,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.{{200}}.$ref",
+ "searchValue": "",
+ "expectedValue": "Response ref points to '#/components/responses'",
+ "actualValue": "Response ref does not point to '#/components/responses'",
+ "issueType": "IncorrectValue",
+ "similarityID": "653a37cb3120033bcb1471f079c97da32afc4195a90bbd3d90a1da8d683e9092",
+ "search_line": 0
 }
 ]
diff --git a/assets/queries/openAPI/3.0/schema_object_incorrect_ref/test/positive_expected_result.json b/assets/queries/openAPI/3.0/schema_object_incorrect_ref/test/positive_expected_result.json
index a756e5b90c4..c77f34cd48e 100644
--- a/assets/queries/openAPI/3.0/schema_object_incorrect_ref/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/schema_object_incorrect_ref/test/positive_expected_result.json
@@ -3,24 +3,60 @@
 "queryName": "Schema Object Incorrect Ref (v3)",
 "severity": "INFO",
 "line": 76,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref",
+ "searchValue": "",
+ "expectedValue": "Schema reference points to '#components/schemas'",
+ "actualValue": "Schema reference does not point to '#components/schemas'",
+ "issueType": "IncorrectValue",
+ "similarityID": "e31866ac23e7bb43fb36a804d4280630e09412e75bec5c9165fe211b97bdb7be",
+ "search_line": 0
 },
 {
 "queryName": "Schema Object Incorrect Ref (v3)",
 "severity": "INFO",
 "line": 16,
- "filename": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref",
+ "searchValue": "",
+ "expectedValue": "Schema reference points to '#components/schemas'",
+ "actualValue": "Schema reference does not point to '#components/schemas'",
+ "issueType": "IncorrectValue",
+ "similarityID": "7c1dfe40cba425f7ae119405e95ad6143acd74bb306dfa65e9009dcdfa6adfde",
+ "search_line": 0
 },
 {
 "queryName": "Schema Object Incorrect Ref (v3)",
 "severity": "INFO",
 "line": 46,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref",
+ "searchValue": "",
+ "expectedValue": "Schema reference points to '#components/schemas'",
+ "actualValue": "Schema reference does not point to '#components/schemas'",
+ "issueType": "IncorrectValue",
+ "similarityID": "2eb0e3094fe6a79815371ff8393056e37b22a5fa7619a3a6620afc6ffc84c866",
+ "search_line": 0
 },
 {
 "queryName": "Schema Object Incorrect Ref (v3)",
 "severity": "INFO",
 "line": 16,
- "filename": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": 
"paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref", + "searchValue": "", + "expectedValue": "Schema reference points to '#components/schemas'", + "actualValue": "Schema reference does not point to '#components/schemas'", + "issueType": "IncorrectValue", + "similarityID": "36d2f3dc8e822af6148e6b56f7a3a1643a584d0658573b366dd6c75101651e09", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/test/positive_expected_result.json b/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/test/positive_expected_result.json index 436d3542a45..1843ce2f8d1 100644 --- a/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only/test/positive_expected_result.json 
@@ -3,24 +3,60 @@
 "queryName": "Schema With Both ReadOnly And WriteOnly",
 "severity": "INFO",
 "line": 50,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.schemas.{{GeneralError}}",
+ "searchValue": "",
+ "expectedValue": "components.schemas.{{GeneralError}} should not have both 'writeOnly' and 'readOnly' set to true",
+ "actualValue": "components.schemas.{{GeneralError}} has both 'writeOnly' and 'readOnly' set to true",
+ "issueType": "IncorrectValue",
+ "similarityID": "ce9110f7c0dc4e5242ded50e0d824ff0336c4fcd27718d016865d43d43f63be6",
+ "search_line": -1
 },
 {
 "queryName": "Schema With Both ReadOnly And WriteOnly",
 "severity": "INFO",
 "line": 22,
- "filename": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema should not have both 'writeOnly' and 'readOnly' set to true",
+ "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema has both 'writeOnly' and 'readOnly' set to true",
+ "issueType": "IncorrectValue",
+ "similarityID": "693baf5afbfd5eb1f782778d00851c674fabccc9cc6d9b56cce415d45ed12914",
+ "search_line": -1
 },
 {
 "queryName": "Schema With Both ReadOnly And WriteOnly",
 "severity": "INFO",
 "line": 27,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.schemas.{{GeneralError}}",
+ "searchValue": "",
+ "expectedValue": "components.schemas.{{GeneralError}} should not have both 'writeOnly' and 'readOnly' set to true",
+ "actualValue": "components.schemas.{{GeneralError}} has both 'writeOnly' and 'readOnly' set to true",
+ "issueType": "IncorrectValue",
+ "similarityID": "fd8adff91c0784daca308b9c2ee38192cf04b8a64693353c978b9f7da53fb880",
+ "search_line": -1
 },
 {
 "queryName": "Schema With Both ReadOnly And WriteOnly",
 "severity": "INFO",
 "line": 15,
- "filename": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema should not have both 'writeOnly' and 'readOnly' set to true",
+ "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema has both 'writeOnly' and 'readOnly' set to true",
+ "issueType": "IncorrectValue",
+ "similarityID": "66855422e562a43934dfc3c7e7468a0195fbfbe2d3fa4d29821e55fdfc0ffe77",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/openAPI/3.0/security_field_undefined/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_field_undefined/test/positive_expected_result.json
index 99678c04b86..c7e6abd954c 100644
--- a/assets/queries/openAPI/3.0/security_field_undefined/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/security_field_undefined/test/positive_expected_result.json
@@ -3,24 +3,60 @@
 "queryName": "Security Field Undefined",
 "severity": "INFO",
 "line": 45,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "security.petstore_auth",
+ "searchValue": "",
+ "expectedValue": "security[0].petstore_auth should be defined in '#/components/securitySchemes'",
+ "actualValue": "security[0].petstore_auth is not defined in '#/components/securitySchemes'",
+ "issueType": "MissingAttribute",
+ "similarityID": "119f851c4fbb90bdeabcd177ce56e8ce1a5be2037d2114845d1399a717f22917",
+ "search_line": -1
 },
 {
 "queryName": "Security Field Undefined",
 "severity": "INFO",
 "line": 45,
- "filename": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "security.petstore_auth",
+ "searchValue": "",
+ "expectedValue": "security[0].petstore_auth should be defined in '#/components/securitySchemes'",
+ "actualValue": "security[0].petstore_auth is not defined in '#/components/securitySchemes'",
+ "issueType": "MissingAttribute",
+ "similarityID": "46285a3c01e26d354fb0cc169a68cb69849347ddd91a2489191b95d7a8b39899",
+ "search_line": -1
 },
 {
 "queryName": "Security Field Undefined",
 "severity": "INFO",
 "line": 26,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "security.petstore_auth",
+ "searchValue": "",
+ "expectedValue": "security[0].petstore_auth should be defined in '#/components/securitySchemes'",
+ "actualValue": "security[0].petstore_auth is not defined in '#/components/securitySchemes'",
+ "issueType": "MissingAttribute",
+ "similarityID": "ae4c56fe26c5d5cd5c49f4a37e063bc5c16f631b2bdd53ec66a6dea1a55b81d4",
+ "search_line": -1
 },
 {
 "queryName": "Security Field Undefined",
 "severity": "INFO",
 "line": 26,
- "filename": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "security.petstore_auth",
+ "searchValue": "",
+ "expectedValue": "security[0].petstore_auth should be defined in '#/components/securitySchemes'",
+ "actualValue": "security[0].petstore_auth is not defined in '#/components/securitySchemes'",
+ "issueType": "MissingAttribute",
+ "similarityID": "1b624911b1dacd6cc2cdad5e3b778229893e7f1290e907cac98faa263eafa650",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/openAPI/3.0/security_operation_field_undefined/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_operation_field_undefined/test/positive_expected_result.json
index 0592b8d8dc9..cadf6feacdf 100644
--- a/assets/queries/openAPI/3.0/security_operation_field_undefined/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/security_operation_field_undefined/test/positive_expected_result.json
@@ -3,24 +3,60 @@
 "queryName": "Security Operation Field Undefined",
 "severity": "INFO",
 "line": 14,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.petstore_auth",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.security[0].petstore_auth should be defined in '#/components/securitySchemes'",
+ "actualValue": "paths.{{/}}.{{get}}.security[0].petstore_auth is not defined in '#/components/securitySchemes'",
+ "issueType": "MissingAttribute",
+ "similarityID": "0c4fc05340179cd1bff9ecca87132da0129aa4446b611036ec2a36809117860b",
+ "search_line": 14
 },
 {
 "queryName": "Security Operation Field Undefined",
 "severity": "INFO",
 "line": 14,
- "filename": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.petstore_auth",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.security[0].petstore_auth should be defined in '#/components/securitySchemes'",
+ "actualValue": "paths.{{/}}.{{get}}.security[0].petstore_auth is not defined in '#/components/securitySchemes'",
+ "issueType": "MissingAttribute",
+ "similarityID": "5c9467777bb14620cf704fc983ba037b738d45c5ceb2008c2e77aef887be5ddd",
+ "search_line": 14
 },
 {
 "queryName": "Security Operation Field Undefined",
 "severity": "INFO",
 "line": 11,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.petstore_auth",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.security[0].petstore_auth should be defined in '#/components/securitySchemes'",
+ "actualValue": "paths.{{/}}.{{get}}.security[0].petstore_auth is not defined in '#/components/securitySchemes'",
+ "issueType": "MissingAttribute",
+ "similarityID": "00eccb6c4daaff6af4ff0603e9ef94c46145430a59cbb80b1ab115c654fdb7e8",
+ "search_line": 11
 },
 {
 "queryName": "Security Operation Field Undefined",
 "severity": "INFO",
 "line": 11,
- "filename": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.petstore_auth",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.security[0].petstore_auth should be defined in '#/components/securitySchemes'",
+ "actualValue": "paths.{{/}}.{{get}}.security[0].petstore_auth is not defined in '#/components/securitySchemes'",
+ "issueType": "MissingAttribute",
+ "similarityID": "b5dff7f5b94903c14059b025cc8316d84d468cdf1ec452a50b023e70eec6c0ac",
+ "search_line": 11
 }
 ]
diff --git a/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/test/positive_expected_result.json
index 855e0f4389d..200dd0c9277 100644
--- a/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes/test/positive_expected_result.json
@@ -3,24 +3,60 @@
 "queryName": "Security Requirement Object With Wrong Scopes",
 "severity": "INFO",
 "line": 9,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "security.api_key",
+ "searchValue": "",
+ "expectedValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'",
+ "actualValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'",
+ "issueType": "IncorrectValue",
+ "similarityID": "0ab38a1d2649b9fb6fd48bd486167ffc4b1ca9153a6e950ead88b5850727be15",
+ "search_line": -1
 },
 {
 "queryName": "Security Requirement Object With Wrong Scopes",
 "severity": "INFO",
 "line": 6,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "security.api_key",
+ "searchValue": "",
+ "expectedValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'",
+ "actualValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'",
+ "issueType": "IncorrectValue",
+ "similarityID": "9c8b8d10370cd7079742bfae7aa2aaf93cca17c34e3dd86cb4bf006f726f8339",
+ "search_line": -1
 },
 {
 "queryName": "Security Requirement Object With Wrong Scopes",
 "severity": "INFO",
 "line": 28,
- "filename": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/pets}}.get.security.api_key",
+ "searchValue": "",
+ "expectedValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'",
+ "actualValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'",
+ "issueType": "IncorrectValue",
+ "similarityID": "60cd531459a6fa309cee5a86075ba10f7749f67272424cceb01c9ae2f668e005",
+ "search_line": 0
 },
 {
 "queryName": "Security Requirement Object With Wrong Scopes",
 "severity": "INFO",
 "line": 19,
- "filename": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/pets}}.get.security.api_key",
+ "searchValue": "",
+ "expectedValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'",
+ "actualValue": "'security.api_key' has no scopes defined for security scheme of type 'apiKey'",
+ "issueType": "IncorrectValue",
+ "similarityID": "feb56edd7a5ef9721d10fc7e2cb9ebc02ed32f6c64a39dc2edba723cd6009c20",
+ "search_line": 0
 }
 ]
diff --git a/assets/queries/openAPI/3.0/security_scheme_undefined/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_scheme_undefined/test/positive_expected_result.json
index 7fe97f3cda0..7c32afffaf4 100644
--- a/assets/queries/openAPI/3.0/security_scheme_undefined/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/security_scheme_undefined/test/positive_expected_result.json
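Review bot: In all four entries of the security_requirement_object_with_wrong_scopes fixture, `expectedValue` and `actualValue` carry the identical string `'security.api_key' has no scopes defined for security scheme of type 'apiKey'`, so the expected side no longer describes the compliant state and a regression in either message would not be caught by the fixture. Since this file appears to be regenerated from scanner output, the duplication most likely originates in the query's result messages rather than in the generator; I would correct the expectedValue wording at its source so it states the condition the query wants to see, then regenerate this fixture. The other fixtures in this commit keep the two messages distinct, which is the convention this one should follow.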
@@ -3,36 +3,90 @@
 "queryName": "Field 'securityScheme' On Components Is Undefined",
 "severity": "MEDIUM",
 "line": 2,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "openapi",
+ "searchValue": "",
+ "expectedValue": "A security scheme on components should be defined",
+ "actualValue": "Components is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "0fa80851e6de253e79a6078f1914357e134b0ba82fd32bea86426e784c4a2371",
+ "search_line": -1
 },
 {
 "queryName": "Field 'securityScheme' On Components Is Undefined",
 "severity": "MEDIUM",
 "line": 43,
- "filename": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components",
+ "searchValue": "",
+ "expectedValue": "A security scheme on components should be defined",
+ "actualValue": "A security scheme is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "20c9997c25c236cea287e0e2d82e6cc48673ff72b0bfd0b472508c156a3e57bd",
+ "search_line": -1
 },
 {
 "queryName": "Field 'securityScheme' On Components Is Undefined",
 "severity": "MEDIUM",
 "line": 44,
- "filename": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes",
+ "searchValue": "",
+ "expectedValue": "A security scheme on components should be defined",
+ "actualValue": "A security scheme is an empty object",
+ "issueType": "IncorrectValue",
+ "similarityID": "b8aefb64cd0d7ad77d18b9741ab0b9d76d9b68e742d364930dd70926f3ebc78c",
+ "search_line": -1
 },
 {
 "queryName": "Field 'securityScheme' On Components Is Undefined",
 "severity": "MEDIUM",
 "line": 1,
- "filename": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "openapi",
+ "searchValue": "",
+ "expectedValue": "A security scheme on components should be defined",
+ "actualValue": "Components is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "28b9d377198ade66870bcb25f36230f4f735161c32bf2840d20b2d466896ec7b",
+ "search_line": -1
 },
 {
 "queryName": "Field 'securityScheme' On Components Is Undefined",
 "severity": "MEDIUM",
 "line": 25,
- "filename": "positive5.yaml"
+ "fileName": "positive5.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components",
+ "searchValue": "",
+ "expectedValue": "A security scheme on components should be defined",
+ "actualValue": "A security scheme is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "bfbad386bb984eba13c42feded27b2598e637161154877fc71b556b45fa6bf30",
+ "search_line": -1
 },
 {
 "queryName": "Field 'securityScheme' On Components Is Undefined",
 "severity": "MEDIUM",
 "line": 26,
- "filename": "positive6.yaml"
+ "fileName": "positive6.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes",
+ "searchValue": "",
+ "expectedValue": "A security scheme on components should be defined",
+ "actualValue": "A security scheme is an empty object",
+ "issueType": "IncorrectValue",
+ "similarityID": "2e8dca1a004cd43964ed51be76ac2e97a6fd696e878ea46661521b4cfb79e1fd",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/openAPI/3.0/security_scheme_using_http_basic/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_scheme_using_http_basic/test/positive_expected_result.json
index aa4a27d8581..c1b4735d207 100644
--- a/assets/queries/openAPI/3.0/security_scheme_using_http_basic/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/security_scheme_using_http_basic/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Security Scheme Using HTTP Basic",
 "severity": "LOW",
 "line": 57,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme",
+ "searchValue": "",
+ "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use 'basic' authentication",
+ "actualValue": "components.securitySchemes.{{petstore_auth}} uses 'basic' authentication",
+ "issueType": "IncorrectValue",
+ "similarityID": "4c64f9129c8a5c15dd0cc147924acfc38d3d2c03e49b310b5cf35dcd027ccf5f",
+ "search_line": -1
 },
 {
 "queryName": "Security Scheme Using HTTP Basic",
 "severity": "LOW",
 "line": 33,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme",
+ "searchValue": "",
+ "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use 'basic' authentication",
+ "actualValue": "components.securitySchemes.{{petstore_auth}} uses 'basic' authentication",
+ "issueType": "IncorrectValue",
+ "similarityID": "b5ea5664eecf7e9c544fe8b8ef3f2e20f19cc549c0d1341efcb94e07bd8f00f1",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/openAPI/3.0/security_scheme_using_http_digest/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_scheme_using_http_digest/test/positive_expected_result.json
index 22356392f89..929ac0a41a6 100644
--- a/assets/queries/openAPI/3.0/security_scheme_using_http_digest/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/security_scheme_using_http_digest/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Security Scheme Using HTTP Digest",
 "severity": "LOW",
 "line": 57,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme",
+ "searchValue": "",
+ "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use 'digest' authentication",
+ "actualValue": "components.securitySchemes.{{petstore_auth}} uses 'digest' authentication",
+ "issueType": "IncorrectValue",
+ "similarityID": "dd3ff81622421726124d88e2dfc2c21cf498dda6fa719361f342e050d30ad5b0",
+ "search_line": -1
 },
 {
 "queryName": "Security Scheme Using HTTP Digest",
 "severity": "LOW",
 "line": 33,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme",
+ "searchValue": "",
+ "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use 'digest' authentication",
+ "actualValue": "components.securitySchemes.{{petstore_auth}} uses 'digest' authentication",
+ "issueType": "IncorrectValue",
+ "similarityID": "98b00dca6111c78f1fff2c12b693121c70e20164b0927fa7f01ea8c681991f8d",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/openAPI/3.0/security_scheme_using_http_negotiate/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_scheme_using_http_negotiate/test/positive_expected_result.json
index fe5a5c177ac..088cbd7e708 100644
--- a/assets/queries/openAPI/3.0/security_scheme_using_http_negotiate/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/security_scheme_using_http_negotiate/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Security Scheme Using HTTP Negotiate",
 "severity": "LOW",
 "line": 57,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme",
+ "searchValue": "",
+ "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use 'negotiate' authentication",
+ "actualValue": "components.securitySchemes.{{petstore_auth}} uses 'negotiate' authentication",
+ "issueType": "IncorrectValue",
+ "similarityID": "fa353b9c57a428d45e1f4c4422e58e32e6e890e507b672b1fa2dcb81c91bf647",
+ "search_line": -1
 },
 {
 "queryName": "Security Scheme Using HTTP Negotiate",
 "severity": "LOW",
 "line": 33,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme",
+ "searchValue": "",
+ "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use 'negotiate' authentication",
+ "actualValue": "components.securitySchemes.{{petstore_auth}} uses 'negotiate' authentication",
+ "issueType": "IncorrectValue",
+ "similarityID": "8072a19ed86ae5b35853a3656a3e73065b2997f5c9fb1806adc58309914a9137",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/openAPI/3.0/security_schemes_http_unknown_scheme/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_schemes_http_unknown_scheme/test/positive_expected_result.json
index 14942d4e108..74bf5fccc87 100644
--- a/assets/queries/openAPI/3.0/security_schemes_http_unknown_scheme/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/security_schemes_http_unknown_scheme/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Security Scheme HTTP Unknown Scheme",
 "severity": "MEDIUM",
 "line": 57,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme",
+ "searchValue": "",
+ "expectedValue": "components.securitySchemes.{{petstore_auth}}.scheme is registered in the IANA Authentication Scheme registry",
+ "actualValue": "components.securitySchemes.{{petstore_auth}}.scheme is not registered in the IANA Authentication Scheme registry",
+ "issueType": "IncorrectValue",
+ "similarityID": "1b4e74559d20007731bd1c61daf96bc9deab84110fac828922491875bd16f9a7",
+ "search_line": -1
 },
 {
 "queryName": "Security Scheme HTTP Unknown Scheme",
 "severity": "MEDIUM",
 "line": 33,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.{{petstore_auth}}.scheme",
+ "searchValue": "",
+ "expectedValue": "components.securitySchemes.{{petstore_auth}}.scheme is registered in the IANA Authentication Scheme registry",
+ "actualValue": "components.securitySchemes.{{petstore_auth}}.scheme is not registered in the IANA Authentication Scheme registry",
+ "issueType": "IncorrectValue",
+ "similarityID": "549c8b2a365e175997769ad98ed81641c31810da1b4e078e3d4cef14232fbe87",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/openAPI/3.0/security_schemes_using_oauth/test/positive_expected_result.json b/assets/queries/openAPI/3.0/security_schemes_using_oauth/test/positive_expected_result.json
index bab0376f9f5..a9e2f584f57 100644
--- a/assets/queries/openAPI/3.0/security_schemes_using_oauth/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/security_schemes_using_oauth/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Security Scheme Using Oauth 1.0",
 "severity": "LOW",
 "line": 55,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.{{petstore_auth}}",
+ "searchValue": "",
+ "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use oauth 1.0 security scheme",
+ "actualValue": "components.securitySchemes.{{petstore_auth}} uses oauth 1.0 security scheme",
+ "issueType": "IncorrectValue",
+ "similarityID": "52bc1b7442f01f01ed7831d6bbb4ea85644c6ec8b0e5d0e39e55e1361340cb76",
+ "search_line": -1
 },
 {
 "queryName": "Security Scheme Using Oauth 1.0",
 "severity": "LOW",
 "line": 31,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.securitySchemes.{{petstore_auth}}",
+ "searchValue": "",
+ "expectedValue": "components.securitySchemes.{{petstore_auth}} should not use oauth 1.0 security scheme",
+ "actualValue": "components.securitySchemes.{{petstore_auth}} uses oauth 1.0 security scheme",
+ "issueType": "IncorrectValue",
+ "similarityID": "c64457f72225b84fcb457eacd7d704f107a14674c69c0a9a058c492cce23208a",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/openAPI/3.0/server_object_variable_not_used/test/positive_expected_result.json b/assets/queries/openAPI/3.0/server_object_variable_not_used/test/positive_expected_result.json
index 09f4d215b99..a90b1f6dac5 100644
--- a/assets/queries/openAPI/3.0/server_object_variable_not_used/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/server_object_variable_not_used/test/positive_expected_result.json
@@ -3,24 +3,60 @@
 "queryName": "Server Object Variable Not Used",
 "severity": "INFO",
 "line": 38,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.variables.{{another}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.variables.{{another}} is used in 'paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url'",
+ "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.variables.{{another}} is not used in 'paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url'",
+ "issueType": "IncorrectValue",
+ "similarityID": "9216c5aa573713b302d50970e9c632fcaac274935bd5102ffc9f1117d9685123",
+ "search_line": 38
 },
 {
 "queryName": "Server Object Variable Not Used",
 "severity": "INFO",
 "line": 35,
- "filename": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.servers.variables.{{base}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.servers.variables.{{base}} is used in 'paths.{{/}}.{{get}}.servers.{{0}}.url'",
+ "actualValue": "paths.{{/}}.{{get}}.servers.variables.{{base}} is not used in 'paths.{{/}}.{{get}}.servers.{{0}}.url '",
+ "issueType": "IncorrectValue",
+ "similarityID": "e3e651a5fcdecae68edf67b8b9ae3890c42000b164a22846c68a3ba8fb3d6fa9",
+ "search_line": 35
 },
 {
 "queryName": "Server Object Variable Not Used",
 "severity": "INFO",
 "line": 30,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.variables.{{another}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.variables.{{another}} is used in 'paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url'",
+ "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.variables.{{another}} is not used in 'paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url'",
+ "issueType": "IncorrectValue",
+ "similarityID": "b42dbd747ef17e6c673c5abe398338fc5b5d0430932ac1b33c93d0123ae0437e",
+ "search_line": 30
 },
 {
 "queryName": "Server Object Variable Not Used",
 "severity": "INFO",
 "line": 25,
- "filename": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.servers.variables.{{base}}",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.servers.variables.{{base}} is used in 'paths.{{/}}.{{get}}.servers.{{0}}.url'",
+ "actualValue": "paths.{{/}}.{{get}}.servers.variables.{{base}} is not used in 'paths.{{/}}.{{get}}.servers.{{0}}.url '",
+ "issueType": "IncorrectValue",
+ "similarityID": "2ad2ecc5d84cfca0e76dff631661e5b6d86f49ae920dd59725a5e23761d7505b",
+ "search_line": 25
 }
 ]
diff --git a/assets/queries/openAPI/3.0/server_url_not_absolute/test/positive_expected_result.json b/assets/queries/openAPI/3.0/server_url_not_absolute/test/positive_expected_result.json
index b7f1e790c41..d74bbef750d 100644
--- a/assets/queries/openAPI/3.0/server_url_not_absolute/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/server_url_not_absolute/test/positive_expected_result.json
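Review bot: The `actualValue` for the positive2.json and positive4.yaml entries of the server_object_variable_not_used fixture ends in `'paths.{{/}}.{{get}}.servers.{{0}}.url '`, with a stray space before the closing quote, while the matching `expectedValue` on the line above reads `'paths.{{/}}.{{get}}.servers.{{0}}.url'` with no space. Because this fixture is regenerated from scanner output, committing it as-is pins the malformed message as the expected result and will make a later whitespace fix to the query look like a test regression. The space presumably comes from how the query builds the message for the `servers.{{0}}.url` case; I would trim it there first and regenerate, so both values read `'paths.{{/}}.{{get}}.servers.{{0}}.url'`.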
@@ -3,24 +3,60 @@
 "queryName": "Server URL Not Absolute",
 "severity": "INFO",
 "line": 30,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url has an absolute URL",
+ "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url does not have an absolute URL",
+ "issueType": "IncorrectValue",
+ "similarityID": "3b637a7bc99d1df6be3f177435c1c0af3ab7c88824e7b4e69737ff002cade631",
+ "search_line": 30
 },
 {
 "queryName": "Server URL Not Absolute",
 "severity": "INFO",
 "line": 32,
- "filename": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.servers.url=/development.gigantic-server.com/v1",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.servers.{{0}}.url has an absolute URL",
+ "actualValue": "paths.{{/}}.{{get}}.servers.{{0}}.url does not have an absolute URL",
+ "issueType": "IncorrectValue",
+ "similarityID": "1958f89cafca799cfa009cce30c0ed64161acfd506748a5ded98dd8d63d3088f",
+ "search_line": 32
 },
 {
 "queryName": "Server URL Not Absolute",
 "severity": "INFO",
 "line": 24,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url has an absolute URL",
+ "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url does not have an absolute URL",
+ "issueType": "IncorrectValue",
+ "similarityID": "3c647ec39d705fe421d80cab0c9f304f75d27e6d72aea42905a4c49212572307",
+ "search_line": 24
 },
 {
 "queryName": "Server URL Not Absolute",
 "severity": "INFO",
 "line": 22,
- "filename": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.servers.url=/development.gigantic-server.com/v1",
+ "searchValue": "",
+ "expectedValue": "paths.{{/}}.{{get}}.servers.{{0}}.url has an absolute URL",
+ "actualValue": "paths.{{/}}.{{get}}.servers.{{0}}.url does not have an absolute URL",
+ "issueType": "IncorrectValue",
+ "similarityID": "31d689fa8365b0387481082d0045f8f67ffb0af0485fd5e0dcf5a060d9332c48",
+ "search_line": 22
 }
 ]
diff --git a/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/test/positive_expected_result.json b/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/test/positive_expected_result.json
index 6816f4e3949..872a811f016 100644
--- a/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/test/positive_expected_result.json
+++ b/assets/queries/openAPI/3.0/server_url_uses_undefined_variables/test/positive_expected_result.json
@@ -3,24 +3,60 @@ "queryName": "Server URL Uses Undefined Variables", "severity": "INFO", "line": 30, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url uses server object variables defined in the server object variables", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url does not use server object variables defined in the server object variables", + "issueType": "IncorrectValue", + "similarityID": "f2b5d8bd92932ecc42bc0ff1f3895f451065d8fc5f7f8bdd9c1195be3647e388", + "search_line": -1 }, { "queryName": "Server URL Uses Undefined Variables", "severity": "INFO", "line": 32, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.servers.url=https://development.{server}.com/{base}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.servers.{{0}}.url uses server object variables defined in the server object variables", + "actualValue": "paths.{{/}}.{{get}}.servers.{{0}}.url does not use server object variables defined in the server object variables", + "issueType": "IncorrectValue", + "similarityID": "c11b4df3536d8c572821b93b95c0a64d87c90895c585881282a1663ec1c44e7b", + "search_line": -1 }, { "queryName": "Server URL Uses Undefined Variables", "severity": "INFO", "line": 24, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url uses server object variables defined in the server object variables", + "actualValue": 
"paths.{{/}}.{{get}}.responses.{{200}}.links.{{address}}.server.url does not use server object variables defined in the server object variables", + "issueType": "IncorrectValue", + "similarityID": "9440aa939562934e27c81f1a8381b368fe8966101aacff6ccdfa9321abb049db", + "search_line": -1 }, { "queryName": "Server URL Uses Undefined Variables", "severity": "INFO", "line": 22, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.servers.url=https://development.{server}.com/{base}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.servers.{{0}}.url uses server object variables defined in the server object variables", + "actualValue": "paths.{{/}}.{{get}}.servers.{{0}}.url does not use server object variables defined in the server object variables", + "issueType": "IncorrectValue", + "similarityID": "8507e1156f0a439ce219895dfc282d9cc45f3c079cf9bbd84b17fe54b7f3cf06", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/3.0/servers_undefined/test/positive_expected_result.json b/assets/queries/openAPI/3.0/servers_undefined/test/positive_expected_result.json index ac32cb6058d..fe6fc0f4b3a 100644 --- a/assets/queries/openAPI/3.0/servers_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/servers_undefined/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Servers Array Undefined", "severity": "INFO", "line": 2, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "openapi", + "searchValue": "", + "expectedValue": "Servers array has at least one server defined", + "actualValue": "Servers array does not have at least one server defined", + "issueType": "MissingAttribute", + "similarityID": "845f418b0bcd2fe9492bab91633df7cb27a55a370385c19f8b1d53d1e4f7a72c", + "search_line": -1 }, { "queryName": "Servers Array Undefined", "severity": "INFO", "line": 43, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "servers", + "searchValue": "", + "expectedValue": "Servers array has at least one server defined", + "actualValue": "Servers array is empty", + "issueType": "IncorrectValue", + "similarityID": "82a4b6d1c71832fda81f16001a789cfc62b3eca66fa6df5c76b53f16ecd8cf00", + "search_line": -1 }, { "queryName": "Servers Array Undefined", "severity": "INFO", "line": 1, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "openapi", + "searchValue": "", + "expectedValue": "Servers array has at least one server defined", + "actualValue": "Servers array does not have at least one server defined", + "issueType": "MissingAttribute", + "similarityID": "c8e7b2d7721aaade4506884f40fe1fb94ede10331e758c9403b0a2c4f3d08c96", + "search_line": -1 }, { "queryName": "Servers Array Undefined", "severity": "INFO", "line": 25, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "servers", + "searchValue": "", + "expectedValue": "Servers array has at least one server defined", + "actualValue": "Servers array is empty", + "issueType": "IncorrectValue", + "similarityID": "3417b58681f4106059f3590f7de462300469700185b1428e1590b3af4b7743eb", + 
"search_line": -1 } ] diff --git a/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/test/positive_expected_result.json b/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/test/positive_expected_result.json index ef6cef28d07..c24b2ec3eba 100644 --- a/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "Success Response Code Undefined for Trace Operation", "severity": "LOW", "line": 12, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.trace.responses", + "searchValue": "", + "expectedValue": "Trace should have the '200' successful code set", + "actualValue": "Trace does not have the '200' successful code set", + "issueType": "MissingAttribute", + "similarityID": "6ed8a5c8703ab63c9d6cb9a3accc4e1de264e5eda35cedbc4151312a1e095402", + "search_line": 0 }, { "queryName": "Success Response Code Undefined for Trace Operation", "severity": "LOW", "line": 10, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.trace.responses", + "searchValue": "", + "expectedValue": "Trace should have the '200' successful code set", + "actualValue": "Trace does not have the '200' successful code set", + "issueType": "MissingAttribute", + "similarityID": "043686d8ffc696135033666074738853aefa72c8f88f0430e3ecabd3f922aa99", + "search_line": 0 } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/3.0/undefined_security_scope_global_security/test/positive_expected_result.json b/assets/queries/openAPI/3.0/undefined_security_scope_global_security/test/positive_expected_result.json index f69ced81316..b559d3c5892 100644 
--- a/assets/queries/openAPI/3.0/undefined_security_scope_global_security/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/undefined_security_scope_global_security/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Undefined Scope 'securityScheme' On Global 'security' Field", "severity": "LOW", "line": 26, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "scope error:api should be defined on 'securityShemes'", + "actualValue": "scope error:api is not defined on 'securityShemes'", + "issueType": "IncorrectValue", + "similarityID": "736e1350c55ecb46b3874598da3e1e01cb7e6a8c5d0efafc6179fe420dba7e49", + "search_line": 26 }, { "queryName": "Undefined Scope 'securityScheme' On Global 'security' Field", "severity": "LOW", "line": 26, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "scope error:api should be defined on 'securityShemes'", + "actualValue": "scope error:api is not defined on 'securityShemes'", + "issueType": "IncorrectValue", + "similarityID": "a202064932d2a0ede8162db056c7f79c20c4c63c7741d84ed38804dc51943545", + "search_line": 26 }, { "queryName": "Undefined Scope 'securityScheme' On Global 'security' Field", "severity": "LOW", "line": 18, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "scope error:api should be defined on 'securityShemes'", + "actualValue": "scope error:api is not defined on 'securityShemes'", + "issueType": "IncorrectValue", + "similarityID": "d85a302c1764fa9612a998b3ead1ada964dcb340da2c0d9770dbbdee8ff86aa7", + "search_line": 18 }, { "queryName": "Undefined Scope 'securityScheme' On Global 'security' Field", "severity": "LOW", "line": 17, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + 
"expectedValue": "scope error:api should be defined on 'securityShemes'", + "actualValue": "scope error:api is not defined on 'securityShemes'", + "issueType": "IncorrectValue", + "similarityID": "a5afdbba02181a6c2be7c27bf983c9cbd676e75b96b0edb86cd405bdcbcd7884", + "search_line": 17 } ] diff --git a/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/test/positive_expected_result.json b/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/test/positive_expected_result.json index 95d8ff3ab0d..859b40f00f1 100644 --- a/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/undefined_security_scope_security_operations/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Undefined Scope 'securityScheme' On 'security' Field On Operations", "severity": "LOW", "line": 15, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "scope error:api should be defined on 'securityShemes'", + "actualValue": "scope error:api is not defined on 'securityShemes'", + "issueType": "IncorrectValue", + "similarityID": "9d76f1979759b1160184bad21608842ae866c49bc95ab24227c87796216ac881", + "search_line": 15 }, { "queryName": "Undefined Scope 'securityScheme' On 'security' Field On Operations", "severity": "LOW", "line": 15, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security", + "searchValue": "", + "expectedValue": "scope error:api should be defined on 'securityShemes'", + "actualValue": "scope error:api is not defined on 'securityShemes'", + "issueType": "IncorrectValue", + "similarityID": "572fac81b2f14c724c3833272c06cc4061525ddc43e14c510dd2e32d3f16a79e", + "search_line": 15 }, { "queryName": "Undefined Scope 'securityScheme' On 'security' Field On Operations", "severity": "LOW", "line": 13, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security.{{oAuth2AuthCodeNeg2}}", + "searchValue": "", + "expectedValue": "scope error:api should be defined on 'securityShemes'", + "actualValue": "scope error:api is not defined on 'securityShemes'", + "issueType": "IncorrectValue", + "similarityID": "07a77ae508a324565c7f310d621a88dd1dfe80af5abac4abff14565b63774172", + "search_line": 13 }, { "queryName": "Undefined Scope 'securityScheme' On 'security' Field On Operations", "severity": "LOW", "line": 12, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": 
"", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.security", + "searchValue": "", + "expectedValue": "scope error:api should be defined on 'securityShemes'", + "actualValue": "scope error:api is not defined on 'securityShemes'", + "issueType": "IncorrectValue", + "similarityID": "8b57fa728fd3df04e01c522a5b390a6fbfb75fabddec9f4ec70fdbc573de7e7c", + "search_line": 12 } ] diff --git a/assets/queries/openAPI/3.0/unknown_prefix/test/positive_expected_result.json b/assets/queries/openAPI/3.0/unknown_prefix/test/positive_expected_result.json index 0e4a3242196..f84e7f60153 100644 --- a/assets/queries/openAPI/3.0/unknown_prefix/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/unknown_prefix/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Unknown Prefix (v3)", "severity": "INFO", "line": 53, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.ResponseExample.content.{{applicasdsadtion/json}}", + "searchValue": "", + "expectedValue": "components.responses.ResponseExample.content.{{applicasdsadtion/json}} is a known prefix", + "actualValue": "components.responses.ResponseExample.content.{{applicasdsadtion/json}} is an unknown prefix", + "issueType": "IncorrectValue", + "similarityID": "e6ea689a473f8daec2bd308466e1c3d47367a96b823ad6f33e0a6131ecb626d0", + "search_line": -1 }, { "queryName": "Unknown Prefix (v3)", "severity": "INFO", "line": 19, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{ddddd/json}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.content.{{ddddd/json}} is a known prefix", + "actualValue": "paths.{{/}}.get.responses.200.content.{{ddddd/json}} is an unknown prefix", + "issueType": "IncorrectValue", + "similarityID": "47f5ffc3aab91a19f54440c53f8f700452a92f6d809d8d4a7405c6bbd3837ee6", + "search_line": -1 }, { "queryName": "Unknown Prefix (v3)", "severity": "INFO", "line": 30, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses.ResponseExample.content.{{sssssss/json}}", + "searchValue": "", + "expectedValue": "components.responses.ResponseExample.content.{{sssssss/json}} is a known prefix", + "actualValue": "components.responses.ResponseExample.content.{{sssssss/json}} is an unknown prefix", + "issueType": "IncorrectValue", + "similarityID": "3fd04d41b008c34831531643888a07ddeee3a6942f05d8e5075174259c871255", + "search_line": -1 }, { "queryName": "Unknown Prefix (v3)", "severity": "INFO", "line": 14, - "filename": "positive4.yaml" + 
"fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{applicatisdsdsdon/json}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.content.{{applicatisdsdsdon/json}} is a known prefix", + "actualValue": "paths.{{/}}.get.responses.200.content.{{applicatisdsdsdon/json}} is an unknown prefix", + "issueType": "IncorrectValue", + "similarityID": "98bdb22315704128c66d24e8e8a34bf3f0c9834ee17d988c3f7c8954b7bafcb0", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/3.0/unknown_property/test/positive_expected_result.json b/assets/queries/openAPI/3.0/unknown_property/test/positive_expected_result.json index c95c29decd1..1b4c6fcbf02 100644 --- a/assets/queries/openAPI/3.0/unknown_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/3.0/unknown_property/test/positive_expected_result.json 
@@ -3,60 +3,150 @@ "queryName": "Unknown Property (v3)", "severity": "INFO", "line": 14, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.descrinnption", + "searchValue": "", + "expectedValue": "The field 'descrinnption' is known in the responses object", + "actualValue": "The field 'descrinnption' is unknown in the responses object", + "issueType": "IncorrectValue", + "similarityID": "b3348c3598f12f25118cc3934d4be93b26889e2d4e36779302455566fb7f3345", + "search_line": -1 }, { "queryName": "Unknown Property (v3)", "severity": "INFO", "line": 28, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "tags.desdddcription", + "searchValue": "", + "expectedValue": "The field 'desdddcription' is known in the tags object", + "actualValue": "The field 'desdddcription' is unknown in the tags object", + "issueType": "IncorrectValue", + "similarityID": "2cae14ade56c1daa95c5dc6f518c98f3b9748323a3e95997b3f8317ee7867d25", + "search_line": -1 }, { "queryName": "Unknown Property (v3)", "severity": "INFO", "line": 3, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "infjnjnjno", + "searchValue": "", + "expectedValue": "The field 'infjnjnjno' is known in the openapi object", + "actualValue": "The field 'infjnjnjno' is unknown in the openapi object", + "issueType": "IncorrectValue", + "similarityID": "defde2ee0ea1091be7e086202d37fa10b68f16e80f14d11c0cede2be661a1b9b", + "search_line": -1 }, { "queryName": "Unknown Property (v3)", "severity": "INFO", "line": 20, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.tybhbhbpe:", + "searchValue": "", + "expectedValue": "The field 'tybhbhbpe:' is known in the schema 
object", + "actualValue": "The field 'tybhbhbpe:' is unknown in the schema object", + "issueType": "IncorrectValue", + "similarityID": "88b5f567b74dc67a6b0d2986aac482c2947e9edf75d6551804416070dd55941f", + "search_line": -1 }, { "queryName": "Unknown Property (v3)", "severity": "INFO", "line": 20, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.callbacks.inProgress.{{{$request.body#/inProgressUrl}}}.pbhbhbost", + "searchValue": "", + "expectedValue": "The field 'pbhbhbost' is known in the callbacks object", + "actualValue": "The field 'pbhbhbost' is unknown in the callbacks object", + "issueType": "IncorrectValue", + "similarityID": "b061cf6df98dcf4ed60a8d0497be80ee5a62e77a24ace37b1086057dbbc2198d", + "search_line": 0 }, { "queryName": "Unknown Property (v3)", "severity": "INFO", "line": 12, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.descrinnption", + "searchValue": "", + "expectedValue": "The field 'descrinnption' is known in the responses object", + "actualValue": "The field 'descrinnption' is unknown in the responses object", + "issueType": "IncorrectValue", + "similarityID": "48611d5a2e69f9528267c58f3fc101da62dcc2723b14d53999a51a9133d7aca5", + "search_line": -1 }, { "queryName": "Unknown Property (v3)", "severity": "INFO", "line": 17, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "tags.desdddcription", + "searchValue": "", + "expectedValue": "The field 'desdddcription' is known in the tags object", + "actualValue": "The field 'desdddcription' is unknown in the tags object", + "issueType": "IncorrectValue", + "similarityID": "e1de908ce5aa5b18c45becd0bc264b7ce741c9c0a61d80ccb3b56e6ca2754438", + "search_line": -1 }, { "queryName": "Unknown Property (v3)", "severity": "INFO", "line": 2, - 
"filename": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "infjnjnjno", + "searchValue": "", + "expectedValue": "The field 'infjnjnjno' is known in the openapi object", + "actualValue": "The field 'infjnjnjno' is unknown in the openapi object", + "issueType": "IncorrectValue", + "similarityID": "fcf745044bc3fc14cbf77f876046286d11a8ef44bbc1ebe7b2d5c38ad57592fb", + "search_line": -1 }, { "queryName": "Unknown Property (v3)", "severity": "INFO", "line": 19, - "filename": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.tybhbhbpe", + "searchValue": "", + "expectedValue": "The field 'tybhbhbpe' is known in the schema object", + "actualValue": "The field 'tybhbhbpe' is unknown in the schema object", + "issueType": "IncorrectValue", + "similarityID": "41074cac26a1512363bb43b0ed807c9f63ba71ae88299c5d9225fcf23c5582a7", + "search_line": -1 }, { "queryName": "Unknown Property (v3)", "severity": "INFO", "line": 16, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.callbacks.inProgress.{{{$request.body#/inProgressUrl}}}.pbhbhbost", + "searchValue": "", + "expectedValue": "The field 'pbhbhbost' is known in the callbacks object", + "actualValue": "The field 'pbhbhbost' is unknown in the callbacks object", + "issueType": "IncorrectValue", + "similarityID": "d2acee442578dc3437d4fdc2c7bd4ac5e67e29a23505027b7901e469977a7be2", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/general/api_key_exposed_in_global_security/test/positive_expected_result.json b/assets/queries/openAPI/general/api_key_exposed_in_global_security/test/positive_expected_result.json index de1584ca153..4bc944aa0d4 100644 --- a/assets/queries/openAPI/general/api_key_exposed_in_global_security/test/positive_expected_result.json 
+++ b/assets/queries/openAPI/general/api_key_exposed_in_global_security/test/positive_expected_result.json 
@@ -3,60 +3,150 @@ "queryName": "API Key Exposed In Global Security (v3)", "severity": "LOW", "line": 45, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.apiKey2", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue", + "similarityID": "019762aa77002b695ec1a164259c6e17922aef8d4e6098e8bf1f58cd686f9c48", + "search_line": -1 }, { "queryName": "API Key Exposed In Global Security (v3)", "severity": "LOW", "line": 46, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.apiKey3", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue", + "similarityID": "f3d781ad032f2a2b339579bc56509eeadd0101506e87d97f34922943e945e3c9", + "search_line": -1 }, { "queryName": "API Key Exposed In Global Security (v3)", "severity": "LOW", "line": 47, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.apiKey1", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue", + "similarityID": "0cf843ad33bb76ae9c2139ce2f6f88093117c3c51dde3559421585339fa71aac", + "search_line": -1 }, { "queryName": "API Key Exposed In Global Security (v3)", "severity": "LOW", "line": 26, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.apiKey1", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": 
"IncorrectValue", + "similarityID": "5bf0235f92a75673f53f5d4ffccb50f20095a59ad667a87a6ba4788bb6f64a4b", + "search_line": -1 }, { "queryName": "API Key Exposed In Global Security (v3)", "severity": "LOW", "line": 27, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.apiKey2", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue", + "similarityID": "f7ec415ea2c405c22756846bb6414983167827abfab44e44452017888e0d2b21", + "search_line": -1 }, { "queryName": "API Key Exposed In Global Security (v3)", "severity": "LOW", "line": 28, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.apiKey3", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue", + "similarityID": "9bdacf97bd2d0895f5fa8c6aab44af6b2045b86b6a764c2950c68bf3e0d9f831", + "search_line": -1 }, { "queryName": "API Key Exposed In Global Security (v2)", "severity": "LOW", "line": 22, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.apiKey3", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue", + "similarityID": "4129fde34df00c895f65617eabbb12df8a539158a4348c4e26dd104b830cc68b", + "search_line": -1 }, { "queryName": "API Key Exposed In Global Security (v2)", "severity": "LOW", "line": 23, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security.apiKey1", + "searchValue": "", + "expectedValue": "The API Key should 
not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue", + "similarityID": "29566538f424da5b6b3662c351f4eaf1f3ec79630e6ba75fd3d59af6e46fa9a0", + "search_line": -1 }, { "queryName": "API Key Exposed In Global Security (v2)", "severity": "LOW", "line": 14, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.apiKey1", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue", + "similarityID": "7f6b0ee49ef4c2b2b85358420a4cf820798dc1bd2c58b6834df9c06ac9830dea", + "search_line": -1 }, { "queryName": "API Key Exposed In Global Security (v2)", "severity": "LOW", "line": 15, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security.apiKey3", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue", + "similarityID": "78d7264ecb9cbfdde17e75e161ce6eb33e0708aa056d0c1369f99888f9cdcd76", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/positive_expected_result.json b/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/positive_expected_result.json index 7ecae3a47ac..5162e913cd3 100644 --- a/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/api_key_exposed_in_operation_security/test/positive_expected_result.json 
@@ -3,60 +3,150 @@ "queryName": "API Key Exposed In Operation Security (v3)", "severity": "LOW", "line": 14, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./pets.post.security.apiKey1", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue", + "similarityID": "54e992777417cdd99993ccb5044fa3ec123e4d44567d92d56d138b29a34d1f71", + "search_line": -1 }, { "queryName": "API Key Exposed In Operation Security (v3)", "severity": "LOW", "line": 15, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./pets.post.security.apiKey2", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue", + "similarityID": "452be46e4946e0447e93b791373431fc8a7c0e015e87f7cc786202f2c8308b97", + "search_line": -1 }, { "queryName": "API Key Exposed In Operation Security (v3)", "severity": "LOW", "line": 16, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./pets.post.security.apiKey3", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue", + "similarityID": "64067913055dcc425aeab37c37b2c0a35fb05ce9c1c4268778a0dd4970783b32", + "search_line": -1 }, { "queryName": "API Key Exposed In Operation Security (v3)", "severity": "LOW", "line": 11, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./pets.post.security.apiKey1", + "searchValue": "", + "expectedValue": "The API Key should not be transported over 
network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue", + "similarityID": "d0fddfe18c88010958fd1d04b09b51c9eaff05ec282c0f173d8f8b86be422a1f", + "search_line": -1 }, { "queryName": "API Key Exposed In Operation Security (v3)", "severity": "LOW", "line": 12, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./pets.post.security.apiKey2", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue", + "similarityID": "a38ea94b1560b025663df01ba9b0a584d2bfd0c2a1815f3ca2f5eaef6a2653d9", + "search_line": -1 }, { "queryName": "API Key Exposed In Operation Security (v3)", "severity": "LOW", "line": 13, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./pets.post.security.apiKey3", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue", + "similarityID": "0e5328e5847e7eba6564e359e82d86355c21a056c2836e47baaf0af92c8031c8", + "search_line": -1 }, { "queryName": "API Key Exposed In Operation Security (v2)", "severity": "LOW", "line": 14, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./pets.post.security.apiKey1", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue", + "similarityID": "fe18955683f2c49850b015712df51bec33b41ee38bea846bea52d5e2b28a7cf9", + "search_line": -1 }, { "queryName": "API Key Exposed In Operation Security (v2)", "severity": "LOW", "line": 15, - "filename": "positive3.json" + "fileName": 
"positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./pets.post.security.apiKey3", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue", + "similarityID": "3b14e8ad48255b25644636dce6357c6758f56b39c47347dc57009b5173ab8afd", + "search_line": -1 }, { "queryName": "API Key Exposed In Operation Security (v2)", "severity": "LOW", "line": 11, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./pets.post.security.apiKey1", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue", + "similarityID": "49b9cb48986cbdd284d854e646c406e6ec0ea9db3542408cc7602ab90c07b01a", + "search_line": -1 }, { "queryName": "API Key Exposed In Operation Security (v2)", "severity": "LOW", "line": 12, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./pets.post.security.apiKey3", + "searchValue": "", + "expectedValue": "The API Key should not be transported over network", + "actualValue": "The API Key is transported over network", + "issueType": "IncorrectValue", + "similarityID": "5da2bc7d893f6d8fd8eb7ed990b16ec10182577d708e89defaddb29741c651a8", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/array_items_has_no_type/test/positive_expected_result.json b/assets/queries/openAPI/general/array_items_has_no_type/test/positive_expected_result.json index 55fcc467565..e323038ad38 100644 --- a/assets/queries/openAPI/general/array_items_has_no_type/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/array_items_has_no_type/test/positive_expected_result.json 
@@ -3,48 +3,120 @@ "queryName": "Array Items Has No Type (v3)", "severity": "LOW", "line": 65, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyIntArray.items", + "searchValue": "", + "expectedValue": "components.schemas.MyIntArray.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", + "actualValue": "components.schemas.MyIntArray.items have type, anyOf.type, $ref or anyOf.$ref is undefined", + "issueType": "MissingAttribute", + "similarityID": "42272527fe43ac85e353488f0a15f9f4512f36321815de5c6da984c4867302dd", + "search_line": 0 }, { "queryName": "Array Items Has No Type (v3)", "severity": "LOW", "line": 22, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", + "actualValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined", + "issueType": "MissingAttribute", + "similarityID": "be4cfd84cfc45ee8b56c0d65c8ab908db947077b0c22283458e7030355e0759e", + "search_line": 0 }, { "queryName": "Array Items Has No Type (v3)", "severity": "LOW", "line": 21, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", + "actualValue": 
"paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined", + "issueType": "MissingAttribute", + "similarityID": "560cc43d23d6d8d348ad4e2c642c8d48aafa3dc93d1b54c8e42e70da2e0d1770", + "search_line": 0 }, { "queryName": "Array Items Has No Type (v3)", "severity": "LOW", "line": 42, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyIntArray.items", + "searchValue": "", + "expectedValue": "components.schemas.MyIntArray.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", + "actualValue": "components.schemas.MyIntArray.items have type, anyOf.type, $ref or anyOf.$ref is undefined", + "issueType": "MissingAttribute", + "similarityID": "d169d52c14b7abc01fda12ff4f16820f99028e499a9bd29c3c353be01071d97c", + "search_line": 0 }, { "queryName": "Array Items Has No Type (v3)", "severity": "LOW", "line": 19, - "filename": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", + "actualValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined", + "issueType": "MissingAttribute", + "similarityID": "57fefa3a292a4bf4ba26814fc59190ca9c1e432d7f7879aa7e13ce8958367bf2", + "search_line": 0 }, { "queryName": "Array Items Has No Type (v3)", "severity": "LOW", "line": 19, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": 
"paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", + "actualValue": "paths.{{/}}.get.responses.201.content.{{application/x-www-form-urlencoded}}.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined", + "issueType": "MissingAttribute", + "similarityID": "1b88239860529f5b5116e51b118e3e93ca336fddc86e91a399db5a11b39c7de0", + "search_line": 0 }, { "queryName": "Array Items Has No Type (v2)", "severity": "LOW", "line": 25, - "filename": "positive7.json" + "fileName": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.items", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.parameters.schema.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", + "actualValue": "paths.{{/}}.get.parameters.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined", + "issueType": "MissingAttribute", + "similarityID": "bde48ffad8a0497549caa79c338cfb349ecb3925b026e7082234ddca13966a70", + "search_line": -1 }, { "queryName": "Array Items Has No Type (v2)", "severity": "LOW", "line": 20, - "filename": "positive8.yaml" + "fileName": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.items", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.parameters.schema.items should have type, anyOf.type, $ref or anyOf.$ref should be defined", + "actualValue": "paths.{{/}}.get.parameters.schema.items have type, anyOf.type, $ref or anyOf.$ref is undefined", + "issueType": "MissingAttribute", + "similarityID": "431086488591149352248c3ab89a27508387cc36d22f9f978c77cc68fcedd94e", + "search_line": -1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/openAPI/general/array_without_maximum_number_items/test/positive_expected_result.json b/assets/queries/openAPI/general/array_without_maximum_number_items/test/positive_expected_result.json index 656fed9e496..9dbe5f677f4 100644 --- a/assets/queries/openAPI/general/array_without_maximum_number_items/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/array_without_maximum_number_items/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "Array Without Maximum Number of Items (v3)", "severity": "MEDIUM", "line": 56, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.message.type", + "searchValue": "", + "expectedValue": "Array schema has 'maxItems' set", + "actualValue": "Array schema has 'maxItems' undefined", + "issueType": "MissingAttribute", + "similarityID": "5d2c154a3df17c650ba8c8391a73e7303c6af31c91702848fe663faed8e85a70", + "search_line": 56 }, { "queryName": "Array Without Maximum Number of Items (v3)", "severity": "MEDIUM", "line": 28, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type", + "searchValue": "", + "expectedValue": "Array schema has 'maxItems' set", + "actualValue": "Array schema has 'maxItems' undefined", + "issueType": "MissingAttribute", + "similarityID": "c3822993bde0d0738b2f8a7ec70e792ec7a71f509124cec80ea02add23484f8d", + "search_line": 28 }, { "queryName": "Array Without Maximum Number of Items (v3)", "severity": "MEDIUM", "line": 32, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.message.type", + "searchValue": "", + "expectedValue": "Array schema has 'maxItems' set", + "actualValue": "Array schema has 'maxItems' undefined", + "issueType": "MissingAttribute", + "similarityID": "77ca1bf7f5acd09cbf35f9b77ae39d5447504247e1561612ee7b83aa2305aed2", + "search_line": 32 }, { "queryName": "Array Without Maximum Number of Items (v3)", "severity": "MEDIUM", "line": 20, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": 
"paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type", + "searchValue": "", + "expectedValue": "Array schema has 'maxItems' set", + "actualValue": "Array schema has 'maxItems' undefined", + "issueType": "MissingAttribute", + "similarityID": "8b123d5dfd830e485665af2d852e3b51d73a0a694d6fb343aeffa3df83521446", + "search_line": 20 }, { "queryName": "Array Without Maximum Number of Items (v2)", "severity": "MEDIUM", "line": 31, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.properties.message.type", + "searchValue": "", + "expectedValue": "Array schema has 'maxItems' set", + "actualValue": "Array schema has 'maxItems' undefined", + "issueType": "MissingAttribute", + "similarityID": "285526637344d6b638eb68d6cc7332ef75828b4be5282cb9508d04b27f449771", + "search_line": 31 }, { "queryName": "Array Without Maximum Number of Items (v2)", "severity": "MEDIUM", "line": 23, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.properties.message.type", + "searchValue": "", + "expectedValue": "Array schema has 'maxItems' set", + "actualValue": "Array schema has 'maxItems' undefined", + "issueType": "MissingAttribute", + "similarityID": "a44f5ad1035f5635dcbb75e203c49ef75bcfc4b5fdcb932351bd035a65dbc455", + "search_line": 23 } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/default_invalid/test/positive_expected_result.json b/assets/queries/openAPI/general/default_invalid/test/positive_expected_result.json index 9143a0d4044..a35229c701f 100644 --- a/assets/queries/openAPI/general/default_invalid/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/default_invalid/test/positive_expected_result.json 
@@ -3,60 +3,150 @@ "queryName": "Default Invalid (v3)", "severity": "INFO", "line": 21, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", + "searchValue": "", + "expectedValue": "The field 'default' should be consistent with the type", + "actualValue": "The field 'default' is not consistent with the type", + "issueType": "IncorrectValue", + "similarityID": "e648720e97f8e0b7199292847b7c1bde0f1b9f6908617e2b94b289c6ae4b1ec4", + "search_line": -1 }, { "queryName": "Default Invalid (v3)", "severity": "INFO", "line": 22, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", + "searchValue": "", + "expectedValue": "The field 'default' should be consistent with the type", + "actualValue": "The field 'default' is not consistent with the type", + "issueType": "IncorrectValue", + "similarityID": "6cbbd8e8cbe04b175631379825dc606e4f1cec60fa89cf41c8e1f1df79e7dd9f", + "search_line": -1 }, { "queryName": "Default Invalid (v3)", "severity": "INFO", "line": 18, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", + "searchValue": "", + "expectedValue": "The field 'default' should be consistent with the type", + "actualValue": "The field 'default' is not consistent with the type", + "issueType": "IncorrectValue", + "similarityID": "bc3394515fb5619d0831e16d0910a4f02f52a163e54ce9470fad9fa59eacf467", + "search_line": -1 }, { "queryName": "Default Invalid (v3)", "severity": "INFO", "line": 18, - "filename": "positive4.json" + "fileName": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": 
"paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", + "searchValue": "", + "expectedValue": "The field 'default' should be consistent with the type", + "actualValue": "The field 'default' is not consistent with the type", + "issueType": "IncorrectValue", + "similarityID": "f01b315794c8c486caa37291af8ffb20e1f21fa7547a70807f5e2b3068a4f207", + "search_line": -1 }, { "queryName": "Default Invalid (v3)", "severity": "INFO", "line": 19, - "filename": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", + "searchValue": "", + "expectedValue": "The field 'default' should be consistent with the type", + "actualValue": "The field 'default' is not consistent with the type", + "issueType": "IncorrectValue", + "similarityID": "9e31e01d0e5570d67340b264ef09b11064a4679d8210ee03220099e5ffdc2953", + "search_line": -1 }, { "queryName": "Default Invalid (v3)", "severity": "INFO", "line": 20, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", + "searchValue": "", + "expectedValue": "The field 'default' should be consistent with the type", + "actualValue": "The field 'default' is not consistent with the type", + "issueType": "IncorrectValue", + "similarityID": "ab6858250a1c880bfc75c5188b8beb66702e99b6d39b3907db8bd92ef40a0695", + "search_line": -1 }, { "queryName": "Default Invalid (v3)", "severity": "INFO", "line": 27, - "filename": "positive7.yaml" + "fileName": "positive7.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", + "searchValue": "", + "expectedValue": "The field 'default' should be consistent with the type", + "actualValue": "The field 'default' is not consistent with the type", + 
"issueType": "IncorrectValue", + "similarityID": "a815c5ef3512c51154f07bee709a8d8296a38309306d6bfadd1448a0097f607c", + "search_line": -1 }, { "queryName": "Default Invalid (v3)", "severity": "INFO", "line": 19, - "filename": "positive8.yaml" + "fileName": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.default", + "searchValue": "", + "expectedValue": "The field 'default' should be consistent with the type", + "actualValue": "The field 'default' is not consistent with the type", + "issueType": "IncorrectValue", + "similarityID": "e908358b5df0f91347dc9d67db634b41910dd96b2b54d9b4b28e92f134dfcbe8", + "search_line": -1 }, { "queryName": "Default Invalid (v2)", "severity": "INFO", "line": 16, - "filename": "positive9.json" + "fileName": "positive9.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.default", + "searchValue": "", + "expectedValue": "The field 'default' should be consistent with the type", + "actualValue": "The field 'default' is not consistent with the type", + "issueType": "IncorrectValue", + "similarityID": "778ad55a24791450a08645876831b302d7ce5f19bbca354eb1bbde220bfc5f74", + "search_line": -1 }, { "queryName": "Default Invalid (v2)", "severity": "INFO", "line": 17, - "filename": "positive10.yaml" + "fileName": "positive10.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.default", + "searchValue": "", + "expectedValue": "The field 'default' should be consistent with the type", + "actualValue": "The field 'default' is not consistent with the type", + "issueType": "IncorrectValue", + "similarityID": "bdd6f88d7749825f6fa1ce7656fa07afea0a6f449c5d6f1b0becc2653a0cfc12", + "search_line": -1 } ] 
diff --git a/assets/queries/openAPI/general/default_response_undefined_operations/test/positive_expected_result.json b/assets/queries/openAPI/general/default_response_undefined_operations/test/positive_expected_result.json index 9e94753493a..1ccae5974c8 100644 --- a/assets/queries/openAPI/general/default_response_undefined_operations/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/default_response_undefined_operations/test/positive_expected_result.json 
@@ -3,60 +3,150 @@ "queryName": "Default Response Undefined On Operations (v3)", "severity": "LOW", "line": 12, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{patch}}.responses", + "searchValue": "", + "expectedValue": "Default field should be defined on responses", + "actualValue": "Default field is not defined on responses", + "issueType": "MissingAttribute", + "similarityID": "2a050fe0bd5698572ca20a550b46c551c03fdb6416f6c5a6cef03688117d456d", + "search_line": -1 }, { "queryName": "Default Response Undefined On Operations (v3)", "severity": "LOW", "line": 12, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{delete}}.responses", + "searchValue": "", + "expectedValue": "Default field should be defined on responses", + "actualValue": "Default field is not defined on responses", + "issueType": "MissingAttribute", + "similarityID": "956c5b9235c4b83a47c03c45e8dc5b5d884cf66c0a03639ad4af0566808b8446", + "search_line": -1 }, { "queryName": "Default Response Undefined On Operations (v3)", "severity": "LOW", "line": 21, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{patch}}.responses", + "searchValue": "", + "expectedValue": "Default field should be defined on responses", + "actualValue": "Default field is not defined on responses", + "issueType": "MissingAttribute", + "similarityID": "ff61cfd190e638e12d288013cdc02b1458e7186f4ac70a0b63a83d05546bf448", + "search_line": -1 }, { "queryName": "Default Response Undefined On Operations (v3)", "severity": "LOW", "line": 10, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{patch}}.responses", + "searchValue": "", + "expectedValue": "Default field should be defined on 
responses", + "actualValue": "Default field is not defined on responses", + "issueType": "MissingAttribute", + "similarityID": "a38cbee597524be3d3d2034d04020a1911c9112903b67838c7f064f73fbfa178", + "search_line": -1 }, { "queryName": "Default Response Undefined On Operations (v3)", "severity": "LOW", "line": 10, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{delete}}.responses", + "searchValue": "", + "expectedValue": "Default field should be defined on responses", + "actualValue": "Default field is not defined on responses", + "issueType": "MissingAttribute", + "similarityID": "387c565a802c09748e082ffd95e646c7750e91c09e77b33a808841315806098b", + "search_line": -1 }, { "queryName": "Default Response Undefined On Operations (v3)", "severity": "LOW", "line": 16, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{patch}}.responses", + "searchValue": "", + "expectedValue": "Default field should be defined on responses", + "actualValue": "Default field is not defined on responses", + "issueType": "MissingAttribute", + "similarityID": "c3e920d67d211bea9aadfd0732320b4bc9aadd9984534e72e6a9e2306dae52ec", + "search_line": -1 }, { "queryName": "Default Response Undefined On Operations (v2)", "severity": "LOW", "line": 12, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{delete}}.responses", + "searchValue": "", + "expectedValue": "Default field should be defined on responses", + "actualValue": "Default field is not defined on responses", + "issueType": "MissingAttribute", + "similarityID": "25ea96e3fa7b99c2d245c24467e7ec2b782cdbdb2da234bf47f413d713ddb389", + "search_line": -1 }, { "queryName": "Default Response Undefined On Operations (v2)", "severity": "LOW", "line": 21, - "filename": "positive5.json" + 
"fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{patch}}.responses", + "searchValue": "", + "expectedValue": "Default field should be defined on responses", + "actualValue": "Default field is not defined on responses", + "issueType": "MissingAttribute", + "similarityID": "d950203c3db71fc304641ace6478d1ab54ff23aee15c8718a3ac3e8a7c81f5d0", + "search_line": -1 }, { "queryName": "Default Response Undefined On Operations (v2)", "severity": "LOW", "line": 10, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{delete}}.responses", + "searchValue": "", + "expectedValue": "Default field should be defined on responses", + "actualValue": "Default field is not defined on responses", + "issueType": "MissingAttribute", + "similarityID": "1f950d6242b6c2edde70f41178b7ff64880fab6140aec03eafa78699b190d3e1", + "search_line": -1 }, { "queryName": "Default Response Undefined On Operations (v2)", "severity": "LOW", "line": 16, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{patch}}.responses", + "searchValue": "", + "expectedValue": "Default field should be defined on responses", + "actualValue": "Default field is not defined on responses", + "issueType": "MissingAttribute", + "similarityID": "5450be43d633ff01218892b8a3b4240a07339f25339668a9a9e8b6440f1f04f4", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/example_not_compliant_with_schema_type/test/positive_expected_result.json b/assets/queries/openAPI/general/example_not_compliant_with_schema_type/test/positive_expected_result.json index 36d238dc9f7..3f7697a22a9 100644 --- a/assets/queries/openAPI/general/example_not_compliant_with_schema_type/test/positive_expected_result.json 
+++ b/assets/queries/openAPI/general/example_not_compliant_with_schema_type/test/positive_expected_result.json 
@@ -3,84 +3,210 @@ "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", "line": 21, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.object", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING)' should not be compliant with the schema type", + "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type", + "issueType": "IncorrectValue", + "similarityID": "8c96e36f067c4c2ece06c1a82fbaaef702aa59fd02b2b005113b8028efb91e92", + "search_line": 0 }, { "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", "line": 18, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.object", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING)' should not be compliant with the schema type", + "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type", + "issueType": "IncorrectValue", + "similarityID": "cf24b5d062fd45554209b47d25f6678bae8cfb345ea4e8e624adc2d2c04a0075", + "search_line": 0 }, { "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", "line": 24, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.foo_2", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING)' should not be compliant with the schema type", + "actualValue": 
"paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type", + "issueType": "IncorrectValue", + "similarityID": "8ea38a6c15a7b1172813c427062f0d949de8c293530c69ac43a751f041d68307", + "search_line": 0 }, { "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", "line": 20, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.foo_2", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING)' should not be compliant with the schema type", + "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type", + "issueType": "IncorrectValue", + "similarityID": "1255c50197985906bea6e581b31ecaae81cc454dcaeecefd3fbcf9f754189954", + "search_line": 0 }, { "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", "line": 20, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.example", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.content.application/json.example should not be compliant with the schema type", + "actualValue": "paths./.get.responses.200.content.application/json.example is not compliant with the schema type", + "issueType": "IncorrectValue", + "similarityID": "7eb770e92b549da32191d3f4ed074ff7e67481de43633faedeafb9610168c04d", + "search_line": 0 }, { "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", - "line": 17, - "filename": "positive6.yaml" + "line": 34, + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.400.content.{{application/json}}.example", + "searchValue": "", + 
"expectedValue": "paths./.get.responses.400.content.application/json.example should not be compliant with the schema type", + "actualValue": "paths./.get.responses.400.content.application/json.example is not compliant with the schema type", + "issueType": "IncorrectValue", + "similarityID": "d13a3509c26d620604ba571df5ef4809b6eeab627c1f7c562c0c0cf2b9775446", + "search_line": 0 }, { "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", - "line": 34, - "filename": "positive5.json" + "line": 17, + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.example", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.content.application/json.example should not be compliant with the schema type", + "actualValue": "paths./.get.responses.200.content.application/json.example is not compliant with the schema type", + "issueType": "IncorrectValue", + "similarityID": "d5fe68d8389710b72b7dd7fee3197581e8a271b570076e1560f4176442898412", + "search_line": 0 }, { "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", "line": 26, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.400.content.{{application/json}}.example", + "searchValue": "", + "expectedValue": "paths./.get.responses.400.content.application/json.example should not be compliant with the schema type", + "actualValue": "paths./.get.responses.400.content.application/json.example is not compliant with the schema type", + "issueType": "IncorrectValue", + "similarityID": "f287a43bc5d4b7ba2f6af9c325b9ba6a019a8a0e1837a7dcb7a55d52169ee348", + "search_line": 0 }, { "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", "line": 24, - "filename": "positive7.json" + "fileName": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": 
"paths.{{/}}.get.responses.200.content.{{application/json}}.examples.foo", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING)' should not be compliant with the schema type", + "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type", + "issueType": "IncorrectValue", + "similarityID": "9b8cc65a1ed73873a086c935cee508ba2ee6ed1e6791a3f239ac044bd7728d2e", + "search_line": -1 }, { "queryName": "Example Not Compliant With Schema Type (v3)", "severity": "INFO", "line": 20, - "filename": "positive8.yaml" + "fileName": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.examples.foo", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING)' should not be compliant with the schema type", + "actualValue": "paths./.get.responses.200.content.application/json.examples.%!s(MISSING) is not compliant with the schema type", + "issueType": "IncorrectValue", + "similarityID": "5f378b87bce2ce08ffd004bf1248fdfea855c6a9cc542aaef689c5770d4b9d54", + "search_line": -1 }, { "queryName": "Example Not Compliant With Schema Type (v2)", "severity": "INFO", "line": 25, - "filename": "positive9.json" + "fileName": "positive9.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.example", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.parameters.example should not be compliant with the schema type", + "actualValue": "paths.{{/}}.get.parameters.example is not compliant with the schema type", + "issueType": "IncorrectValue", + "similarityID": "9439724d67042de6c989943dd61f21f43804304f0f4a5b585ea19047467248c0", + "search_line": -1 }, { "queryName": "Example Not Compliant With Schema Type (v2)", "severity": "INFO", "line": 20, - "filename": "positive10.yaml" + "fileName": 
"positive10.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.example", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.parameters.example should not be compliant with the schema type", + "actualValue": "paths.{{/}}.get.parameters.example is not compliant with the schema type", + "issueType": "IncorrectValue", + "similarityID": "798d7299dc97163ee16bf9215d873687ed4dd779f744504647d22d31e4db6338", + "search_line": -1 }, { "queryName": "Example Not Compliant With Schema Type (v2)", "severity": "INFO", "line": 44, - "filename": "positive11.json" + "fileName": "positive11.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.Tag.example", + "searchValue": "", + "expectedValue": "definitions.Tag.example should not be compliant with the schema type", + "actualValue": "definitions.Tag.example is not compliant with the schema type", + "issueType": "IncorrectValue", + "similarityID": "a8b0d96865ef971f9ff6d6509ed9c7b2058d5ffbc215e7a757f49ddc35a5bde8", + "search_line": -1 }, { "queryName": "Example Not Compliant With Schema Type (v2)", "severity": "INFO", "line": 30, - "filename": "positive12.yaml" + "fileName": "positive12.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.Tag.example", + "searchValue": "", + "expectedValue": "definitions.Tag.example should not be compliant with the schema type", + "actualValue": "definitions.Tag.example is not compliant with the schema type", + "issueType": "IncorrectValue", + "similarityID": "2a5a6e802f36493f4cf5ca75eeb8a6dc88ea9f9e3f6dcf57852c62f3981b00de", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/general/global_security_field_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/global_security_field_undefined/test/positive_expected_result.json index c7de883faf8..c2ee5b4e1b3 100644 --- a/assets/queries/openAPI/general/global_security_field_undefined/test/positive_expected_result.json 
+++ b/assets/queries/openAPI/general/global_security_field_undefined/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Global Security Field Is Undefined (v3)", "severity": "HIGH", "line": 2, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "openapi", + "searchValue": "", + "expectedValue": "A default security property should be defined", + "actualValue": "A default security property is not defined", + "issueType": "MissingAttribute", + "similarityID": "655d306a94183e342f275affbadf53bb7bd1282d2bc90ade1082289859a68596", + "search_line": -1 }, { "queryName": "Global Security Field Is Undefined (v3)", "severity": "HIGH", "line": 1, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "openapi", + "searchValue": "", + "expectedValue": "A default security property should be defined", + "actualValue": "A default security property is not defined", + "issueType": "MissingAttribute", + "similarityID": "a7b20a8ae2b5fae9fdc107533f226c15af912fc9a2f44e612651f99d8885263c", + "search_line": -1 }, { "queryName": "Global Security Field Is Undefined (v2)", "severity": "HIGH", "line": 2, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "swagger", + "searchValue": "", + "expectedValue": "A default security property should be defined", + "actualValue": "A default security property is not defined", + "issueType": "MissingAttribute", + "similarityID": "1eca2507e3c7ba5ef9f371cd0ca2185cced3abea0587d5fbc49d6ad6b7ee6530", + "search_line": -1 }, { "queryName": "Global Security Field Is Undefined (v2)", "severity": "HIGH", "line": 1, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "swagger", + "searchValue": "", + "expectedValue": "A default security property should be defined", + "actualValue": "A default security property is not defined", + "issueType": "MissingAttribute", + "similarityID": 
"e6be9049cb01eeb7dd6679e5e7237bab8560cbd78911ec2bfeb523ae5c91bfa0", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/general/header_parameter_named_as_accept/test/positive_expected_result.json b/assets/queries/openAPI/general/header_parameter_named_as_accept/test/positive_expected_result.json index fc1a58f1c29..0caeb3c0894 100644 --- a/assets/queries/openAPI/general/header_parameter_named_as_accept/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/header_parameter_named_as_accept/test/positive_expected_result.json 
@@ -3,60 +3,150 @@ "queryName": "Header Parameter Named as 'Accept' (v3)", "severity": "INFO", "line": 43, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Accept", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Accept should not be 'Accept'", + "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'", + "issueType": "IncorrectValue", + "similarityID": "08567541e21146d103db6ccf8a0058191e731c45b05c797ec57a26e1a7150c03", + "search_line": -1 }, { "queryName": "Header Parameter Named as 'Accept' (v3)", "severity": "INFO", "line": 58, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users/{id}}}.get.parameters.name=Accept", + "searchValue": "", + "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Accept should not be 'Accept'", + "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Accept is 'Accept'", + "issueType": "IncorrectValue", + "similarityID": "023d10b2e9da5952528f49451cff32f7ca81b6dbef52dcc87622a17f56ea0225", + "search_line": -1 }, { "queryName": "Header Parameter Named as 'Accept' (v3)", "severity": "INFO", "line": 26, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Accept", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Accept should not be 'Accept'", + "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'", + "issueType": "IncorrectValue", + "similarityID": "fbe14530acfb47bcc5461f955bc771c56cdfebb02fc2cd152003e295d31ea098", + "search_line": -1 }, { "queryName": "Header Parameter Named as 'Accept' (v3)", "severity": "INFO", "line": 36, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": 
"paths.{{/users/{id}}}.get.parameters.name=Accept", + "searchValue": "", + "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Accept should not be 'Accept'", + "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Accept is 'Accept'", + "issueType": "IncorrectValue", + "similarityID": "d9e564a0cef9836cf7c3654b988ec6d4b7f5d3c49f59a63ed60ef0a52ece6f29", + "search_line": -1 }, { "queryName": "Header Parameter Named as 'Accept' (v3)", "severity": "INFO", "line": 43, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Accept", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Accept should not be 'Accept'", + "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'", + "issueType": "IncorrectValue", + "similarityID": "25402426416001311ad469695c362d84a63856e700a9b1836bf740f396a59ab6", + "search_line": -1 }, { "queryName": "Header Parameter Named as 'Accept' (v3)", "severity": "INFO", "line": 26, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Accept", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Accept should not be 'Accept'", + "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'", + "issueType": "IncorrectValue", + "similarityID": "ebfc353eab31fbb1a3ce9d5498b79d8fa0fb0d7ad9602d6603517b4224d51c6d", + "search_line": -1 }, { "queryName": "Header Parameter Named as 'Accept' (v2)", "severity": "INFO", "line": 11, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Accept", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Accept should not be 'Accept'", + "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'", + "issueType": "IncorrectValue", + "similarityID": 
"c4857d0abd98cd2eb5247b198f45eeb1856772bc5c750c395163bc6053d9fdef", + "search_line": -1 }, { "queryName": "Header Parameter Named as 'Accept' (v2)", "severity": "INFO", "line": 38, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.name=Accept", + "searchValue": "", + "expectedValue": "parameters.limitParam.name=Accept should not be 'Accept'", + "actualValue": "parameters.limitParam.name=Accept is 'Accept'", + "issueType": "IncorrectValue", + "similarityID": "83e609b4aa7d3dea86280ec79fe69e0ec51837e2c9071888b84ea08585b4911c", + "search_line": -1 }, { "queryName": "Header Parameter Named as 'Accept' (v2)", "severity": "INFO", "line": 14, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Accept", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Accept should not be 'Accept'", + "actualValue": "paths.{{/}}.parameters.name=Accept is 'Accept'", + "issueType": "IncorrectValue", + "similarityID": "8664f08ac9896b3771b71527dca8c2f6f7512f360eb82f24bf1c2503b4e24c1d", + "search_line": -1 }, { "queryName": "Header Parameter Named as 'Accept' (v2)", "severity": "INFO", "line": 21, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.name=Accept", + "searchValue": "", + "expectedValue": "parameters.limitParam.name=Accept should not be 'Accept'", + "actualValue": "parameters.limitParam.name=Accept is 'Accept'", + "issueType": "IncorrectValue", + "similarityID": "bb911587990bbadd9ed03a8a419b99c549e5a9ee13a3999e3e7f47afb3340b75", + "search_line": -1 } ] 
diff --git a/assets/queries/openAPI/general/header_parameter_named_as_authorization/test/positive_expected_result.json b/assets/queries/openAPI/general/header_parameter_named_as_authorization/test/positive_expected_result.json index 91bf763ed24..f1045a9c96f 100644 --- a/assets/queries/openAPI/general/header_parameter_named_as_authorization/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/header_parameter_named_as_authorization/test/positive_expected_result.json 
@@ -3,60 +3,150 @@ "queryName": "Header Parameter Named as 'Authorization' (v3)", "severity": "INFO", "line": 43, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Authorization", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Authorization should not be 'Authorization", + "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'", + "issueType": "IncorrectValue", + "similarityID": "2958f0e8ca3a428bef82a88ba5e5e2fa9ea9dd52b45a56139bc9911f46aab54c", + "search_line": -1 }, { "queryName": "Header Parameter Named as 'Authorization' (v3)", "severity": "INFO", "line": 58, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users/{id}}}.get.parameters.name=Authorization", + "searchValue": "", + "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Authorization should not be 'Authorization", + "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Authorization is 'Authorization'", + "issueType": "IncorrectValue", + "similarityID": "39c896be2009b684ef00bc9c8b2be0fa684f60026e9ca3eeda9d2ed9ec898fe3", + "search_line": -1 }, { "queryName": "Header Parameter Named as 'Authorization' (v3)", "severity": "INFO", "line": 26, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Authorization", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Authorization should not be 'Authorization", + "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'", + "issueType": "IncorrectValue", + "similarityID": "4838b4093fb4a7daab703b0473b2249cecd0011e64f0c890a8896caf476cde76", + "search_line": -1 }, { "queryName": "Header Parameter Named as 'Authorization' (v3)", "severity": "INFO", "line": 36, - "filename": "positive2.yaml" + 
"fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users/{id}}}.get.parameters.name=Authorization", + "searchValue": "", + "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Authorization should not be 'Authorization", + "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Authorization is 'Authorization'", + "issueType": "IncorrectValue", + "similarityID": "846131deeb5878cfcecb2bd34d48b97423763d85f58f35f123e4855349f39dfd", + "search_line": -1 }, { "queryName": "Header Parameter Named as 'Authorization' (v3)", "severity": "INFO", "line": 43, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Authorization", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Authorization should not be 'Authorization", + "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'", + "issueType": "IncorrectValue", + "similarityID": "6643d7a19b2620476da08bc5b7b4b5e37bf5bb7b8ed8ca104437fd36cd474e67", + "search_line": -1 }, { "queryName": "Header Parameter Named as 'Authorization' (v3)", "severity": "INFO", "line": 26, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Authorization", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Authorization should not be 'Authorization", + "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'", + "issueType": "IncorrectValue", + "similarityID": "6da74ddd69dbe8d8347e9f7c1d100136ed207e83b3dd37d5cdc9761db3957a34", + "search_line": -1 }, { "queryName": "Header Parameter Named as 'Authorization' (v2)", "severity": "INFO", "line": 11, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Authorization", + "searchValue": "", 
+ "expectedValue": "paths.{{/}}.parameters.name=Authorization should not be 'Authorization", + "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'", + "issueType": "IncorrectValue", + "similarityID": "95c30f563472221a0d4b71fe8703fae02ed79f0d2246bed56bbd87f2d627e810", + "search_line": -1 }, { "queryName": "Header Parameter Named as 'Authorization' (v2)", "severity": "INFO", - "line": 14, - "filename": "positive6.yaml" + "line": 38, + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.name=Authorization", + "searchValue": "", + "expectedValue": "parameters.limitParam.name=Authorization should not be 'Authorization", + "actualValue": "parameters.limitParam.name=Authorization is 'Authorization'", + "issueType": "IncorrectValue", + "similarityID": "93ed15fcc8edd50974768ed3135c106a1855372c37d879981d01cda46233b11a", + "search_line": -1 }, { "queryName": "Header Parameter Named as 'Authorization' (v2)", "severity": "INFO", - "line": 38, - "filename": "positive5.json" + "line": 14, + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Authorization", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Authorization should not be 'Authorization", + "actualValue": "paths.{{/}}.parameters.name=Authorization is 'Authorization'", + "issueType": "IncorrectValue", + "similarityID": "3536df1b785b3f1db1c83099859918708260cd6b5c98a41a15668ba9e518e907", + "search_line": -1 }, { "queryName": "Header Parameter Named as 'Authorization' (v2)", "severity": "INFO", "line": 23, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.name=Authorization", + "searchValue": "", + "expectedValue": "parameters.limitParam.name=Authorization should not be 'Authorization", + "actualValue": "parameters.limitParam.name=Authorization is 
'Authorization'", + "issueType": "IncorrectValue", + "similarityID": "cb788b8cf60ebde9a12dae8e6ab619062122d158973555354738d76ae819307f", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/general/header_parameter_named_as_content_type/test/positive_expected_result.json b/assets/queries/openAPI/general/header_parameter_named_as_content_type/test/positive_expected_result.json index f88a1ce07e1..b760808d75d 100644 --- a/assets/queries/openAPI/general/header_parameter_named_as_content_type/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/header_parameter_named_as_content_type/test/positive_expected_result.json 
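Review bot: Every new `expectedValue` in this hunk carries an unbalanced quote, `should not be 'Authorization`, while the paired `actualValue` closes it (`is 'Authorization'`), so the fixture snapshots a typo in the message the query emits rather than a deliberate expected result. The same unbalanced `should not be 'Content-Type` appears in every entry of the header_parameter_named_as_content_type hunk. Because these files are regenerated from scan output, the fix belongs in the query under assets/queries/openAPI/general/header_parameter_named_as_authorization/ (and its Content-Type sibling) that builds the message, after which the expected line becomes `"expectedValue": "paths.{{/}}.parameters.name=Authorization should not be 'Authorization'"`. If the similarityID values derive from the message text they may change as well, so regenerate the fixtures rather than hand-editing them.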
@@ -3,60 +3,150 @@ "queryName": "Header Parameter Named as 'Content-Type' (v3)", "severity": "INFO", "line": 43, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Content-Type", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Content-Type should not be 'Content-Type", + "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'", + "issueType": "IncorrectValue", + "similarityID": "aa6cae0bf7455547d0b913a0fe0da37ec7fe4fc28011a672504c7ff7ccfb97bf", + "search_line": -1 }, { "queryName": "Header Parameter Named as 'Content-Type' (v3)", "severity": "INFO", "line": 58, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users/{id}}}.get.parameters.name=Content-Type", + "searchValue": "", + "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Content-Type should not be 'Content-Type", + "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Content-Type is 'Content-Type'", + "issueType": "IncorrectValue", + "similarityID": "8c67764efdb2b47a4404dd9da8643e651f2812e93d6094f859334a81eea15cfe", + "search_line": -1 }, { "queryName": "Header Parameter Named as 'Content-Type' (v3)", "severity": "INFO", "line": 26, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Content-Type", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Content-Type should not be 'Content-Type", + "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'", + "issueType": "IncorrectValue", + "similarityID": "3ff444c3fb76c5ff2de53463c442d450d0b201edc566c3ec384c45ba560fb54a", + "search_line": -1 }, { "queryName": "Header Parameter Named as 'Content-Type' (v3)", "severity": "INFO", "line": 36, - "filename": "positive2.yaml" + "fileName": 
"positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users/{id}}}.get.parameters.name=Content-Type", + "searchValue": "", + "expectedValue": "paths.{{/users/{id}}}.get.parameters.name=Content-Type should not be 'Content-Type", + "actualValue": "paths.{{/users/{id}}}.get.parameters.name=Content-Type is 'Content-Type'", + "issueType": "IncorrectValue", + "similarityID": "62da76b405b119ffcdba94863669ae2749af37dded410fe1281bfa16ccf71a31", + "search_line": -1 }, { "queryName": "Header Parameter Named as 'Content-Type' (v3)", "severity": "INFO", "line": 43, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Content-Type", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Content-Type should not be 'Content-Type", + "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'", + "issueType": "IncorrectValue", + "similarityID": "914b4ee52362e46d03aac745c15d76ad3255b762747380cf4411320389068016", + "search_line": -1 }, { "queryName": "Header Parameter Named as 'Content-Type' (v3)", "severity": "INFO", "line": 26, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Content-Type", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Content-Type should not be 'Content-Type", + "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'", + "issueType": "IncorrectValue", + "similarityID": "28924938b8091f7821783cd120ea3cc46b6e1befd3ae2b179410a1d7ffeb3f7e", + "search_line": -1 }, { "queryName": "Header Parameter Named as 'Content-Type' (v2)", "severity": "INFO", "line": 11, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Content-Type", + "searchValue": "", + "expectedValue": 
"paths.{{/}}.parameters.name=Content-Type should not be 'Content-Type", + "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'", + "issueType": "IncorrectValue", + "similarityID": "98e036ae41bf6af1c9ceeb74752a830651fd00ae29de2b1d4b64c942998aace9", + "search_line": -1 }, { "queryName": "Header Parameter Named as 'Content-Type' (v2)", "severity": "INFO", - "line": 14, - "filename": "positive6.yaml" + "line": 38, + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.name=Content-Type", + "searchValue": "", + "expectedValue": "parameters.limitParam.name=Content-Type should not be 'Content-Type", + "actualValue": "parameters.limitParam.name=Content-Type is 'Content-Type'", + "issueType": "IncorrectValue", + "similarityID": "77363926d736aeb1443ed7ddcb48662d65abd01e17fa45d3be08a83923f33bd3", + "search_line": -1 }, { "queryName": "Header Parameter Named as 'Content-Type' (v2)", "severity": "INFO", - "line": 38, - "filename": "positive5.json" + "line": 14, + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Content-Type", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.name=Content-Type should not be 'Content-Type", + "actualValue": "paths.{{/}}.parameters.name=Content-Type is 'Content-Type'", + "issueType": "IncorrectValue", + "similarityID": "d949da4adcf135d2b57ff9570269f5f07398aa876a7bc2170cdeede65957abf7", + "search_line": -1 }, { "queryName": "Header Parameter Named as 'Content-Type' (v2)", "severity": "INFO", "line": 23, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.limitParam.name=Content-Type", + "searchValue": "", + "expectedValue": "parameters.limitParam.name=Content-Type should not be 'Content-Type", + "actualValue": "parameters.limitParam.name=Content-Type is 'Content-Type'", + "issueType": "IncorrectValue", + 
"similarityID": "800ed0a472c2604b454106c617ee235c2d43f9b78e076e9d66b246ed02a4f62d", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/general/header_response_name_is_invalid/test/positive_expected_result.json b/assets/queries/openAPI/general/header_response_name_is_invalid/test/positive_expected_result.json index 59f411c5bbd..1a830229a4c 100644 --- a/assets/queries/openAPI/general/header_response_name_is_invalid/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/header_response_name_is_invalid/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "Header Response Name Is Invalid (v3)", "severity": "INFO", "line": 42, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{6xx}}.headers.{{Content-Type}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{6xx}}.headers should not contain 'Content-Type'", + "actualValue": "paths.{{/}}.{{get}}.responses.{{6xx}}.headers contains 'Content-Type'", + "issueType": "IncorrectValue", + "similarityID": "c9dbfd94f9c35835a0fd515c8726482d2e6e2b8448a46b20173d33d8c430d927", + "search_line": 0 }, { "queryName": "Header Response Name Is Invalid (v3)", "severity": "INFO", "line": 28, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{6xx}}.headers.{{Content-Type}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{6xx}}.headers should not contain 'Content-Type'", + "actualValue": "paths.{{/}}.{{get}}.responses.{{6xx}}.headers contains 'Content-Type'", + "issueType": "IncorrectValue", + "similarityID": "e1668ca54064b9decdd07dc7c738b8b038167265e0b4a25a324b475dd8d6424b", + "search_line": 0 }, { "queryName": "Header Response Name Is Invalid (v2)", "severity": "INFO", - "line": 32, - "filename": "positive3.json" + "line": 14, + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.$ref=#/responses/Success", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.headers should not contain 'Accept'", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.headers contains 'Accept'", + "issueType": "IncorrectValue", + "similarityID": "f1a2101d74d09cb56bfdeac88c12161581c58d6349523eba949d4bc6f58573d6", + "search_line": 0 }, { "queryName": "Header Response Name Is Invalid (v2)", "severity": "INFO", - "line": 14, - 
"filename": "positive3.json" + "line": 32, + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "responses.{{Success}}.headers.{{Accept}}", + "searchValue": "", + "expectedValue": "responses.{{Success}}.headers should not contain 'Accept'", + "actualValue": "responses.{{Success}}.headers contains 'Accept'", + "issueType": "IncorrectValue", + "similarityID": "07ce252d6c2a164792456076cd421f6d7b8fb4a639fa417826d4b88591b1e6af", + "search_line": 0 }, { "queryName": "Header Response Name Is Invalid (v2)", "severity": "INFO", - "line": 21, - "filename": "positive4.yaml" + "line": 12, + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.$ref=#/responses/Success", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.headers should not contain 'Accept'", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.headers contains 'Accept'", + "issueType": "IncorrectValue", + "similarityID": "cf7c4d96bcf9f29128643d112497d6121f6133aa41d02041a2f8286f9c170a72", + "search_line": 0 }, { "queryName": "Header Response Name Is Invalid (v2)", "severity": "INFO", - "line": 12, - "filename": "positive4.yaml" + "line": 21, + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "responses.{{Success}}.headers.{{Accept}}", + "searchValue": "", + "expectedValue": "responses.{{Success}}.headers should not contain 'Accept'", + "actualValue": "responses.{{Success}}.headers contains 'Accept'", + "issueType": "IncorrectValue", + "similarityID": "bfa3dfde064e9a1dfc8099a11be1f09f6e623c036be89a7530bbc8d9adf10b29", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/general/invalid_contact_email/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_contact_email/test/positive_expected_result.json index 02355545843..bd580aafe78 100644 
--- a/assets/queries/openAPI/general/invalid_contact_email/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_contact_email/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Invalid Contact Email (v3)", "severity": "INFO", "line": 9, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "info.contact.email", + "searchValue": "", + "expectedValue": "info.contact.email has a valid email", + "actualValue": "info.contact.email has an invalid email", + "issueType": "IncorrectValue", + "similarityID": "4367bad5c0e56f1304fbfc24b340d56b57a7693e2dba18f9438652e36cf2a563", + "search_line": -1 }, { "queryName": "Invalid Contact Email (v3)", "severity": "INFO", "line": 8, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "info.contact.email", + "searchValue": "", + "expectedValue": "info.contact.email has a valid email", + "actualValue": "info.contact.email has an invalid email", + "issueType": "IncorrectValue", + "similarityID": "df5e673edf07535e1c62ce90aebf07caba83122f43f87947bec27853843c8a03", + "search_line": -1 }, { "queryName": "Invalid Contact Email (v2)", "severity": "INFO", "line": 9, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "info.contact.email", + "searchValue": "", + "expectedValue": "info.contact.email has a valid email", + "actualValue": "info.contact.email has an invalid email", + "issueType": "IncorrectValue", + "similarityID": "b14bc588b94b5b6a6d65ec570790ec8b96c894c7c2a604d05c29c979ba61405c", + "search_line": -1 }, { "queryName": "Invalid Contact Email (v2)", "severity": "INFO", "line": 8, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "info.contact.email", + "searchValue": "", + "expectedValue": "info.contact.email has a valid email", + "actualValue": "info.contact.email has an invalid email", + "issueType": "IncorrectValue", + "similarityID": 
"431032600899cba5938a58a15e5b0fa433314c10654141294e5af24c75538b80", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/general/invalid_contact_url/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_contact_url/test/positive_expected_result.json index be38431be9a..9b2a21f9706 100644 --- a/assets/queries/openAPI/general/invalid_contact_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_contact_url/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Invalid Contact URL (v3)", "severity": "INFO", "line": 8, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "info.contact.url", + "searchValue": "", + "expectedValue": "info.contact.url has a valid URL", + "actualValue": "info.contact.url has an invalid URL", + "issueType": "IncorrectValue", + "similarityID": "f740ab493d07e3838e24c709cc664b2da3638112313e9b7bdbe421892187fce8", + "search_line": -1 }, { "queryName": "Invalid Contact URL (v3)", "severity": "INFO", "line": 7, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "info.contact.url", + "searchValue": "", + "expectedValue": "info.contact.url has a valid URL", + "actualValue": "info.contact.url has an invalid URL", + "issueType": "IncorrectValue", + "similarityID": "4c57da358074320411eb15f1c1afb66b5820ceab2d73978a2f1d3399cb99427f", + "search_line": -1 }, { "queryName": "Invalid Contact URL (v2)", "severity": "INFO", "line": 8, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "info.contact.url", + "searchValue": "", + "expectedValue": "info.contact.url has a valid URL", + "actualValue": "info.contact.url has an invalid URL", + "issueType": "IncorrectValue", + "similarityID": "30aa161c10a655c903a647e906e7757301846ac19ef3065b3e685b55f2547d04", + "search_line": -1 }, { "queryName": "Invalid Contact URL (v2)", "severity": "INFO", "line": 7, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "info.contact.url", + "searchValue": "", + "expectedValue": "info.contact.url has a valid URL", + "actualValue": "info.contact.url has an invalid URL", + "issueType": "IncorrectValue", + "similarityID": "bea07759f4458317c8093a56cb3ec85f71403f525e94ef4c5adf675d90dd6352", + "search_line": -1 } ] 
diff --git a/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json index 20563981948..38f1769deb0 100644 --- a/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_format/test/positive_expected_result.json 
@@ -3,96 +3,240 @@ "queryName": "Invalid Format (v3)", "severity": "LOW", "line": 14, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "integer is int32 or int64 formats", + "actualValue": "integer is double format", + "issueType": "IncorrectValue", + "similarityID": "4691b1d3b329d9d5409291a85f3aebd6f246bb76eaa31fb80003651e0ed98167", + "search_line": 0 }, { "queryName": "Invalid Format (v3)", "severity": "LOW", "line": 14, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "number is float or double formats", + "actualValue": "number is int32 format", + "issueType": "IncorrectValue", + "similarityID": "6c6e7825aef61c182620fabe287e575acc33d41a92e925d5e6bae7e36245b9d2", + "search_line": 0 }, { "queryName": "Invalid Format (v3)", "severity": "LOW", "line": 33, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.items.properties.myObject.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "integer is int32 or int64 formats", + "actualValue": "integer is double format", + "issueType": "IncorrectValue", + "similarityID": "eb4ca24b0c5832c7945dad5e53ca7074f4589f62a71ceec462cc543821989bd3", + "search_line": 0 }, { "queryName": "Invalid Format (v3)", "severity": "LOW", "line": 33, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.items.properties.myObject.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "number is float or double formats", + "actualValue": "number is 
int32 format", + "issueType": "IncorrectValue", + "similarityID": "a478394bd8df3d1b522b266369c6d5c9c2db475b2b24695fcf76b763f9ac4a51", + "search_line": 0 }, { "queryName": "Invalid Format (v3)", "severity": "LOW", "line": 37, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.items.properties.length.format=float", + "searchValue": "", + "expectedValue": "integer is int32 or int64 formats", + "actualValue": "integer is float format", + "issueType": "IncorrectValue", + "similarityID": "e4319904e152494d0ce5fd94014bfa772bd8c6dd927236f0e9de18ab0ba66360", + "search_line": 0 }, { "queryName": "Invalid Format (v3)", "severity": "LOW", "line": 53, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.properties.id.format=double", + "searchValue": "", + "expectedValue": "integer is int32 or int64 formats", + "actualValue": "integer is double format", + "issueType": "IncorrectValue", + "similarityID": "d3c5cc38957ddc8367f4a0e2723c5f227968521e4bd853b4cf20658f641eaa3e", + "search_line": 0 }, { "queryName": "Invalid Format (v3)", "severity": "LOW", "line": 61, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.properties.percentage.format=int32", + "searchValue": "", + "expectedValue": "number is float or double formats", + "actualValue": "number is int32 format", + "issueType": "IncorrectValue", + "similarityID": "3ab22bd1ff2c80fda013d63ce89337af889865470f31dbf74c221e7ae169d3e3", + "search_line": 0 }, { "queryName": "Invalid Format (v3)", "severity": "LOW", "line": 12, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.$ref=#/components/schemas/MyObject", + "searchValue": "", + 
"expectedValue": "integer is int32 or int64 formats", + "actualValue": "integer is double format", + "issueType": "IncorrectValue", + "similarityID": "6ae54940bd3ebc742f7aa76cd6c7bf384b3481603be64a4b02c5a8f7a40e8cb8", + "search_line": 0 }, { "queryName": "Invalid Format (v3)", "severity": "LOW", "line": 12, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "number is float or double formats", + "actualValue": "number is int32 format", + "issueType": "IncorrectValue", + "similarityID": "f63db49e5836b57ea49c094c788463774a78ee062748dd3c920e12464f56ec4b", + "search_line": 0 }, { "queryName": "Invalid Format (v3)", "severity": "LOW", "line": 26, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.items.properties.myObject.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "integer is int32 or int64 formats", + "actualValue": "integer is double format", + "issueType": "IncorrectValue", + "similarityID": "973750b8b1be6f6f80aada50946354c45f35b136d0f05fc78ee76d52058e1c46", + "search_line": 0 }, { "queryName": "Invalid Format (v3)", "severity": "LOW", "line": 26, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.items.properties.myObject.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "number is float or double formats", + "actualValue": "number is int32 format", + "issueType": "IncorrectValue", + "similarityID": "6737b57d47cba3e1c271059b0b7b18a5caeb7c5ce3bc41755da53e710b19557b", + "search_line": 0 }, { "queryName": "Invalid Format (v3)", "severity": "LOW", "line": 29, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + 
"resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.items.properties.length.format=float", + "searchValue": "", + "expectedValue": "integer is int32 or int64 formats", + "actualValue": "integer is float format", + "issueType": "IncorrectValue", + "similarityID": "4a191aec35533090416a0c4fe6c67f81278888bf6c04c84f209ac2289951ccd2", + "search_line": 0 }, { "queryName": "Invalid Format (v3)", "severity": "LOW", "line": 37, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.properties.id.format=double", + "searchValue": "", + "expectedValue": "integer is int32 or int64 formats", + "actualValue": "integer is double format", + "issueType": "IncorrectValue", + "similarityID": "7c06ee8296626a926bd653fbf29c1ed40ecd393066fe2236cdf4b2770efe3d2f", + "search_line": 0 }, { "queryName": "Invalid Format (v3)", "severity": "LOW", "line": 43, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.properties.percentage.format=int32", + "searchValue": "", + "expectedValue": "number is float or double formats", + "actualValue": "number is int32 format", + "issueType": "IncorrectValue", + "similarityID": "0733a83811cc465eeca433f3fd664852c38ff4321fbed7dd2eade32765a90989", + "search_line": 0 }, { "queryName": "Invalid Format (v2)", "severity": "LOW", "line": 42, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.items.properties.percentage.format=int32", + "searchValue": "", + "expectedValue": "number is float or double formats", + "actualValue": "number is int32 format", + "issueType": "IncorrectValue", + "similarityID": "187ce68cc1baa6bad1131150cd049579be804300c512589d4cd5700944c3ae2d", + "search_line": -1 }, { "queryName": "Invalid Format (v2)", "severity": 
"LOW", "line": 33, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.items.properties.percentage.format=int32", + "searchValue": "", + "expectedValue": "number is float or double formats", + "actualValue": "number is int32 format", + "issueType": "IncorrectValue", + "similarityID": "b399d675d4abfd940a060642e830fe871dec3b9ef5ca0839d7f01699ee7f9358", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/general/invalid_global_external_documentation_url/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_global_external_documentation_url/test/positive_expected_result.json index 1d7fb0622da..30e9227cea5 100644 --- a/assets/queries/openAPI/general/invalid_global_external_documentation_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_global_external_documentation_url/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Invalid Global External Documentation URL (v3)", "severity": "INFO", "line": 49, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "externalDocs.url", + "searchValue": "", + "expectedValue": "externalDocs.url has a valid URL", + "actualValue": "externalDocs.url does not have a valid URL", + "issueType": "IncorrectValue", + "similarityID": "67e9448c038ae988eccc99f71af8ee93c63a507e015e8420c618c3aacb2ff7ac", + "search_line": -1 }, { "queryName": "Invalid Global External Documentation URL (v3)", "severity": "INFO", "line": 26, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "externalDocs.url", + "searchValue": "", + "expectedValue": "externalDocs.url has a valid URL", + "actualValue": "externalDocs.url does not have a valid URL", + "issueType": "IncorrectValue", + "similarityID": "6200f00b4f0c669865efe0e8aeab65a95fdead19a845d4376ae6712c44306fb3", + "search_line": -1 }, { "queryName": "Invalid Global External Documentation URL (v2)", "severity": "INFO", "line": 26, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "externalDocs.url", + "searchValue": "", + "expectedValue": "externalDocs.url has a valid URL", + "actualValue": "externalDocs.url does not have a valid URL", + "issueType": "IncorrectValue", + "similarityID": "f423c220e7288b34de360d8f0cdc8fc8043fcc1816ebe16c1b14a952eeced659", + "search_line": -1 }, { "queryName": "Invalid Global External Documentation URL (v2)", "severity": "INFO", "line": 14, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "externalDocs.url", + "searchValue": "", + "expectedValue": "externalDocs.url has a valid URL", + "actualValue": "externalDocs.url does not have a valid URL", + "issueType": "IncorrectValue", + 
"similarityID": "cc74ccb3d3b0a60f0011abaf1ca6e4c90a23361b222ed67c87e60e10b0a86d0a", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/general/invalid_license_url/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_license_url/test/positive_expected_result.json index ec8f7d58e7c..c0ed370a500 100644 --- a/assets/queries/openAPI/general/invalid_license_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_license_url/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Invalid License URL (v3)", "severity": "INFO", "line": 8, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "info.license.url", + "searchValue": "", + "expectedValue": "info.license.url has a valid URL", + "actualValue": "info.license.url has an invalid URL", + "issueType": "IncorrectValue", + "similarityID": "846ee2a172bd14f791afb93a36a126dc8e29ddbce8aece2613adbb512b77be4a", + "search_line": -1 }, { "queryName": "Invalid License URL (v3)", "severity": "INFO", "line": 7, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "info.license.url", + "searchValue": "", + "expectedValue": "info.license.url has a valid URL", + "actualValue": "info.license.url has an invalid URL", + "issueType": "IncorrectValue", + "similarityID": "493bdeecbb6c6c92d5ee82cea57fdc5e343bc0ac5596caeba0056b90c5d5fecc", + "search_line": -1 }, { "queryName": "Invalid License URL (v2)", "severity": "INFO", "line": 8, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "info.license.url", + "searchValue": "", + "expectedValue": "info.license.url has a valid URL", + "actualValue": "info.license.url has an invalid URL", + "issueType": "IncorrectValue", + "similarityID": "860d99eb27cddfcc095bb5feade3b95929ce949fac1cb6f9c667bb9ead21214e", + "search_line": -1 }, { "queryName": "Invalid License URL (v2)", "severity": "INFO", "line": 7, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "info.license.url", + "searchValue": "", + "expectedValue": "info.license.url has a valid URL", + "actualValue": "info.license.url has an invalid URL", + "issueType": "IncorrectValue", + "similarityID": "d32aab121cb232824d1b642e33c7c6bd9499bf90455db49dea0da1c204ad03c3", + "search_line": -1 } ] 
diff --git a/assets/queries/openAPI/general/invalid_operation_external_documentation_url/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_operation_external_documentation_url/test/positive_expected_result.json index cebaacbd067..1da61280003 100644 --- a/assets/queries/openAPI/general/invalid_operation_external_documentation_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_operation_external_documentation_url/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Invalid Operation External Documentation URL (v3)", "severity": "INFO", "line": 18, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.externalDocs.url", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.externalDocs.url has a valid URL", + "actualValue": "paths.{{/}}.{{get}}.externalDocs.url has a invalid URL", + "issueType": "IncorrectValue", + "similarityID": "02085feab0ae182d5e0d1a91798f37424c3b47302367b37bff863b0fb5789d02", + "search_line": -1 }, { "queryName": "Invalid Operation External Documentation URL (v3)", "severity": "INFO", "line": 11, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.externalDocs.url", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.externalDocs.url has a valid URL", + "actualValue": "paths.{{/}}.{{get}}.externalDocs.url has a invalid URL", + "issueType": "IncorrectValue", + "similarityID": "8d8099194f104a88c6ead6d703d9824332c78399c7fb5fa3b681ba5e3c9474cf", + "search_line": -1 }, { "queryName": "Invalid Operation External Documentation URL (v2)", "severity": "INFO", "line": 18, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.externalDocs.url", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.externalDocs.url has a valid URL", + "actualValue": "paths.{{/}}.{{get}}.externalDocs.url has a invalid URL", + "issueType": "IncorrectValue", + "similarityID": "717a8e85124a5a6517a33d512321f059bff273f1bbf683cb9c1210f8664a1ade", + "search_line": -1 }, { "queryName": "Invalid Operation External Documentation URL (v2)", "severity": "INFO", "line": 15, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": 
"paths.{{/}}.{{get}}.externalDocs.url", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.externalDocs.url has a valid URL", + "actualValue": "paths.{{/}}.{{get}}.externalDocs.url has a invalid URL", + "issueType": "IncorrectValue", + "similarityID": "1e7d7e9b96eff666646e8d4ca36a73060fc8f1e2ff0d69941331a08033d6cae9", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/general/invalid_schema_external_documentation_url/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_schema_external_documentation_url/test/positive_expected_result.json index bb4b1586ea2..63ab9bd1bd9 100644 --- a/assets/queries/openAPI/general/invalid_schema_external_documentation_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_schema_external_documentation_url/test/positive_expected_result.json 
@@ -3,48 +3,120 @@ "queryName": "Invalid Schema External Documentation URL (v3)", "severity": "INFO", "line": 61, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{User}}.externalDocs.url", + "searchValue": "", + "expectedValue": "Schema External Documentation URL should be a valid URL", + "actualValue": "Schema External Documentation URL is not a valid URL", + "issueType": "IncorrectValue", + "similarityID": "6624fbf6a4ff334207a7f4aebc178c4905d34f27613e1272b155ff0508a8a771", + "search_line": -1 }, { "queryName": "Invalid Schema External Documentation URL (v3)", "severity": "INFO", "line": 24, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.externalDocs.url", + "searchValue": "", + "expectedValue": "Schema External Documentation URL should be a valid URL", + "actualValue": "Schema External Documentation URL is not a valid URL", + "issueType": "IncorrectValue", + "similarityID": "c2b8ef73aafac56f034870f3fe79fe8c283d22901962950a2ca0d96d785ac58d", + "search_line": -1 }, { "queryName": "Invalid Schema External Documentation URL (v3)", "severity": "INFO", "line": 35, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{User}}.externalDocs.url", + "searchValue": "", + "expectedValue": "Schema External Documentation URL should be a valid URL", + "actualValue": "Schema External Documentation URL is not a valid URL", + "issueType": "IncorrectValue", + "similarityID": "17de66754adff03a73c9b4527fd1ab48f2cffe231ed858f595382ea2efec38e9", + "search_line": -1 }, { "queryName": "Invalid Schema External Documentation URL (v3)", "severity": "INFO", "line": 17, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": 
"", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.externalDocs.url", + "searchValue": "", + "expectedValue": "Schema External Documentation URL should be a valid URL", + "actualValue": "Schema External Documentation URL is not a valid URL", + "issueType": "IncorrectValue", + "similarityID": "fccb5fdfff7f5f8e4845961c81929629982fa61b52e936287c30934c6e9ef1a2", + "search_line": -1 }, { "queryName": "Invalid Schema External Documentation URL (v2)", "severity": "INFO", "line": 22, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.externalDocs.url", + "searchValue": "", + "expectedValue": "Schema External Documentation URL should be a valid URL", + "actualValue": "Schema External Documentation URL is not a valid URL", + "issueType": "IncorrectValue", + "similarityID": "4d4ad6304b94b6d3a818c574cde180f6dc8e677058c7e4fbb09ebe5419308d5a", + "search_line": -1 }, { "queryName": "Invalid Schema External Documentation URL (v2)", "severity": "INFO", - "line": 37, - "filename": "positive7.json" + "line": 15, + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.externalDocs.url", + "searchValue": "", + "expectedValue": "Schema External Documentation URL should be a valid URL", + "actualValue": "Schema External Documentation URL is not a valid URL", + "issueType": "IncorrectValue", + "similarityID": "2e0c7ce38fa6e6378663e6e960136a1f6e9edf73cfc870cf6abbccb626047201", + "search_line": -1 }, { "queryName": "Invalid Schema External Documentation URL (v2)", "severity": "INFO", - "line": 15, - "filename": "positive6.yaml" + "line": 37, + "fileName": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{User}}.externalDocs.url", + "searchValue": "", + "expectedValue": "Schema External Documentation URL should be a valid URL", + 
"actualValue": "Schema External Documentation URL is not a valid URL", + "issueType": "IncorrectValue", + "similarityID": "f753337472952e2ce88c537354665f3c0dbe481bc7752e4e2bf877ae0f3d3860", + "search_line": -1 }, { "queryName": "Invalid Schema External Documentation URL (v2)", "severity": "INFO", "line": 22, - "filename": "positive8.yaml" + "fileName": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{User}}.externalDocs.url", + "searchValue": "", + "expectedValue": "Schema External Documentation URL should be a valid URL", + "actualValue": "Schema External Documentation URL is not a valid URL", + "issueType": "IncorrectValue", + "similarityID": "de5ba1906112ddd454dcebee02fd476bc2556a6f11afdad90252afc886696088", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/general/invalid_tag_external_documentation_url/test/positive_expected_result.json b/assets/queries/openAPI/general/invalid_tag_external_documentation_url/test/positive_expected_result.json index 7dd0106fbc0..5e558cc4af5 100644 --- a/assets/queries/openAPI/general/invalid_tag_external_documentation_url/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/invalid_tag_external_documentation_url/test/positive_expected_result.json 
@@ -3,48 +3,120 @@ "queryName": "Invalid Tag External Documentation URL (v3)", "severity": "INFO", "line": 53, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "tags.name=pets", + "searchValue": "", + "expectedValue": "tags[0].externalDocs.url has a valid URL", + "actualValue": "tags[0].externalDocs.url has an invalid URL", + "issueType": "IncorrectValue", + "similarityID": "2838909c77cb1aa5dd3981719c6f7832ed3e3be2261a67dd946998349fa3e71d", + "search_line": -1 }, { "queryName": "Invalid Tag External Documentation URL (v3)", "severity": "INFO", "line": 57, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "tags.name=store", + "searchValue": "", + "expectedValue": "tags[1].externalDocs.url has a valid URL", + "actualValue": "tags[1].externalDocs.url has an invalid URL", + "issueType": "IncorrectValue", + "similarityID": "6aed712ae5af21e89fe26bc055767c80bfe91237e7e89c66c2e2783f5731e079", + "search_line": -1 }, { "queryName": "Invalid Tag External Documentation URL (v3)", "severity": "INFO", "line": 26, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "tags.name=pets", + "searchValue": "", + "expectedValue": "tags[0].externalDocs.url has a valid URL", + "actualValue": "tags[0].externalDocs.url has an invalid URL", + "issueType": "IncorrectValue", + "similarityID": "7911be4c4ca3828827627da1582172c0e762bc281783ef1179ac9af0270f4e6f", + "search_line": -1 }, { "queryName": "Invalid Tag External Documentation URL (v3)", "severity": "INFO", "line": 30, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "tags.name=store", + "searchValue": "", + "expectedValue": "tags[1].externalDocs.url has a valid URL", + "actualValue": "tags[1].externalDocs.url has an invalid URL", + "issueType": 
"IncorrectValue", + "similarityID": "4a945862079115555c239cd504d91e531048f6b4db46a26e395003acff56b57d", + "search_line": -1 }, { "queryName": "Invalid Tag External Documentation URL (v2)", "severity": "INFO", "line": 30, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "tags.name=pets", + "searchValue": "", + "expectedValue": "tags[0].externalDocs.url has a valid URL", + "actualValue": "tags[0].externalDocs.url has an invalid URL", + "issueType": "IncorrectValue", + "similarityID": "121498b4d9597151116b77955039536cca509ca4d32f2b87b3ea5c3c68c385f6", + "search_line": -1 }, { "queryName": "Invalid Tag External Documentation URL (v2)", "severity": "INFO", "line": 34, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "tags.name=store", + "searchValue": "", + "expectedValue": "tags[1].externalDocs.url has a valid URL", + "actualValue": "tags[1].externalDocs.url has an invalid URL", + "issueType": "IncorrectValue", + "similarityID": "1b899c2e5d4864f00bbf520cdb779e88de4a774c2cc21625c30cf88053653d7a", + "search_line": -1 }, { "queryName": "Invalid Tag External Documentation URL (v2)", "severity": "INFO", "line": 18, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "tags.name=pets", + "searchValue": "", + "expectedValue": "tags[0].externalDocs.url has a valid URL", + "actualValue": "tags[0].externalDocs.url has an invalid URL", + "issueType": "IncorrectValue", + "similarityID": "1fe083fcf953a54fbd563f29b320bdf1a32e2bd667756b8c50f3e962e936119d", + "search_line": -1 }, { "queryName": "Invalid Tag External Documentation URL (v2)", "severity": "INFO", "line": 22, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "tags.name=store", + "searchValue": "", + "expectedValue": 
"tags[1].externalDocs.url has a valid URL", + "actualValue": "tags[1].externalDocs.url has an invalid URL", + "issueType": "IncorrectValue", + "similarityID": "b09096fc5122d26d66e5f81405776701fdd89c53db93a0588a0b01859bb7db15", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/general/items_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/items_undefined/test/positive_expected_result.json index 7b8e7e75477..33d6c8cc837 100644 --- a/assets/queries/openAPI/general/items_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/items_undefined/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "Items Undefined (v3)", "severity": "INFO", "line": 50, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError", + "searchValue": "", + "expectedValue": "Array items property should be defined", + "actualValue": "Array items property is undefined", + "issueType": "MissingAttribute", + "similarityID": "8b6308f1cbeb1fa71f66048feeb65c19da841d1966c4549589fa98bb64a5d159", + "search_line": -1 }, { "queryName": "Items Undefined (v3)", "severity": "INFO", "line": 22, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", + "searchValue": "", + "expectedValue": "Array items property should be defined", + "actualValue": "Array items property is undefined", + "issueType": "MissingAttribute", + "similarityID": "736b5f69475dea074c450e879bf85b34b207d333f8868aaab15c218f0c122723", + "search_line": -1 }, { "queryName": "Items Undefined (v3)", "severity": "INFO", "line": 27, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError", + "searchValue": "", + "expectedValue": "Array items property should be defined", + "actualValue": "Array items property is undefined", + "issueType": "MissingAttribute", + "similarityID": "b3e1867ccd0ee818ade70935dc0e0e53c5bd44fe4fca004ee2a714b0906dbf96", + "search_line": -1 }, { "queryName": "Items Undefined (v3)", "severity": "INFO", "line": 15, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", + "searchValue": "", + "expectedValue": "Array items property should be defined", + "actualValue": "Array items property is undefined", + "issueType": 
"MissingAttribute", + "similarityID": "0e050b6b45b0dd1e0a73656b28057a414d6a06f3e4e646e9b29e109a3b682ecc", + "search_line": -1 }, { "queryName": "Items Undefined (v2)", "severity": "INFO", "line": 19, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users}}.get.responses.200.schema", + "searchValue": "", + "expectedValue": "Array items property should be defined", + "actualValue": "Array items property is undefined", + "issueType": "MissingAttribute", + "similarityID": "3b514befb14a32ebd900d415c7323f4d3682ab4b908271717a52fc4ebc36c008", + "search_line": -1 }, { "queryName": "Items Undefined (v2)", "severity": "INFO", "line": 16, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users}}.get.responses.200.schema", + "searchValue": "", + "expectedValue": "Array items property should be defined", + "actualValue": "Array items property is undefined", + "issueType": "MissingAttribute", + "similarityID": "0a32b2a7d5f4cb3b1f2c16221d1916e7c0a74beec65f8ce23b1baf0857ea2d36", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/general/json_object_schema_without_properties/test/positive_expected_result.json b/assets/queries/openAPI/general/json_object_schema_without_properties/test/positive_expected_result.json index 8e6db880f46..60fbe177e16 100644 --- a/assets/queries/openAPI/general/json_object_schema_without_properties/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/json_object_schema_without_properties/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "JSON Object Schema Without Properties (v3)", "severity": "MEDIUM", "line": 67, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref", + "searchValue": "", + "expectedValue": "Schema of the JSON object should have 'properties' defined", + "actualValue": "Schema of the JSON object does not have 'properties' defined", + "issueType": "MissingAttribute", + "similarityID": "0060a4350e08499f9065beb6cfb29f8546ccc80332286e5a6a052cbea868b690", + "search_line": 0 }, { "queryName": "JSON Object Schema Without Properties (v3)", "severity": "MEDIUM", "line": 16, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref", + "searchValue": "", + "expectedValue": "Schema of the JSON object should have 'properties' defined", + "actualValue": "Schema of the JSON object does not have 'properties' defined", + "issueType": "MissingAttribute", + "similarityID": "5012552f4cf4572ed153847509f7da0ca2f2ef20c5d1bb213cdfd8d138b09287", + "search_line": 0 }, { "queryName": "JSON Object Schema Without Properties (v3)", "severity": "MEDIUM", "line": 40, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref", + "searchValue": "", + "expectedValue": "Schema of the JSON object should have 'properties' defined", + "actualValue": "Schema of the JSON object does not have 'properties' defined", + "issueType": "MissingAttribute", + "similarityID": "ff16df684fecb8d1ec594c7e02f393d03aa8afec299f29d9cc12251aaa5753c0", + "search_line": 0 }, { "queryName": "JSON Object Schema Without Properties (v3)", "severity": "MEDIUM", "line": 16, - "filename": 
"positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref", + "searchValue": "", + "expectedValue": "Schema of the JSON object should have 'properties' defined", + "actualValue": "Schema of the JSON object does not have 'properties' defined", + "issueType": "MissingAttribute", + "similarityID": "41dbf1529851e1141ab61dfa04fadb0d909d98198887c0bbd12c9afd7b4275e0", + "search_line": 0 }, { "queryName": "JSON Object Schema Without Properties (v2)", "severity": "MEDIUM", "line": 16, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.$ref", + "searchValue": "", + "expectedValue": "Schema of the JSON object should have 'properties' defined", + "actualValue": "Schema of the JSON object does not have 'properties' defined", + "issueType": "MissingAttribute", + "similarityID": "93f7aa201192910e5c609493fb94bf7789bacaed3a916fa24fa9a9a9b04b0ba9", + "search_line": 0 }, { "queryName": "JSON Object Schema Without Properties (v2)", "severity": "MEDIUM", "line": 14, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.$ref", + "searchValue": "", + "expectedValue": "Schema of the JSON object should have 'properties' defined", + "actualValue": "Schema of the JSON object does not have 'properties' defined", + "issueType": "MissingAttribute", + "similarityID": "945f885a8a97d0196f53041fbfbed012e3ffaf6941df091dcbb2d6f1c83d7fca", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/general/json_object_schema_without_type/test/positive_expected_result.json b/assets/queries/openAPI/general/json_object_schema_without_type/test/positive_expected_result.json index e3a9d38a52e..b313d46e5fd 100644 
--- a/assets/queries/openAPI/general/json_object_schema_without_type/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/json_object_schema_without_type/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "JSON Object Schema Without Type (v3)", "severity": "MEDIUM", "line": 75, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref", + "searchValue": "", + "expectedValue": "Schema of the JSON object should have 'type' defined", + "actualValue": "Schema of the JSON object does not have 'type' defined", + "issueType": "MissingAttribute", + "similarityID": "b158b7d22b5313b7a8edcd88471db06a81366bd69c76cc1800a3f9c4c712b3e8", + "search_line": 0 }, { "queryName": "JSON Object Schema Without Type (v3)", "severity": "MEDIUM", "line": 16, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref", + "searchValue": "", + "expectedValue": "Schema of the JSON object should have 'type' defined", + "actualValue": "Schema of the JSON object does not have 'type' defined", + "issueType": "MissingAttribute", + "similarityID": "3e2c0dbe65af802fdcdd8716e501862bb4eea7a27a8c2cab2b22cdf7e4f5caa2", + "search_line": 0 }, { "queryName": "JSON Object Schema Without Type (v3)", "severity": "MEDIUM", "line": 45, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref", + "searchValue": "", + "expectedValue": "Schema of the JSON object should have 'type' defined", + "actualValue": "Schema of the JSON object does not have 'type' defined", + "issueType": "MissingAttribute", + "similarityID": "aa54e75cf7e178df3964183b381110662b2ef8f70ac9057923771ed52071c467", + "search_line": 0 }, { "queryName": "JSON Object Schema Without Type (v3)", "severity": "MEDIUM", "line": 16, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", 
+ "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref", + "searchValue": "", + "expectedValue": "Schema of the JSON object should have 'type' defined", + "actualValue": "Schema of the JSON object does not have 'type' defined", + "issueType": "MissingAttribute", + "similarityID": "15f7591c3c4dbf5f7872122119df1f8cbdcf1be35a869c060118ec6db5f9c092", + "search_line": 0 }, { "queryName": "JSON Object Schema Without Type (v2)", "severity": "MEDIUM", "line": 16, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.$ref", + "searchValue": "", + "expectedValue": "Schema of the JSON object should have 'type' defined", + "actualValue": "Schema of the JSON object does not have 'type' defined", + "issueType": "MissingAttribute", + "similarityID": "ab1288df20635b2dea71651861379a56361066872a597098c5e93164f238494c", + "search_line": 0 }, { "queryName": "JSON Object Schema Without Type (v2)", "severity": "MEDIUM", "line": 14, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.$ref", + "searchValue": "", + "expectedValue": "Schema of the JSON object should have 'type' defined", + "actualValue": "Schema of the JSON object does not have 'type' defined", + "issueType": "MissingAttribute", + "similarityID": "3328e22a99cdf0c94a2edda0107afa80dfb4d695ed28c79ae36c49db176ede81", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/general/json_ref_alongside_properties/test/positive_expected_result.json b/assets/queries/openAPI/general/json_ref_alongside_properties/test/positive_expected_result.json index acf698353a8..416526399fd 100644 --- a/assets/queries/openAPI/general/json_ref_alongside_properties/test/positive_expected_result.json 
+++ b/assets/queries/openAPI/general/json_ref_alongside_properties/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "JSON '$ref' alongside other properties (v3)", "severity": "INFO", "line": 17, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", + "searchValue": "", + "expectedValue": "Only '$ref' property should be declared or other properties declared without '$ref'", + "actualValue": "Property '$ref'alongside other properties", + "issueType": "MissingAttribute", + "similarityID": "f0bdc42f606fbbe8348ebb4ac9da13d7f42a576b2f1f52d0331672f6ed9d9b18", + "search_line": 0 }, { "queryName": "JSON '$ref' alongside other properties (v3)", "severity": "INFO", "line": 15, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", + "searchValue": "", + "expectedValue": "Only '$ref' property should be declared or other properties declared without '$ref'", + "actualValue": "Property '$ref'alongside other properties", + "issueType": "MissingAttribute", + "similarityID": "c43c06eea97e355f523d9993a0a55ccb79fcf5cf3a0e78b2ada688cec3714692", + "search_line": 0 }, { "queryName": "JSON '$ref' alongside other properties (v2)", "severity": "INFO", "line": 13, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema", + "searchValue": "", + "expectedValue": "Only '$ref' property should be declared or other properties declared without '$ref'", + "actualValue": "Property '$ref'alongside other properties", + "issueType": "MissingAttribute", + "similarityID": "4fe32df438e59a0ac025f25303bb85e7db354ee20dd42de92ee0f0d69c848ca6", + "search_line": 0 }, { "queryName": "JSON '$ref' alongside other properties (v2)", "severity": "INFO", "line": 13, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + 
"resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema", + "searchValue": "", + "expectedValue": "Only '$ref' property should be declared or other properties declared without '$ref'", + "actualValue": "Property '$ref'alongside other properties", + "issueType": "MissingAttribute", + "similarityID": "05902df004e4fd71cf3ed8e121034fa3bd8328a30dd2f35f4826f549919588b9", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/general/maximum_length_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/maximum_length_undefined/test/positive_expected_result.json index 5db48637405..7ab46fafffd 100644 --- a/assets/queries/openAPI/general/maximum_length_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/maximum_length_undefined/test/positive_expected_result.json 
@@ -3,126 +3,315 @@ "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 58, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute", + "similarityID": "08543d83acff69485f4d52de59be577ab28d6a4916ae0166783d5426f2ed927e", + "search_line": 0 }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 62, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.message.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute", + "similarityID": "0c4f6b48ab744479c5ce2beef5777ede6069e3f573ab2df182cafd91982b46f7", + "search_line": 0 }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 77, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute", + "similarityID": "a9d29366efa35c5df7133b3ca23232c779fb701b01a34db46d76b457177fa467", + "search_line": 0 }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 77, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": 
"'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute", + "similarityID": "b0ca62ccdc9ff8ff0cb5d0516b355ccd332d260ee8a2d2cccf6186f5c4374d31", + "search_line": 0 }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 27, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute", + "similarityID": "e3549fbe28638dcfd933cc15ef0f8edb50d969983a9f28eea0d6e885f1d4e1de", + "search_line": 27 }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 31, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute", + "similarityID": "97203d4ebfb0f113481e8e560189faa487b1d34a7df5318effbf55590bc98c6e", + "search_line": 31 }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 34, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute", + "similarityID": "a01cc9cc4c409b52c315f91d704fc2272121c533c9e49d14a1c923f9046612a1", + "search_line": 0 }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 37, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + 
"resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.message.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute", + "similarityID": "aa3596c4866533b3e2b4144e4a0ccb793940900d1704e6f9336abf71cd68204b", + "search_line": 0 }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 47, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute", + "similarityID": "24226b9d8857f0a185c650bf01bb019c139fcfbd03e6d266a7d70d403098ccc2", + "search_line": 0 }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 47, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute", + "similarityID": "5bc6e934e9428294366105d6919efd718a794279766abe771a7bfe2419de9df2", + "search_line": 0 }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 22, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute", + "similarityID": 
"2c3e2ef2bb766eced6a270537994ae11b8026cb14a7db03ce1c661aab25cc6df", + "search_line": 22 }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 25, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute", + "similarityID": "db99057ed4c78e32790f8033193a69463daa7d43dc926943a430f1dcd49a983c", + "search_line": 25 }, { "queryName": "Maximum Length Undefined (v2)", "severity": "LOW", "line": 23, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute", + "similarityID": "5d338e06e8c40347962f2b786d29b7ba87867fd4b83dd6b3c436683cb6c5e34b", + "search_line": 23 }, { "queryName": "Maximum Length Undefined (v2)", "severity": "LOW", "line": 27, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute", + "similarityID": "5eadbc3d1fc4d426fc5a9bf59d6d6f5383a3577824a5a8383ad43f338bbe68a3", + "search_line": 27 }, { "queryName": "Maximum Length Undefined (v2)", "severity": "LOW", "line": 19, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": 
"'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute", + "similarityID": "91b7483266dd9154b95eda12728d16ae557fd5d7c5e6a255057c4205a3fbb8fc", + "search_line": 19 }, { "queryName": "Maximum Length Undefined (v2)", "severity": "LOW", "line": 22, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute", + "similarityID": "bd1308682e759a87392c7020c7bbe8ce8882bfa172eda4c273077970681278bb", + "search_line": 22 }, { "queryName": "Maximum Length Undefined (v2)", "severity": "LOW", "line": 23, - "filename": "positive7.json" + "fileName": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute", + "similarityID": "acc4ae71ba3dbf711d145fdcbf0f0ccf0d450637ce7ed98bdcab308c4029032d", + "search_line": 23 }, { "queryName": "Maximum Length Undefined (v2)", "severity": "LOW", "line": 28, - "filename": "positive7.json" + "fileName": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute", + "similarityID": "a628f1c59b743987e61d56241dffb093e495319279a65f1b9c8a5c4cf46d1551", + "search_line": 28 }, { "queryName": "Maximum Length Undefined (v2)", "severity": "LOW", "line": 28, - "filename": "positive8.json" + "fileName": "positive8.json", + "resourceType": "", + "resourceName": "", + 
"searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute", + "similarityID": "63e0f8884d7276e888a8bff2455971e27f2aad669115a8a45c75847f84952185", + "search_line": 28 }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 46, - "filename": "positive9.json" + "fileName": "positive9.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/api/adjectives}}.get.parameters.schema.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute", + "similarityID": "afd9d97aba922b5d8043f5f3974023f52521ff03ba9f984a12116a8f8b21a288", + "search_line": 46 }, { "queryName": "Maximum Length Undefined (v3)", "severity": "LOW", "line": 55, - "filename": "positive9.json" + "fileName": "positive9.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/api/adjectives}}.get.parameters.schema.type", + "searchValue": "", + "expectedValue": "'maxLength' should be defined", + "actualValue": "'maxLength' is undefined", + "issueType": "MissingAttribute", + "similarityID": "b88c602f2b69cc16b99217a72d9579005ebabab798b12e5c7ace95d290dc2810", + "search_line": 55 } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/no_global_and_operation_security_defined/test/positive_expected_result.json b/assets/queries/openAPI/general/no_global_and_operation_security_defined/test/positive_expected_result.json index a993a6d228d..a9b9a065410 100644 --- a/assets/queries/openAPI/general/no_global_and_operation_security_defined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/no_global_and_operation_security_defined/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "No Global And Operation Security Defined (v3)", "severity": "HIGH", "line": 9, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}", + "searchValue": "", + "expectedValue": "A security schema should be used", + "actualValue": "No security schema is used", + "issueType": "MissingAttribute", + "similarityID": "a0bae0068fe767cbb53b157fef5339e4f3304a4ada43e4c789ad1ac1a1018735", + "search_line": -1 }, { "queryName": "No Global And Operation Security Defined (v3)", "severity": "HIGH", "line": 46, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{patch}}", + "searchValue": "", + "expectedValue": "A security schema should be used", + "actualValue": "No security schema is used", + "issueType": "MissingAttribute", + "similarityID": "6277196a3877d206c108a4b2ddf963a3cef4384247b061a8a609ae2497f649ef", + "search_line": -1 }, { "queryName": "No Global And Operation Security Defined (v3)", "severity": "HIGH", "line": 7, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}", + "searchValue": "", + "expectedValue": "A security schema should be used", + "actualValue": "No security schema is used", + "issueType": "MissingAttribute", + "similarityID": "8f45857d4f0c7edd2e6a256a0a071b9a70d06d00f73484c415efea04f7378c0a", + "search_line": -1 }, { "queryName": "No Global And Operation Security Defined (v3)", "severity": "HIGH", "line": 27, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{patch}}", + "searchValue": "", + "expectedValue": "A security schema should be used", + "actualValue": "No security schema is used", + "issueType": "MissingAttribute", + "similarityID": 
"2f9e811d917f705a1f565f418a89f2b073c8e44622616e356eb08ca9aaa35611", + "search_line": -1 }, { "queryName": "No Global And Operation Security Defined (v2)", "severity": "HIGH", "line": 7, - "filename": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}", + "searchValue": "", + "expectedValue": "A security schema should be used", + "actualValue": "No security schema is used", + "issueType": "MissingAttribute", + "similarityID": "0c68baf656a57df6232bd8752023a6265327f8749d31ad00b0b13ac9a7243245", + "search_line": 0 }, { "queryName": "No Global And Operation Security Defined (v2)", "severity": "HIGH", "line": 9, - "filename": "positive6.json" + "fileName": "positive6.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}", + "searchValue": "", + "expectedValue": "A security schema should be used", + "actualValue": "No security schema is used", + "issueType": "MissingAttribute", + "similarityID": "bd849b7ede5e3fcbfefb9f10d414b089c30c5dd37cee58dcdd5dabe44b4988b8", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/general/non_array_schema_with_items/test/positive_expected_result.json b/assets/queries/openAPI/general/non_array_schema_with_items/test/positive_expected_result.json index 24f9f0d6019..2a37d2a86fc 100644 --- a/assets/queries/openAPI/general/non_array_schema_with_items/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/non_array_schema_with_items/test/positive_expected_result.json 
@@ -3,48 +3,120 @@ "queryName": "Non-Array Schema With Items (v3)", "severity": "INFO", "line": 52, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.items", + "searchValue": "", + "expectedValue": "Schema items property should be undefined", + "actualValue": "Schema items property is defined", + "issueType": "IncorrectValue", + "similarityID": "505808003621ec9aee3de49aa3b8392db4bfe2eef363171f17c4116f62e2bc68", + "search_line": -1 }, { "queryName": "Non-Array Schema With Items (v3)", "severity": "INFO", "line": 24, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.items", + "searchValue": "", + "expectedValue": "Schema items property should be undefined", + "actualValue": "Schema items property is defined", + "issueType": "IncorrectValue", + "similarityID": "e2031543575bc157e2bcd13975a6d1b4b87aeec1261a38a7153c011130f08d54", + "search_line": -1 }, { "queryName": "Non-Array Schema With Items (v3)", "severity": "INFO", "line": 29, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.items", + "searchValue": "", + "expectedValue": "Schema items property should be undefined", + "actualValue": "Schema items property is defined", + "issueType": "IncorrectValue", + "similarityID": "8c64e7693070e400372ace4e58eab6374436cfafa8b87cce5ba832dda87c2acb", + "search_line": -1 }, { "queryName": "Non-Array Schema With Items (v3)", "severity": "INFO", "line": 17, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.items", + "searchValue": "", + "expectedValue": "Schema items property should be undefined", + 
"actualValue": "Schema items property is defined", + "issueType": "IncorrectValue", + "similarityID": "20fa3a220f2347556288bc4b9f80b2746bd42cb3f40115b7db319c45b8c8f16b", + "search_line": -1 }, { "queryName": "Non-Array Schema With Items (v2)", "severity": "INFO", - "line": 44, - "filename": "positive5.json" + "line": 22, + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users}}.get.responses.200.schema.items.$ref=#/definitions/User", + "searchValue": "", + "expectedValue": "Schema items property should be undefined", + "actualValue": "Schema items property is defined", + "issueType": "IncorrectValue", + "similarityID": "718a399a326190244248933ae421e5b348cc9fd6ae6bbc773b670d88e3bf5c13", + "search_line": 0 }, { "queryName": "Non-Array Schema With Items (v2)", "severity": "INFO", - "line": 32, - "filename": "positive6.yaml" + "line": 44, + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.User.properties.name.items", + "searchValue": "", + "expectedValue": "Schema items property should be undefined", + "actualValue": "Schema items property is defined", + "issueType": "IncorrectValue", + "similarityID": "e958292cc7c9b69d1bc79c7ec21843e744bdc2d155dfcaf908e812097ce78ea2", + "search_line": 0 }, { "queryName": "Non-Array Schema With Items (v2)", "severity": "INFO", - "line": 22, - "filename": "positive5.json" + "line": 19, + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users}}.get.responses.200.schema.items.$ref=#/definitions/User", + "searchValue": "", + "expectedValue": "Schema items property should be undefined", + "actualValue": "Schema items property is defined", + "issueType": "IncorrectValue", + "similarityID": "fc0797806aba0a78449e161d193b2fc746a6146bba321ab61d3f0c83d2346012", + "search_line": 0 }, { "queryName": "Non-Array Schema With Items (v2)", "severity": "INFO", - "line": 19, - "filename": 
"positive6.yaml" + "line": 32, + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.User.properties.name.items", + "searchValue": "", + "expectedValue": "Schema items property should be undefined", + "actualValue": "Schema items property is defined", + "issueType": "IncorrectValue", + "similarityID": "ccffc4d214a3d16bef7c4d13ba74ff0a30eebfceb20252c5905edc4e0281f5fe", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/general/numeric_schema_without_format/test/positive_expected_result.json b/assets/queries/openAPI/general/numeric_schema_without_format/test/positive_expected_result.json index 86c83d955eb..ac6f17389d2 100644 --- a/assets/queries/openAPI/general/numeric_schema_without_format/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/numeric_schema_without_format/test/positive_expected_result.json 
@@ -3,48 +3,120 @@ "queryName": "Numeric Schema Without Format (v3)", "severity": "LOW", "line": 58, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'format' defined", + "actualValue": "Numeric schema does not have 'format' defined", + "issueType": "MissingAttribute", + "similarityID": "dd1eab92456d9fdf0aea78fa622e03427e1e7f2a6feac0d9e7cb079dc0326bce", + "search_line": 0 }, { "queryName": "Numeric Schema Without Format (v3)", "severity": "LOW", "line": 75, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "Numeric schema should have 'format' defined", + "actualValue": "Numeric schema does not have 'format' defined", + "issueType": "MissingAttribute", + "similarityID": "08a5af090c405dd6e3599fc05e525e39314ce7a6cebc8637614378329b362ea8", + "search_line": 0 }, { "queryName": "Numeric Schema Without Format (v3)", "severity": "LOW", "line": 27, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'format' defined", + "actualValue": "Numeric schema does not have 'format' defined", + "issueType": "MissingAttribute", + "similarityID": "c92cd992954af61d2596e08cf096bb63427253083caf496d3aad10f54c628f57", + "search_line": -1 }, { "queryName": "Numeric Schema Without Format (v3)", "severity": "LOW", "line": 34, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": 
"components.schemas.GeneralError.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'format' defined", + "actualValue": "Numeric schema does not have 'format' defined", + "issueType": "MissingAttribute", + "similarityID": "77f6a0d04d72264cf01f3565bd5b2fced2fdb4f4c3912ddee1e9dd10cfcded09", + "search_line": 0 }, { "queryName": "Numeric Schema Without Format (v3)", "severity": "LOW", "line": 46, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "Numeric schema should have 'format' defined", + "actualValue": "Numeric schema does not have 'format' defined", + "issueType": "MissingAttribute", + "similarityID": "ef4b2e0ca251cc37cd8b37e1fae0340654f7d83fcfedd15602460e62bfb786dc", + "search_line": 0 }, { "queryName": "Numeric Schema Without Format (v3)", "severity": "LOW", "line": 22, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'format' defined", + "actualValue": "Numeric schema does not have 'format' defined", + "issueType": "MissingAttribute", + "similarityID": "2d77614507c69f401da12188b81ad7b34f1421ec87712ff1ef682c5b5fd93b72", + "search_line": -1 }, { "queryName": "Numeric Schema Without Format (v2)", "severity": "LOW", "line": 23, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'format' defined", + "actualValue": "Numeric schema does not have 'format' defined", + "issueType": 
"MissingAttribute", + "similarityID": "c6f8392124590a3cd0e8ca59d3bf5a1fded67199b3bfa154d7d97f068583d115", + "search_line": -1 }, { "queryName": "Numeric Schema Without Format (v2)", "severity": "LOW", "line": 20, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'format' defined", + "actualValue": "Numeric schema does not have 'format' defined", + "issueType": "MissingAttribute", + "similarityID": "18e1edce527322fdcf336cd89625dadb5f0e38a5d714d5cdd37c19fc0d048ee7", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/numeric_schema_without_maximum/test/positive_expected_result.json b/assets/queries/openAPI/general/numeric_schema_without_maximum/test/positive_expected_result.json index 544f422d0eb..f1a12a69144 100644 --- a/assets/queries/openAPI/general/numeric_schema_without_maximum/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/numeric_schema_without_maximum/test/positive_expected_result.json 
@@ -3,48 +3,120 @@ "queryName": "Numeric Schema Without Maximum (v3)", "severity": "LOW", "line": 58, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'maximum' defined", + "actualValue": "Numeric schema does not have 'maximum' defined", + "issueType": "MissingAttribute", + "similarityID": "fa9decaa74fae2383d06178f45bc3637f33587bd1b53aaf472581f3356114239", + "search_line": 0 }, { "queryName": "Numeric Schema Without Maximum (v3)", "severity": "LOW", "line": 75, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "Numeric schema should have 'maximum' defined", + "actualValue": "Numeric schema does not have 'maximum' defined", + "issueType": "MissingAttribute", + "similarityID": "f6612dcaa41bdd248d8642bb6322dbc52c45a69d4276fcdb15c7a36a63ce149d", + "search_line": 0 }, { "queryName": "Numeric Schema Without Maximum (v3)", "severity": "LOW", "line": 27, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'maximum' defined", + "actualValue": "Numeric schema does not have 'maximum' defined", + "issueType": "MissingAttribute", + "similarityID": "2258c2b5e886a9926bef1cfaf1c43a500ef61f394b1be937eb2867413b857245", + "search_line": -1 }, { "queryName": "Numeric Schema Without Maximum (v3)", "severity": "LOW", "line": 34, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": 
"components.schemas.GeneralError.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'maximum' defined", + "actualValue": "Numeric schema does not have 'maximum' defined", + "issueType": "MissingAttribute", + "similarityID": "2d5c4111d0b26a965ff01f7c85fabfa5dcfc256060001e6700e2a316ec6c03da", + "search_line": 0 }, { "queryName": "Numeric Schema Without Maximum (v3)", "severity": "LOW", "line": 46, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "Numeric schema should have 'maximum' defined", + "actualValue": "Numeric schema does not have 'maximum' defined", + "issueType": "MissingAttribute", + "similarityID": "ae33eb4281620d1b0592669cdce36794a146aa3f91af98c53171c69bc317bb4c", + "search_line": 0 }, { "queryName": "Numeric Schema Without Maximum (v3)", "severity": "LOW", "line": 22, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'maximum' defined", + "actualValue": "Numeric schema does not have 'maximum' defined", + "issueType": "MissingAttribute", + "similarityID": "30fe3ba8861b0d62e7b33df27c7ebc85221d0ccf51e339e20510431a09852d51", + "search_line": -1 }, { "queryName": "Numeric Schema Without Maximum (v2)", "severity": "LOW", "line": 23, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'maximum' defined", + "actualValue": "Numeric schema does not have 'maximum' defined", + 
"issueType": "MissingAttribute", + "similarityID": "c1b9fd25ddd49366f4a7cfc459da9186b84874245a92b92e54e84c174af506cd", + "search_line": -1 }, { "queryName": "Numeric Schema Without Maximum (v2)", "severity": "LOW", "line": 20, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'maximum' defined", + "actualValue": "Numeric schema does not have 'maximum' defined", + "issueType": "MissingAttribute", + "similarityID": "8280b9fab03bcc4295b9eaeadf0e63bb37743e3c6899bbf0dae1e9cdc3dade12", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/numeric_schema_without_minimum/test/positive_expected_result.json b/assets/queries/openAPI/general/numeric_schema_without_minimum/test/positive_expected_result.json index d33e3fd50ff..7eeba855706 100644 --- a/assets/queries/openAPI/general/numeric_schema_without_minimum/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/numeric_schema_without_minimum/test/positive_expected_result.json 
@@ -3,48 +3,120 @@ "queryName": "Numeric Schema Without Minimum (v3)", "severity": "LOW", "line": 58, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'minimum' defined", + "actualValue": "Numeric schema does not have 'minimum' defined", + "issueType": "MissingAttribute", + "similarityID": "3183803b69c7f240eb0deaca000b37962a2038b3cd0eee5dfc76788cc2e99248", + "search_line": 0 }, { "queryName": "Numeric Schema Without Minimum (v3)", "severity": "LOW", "line": 74, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "Numeric schema should have 'minimum' defined", + "actualValue": "Numeric schema does not have 'minimum' defined", + "issueType": "MissingAttribute", + "similarityID": "caa258a4d0b71a8ee8875ff492dde8cf0fd24a4d0264f8204ba079a1d2bdf6de", + "search_line": 0 }, { "queryName": "Numeric Schema Without Minimum (v3)", "severity": "LOW", "line": 27, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'minimum' defined", + "actualValue": "Numeric schema does not have 'minimum' defined", + "issueType": "MissingAttribute", + "similarityID": "e6c6fd98dc3c3e33ae53dc1d48d608e39d8bf9b38c7de80316923ecf63a1c17d", + "search_line": -1 }, { "queryName": "Numeric Schema Without Minimum (v3)", "severity": "LOW", "line": 34, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": 
"components.schemas.GeneralError.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'minimum' defined", + "actualValue": "Numeric schema does not have 'minimum' defined", + "issueType": "MissingAttribute", + "similarityID": "5e0ae21991a25de3c0b760814eb801fc14b066258fc435060a590975fd451894", + "search_line": 0 }, { "queryName": "Numeric Schema Without Minimum (v3)", "severity": "LOW", "line": 45, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "Numeric schema should have 'minimum' defined", + "actualValue": "Numeric schema does not have 'minimum' defined", + "issueType": "MissingAttribute", + "similarityID": "aa8e9804cc114b0585ce8525445a11042c29a3fab3ef004d9043904cbd0c628f", + "search_line": 0 }, { "queryName": "Numeric Schema Without Minimum (v3)", "severity": "LOW", "line": 22, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'minimum' defined", + "actualValue": "Numeric schema does not have 'minimum' defined", + "issueType": "MissingAttribute", + "similarityID": "09b1cd476ef186175b3b673cc1ea74aeedbe468a7c70ad455500da85d44fd5c9", + "search_line": -1 }, { "queryName": "Numeric Schema Without Minimum (v2)", "severity": "LOW", "line": 23, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'minimum' defined", + "actualValue": "Numeric schema does not have 'minimum' defined", + 
"issueType": "MissingAttribute", + "similarityID": "c83f3af92096d6568b5a5c229cd211ebde059c9427a0397ea4525a0a1e7c6b91", + "search_line": -1 }, { "queryName": "Numeric Schema Without Minimum (v2)", "severity": "LOW", "line": 20, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": "Numeric schema should have 'minimum' defined", + "actualValue": "Numeric schema does not have 'minimum' defined", + "issueType": "MissingAttribute", + "similarityID": "567c45fc30320cf064304dfc6e3db5ab6d8505bd5114c71eb23d2d86f0a47368", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/object_using_enum_with_keyword/test/positive_expected_result.json b/assets/queries/openAPI/general/object_using_enum_with_keyword/test/positive_expected_result.json index 7768016a5b1..fcc134caf34 100644 --- a/assets/queries/openAPI/general/object_using_enum_with_keyword/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/object_using_enum_with_keyword/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "Object Using Enum With Keyword (v3)", "severity": "INFO", "line": 42, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.Cat.allOf.huntingSkill", + "searchValue": "", + "expectedValue": "Cat.allOf.components.schemas.properties.huntingSkill should not contain 'enum' and schema keyword", + "actualValue": "Cat.allOf.components.schemas.properties.huntingSkill contains 'enum' and schema keyword 'minLength'", + "issueType": "IncorrectValue", + "similarityID": "dd2d899684a6592f6b0faa2c12a0285874a27d2aed87c3bd951bc88d85f442a1", + "search_line": 0 }, { "queryName": "Object Using Enum With Keyword (v3)", "severity": "INFO", "line": 32, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.Cat.allOf.huntingSkill", + "searchValue": "", + "expectedValue": "Cat.allOf.components.schemas.properties.huntingSkill should not contain 'enum' and schema keyword", + "actualValue": "Cat.allOf.components.schemas.properties.huntingSkill contains 'enum' and schema keyword 'minLength'", + "issueType": "IncorrectValue", + "similarityID": "bc974c4f155fc1bd0488163ce5f55db8d1b0531a501d6fcd03520b6514b70948", + "search_line": 0 }, { "queryName": "Object Using Enum With Keyword (v2)", "severity": "INFO", "line": 39, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.Cat.allOf.huntingSkill", + "searchValue": "", + "expectedValue": "Cat.allOf.definitions.properties.huntingSkill should not contain 'enum' and schema keyword", + "actualValue": "Cat.allOf.definitions.properties.huntingSkill contains 'enum' and schema keyword 'minLength'", + "issueType": "IncorrectValue", + "similarityID": "e3a7d673c0d9a8c3c1e3cbfe885eca19d4bb1a2b4f32ec0840fef4bd40b6506c", + "search_line": 0 }, { "queryName": "Object Using Enum With 
Keyword (v2)", "severity": "INFO", "line": 29, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.Cat.allOf.huntingSkill", + "searchValue": "", + "expectedValue": "Cat.allOf.definitions.properties.huntingSkill should not contain 'enum' and schema keyword", + "actualValue": "Cat.allOf.definitions.properties.huntingSkill contains 'enum' and schema keyword 'minLength'", + "issueType": "IncorrectValue", + "similarityID": "96636c546f440569d5a0c23ba081f14e07885035131fe51efa095a2e5421aaed", + "search_line": 0 }, { "queryName": "Object Using Enum With Keyword (v2)", "severity": "INFO", "line": 29, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.huntingSkill", + "searchValue": "", + "expectedValue": "/.get.parameters.paths.schema.properties.huntingSkill should not contain 'enum' and schema keyword", + "actualValue": "/.get.parameters.paths.schema.properties.huntingSkill contains 'enum' and schema keyword 'minLength'", + "issueType": "IncorrectValue", + "similarityID": "460318ffe96e96f3e93a8fd5be6520a18ef51b5a9b9b53e73ef6f68013fa9d4e", + "search_line": 29 }, { "queryName": "Object Using Enum With Keyword (v2)", "severity": "INFO", "line": 31, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.schema.huntingSkill", + "searchValue": "", + "expectedValue": "/.get.parameters.paths.schema.properties.huntingSkill should not contain 'enum' and schema keyword", + "actualValue": "/.get.parameters.paths.schema.properties.huntingSkill contains 'enum' and schema keyword 'minLength'", + "issueType": "IncorrectValue", + "similarityID": "87428d238cc1892f855bbfea093df05d043332122355f9243995412f2326e93f", + "search_line": 31 } ] 
diff --git a/assets/queries/openAPI/general/operation_id_not_unique/test/positive_expected_result.json b/assets/queries/openAPI/general/operation_id_not_unique/test/positive_expected_result.json index 9d062f0bb69..f55eb07dfd8 100644 --- a/assets/queries/openAPI/general/operation_id_not_unique/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/operation_id_not_unique/test/positive_expected_result.json 
@@ -3,48 +3,120 @@ "queryName": "OperationId Not Unique (v3)", "severity": "INFO", "line": 15, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.operationId", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.operationId is unique", + "actualValue": "paths.{{/}}.{{get}}.operationId is not unique", + "issueType": "IncorrectValue", + "similarityID": "d0203eebcd337a6ace42bacdddf05f4fd3d285e926cd27e1780d33d9b4abb6e8", + "search_line": -1 }, { "queryName": "OperationId Not Unique (v3)", "severity": "INFO", "line": 46, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{post}}.operationId", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{post}}.operationId is unique", + "actualValue": "paths.{{/}}.{{post}}.operationId is not unique", + "issueType": "IncorrectValue", + "similarityID": "4e77bcab5f3dd45fdb31b727a40c76dc38b33925515ad7d9d32f93e89474c045", + "search_line": -1 }, { "queryName": "OperationId Not Unique (v3)", "severity": "INFO", "line": 8, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.operationId", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.operationId is unique", + "actualValue": "paths.{{/}}.{{get}}.operationId is not unique", + "issueType": "IncorrectValue", + "similarityID": "2a702c8a40071414d267ce77a2c47adbe03ce54f97f9d8ca1b99507b431c24e1", + "search_line": -1 }, { "queryName": "OperationId Not Unique (v3)", "severity": "INFO", "line": 25, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{post}}.operationId", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{post}}.operationId is unique", + "actualValue": "paths.{{/}}.{{post}}.operationId is not unique", + 
"issueType": "IncorrectValue", + "similarityID": "deaee8a473ac0b4e219e41d07b99ef94d65794dc273b13669e4c6e18086500c1", + "search_line": -1 }, { "queryName": "OperationId Not Unique (v2)", "severity": "INFO", "line": 15, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.operationId", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.operationId is unique", + "actualValue": "paths.{{/}}.{{get}}.operationId is not unique", + "issueType": "IncorrectValue", + "similarityID": "03cdb95e7ee4371dd151e174a13277d8b2af8358d18bb31a68f03294df982a43", + "search_line": -1 }, { "queryName": "OperationId Not Unique (v2)", "severity": "INFO", "line": 23, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{post}}.operationId", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{post}}.operationId is unique", + "actualValue": "paths.{{/}}.{{post}}.operationId is not unique", + "issueType": "IncorrectValue", + "similarityID": "961a02873e52dbf38cfb95e1ad6e300de9073476ac432c772c2bade900c9cb38", + "search_line": -1 }, { "queryName": "OperationId Not Unique (v2)", "severity": "INFO", "line": 8, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.operationId", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.operationId is unique", + "actualValue": "paths.{{/}}.{{get}}.operationId is not unique", + "issueType": "IncorrectValue", + "similarityID": "6f7b82e25a7a59ae09156a896af4cb3872928007feabe0086b70496a5559e709", + "search_line": -1 }, { "queryName": "OperationId Not Unique (v2)", "severity": "INFO", "line": 13, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{post}}.operationId", + "searchValue": "", + 
"expectedValue": "paths.{{/}}.{{post}}.operationId is unique", + "actualValue": "paths.{{/}}.{{post}}.operationId is not unique", + "issueType": "IncorrectValue", + "similarityID": "a64f0f81d64900a0199436741f4865075900158a391b1addd924b05f8ea8e734", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/general/operation_without_successful_http_status_code/test/positive_expected_result.json b/assets/queries/openAPI/general/operation_without_successful_http_status_code/test/positive_expected_result.json index f00373706ce..3926ec03534 100644 --- a/assets/queries/openAPI/general/operation_without_successful_http_status_code/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/operation_without_successful_http_status_code/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Operation Without Successful HTTP Status Code (v3)", "severity": "INFO", "line": 12, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses has at least one successful HTTP status code defined", + "actualValue": "paths.{{/}}.{{get}}.responses does not have at least one successful HTTP status code defined", + "issueType": "MissingAttribute", + "similarityID": "f37a0dd0b5f2f3702497ee7ab455b2b621c3515a4aba3a653a4d38f15dfcbcd9", + "search_line": 12 }, { "queryName": "Operation Without Successful HTTP Status Code (v3)", "severity": "INFO", "line": 10, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses has at least one successful HTTP status code defined", + "actualValue": "paths.{{/}}.{{get}}.responses does not have at least one successful HTTP status code defined", + "issueType": "MissingAttribute", + "similarityID": "f0caa090b68bcd4d166f5a45b44de9a7386e7977cfbc74281d431632651ac753", + "search_line": 10 }, { "queryName": "Operation Without Successful HTTP Status Code (v2)", "severity": "INFO", "line": 12, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses has at least one successful HTTP status code defined", + "actualValue": "paths.{{/}}.{{get}}.responses does not have at least one successful HTTP status code defined", + "issueType": "MissingAttribute", + "similarityID": "d5860a8601aadff4d8d64ddafc47cef2c4b00acaf5c0797bb3995241138e538e", + "search_line": 12 }, { "queryName": "Operation Without Successful HTTP Status Code 
(v2)", "severity": "INFO", "line": 10, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses has at least one successful HTTP status code defined", + "actualValue": "paths.{{/}}.{{get}}.responses does not have at least one successful HTTP status code defined", + "issueType": "MissingAttribute", + "similarityID": "51b5e6d739af756370b5e41c6ffb57aadd6c203b0e5dfd19232f5b84dedbbcb5", + "search_line": 10 } ] diff --git a/assets/queries/openAPI/general/parameter_objects_headers_dup_name/test/positive_expected_result.json b/assets/queries/openAPI/general/parameter_objects_headers_dup_name/test/positive_expected_result.json index 89ef84063db..be358dff273 100644 --- a/assets/queries/openAPI/general/parameter_objects_headers_dup_name/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/parameter_objects_headers_dup_name/test/positive_expected_result.json 
@@ -2,121 +2,301 @@ { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 68, - "filename": "positive1.json" + "line": 14, + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=id", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=id)", + "issueType": "IncorrectValue", + "similarityID": "055990ec8345735d84bef2958aad18ecae56d683de5803bbe796ae24cfe7ca9e", + "search_line": -1 }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 82, - "filename": "positive1.json" + "line": 28, + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=ID", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=ID)", + "issueType": "IncorrectValue", + "similarityID": "772e35033303391ff4bc724510d43d8ca185ec308684d09b43b306a150a0c856", + "search_line": -1 }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 14, - "filename": "positive1.json" + "line": 68, + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)", + "issueType": "IncorrectValue", + "similarityID": "06663b012eecd1b353f493d8348aeb50415c02e774a833a6506e94e0d09fa865", + "search_line": -1 }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 28, - "filename": "positive1.json" + "line": 82, + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Token", + "searchValue": "", + 
"expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)", + "issueType": "IncorrectValue", + "similarityID": "1914e70d2a7300cf91b173578745b02b18c98bd2a00330c80c9fb333a5a71803", + "search_line": -1 }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 10, - "filename": "positive3.json" + "line": 11, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=id", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=id)", + "issueType": "IncorrectValue", + "similarityID": "4a37bf15edc0ff2fb046db292cf55a9eadfc425f9495238ddc4d4236647ea782", + "search_line": -1 }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 24, - "filename": "positive3.json" + "line": 21, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name=ID", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=ID)", + "issueType": "IncorrectValue", + "similarityID": "affc4b99cf2b0bcd6f5e547ec7e6c5957844f437ce5d7a77cc7c5d4729a37fc1", + "search_line": -1 }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 53, - "filename": "positive2.yaml" + "line": 43, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)", + "issueType": "IncorrectValue", + "similarityID": "9d173dd2d03930433033442fce9aaae5463ab5dafe2697e8cd40617c436f563c", + "search_line": -1 }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", 
"severity": "INFO", - "line": 43, - "filename": "positive2.yaml" + "line": 53, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)", + "issueType": "IncorrectValue", + "similarityID": "5cfb32d0ee39e8d5e52e6dfe3181f927f1804aa836a27566a841701f95fadeb9", + "search_line": -1 }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 11, - "filename": "positive2.yaml" + "line": 10, + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.token.name=token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)", + "issueType": "IncorrectValue", + "similarityID": "98ade7171414b37dd612e663d07a29029fe2c21ee1d3c732c5231c60c34aea9f", + "search_line": -1 }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", - "line": 21, - "filename": "positive2.yaml" + "line": 24, + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.Token.name=Token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)", + "issueType": "IncorrectValue", + "similarityID": "818554b91cb75819f5c100978a06e53b9c6c63b780c3f967adf566419c070879", + "search_line": -1 }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", "line": 8, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.token.name=token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names 
(name=token)", + "issueType": "IncorrectValue", + "similarityID": "2c253155934f54fd95ed9dc2fa9e8262e0de7562adc556c7f9298d7d1fef8e03", + "search_line": -1 }, { "queryName": "Parameter Objects Headers With Duplicated Name (v3)", "severity": "INFO", "line": 19, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.Token.name=Token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)", + "issueType": "IncorrectValue", + "similarityID": "bf7e83ebba46f3a83a922819ba118ac6ca45152e214f23f6d944c33a660918c5", + "search_line": -1 }, { "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 39, - "filename": "positive5.json" + "line": 11, + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)", + "issueType": "IncorrectValue", + "similarityID": "8ac89bf55bd0610e313239eb3f81f8def95e43d8464f144a5ca9d3fd5834129a", + "search_line": -1 }, { "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 47, - "filename": "positive5.json" + "line": 18, + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)", + "issueType": "IncorrectValue", + "similarityID": "b8f6ab236e3e9faa9ddf28893ea63987234e8f428569158eeb21996095eee104", + "search_line": -1 }, { "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 11, - "filename": "positive5.json" + "line": 39, + "fileName": "positive5.json", + 
"resourceType": "", + "resourceName": "", + "searchKey": "parameters.oneParam.name=Token2", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token2)", + "issueType": "IncorrectValue", + "similarityID": "6ab13ac64fe53169548145b55dc065979dad7aeacb095e77ccdddf2fb5a276d7", + "search_line": -1 }, { "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 18, - "filename": "positive5.json" + "line": 47, + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.anotherParam.name=token2", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token2)", + "issueType": "IncorrectValue", + "similarityID": "6b2a81e4aaed85d9624efc2bbbea39370ce4a0c0e975a031b75ace7240d9022a", + "search_line": -1 }, { "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 32, - "filename": "positive6.yaml" + "line": 14, + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=Token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token)", + "issueType": "IncorrectValue", + "similarityID": "8df478c15e3b5d51c967a3e7b998d35e37abd2fd55a7052087a27721bd4046f3", + "search_line": -1 }, { "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 26, - "filename": "positive6.yaml" + "line": 19, + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name=token", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token)", + "issueType": "IncorrectValue", + "similarityID": 
"7c6b72ad212bfa70ada9250c97feecdd859baa1b9fb3f4149070e8a78e6d63f3", + "search_line": -1 }, { "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 14, - "filename": "positive6.yaml" + "line": 26, + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.oneParam.name=Token2", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=Token2)", + "issueType": "IncorrectValue", + "similarityID": "513ff40d47fffe2210ac494fdf3d729cabbaa46076e3e1889260b1beda17f4ef", + "search_line": -1 }, { "queryName": "Parameter Objects Headers With Duplicated Name (v2)", "severity": "INFO", - "line": 19, - "filename": "positive6.yaml" + "line": 32, + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "parameters.anotherParam.name=token2", + "searchValue": "", + "expectedValue": "", + "actualValue": "Parameter Object with location 'header' has duplicate names (name=token2)", + "issueType": "IncorrectValue", + "similarityID": "43cefaeac12467e768027f968139e4ba8b14bab308b486ab094d8afba7790e65", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/general/parameters_name_in_not_unique/test/positive_expected_result.json b/assets/queries/openAPI/general/parameters_name_in_not_unique/test/positive_expected_result.json index 1ae56a9527b..391f0eb42c3 100644 --- a/assets/queries/openAPI/general/parameters_name_in_not_unique/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/parameters_name_in_not_unique/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "Parameters Name In Combination Not Unique (v3)", "severity": "INFO", "line": 28, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.limitJSONParam.name", + "searchValue": "", + "expectedValue": "Parameter has unique 'name' and 'in' combinations", + "actualValue": "Parameter does not have unique 'name' and 'in' combinations", + "issueType": "IncorrectValue", + "similarityID": "e9b72bfaca9a4f4446ef169e84aa7d40163b66d6151c1fc879a0bb349e81e0b6", + "search_line": 0 }, { "queryName": "Parameters Name In Combination Not Unique (v3)", "severity": "INFO", - "line": 18, - "filename": "positive2.yaml" + "line": 37, + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.otherJSONParam.name", + "searchValue": "", + "expectedValue": "Parameter has unique 'name' and 'in' combinations", + "actualValue": "Parameter does not have unique 'name' and 'in' combinations", + "issueType": "IncorrectValue", + "similarityID": "ab5bf1de39f65ba3907c343f5e9d9fc229997abcc94bd213eaa2ab115375377d", + "search_line": 0 }, { "queryName": "Parameters Name In Combination Not Unique (v3)", "severity": "INFO", - "line": 37, - "filename": "positive1.json" + "line": 18, + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.limitParam.name", + "searchValue": "", + "expectedValue": "Parameter has unique 'name' and 'in' combinations", + "actualValue": "Parameter does not have unique 'name' and 'in' combinations", + "issueType": "IncorrectValue", + "similarityID": "a4a5975b22e20836f83061ae94a7d0182ac3b907afe41a7519ce2673e0ba5ca6", + "search_line": 0 }, { "queryName": "Parameters Name In Combination Not Unique (v3)", "severity": "INFO", "line": 25, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": 
"components.parameters.otherParam.name", + "searchValue": "", + "expectedValue": "Parameter has unique 'name' and 'in' combinations", + "actualValue": "Parameter does not have unique 'name' and 'in' combinations", + "issueType": "IncorrectValue", + "similarityID": "4cf7298b6b417b1a9e7c80c1d2041ae67a4fcda395ac78ae8de3efc35f67a15c", + "search_line": 0 }, { "queryName": "Parameters Name In Combination Not Unique (v2)", "severity": "INFO", "line": 21, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name", + "searchValue": "", + "expectedValue": "Parameter has unique 'name' and 'in' combinations", + "actualValue": "Parameter does not have unique 'name' and 'in' combinations", + "issueType": "IncorrectValue", + "similarityID": "ca354d412853a071bad8f89aab70ab4cf888d66db0ab4e423ab0ed4bbfe9bb89", + "search_line": -1 }, { "queryName": "Parameters Name In Combination Not Unique (v2)", "severity": "INFO", "line": 14, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.parameters.name", + "searchValue": "", + "expectedValue": "Parameter has unique 'name' and 'in' combinations", + "actualValue": "Parameter does not have unique 'name' and 'in' combinations", + "issueType": "IncorrectValue", + "similarityID": "acd9da963bb300a2a60d854ff6627a4db3064311263092f3a2515bba6d69229c", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/general/path_ambiguous/test/positive_expected_result.json b/assets/queries/openAPI/general/path_ambiguous/test/positive_expected_result.json index 3b35fce7422..8277a480b6e 100644 --- a/assets/queries/openAPI/general/path_ambiguous/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/path_ambiguous/test/positive_expected_result.json 
@@ -3,48 +3,120 @@ "queryName": "Path Is Ambiguous (v3)", "severity": "INFO", "line": 6, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}", + "searchValue": "", + "expectedValue": "There shouldn't be ambiguous path", + "actualValue": "There is ambiguous path", + "issueType": "IncorrectValue", + "similarityID": "ee9c4f500266aa62f847668e4386f03989d1f55d439d2e119b07ed81aa5fb930", + "search_line": -1 }, { "queryName": "Path Is Ambiguous (v3)", "severity": "INFO", "line": 19, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{ids}", + "searchValue": "", + "expectedValue": "There shouldn't be ambiguous path", + "actualValue": "There is ambiguous path", + "issueType": "IncorrectValue", + "similarityID": "d378e78df4a376c4b80f196f85e00d318a2cf6a5e3ffb6e9f10c85b5335f27ef", + "search_line": -1 }, { "queryName": "Path Is Ambiguous (v3)", "severity": "INFO", "line": 8, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}", + "searchValue": "", + "expectedValue": "There shouldn't be ambiguous path", + "actualValue": "There is ambiguous path", + "issueType": "IncorrectValue", + "similarityID": "2639137869955267dddc09478b74ff5a255eb2073018e0789a7a7a8a67b551fb", + "search_line": -1 }, { "queryName": "Path Is Ambiguous (v3)", "severity": "INFO", "line": 29, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{ids}", + "searchValue": "", + "expectedValue": "There shouldn't be ambiguous path", + "actualValue": "There is ambiguous path", + "issueType": "IncorrectValue", + "similarityID": "f0b3370dd0868ccd46244654f32988f1a84c0aa160a5156b82b84017fc480ae4", + "search_line": -1 }, { "queryName": "Path Is Ambiguous (v2)", "severity": "INFO", 
"line": 10, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}", + "searchValue": "", + "expectedValue": "There shouldn't be ambiguous path", + "actualValue": "There is ambiguous path", + "issueType": "IncorrectValue", + "similarityID": "b8871f4686df9e14491902a05214c7a867d9cdd98e92667dc8236f2533305411", + "search_line": -1 }, { "queryName": "Path Is Ambiguous (v2)", "severity": "INFO", "line": 21, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{ids}", + "searchValue": "", + "expectedValue": "There shouldn't be ambiguous path", + "actualValue": "There is ambiguous path", + "issueType": "IncorrectValue", + "similarityID": "aacfd8f553a483f9a4298e85dd9df22a57a3e9f6f7323f800643ef4f174e5f20", + "search_line": -1 }, { "queryName": "Path Is Ambiguous (v2)", "severity": "INFO", "line": 13, - "filename": "positive4.json" + "fileName": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}", + "searchValue": "", + "expectedValue": "There shouldn't be ambiguous path", + "actualValue": "There is ambiguous path", + "issueType": "IncorrectValue", + "similarityID": "133d13892b8bd0de894a7f0dfb1847d92155d0c0328d5f4182265e76dc62cf9b", + "search_line": -1 }, { "queryName": "Path Is Ambiguous (v2)", "severity": "INFO", "line": 31, - "filename": "positive4.json" + "fileName": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{ids}", + "searchValue": "", + "expectedValue": "There shouldn't be ambiguous path", + "actualValue": "There is ambiguous path", + "issueType": "IncorrectValue", + "similarityID": "4258b159263c459647ae0e4ecffcc9a7bdd50cf8e522ef08ff0a185106437220", + "search_line": -1 } ] 
diff --git a/assets/queries/openAPI/general/path_parameter_not_required/test/positive_expected_result.json b/assets/queries/openAPI/general/path_parameter_not_required/test/positive_expected_result.json index 624a401ce69..b028650ba32 100644 --- a/assets/queries/openAPI/general/path_parameter_not_required/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/path_parameter_not_required/test/positive_expected_result.json 
@@ -3,60 +3,150 @@ "queryName": "Path Parameter Not Required (v3)", "severity": "INFO", "line": 43, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", + "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'", + "issueType": "IncorrectValue", + "similarityID": "18f5421aea5a93da4fdf4e6c28134a640df7065b7a325148320878d6fa686d05", + "search_line": -1 }, { "queryName": "Path Parameter Not Required (v3)", "severity": "INFO", "line": 26, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", + "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'", + "issueType": "IncorrectValue", + "similarityID": "a801be006dbf59a609624528cb572603e65ba0ce0b0c1c169f10aa8126789b44", + "search_line": -1 }, { "queryName": "Path Parameter Not Required (v3)", "severity": "INFO", "line": 43, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", + "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'", + "issueType": "MissingAttribute", + "similarityID": "5565a18790d8bb57184917a4d6fa696f9c15cdd844e591ab30858b444389e99e", + "search_line": -1 }, { "queryName": "Path Parameter Not Required (v3)", "severity": "INFO", "line": 26, - "filename": "positive4.yaml" + "fileName": 
"positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", + "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'", + "issueType": "MissingAttribute", + "similarityID": "40539c65aad1ccbeb54080f534a4a9b9b470a64fedf5ddbe42a9b6a6e0dc6a8e", + "search_line": -1 }, { "queryName": "Path Parameter Not Required (v3)", "severity": "INFO", "line": 10, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", + "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'", + "issueType": "IncorrectValue", + "similarityID": "9e91875cc12f95f8de7acaa24e712d00d621dfc03524a69ce1d7457a5b94e8e6", + "search_line": 0 }, { "queryName": "Path Parameter Not Required (v3)", "severity": "INFO", - "line": 8, - "filename": "positive6.yaml" + "line": 19, + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.name={{nameAPI}}", + "searchValue": "", + "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", + "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'", + "issueType": "MissingAttribute", + "similarityID": "3c7bbfbb1a9f23f2edd74031256a2bc70facaf245c27cf2751fcf01c2be4388a", + "search_line": 0 }, { "queryName": "Path Parameter Not Required (v3)", "severity": "INFO", - "line": 19, - "filename": "positive5.json" + "line": 8, + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.name={{id}}", + 
"searchValue": "", + "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", + "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'", + "issueType": "IncorrectValue", + "similarityID": "e10fe13d2c2b14600714884ab8c4d5ff731a702d96fa4e3f79eb241d29703cf7", + "search_line": 0 }, { "queryName": "Path Parameter Not Required (v3)", "severity": "INFO", "line": 15, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.parameters.name={{nameAPI}}", + "searchValue": "", + "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", + "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'", + "issueType": "MissingAttribute", + "similarityID": "2fc365917b106447fee71d1db632b798f3fcb6687f6107ca1de4f356a67ef7f9", + "search_line": 0 }, { "queryName": "Path Parameter Not Required (v2)", "severity": "INFO", "line": 20, - "filename": "positive7.json" + "fileName": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", + "actualValue": "Path parameter does not have the field 'required' set to 'true' for location 'path'", + "issueType": "MissingAttribute", + "similarityID": "a93f62c5937f75657088cd5a8923dcd29ae9e582728cb6d25a92c54cdb1d9298", + "search_line": -1 }, { "queryName": "Path Parameter Not Required (v2)", "severity": "INFO", "line": 14, - "filename": "positive8.yaml" + "fileName": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "Path parameter should have the field 'required' set to 'true' for location 'path'", + "actualValue": "Path 
parameter does not have the field 'required' set to 'true' for location 'path'", + "issueType": "MissingAttribute", + "similarityID": "8d7b489651d9af89218e4665aedda0b69a99333f38561f2ab770dca13841f3a7", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/test/positive_expected_result.json b/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/test/positive_expected_result.json index f7549912a32..09c549df964 100644 --- a/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Path Parameter With No Corresponding Template Path (v3)", "severity": "INFO", "line": 37, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./yada/foo.get.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "Path parameter 'id' should have an template path parameter with the same name and 'in' set to 'path'", + "actualValue": "Path parameter 'id' does not have an template path parameter with the same name and 'in' set to 'path'", + "issueType": "IncorrectValue", + "similarityID": "e424d0052c1c8f403b9e37167ce17f7131cf8a673e16b16ddd48b1d20f3f3049", + "search_line": 37 }, { "queryName": "Path Parameter With No Corresponding Template Path (v3)", "severity": "INFO", "line": 59, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./.get.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "Path parameter 'id' should have an template path parameter with the same name and 'in' set to 'path'", + "actualValue": "Path parameter 'id' does not have an template path parameter with the same name and 'in' set to 'path'", + "issueType": "IncorrectValue", + "similarityID": "a1c1777de0c946ebbecbf727dd351be7738e67fce10a994360e9119aac14d6f8", + "search_line": 59 }, { "queryName": "Path Parameter With No Corresponding Template Path (v2)", "severity": "INFO", "line": 32, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./people/foo.get.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "Path parameter 'id' should have an template path parameter with the same name and 'in' set to 'path'", + "actualValue": "Path parameter 'id' does not have an template path parameter with the same name and 'in' set to 'path'", + "issueType": "IncorrectValue", + "similarityID": 
"2d3ec3ea3b649f19f2f98211e384b007f6453770b5d881bc7c7aab5cd2561cb1", + "search_line": 32 }, { "queryName": "Path Parameter With No Corresponding Template Path (v2)", "severity": "INFO", "line": 51, - "filename": "positive4.json" + "fileName": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./people/foo.get.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "Path parameter 'id' should have an template path parameter with the same name and 'in' set to 'path'", + "actualValue": "Path parameter 'id' does not have an template path parameter with the same name and 'in' set to 'path'", + "issueType": "IncorrectValue", + "similarityID": "4b7abbbd62e5707b30cddb393c6a2eb49e8ce3f875b336acf3c7991f5a38be72", + "search_line": 51 } ] diff --git a/assets/queries/openAPI/general/path_template_empty/test/positive_expected_result.json b/assets/queries/openAPI/general/path_template_empty/test/positive_expected_result.json index 020d02d1f96..021d91d8b1c 100644 --- a/assets/queries/openAPI/general/path_template_empty/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/path_template_empty/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Path Template is Empty (v3)", "severity": "INFO", "line": 32, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{}", + "searchValue": "", + "expectedValue": "The path template should not be empty", + "actualValue": "The path template is empty", + "issueType": "MissingAttribute", + "similarityID": "3ad63ff66214c8a6cf794b68102aaf20c817d0d2c39cbf827fdf1d9feb78455e", + "search_line": -1 }, { "queryName": "Path Template is Empty (v3)", "severity": "INFO", "line": 53, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{}", + "searchValue": "", + "expectedValue": "The path template should not be empty", + "actualValue": "The path template is empty", + "issueType": "MissingAttribute", + "similarityID": "f089ae9fbdf3e520a84213ff64d276ef6b6464ceb021beb07deba81781cca77a", + "search_line": -1 }, { "queryName": "Path Template is Empty (v2)", "severity": "INFO", "line": 10, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{}", + "searchValue": "", + "expectedValue": "The path template should not be empty", + "actualValue": "The path template is empty", + "issueType": "MissingAttribute", + "similarityID": "476eb3b1eba85fac90f0fe9448958dce1883b24f2311f99823ebe48c7d6d42e9", + "search_line": -1 }, { "queryName": "Path Template is Empty (v2)", "severity": "INFO", "line": 13, - "filename": "positive4.json" + "fileName": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{}", + "searchValue": "", + "expectedValue": "The path template should not be empty", + "actualValue": "The path template is empty", + "issueType": "MissingAttribute", + "similarityID": "e84d3a47f5ade0f1def8cc1edb4ca325340579b93445ee61f0b714c34e0ea6c7", + "search_line": -1 } ] 
diff --git a/assets/queries/openAPI/general/path_without_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/path_without_operation/test/positive_expected_result.json index a2b1f1bb729..dfe185f8f8f 100644 --- a/assets/queries/openAPI/general/path_without_operation/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/path_without_operation/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Path Without Operation (v3)", "severity": "INFO", "line": 8, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}", + "searchValue": "", + "expectedValue": "paths.{{/}} has at least one operation object defined", + "actualValue": "paths.{{/}} does not have at least one operation object defined", + "issueType": "MissingAttribute", + "similarityID": "be04fcc762f86e888693f23747519a08aee1b61e06253647932a016416bf19fe", + "search_line": -1 }, { "queryName": "Path Without Operation (v3)", "severity": "INFO", "line": 6, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}", + "searchValue": "", + "expectedValue": "paths.{{/}} has at least one operation object defined", + "actualValue": "paths.{{/}} does not have at least one operation object defined", + "issueType": "MissingAttribute", + "similarityID": "1eed1de4f53c89df128354afa14742120fc9dcc6ef3cd71df924493dce72e039", + "search_line": -1 }, { "queryName": "Path Without Operation (v2)", "severity": "INFO", "line": 8, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}", + "searchValue": "", + "expectedValue": "paths.{{/}} has at least one operation object defined", + "actualValue": "paths.{{/}} does not have at least one operation object defined", + "issueType": "MissingAttribute", + "similarityID": "56d88c7eeb052dcb005cc50fd9769d56ea50940958537ec407219c11718faa43", + "search_line": -1 }, { "queryName": "Path Without Operation (v2)", "severity": "INFO", "line": 6, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}", + "searchValue": "", + "expectedValue": "paths.{{/}} has at least one operation object defined", + "actualValue": "paths.{{/}} does not have at least 
one operation object defined", + "issueType": "MissingAttribute", + "similarityID": "52d4ccf53f1825fe4c1b3987613ea3c87724cc9f3c476dfe7b28f0c9b79930ac", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/general/paths_object_empty/test/positive_expected_result.json b/assets/queries/openAPI/general/paths_object_empty/test/positive_expected_result.json index 1e448ad9fca..ae8955a419a 100644 --- a/assets/queries/openAPI/general/paths_object_empty/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/paths_object_empty/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Paths Object is Empty (v3)", "severity": "INFO", "line": 7, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths", + "searchValue": "", + "expectedValue": "The Paths Object should should not be empty", + "actualValue": "The Paths Object is empty", + "issueType": "IncorrectValue", + "similarityID": "6144e22c2e1e23172f2c8017040353145c12c93fa1dd6e2f9d08bd816dd7cf9a", + "search_line": -1 }, { "queryName": "Paths Object is Empty (v2)", "severity": "INFO", "line": 7, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths", + "searchValue": "", + "expectedValue": "The Paths Object should should not be empty", + "actualValue": "The Paths Object is empty", + "issueType": "IncorrectValue", + "similarityID": "e7c8c80a91c8b11880652252f36063f19782e85773ca3f0da727c2d13918e7a7", + "search_line": -1 }, { "queryName": "Paths Object is Empty (v3)", "severity": "INFO", "line": 5, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths", + "searchValue": "", + "expectedValue": "The Paths Object should should not be empty", + "actualValue": "The Paths Object is empty", + "issueType": "IncorrectValue", + "similarityID": "1ba0999d02db7f55c947f8f68ea32a50ff853b5ab959a4b50f45005e533567fd", + "search_line": -1 }, { "queryName": "Paths Object is Empty (v2)", "severity": "INFO", "line": 5, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths", + "searchValue": "", + "expectedValue": "The Paths Object should should not be empty", + "actualValue": "The Paths Object is empty", + "issueType": "IncorrectValue", + "similarityID": "7a4c1b963cadde29a4c63b2bf4ddc1532a0e776df658725c39ff1658e611feca", + "search_line": -1 } ] 
diff --git a/assets/queries/openAPI/general/pattern_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/pattern_undefined/test/positive_expected_result.json index 7ac7f3a8171..22ba7069c62 100644 --- a/assets/queries/openAPI/general/pattern_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/pattern_undefined/test/positive_expected_result.json 
@@ -2,97 +2,241 @@ { "queryName": "Pattern Undefined (v3)", "severity": "MEDIUM", - "line": 63, - "filename": "positive1.json" + "line": 58, + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchValue": "", + "expectedValue": "'pattern' should be defined", + "actualValue": "'pattern' is undefined", + "issueType": "MissingAttribute", + "similarityID": "37ccc38e539f60e7583ab64d29362e82c90b29c18e2225b3d199791592f40934", + "search_line": 0 }, { "queryName": "Pattern Undefined (v3)", "severity": "MEDIUM", - "line": 58, - "filename": "positive1.json" + "line": 63, + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.message.type", + "searchValue": "", + "expectedValue": "'pattern' should be defined", + "actualValue": "'pattern' is undefined", + "issueType": "MissingAttribute", + "similarityID": "29ee3c43a913d3b18c54c08821c4c2eab8125958b716c00f23d6b5c4c7668dd3", + "search_line": 0 }, { "queryName": "Pattern Undefined (v3)", "severity": "MEDIUM", "line": 79, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "'pattern' should be defined", + "actualValue": "'pattern' is undefined", + "issueType": "MissingAttribute", + "similarityID": "7a5c8275e21c9e68a5592989f2d47d7b045ab4c86559764a887b48194b194588", + "search_line": 0 }, { "queryName": "Pattern Undefined (v3)", "severity": "MEDIUM", "line": 79, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": 
"'pattern' should be defined", + "actualValue": "'pattern' is undefined", + "issueType": "MissingAttribute", + "similarityID": "eecf8433ba032014306f644a85dae76bd8f7d1da6b9c549326617e7924484708", + "search_line": 0 }, { "queryName": "Pattern Undefined (v3)", "severity": "MEDIUM", "line": 27, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchValue": "", + "expectedValue": "'pattern' should be defined", + "actualValue": "'pattern' is undefined", + "issueType": "MissingAttribute", + "similarityID": "39c8b35feb8ed20d2fa660656d5cc66b45105ea381d4a24830d93b24864d08e8", + "search_line": 27 }, { "queryName": "Pattern Undefined (v3)", "severity": "MEDIUM", "line": 32, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type", + "searchValue": "", + "expectedValue": "'pattern' should be defined", + "actualValue": "'pattern' is undefined", + "issueType": "MissingAttribute", + "similarityID": "263ffea12aea4df437f03db581e764e021fa3151d5c6ee6588b26c2f0cdb62f1", + "search_line": 32 }, { "queryName": "Pattern Undefined (v3)", "severity": "MEDIUM", "line": 34, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code.type", + "searchValue": "", + "expectedValue": "'pattern' should be defined", + "actualValue": "'pattern' is undefined", + "issueType": "MissingAttribute", + "similarityID": "a35d6659e0b59a83a1219e73c60589fa5b77a3cde342001528ee96a9d6016c7a", + "search_line": 0 }, { "queryName": "Pattern Undefined (v3)", "severity": "MEDIUM", "line": 38, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": 
"", + "searchKey": "components.schemas.GeneralError.properties.message.type", + "searchValue": "", + "expectedValue": "'pattern' should be defined", + "actualValue": "'pattern' is undefined", + "issueType": "MissingAttribute", + "similarityID": "3e84c71c98ef3c3c911609cb444706fdfaf2b3a18f647df6f4f54294b078a2df", + "search_line": 0 }, { "queryName": "Pattern Undefined (v3)", "severity": "MEDIUM", "line": 49, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "'pattern' should be defined", + "actualValue": "'pattern' is undefined", + "issueType": "MissingAttribute", + "similarityID": "59c43fc507c3cc25a1945eaf40f3527ccf9306f7746b08bb390124613d8b273f", + "search_line": 0 }, { "queryName": "Pattern Undefined (v3)", "severity": "MEDIUM", "line": 49, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "'pattern' should be defined", + "actualValue": "'pattern' is undefined", + "issueType": "MissingAttribute", + "similarityID": "ebb3422181c5c0b114e3f0113fafb6595842862cdcb0f4f9d52da0ebafcb0dcf", + "search_line": 0 }, { "queryName": "Pattern Undefined (v3)", "severity": "MEDIUM", "line": 22, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.type", + "searchValue": "", + "expectedValue": "'pattern' should be defined", + "actualValue": "'pattern' is undefined", + "issueType": "MissingAttribute", + "similarityID": "06cf658d646de6ed09162b603a39759bc387c072b5fb57abbd5dd91f75dba22a", + 
"search_line": 22 }, { "queryName": "Pattern Undefined (v3)", "severity": "MEDIUM", "line": 26, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.message.type", + "searchValue": "", + "expectedValue": "'pattern' should be defined", + "actualValue": "'pattern' is undefined", + "issueType": "MissingAttribute", + "similarityID": "6a7d3f0ada86af6b10b65380502fff689429f972795d18c449a29f9a1947eb3b", + "search_line": 26 }, { "queryName": "Pattern Undefined (v2)", "severity": "MEDIUM", "line": 23, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": "'pattern' should be defined", + "actualValue": "'pattern' is undefined", + "issueType": "MissingAttribute", + "similarityID": "60817fcc4fe2f1818786d4cb54699acb4ead3085f99744e1707b18f5a13cec0c", + "search_line": 23 }, { "queryName": "Pattern Undefined (v2)", "severity": "MEDIUM", "line": 28, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", + "searchValue": "", + "expectedValue": "'pattern' should be defined", + "actualValue": "'pattern' is undefined", + "issueType": "MissingAttribute", + "similarityID": "6f53e2280a3bda395cb38e6d22d2e6092a9a64cdf05074329b20280bef929a40", + "search_line": 28 }, { "queryName": "Pattern Undefined (v2)", "severity": "MEDIUM", "line": 19, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.code.type", + "searchValue": "", + "expectedValue": "'pattern' should be defined", + "actualValue": "'pattern' is undefined", + "issueType": 
"MissingAttribute", + "similarityID": "251946cb25d887dc1c6d9e669e4f83cba98afbaa732247279d2efc06f96a4336", + "search_line": 19 }, { "queryName": "Pattern Undefined (v2)", "severity": "MEDIUM", "line": 23, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.type", + "searchValue": "", + "expectedValue": "'pattern' should be defined", + "actualValue": "'pattern' is undefined", + "issueType": "MissingAttribute", + "similarityID": "4b5f13ede65417d93ca1fe62eb9b42d69c871029b03624f055004f2ac6553080", + "search_line": 23 } ] diff --git a/assets/queries/openAPI/general/properties_missing_required_property/test/positive_expected_result.json b/assets/queries/openAPI/general/properties_missing_required_property/test/positive_expected_result.json index 0c00d106449..7faa06c2c23 100644 --- a/assets/queries/openAPI/general/properties_missing_required_property/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/properties_missing_required_property/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "Properties Missing Required Property (v3)", "severity": "INFO", "line": 56, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name", + "searchValue": "", + "expectedValue": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name should be defined", + "actualValue": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name is missing", + "issueType": "MissingAttribute", + "similarityID": "d8ab3ee03851198753d21c60bea649cdb033e685043522d4b9731183556eebfb", + "search_line": -1 }, { "queryName": "Properties Missing Required Property (v3)", "severity": "INFO", "line": 38, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name", + "searchValue": "", + "expectedValue": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name should be defined", + "actualValue": "components.requestBodies.NewItem.content.{{application/x-www-form-urlencoded}}.schema.properties.code.required.name is missing", + "issueType": "MissingAttribute", + "similarityID": "45dbb3e6819afa2b361a008efa438bef2ab853131d9c1a800f95e008df07959b", + "search_line": -1 }, { "queryName": "Properties Missing Required Property (v3)", "severity": "INFO", "line": 54, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.properties.code.required.name", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.schema.properties.code.required.name 
should be defined", + "actualValue": "paths.{{/}}.parameters.schema.properties.code.required.name is missing", + "issueType": "MissingAttribute", + "similarityID": "3156298b13727cbb4a9d57faf7ab47b3369d05e17dd0b4d469424365276d7a7e", + "search_line": -1 }, { "queryName": "Properties Missing Required Property (v3)", "severity": "INFO", "line": 37, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.properties.code.required.name", + "searchValue": "", + "expectedValue": "paths.{{/}}.parameters.schema.properties.code.required.name should be defined", + "actualValue": "paths.{{/}}.parameters.schema.properties.code.required.name is missing", + "issueType": "MissingAttribute", + "similarityID": "9dd1585cb770ea725ab4390ae09537c82dc5a632fc61cba6a97632aa6a492e96", + "search_line": -1 }, { "queryName": "Properties Missing Required Property (v2)", "severity": "INFO", "line": 27, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.MyObject.properties.code.required.name", + "searchValue": "", + "expectedValue": "definitions.MyObject.properties.code.required.name should be defined", + "actualValue": "definitions.MyObject.properties.code.required.name is missing", + "issueType": "MissingAttribute", + "similarityID": "edc31e6de5c437fff1ea967d2d82d22b80c6b8b9d6348f1219e7c0a9e39565ea", + "search_line": -1 }, { "queryName": "Properties Missing Required Property (v2)", "severity": "INFO", "line": 20, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.MyObject.properties.code.required.name", + "searchValue": "", + "expectedValue": "definitions.MyObject.properties.code.required.name should be defined", + "actualValue": "definitions.MyObject.properties.code.required.name is missing", + "issueType": "MissingAttribute", + 
"similarityID": "3f0069688c75e20085e285aa8d11abebf731c078df1698bf75fbb5ddbab8abc0", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/test/positive_expected_result.json b/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/test/positive_expected_result.json index 9bd4bcc59f3..26cb6216a1c 100644 --- a/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined/test/positive_expected_result.json 
@@ -2,49 +2,121 @@ { "queryName": "Property 'allowEmptyValue' Improperly Defined (v3)", "severity": "INFO", - "line": 59, - "filename": "positive1.json" + "line": 43, + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "issueType": "IncorrectValue", + "similarityID": "15cf86268233614cb3f6a23ed86f8d3eb4fc9523bb009fe81b13d23c013c39b0", + "search_line": -1 }, { "queryName": "Property 'allowEmptyValue' Improperly Defined (v3)", "severity": "INFO", - "line": 43, - "filename": "positive1.json" + "line": 59, + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users/{id}}}.get.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "issueType": "IncorrectValue", + "similarityID": "0bfdf42346d49e46422fff49f09a1bd0fbfcd59693800e552f32a62cfb9fa1ce", + "search_line": -1 }, { "queryName": "Property 'allowEmptyValue' Improperly Defined (v3)", "severity": "INFO", "line": 26, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "issueType": "IncorrectValue", + "similarityID": "d6863fdfe326f82cc44bc71befb516bbc7c9247a993d981ba5f361c8455109b8", + "search_line": -1 }, { "queryName": 
"Property 'allowEmptyValue' Improperly Defined (v3)", "severity": "INFO", "line": 37, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/users/{id}}}.get.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "issueType": "IncorrectValue", + "similarityID": "adbec3d934f30acfc20d716f004c54e71f209e47e3e002b7a0e1b0107aa75081", + "search_line": -1 }, { "queryName": "Property 'allowEmptyValue' Improperly Defined (v3)", "severity": "INFO", "line": 43, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "issueType": "IncorrectValue", + "similarityID": "faf41a336bb60a834aa14d62ab218999b91db71f9a3d2a29afbd833834b245e6", + "search_line": -1 }, { "queryName": "Property 'allowEmptyValue' Improperly Defined (v3)", "severity": "INFO", "line": 26, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{id}}", + "searchValue": "", + "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "issueType": "IncorrectValue", + "similarityID": "81040601ec96b1d2a3421a8e511f97f68e4079ed423737be9facedcf804ef5b5", + "search_line": -1 }, { "queryName": "Property 'allowEmptyValue' Improperly Defined (v2)", "severity": 
"INFO", "line": 20, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{metadata}}", + "searchValue": "", + "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "issueType": "IncorrectValue", + "similarityID": "317b387b02749800baff6d4558f46e47d90bedc9f01a959112354e2f3a726fae", + "search_line": -1 }, { "queryName": "Property 'allowEmptyValue' Improperly Defined (v2)", "severity": "INFO", "line": 15, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.name={{metadata}}", + "searchValue": "", + "expectedValue": "'parameters' should have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "actualValue": "'parameters' does not have 'in' set to 'query'/'formData' when 'allowEmptyValue' is set", + "issueType": "IncorrectValue", + "similarityID": "c9892b771c4b6c9159fd0650b29114d475209730022b0a2db78d03917f8cd69b", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/test/positive_expected_result.json b/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/test/positive_expected_result.json index 5b419b8ba0f..f99182d791b 100644 --- a/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum/test/positive_expected_result.json 
@@ -3,60 +3,150 @@ "queryName": "Property Defining Minimum Greater Than Maximum (v3)", "severity": "INFO", "line": 52, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code", + "searchValue": "", + "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'", + "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'", + "issueType": "IncorrectValue", + "similarityID": "0774bc074e27163f70d5461890ff58f6f258a9a08b7deeda74ac017854c8f686", + "search_line": 0 }, { "queryName": "Property Defining Minimum Greater Than Maximum (v3)", "severity": "INFO", "line": 71, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'", + "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'", + "issueType": "IncorrectValue", + "similarityID": "f07bbab747fc4e7517da97f0270c564ff73014a413c690a3229b3548c2c8d481", + "search_line": 0 }, { "queryName": "Property Defining Minimum Greater Than Maximum (v3)", "severity": "INFO", "line": 24, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code", + "searchValue": "", + "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'", + "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'", + "issueType": "IncorrectValue", + "similarityID": "26657f10f0a299d838426405b5e62732e748bb3d57c1b2845cf4f387eee6a820", + "search_line": -1 }, { "queryName": "Property Defining Minimum Greater Than Maximum (v3)", 
"severity": "INFO", "line": 33, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code", + "searchValue": "", + "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'", + "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'", + "issueType": "IncorrectValue", + "similarityID": "c580f709bcf9ae3bba305954f071109304610fb30cd4386d857792c62ec71464", + "search_line": 0 }, { "queryName": "Property Defining Minimum Greater Than Maximum (v3)", "severity": "INFO", "line": 47, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'", + "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'", + "issueType": "IncorrectValue", + "similarityID": "aeb6afd89c2caa8c9855a195a9f8d6cc8961f803df9216422ec8a2c33c5a4f28", + "search_line": 0 }, { "queryName": "Property Defining Minimum Greater Than Maximum (v3)", "severity": "INFO", "line": 21, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code", + "searchValue": "", + "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'", + "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'", + "issueType": "IncorrectValue", + "similarityID": "9a2f011aa5c6fdbf369ac6d224114c3572443fd65ff7bef1a9385d644a470d7a", + "search_line": -1 }, { "queryName": "Property Defining Minimum Greater Than Maximum (v3)", "severity": "INFO", "line": 33, - "filename": "positive5.yaml" + "fileName": 
"positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.code", + "searchValue": "", + "expectedValue": "String schema value should not have 'minLength' larger than 'maxLength'", + "actualValue": "String schema value has 'minLength' larger than 'maxLength'", + "issueType": "IncorrectValue", + "similarityID": "4719890c478b5d5c977c19e85ce8c6b393078920ee07bd065dff051df81c4253", + "search_line": 0 }, { "queryName": "Property Defining Minimum Greater Than Maximum (v3)", "severity": "INFO", "line": 50, - "filename": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError", + "searchValue": "", + "expectedValue": "String schema value should not have 'minLength' larger than 'maxLength'", + "actualValue": "String schema value has 'minLength' larger than 'maxLength'", + "issueType": "IncorrectValue", + "similarityID": "a1ef4bfb7ca308fc11688c658f7220f7c8d17fb4007750d6e089adc49a9d0f1f", + "search_line": 0 }, { "queryName": "Property Defining Minimum Greater Than Maximum (v3)", "severity": "INFO", "line": 32, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.GeneralError.properties.message", + "searchValue": "", + "expectedValue": "Array schema value should not have 'minItems' larger than 'maxItems'", + "actualValue": "Array schema value has 'minItems' larger than 'maxItems'", + "issueType": "IncorrectValue", + "similarityID": "2ed30bef3b2a88947c0088da48579726a401c72de4590c0c51d57ca1f2869f0a", + "search_line": -1 }, { "queryName": "Property Defining Minimum Greater Than Maximum (v2)", "severity": "INFO", "line": 25, - "filename": "positive7.json" + "fileName": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": 
"definitions.GeneralError.properties.code", + "searchValue": "", + "expectedValue": "Numeric schema value should not have 'minimum' larger than 'maximum'", + "actualValue": "Numeric schema value has 'minimum' larger than 'maximum'", + "issueType": "IncorrectValue", + "similarityID": "5486f82499b829aec11f46cbd7311508f202e1dc1b997e6c7e5db3839d906b7e", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/general/required_property_default_value/test/positive_expected_result.json b/assets/queries/openAPI/general/required_property_default_value/test/positive_expected_result.json index 8eca405487b..7a8efcdbd6f 100644 --- a/assets/queries/openAPI/general/required_property_default_value/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/required_property_default_value/test/positive_expected_result.json 
@@ -2,49 +2,121 @@ { "queryName": "Required Property With Default Value (v3)", "severity": "INFO", - "line": 30, - "filename": "positive1.json" + "line": 14, + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "Required properties should not have default defined", + "actualValue": "Required properties with default defined", + "issueType": "IncorrectValue", + "similarityID": "3f3541fca1f520a49fbfa2522a76d7b0e6957b4ce4742fa05e293b001c0e0019", + "search_line": 0 }, { "queryName": "Required Property With Default Value (v3)", "severity": "INFO", - "line": 14, - "filename": "positive1.json" + "line": 30, + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.properties.{{id}}.default", + "searchValue": "", + "expectedValue": "Required properties should not have default defined", + "actualValue": "Required properties with default defined", + "issueType": "IncorrectValue", + "similarityID": "b6c8672fcb8a3b10ea6b33992cb85d1f59b870170b8a68b08b86ae99b35f8efa", + "search_line": 0 }, { "queryName": "Required Property With Default Value (v3)", "severity": "INFO", "line": 25, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.{{id}}.default", + "searchValue": "", + "expectedValue": "Required properties should not have default defined", + "actualValue": "Required properties with default defined", + "issueType": "IncorrectValue", + "similarityID": "0441e4dbaa6a44b7528fa5b60d639b4fe0a85d5ab765fdca46d2d109d945ba70", + "search_line": -1 }, { "queryName": "Required Property With Default Value (v3)", "severity": "INFO", "line": 12, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": 
"", + "searchKey": "paths.{{/}}.get.responses.200.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "Required properties should not have default defined", + "actualValue": "Required properties with default defined", + "issueType": "IncorrectValue", + "similarityID": "59c5b59fa33d088118186a38d73507eeccc0e96e48fa687bdbe1b39a2cfbac71", + "search_line": 0 }, { "queryName": "Required Property With Default Value (v3)", "severity": "INFO", "line": 22, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.properties.{{id}}.default", + "searchValue": "", + "expectedValue": "Required properties should not have default defined", + "actualValue": "Required properties with default defined", + "issueType": "IncorrectValue", + "similarityID": "80dc0cc72ae3788a59e021efc888fa272ce691706f86e1e345490efb76ab562a", + "search_line": 0 }, { "queryName": "Required Property With Default Value (v3)", "severity": "INFO", "line": 23, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.{{id}}.default", + "searchValue": "", + "expectedValue": "Required properties should not have default defined", + "actualValue": "Required properties with default defined", + "issueType": "IncorrectValue", + "similarityID": "7e9d21c808ba5ddc5ab943492a60d6ad6a85555092348b95f80302f56b31d934", + "search_line": -1 }, { "queryName": "Required Property With Default Value (v2)", "severity": "INFO", "line": 23, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.post.parameters.schema.properties.{{id}}.default", + "searchValue": "", + "expectedValue": "Required properties should not have default defined", + "actualValue": "Required properties with default defined", + 
"issueType": "IncorrectValue", + "similarityID": "9f6127cf7eb45237a2f6ca489e3ca720a28264e3ce366690c5338fd4bcc3896a", + "search_line": -1 }, { "queryName": "Required Property With Default Value (v2)", "severity": "INFO", "line": 19, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.post.parameters.schema.properties.{{id}}.default", + "searchValue": "", + "expectedValue": "Required properties should not have default defined", + "actualValue": "Required properties with default defined", + "issueType": "IncorrectValue", + "similarityID": "046a0b3d3baeb441dc083485d77f9ca3d600989a8904dd2b98dcdf1942fbf19c", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json b/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json index fff2d20fb17..5e7e336fa6e 100644 --- a/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/response_code_missing/test/positive_expected_result.json 
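Review bot: The new `search_line` values in this fixture are inconsistent for findings of the same query: the `$ref` and `.default` entries for positive1.json and positive3.yaml pin `0`, while the otherwise equivalent `.default` entries for positive2.json, positive4.yaml, positive5.json and positive6.yaml pin `-1`. These numbers are whatever the scanner emitted at generation time, so the test will now fail on any change to how the search line is resolved without the fixture recording which value is actually correct; confirm the 0/-1 split is intended rather than an artefact of the generator. The same pattern appears in the response_operations_body_schema_undefined hunk (positive3.json and positive7.yaml at `0` against positive2.json and positive6.yaml at `-1`).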
@@ -3,156 +3,390 @@ "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 12, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "400 response", + "expectedValue": "400 response should be set", + "actualValue": "400 response is undefined", + "issueType": "MissingAttribute", + "similarityID": "3d947ddc82c467534b07dc1271d01735305a53eea2d61d1e0374ae89473e4b2c", + "search_line": 12 }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 12, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "404 response", + "expectedValue": "404 response should be set", + "actualValue": "404 response is undefined", + "issueType": "MissingAttribute", + "similarityID": "7760ef870634b477f453287417acc85dbd38c1dde43435b6f773d3f8c2811961", + "search_line": 12 }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 12, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "415 response", + "expectedValue": "415 response should be set", + "actualValue": "415 response is undefined", + "issueType": "MissingAttribute", + "similarityID": "b4ebc573ea59315b8ece320d7059bcc822b5922ac9d13f73aad1d1496872bfe9", + "search_line": 12 }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 12, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "429 response", + "expectedValue": "429 response should be set", + "actualValue": "429 response is undefined", + "issueType": "MissingAttribute", + "similarityID": 
"a4f58e1dbb1780ca8fd4bee77ba56aa02971817aa985a2817075d0e70eae2044", + "search_line": 12 }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 12, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "500 response", + "expectedValue": "500 response should be set", + "actualValue": "500 response is undefined", + "issueType": "MissingAttribute", + "similarityID": "49db436139be14209354b39e461ea5aeea4f8990702d568c2f72b60e366a247e", + "search_line": 12 }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 21, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{options}}.responses", + "searchValue": "200 response", + "expectedValue": "200 response should be set", + "actualValue": "200 response is undefined", + "issueType": "MissingAttribute", + "similarityID": "b9a0ee615e5262af7082c21f18436245f3348dee9b211b9f94ab313523fb5017", + "search_line": 21 }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 21, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{options}}.responses", + "searchValue": "400 response", + "expectedValue": "400 response should be set", + "actualValue": "400 response is undefined", + "issueType": "MissingAttribute", + "similarityID": "32c44222754d21d56dd4aa166752ed998e66b333965eeb0d1cdadeb5c8dff683", + "search_line": 21 }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 21, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{options}}.responses", + "searchValue": "429 response", + "expectedValue": "429 response should be set", + "actualValue": "429 response is undefined", + 
"issueType": "MissingAttribute", + "similarityID": "3e74a25c00ee94c6948b1b76ca6088d9af1b571bc595e550b2c27ae6094c9c01", + "search_line": 21 }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 21, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{options}}.responses", + "searchValue": "500 response", + "expectedValue": "500 response should be set", + "actualValue": "500 response is undefined", + "issueType": "MissingAttribute", + "similarityID": "15e72f53e6185365aae982a4c9298f27aebe28fe8e0d75465704612fa8cc264d", + "search_line": 21 }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 12, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "401 response", + "expectedValue": "401 response should be set when security field is defined", + "actualValue": "401 response is undefined when security field is defined", + "issueType": "MissingAttribute", + "similarityID": "cdee62c8236eff2762400691d50be58709e0baf86386f1c347bf68950dafd929", + "search_line": 12 }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 12, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "403 response", + "expectedValue": "403 response should be set when security field is defined", + "actualValue": "403 response is undefined when security field is defined", + "issueType": "MissingAttribute", + "similarityID": "5c0babea2b8d33e94b73026e00ecba29d6a46ec21d216d64e8be831410ff1b10", + "search_line": 12 }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 10, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": 
"paths.{{/item}}.{{put}}.responses", + "searchValue": "400 response", + "expectedValue": "400 response should be set", + "actualValue": "400 response is undefined", + "issueType": "MissingAttribute", + "similarityID": "10d0fe7cfe7b505d51f6589f997b559ca7587ce739df9baf4844e9781de49a28", + "search_line": 10 }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 10, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "404 response", + "expectedValue": "404 response should be set", + "actualValue": "404 response is undefined", + "issueType": "MissingAttribute", + "similarityID": "1632b15a8f306df71efe4344fc3feb696ac3c9ae512ee4f56be0b8c4ec034fa9", + "search_line": 10 }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 10, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "415 response", + "expectedValue": "415 response should be set", + "actualValue": "415 response is undefined", + "issueType": "MissingAttribute", + "similarityID": "5628350ea2a4c8f065382a4a5db90bc8c91adae03c07de9971d1dfc9df190cee", + "search_line": 10 }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 10, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "429 response", + "expectedValue": "429 response should be set", + "actualValue": "429 response is undefined", + "issueType": "MissingAttribute", + "similarityID": "41e7d8f82b77aac51f1ab37a1d00f31b9606485d3d8d65dc4931618f3a225372", + "search_line": 10 }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 10, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + 
"resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "500 response", + "expectedValue": "500 response should be set", + "actualValue": "500 response is undefined", + "issueType": "MissingAttribute", + "similarityID": "a20e3a4f9c23eeebba6a522c53d73a9e9e0291e468aa156d0fec45eb35224b1b", + "search_line": 10 }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 16, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{options}}.responses", + "searchValue": "200 response", + "expectedValue": "200 response should be set", + "actualValue": "200 response is undefined", + "issueType": "MissingAttribute", + "similarityID": "e0b1490186f49bca6f0d339a4c62184f1c8e85df7e21a9a4eef47861c134efe5", + "search_line": 16 }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 16, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{options}}.responses", + "searchValue": "400 response", + "expectedValue": "400 response should be set", + "actualValue": "400 response is undefined", + "issueType": "MissingAttribute", + "similarityID": "874353441cb5d8b0933fa63eac114fc920cf623dae5ea9187a4608fd7826f709", + "search_line": 16 }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 16, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{options}}.responses", + "searchValue": "429 response", + "expectedValue": "429 response should be set", + "actualValue": "429 response is undefined", + "issueType": "MissingAttribute", + "similarityID": "a44a974c03ef8756e8dbaebd63476d96009b53c29471e7823519082f1bd551f0", + "search_line": 16 }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 16, - "filename": "positive3.yaml" + "fileName": 
"positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{options}}.responses", + "searchValue": "500 response", + "expectedValue": "500 response should be set", + "actualValue": "500 response is undefined", + "issueType": "MissingAttribute", + "similarityID": "11ab84a320a6942365791bd414251aec15d3a404974ff779d1bba9baaefc1bf1", + "search_line": 16 }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 10, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "401 response", + "expectedValue": "401 response should be set when security field is defined", + "actualValue": "401 response is undefined when security field is defined", + "issueType": "MissingAttribute", + "similarityID": "d0af5ded5dab6c6e733f27c9d89cf9d16585432b9305dda4acc955919d41a651", + "search_line": 10 }, { "queryName": "Response Code Missing (v3)", "severity": "LOW", "line": 10, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "403 response", + "expectedValue": "403 response should be set when security field is defined", + "actualValue": "403 response is undefined when security field is defined", + "issueType": "MissingAttribute", + "similarityID": "cb3676925c564a64b31411336d02d30011e680de528083fc599992ae06ac4bba", + "search_line": 10 }, { "queryName": "Response Code Missing (v2)", "severity": "LOW", "line": 12, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "401 response", + "expectedValue": "401 response should be set when security field is defined", + "actualValue": "401 response is undefined when security field is defined", + "issueType": "MissingAttribute", + 
"similarityID": "b5379be7f8978020a598655bb50a4325770bb6619cf97e501da8edf2ca1dbdd6", + "search_line": 12 }, { "queryName": "Response Code Missing (v2)", "severity": "LOW", "line": 12, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "403 response", + "expectedValue": "403 response should be set when security field is defined", + "actualValue": "403 response is undefined when security field is defined", + "issueType": "MissingAttribute", + "similarityID": "0f01ba9d80ec758dcf1a883dc3792c8f9ad0290f2bdea0ce9307d227b365d740", + "search_line": 12 }, { "queryName": "Response Code Missing (v2)", "severity": "LOW", "line": 10, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "401 response", + "expectedValue": "401 response should be set when security field is defined", + "actualValue": "401 response is undefined when security field is defined", + "issueType": "MissingAttribute", + "similarityID": "46081cfb98ed492b6c4b6f6553592b7937448dab33442f31cbb3464e148e8fa8", + "search_line": 10 }, { "queryName": "Response Code Missing (v2)", "severity": "LOW", "line": 10, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.{{put}}.responses", + "searchValue": "403 response", + "expectedValue": "403 response should be set when security field is defined", + "actualValue": "403 response is undefined when security field is defined", + "issueType": "MissingAttribute", + "similarityID": "e8ed271a40d22d37e0bcdef788ee5d3abc4983a159d67cd716bce7386ee43025", + "search_line": 10 } -] \ No newline at end of file +] 
diff --git a/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/test/positive_expected_result.json b/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/test/positive_expected_result.json index a5b288523c3..90d00102777 100644 --- a/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "Response on operations that should not have a body has declared content (v3)", "severity": "LOW", "line": 29, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{delete}}.responses.{{204}}.content", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{delete}}.responses.{{204}}.content should not be defined", + "actualValue": "paths.{{/}}.{{delete}}.responses.{{204}}.content is defined", + "issueType": "IncorrectValue", + "similarityID": "3ee09c705cccd9184431b2e7c934e40c19a0ea755ceba90a024b1d8451c01ea8", + "search_line": 0 }, { "queryName": "Response on operations that should not have a body has declared content (v3)", "severity": "LOW", "line": 20, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.responses.{{200}}.content", + "searchValue": "", + "expectedValue": "paths.{{/}}.responses.{{200}}.content should not be defined", + "actualValue": "paths.{{/}}.responses.{{200}}.content is defined", + "issueType": "IncorrectValue", + "similarityID": "a5cdcd48ac6725caacb88174e7015fd50f2842d25d36ff52172d2daeb08a5248", + "search_line": 0 }, { "queryName": "Response on operations that should not have a body has declared content (v3)", "severity": "LOW", "line": 23, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{delete}}.responses.{{204}}.content", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{delete}}.responses.{{204}}.content should not be defined", + "actualValue": "paths.{{/}}.{{delete}}.responses.{{204}}.content is defined", + "issueType": "IncorrectValue", + "similarityID": "a86bb1c6e12f73b3eeed0671d40c97955a271f3e64001e8e5ed509597ddf6c5b", + "search_line": 0 }, { "queryName": "Response on operations that should not have a body has declared content (v3)", "severity": 
"LOW", "line": 17, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.responses.{{200}}.content", + "searchValue": "", + "expectedValue": "paths.{{/}}.responses.{{200}}.content should not be defined", + "actualValue": "paths.{{/}}.responses.{{200}}.content is defined", + "issueType": "IncorrectValue", + "similarityID": "abfb30c556aeabcee9d57fdcde5a23efc29ddb3d2be0fc4919580209d2dccd92", + "search_line": 0 }, { "queryName": "Response on operations that should not have a body has declared content (v2)", "severity": "LOW", "line": 13, - "filename": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.responses.{{200}}.schema", + "searchValue": "", + "expectedValue": "paths.{{/}}.responses.{{200}}.schema should not be defined", + "actualValue": "paths.{{/}}.responses.{{200}}.schema is defined", + "issueType": "IncorrectValue", + "similarityID": "ff9ac85677cdb2ceda70a4714042f58bd87d4d82633c07b44cd7a010bfa73291", + "search_line": -1 }, { "queryName": "Response on operations that should not have a body has declared content (v2)", "severity": "LOW", "line": 15, - "filename": "positive6.json" + "fileName": "positive6.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.responses.{{200}}.schema", + "searchValue": "", + "expectedValue": "paths.{{/}}.responses.{{200}}.schema should not be defined", + "actualValue": "paths.{{/}}.responses.{{200}}.schema is defined", + "issueType": "IncorrectValue", + "similarityID": "9355e86e3a5a30ed224158c60198e85d9005af429cc17be74dee1f2711ca5d45", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/response_operations_body_schema_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/response_operations_body_schema_undefined/test/positive_expected_result.json index 8f1c35ed02e..0fc8530d0c7 100644 
--- a/assets/queries/openAPI/general/response_operations_body_schema_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/response_operations_body_schema_undefined/test/positive_expected_result.json 
@@ -3,72 +3,180 @@ "queryName": "Response on operations that should have a body has undefined schema (v3)", "severity": "MEDIUM", "line": 18, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./.get.responses.200", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.content should be defined", + "actualValue": "paths./.get.responses.200.content is undefined", + "issueType": "MissingAttribute", + "similarityID": "689264129e2ab66dffd585b683c46d53f87773f0142354e9246f046831e66acc", + "search_line": -1 }, { "queryName": "Response on operations that should have a body has undefined schema (v3)", "severity": "MEDIUM", "line": 21, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema should be defined", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema is undefined", + "issueType": "MissingAttribute", + "similarityID": "987eb0bdd84de511c4279e085049bc6489f98290c7a845625d3b00b24a862c97", + "search_line": -1 }, { "queryName": "Response on operations that should have a body has undefined schema (v3)", "severity": "MEDIUM", "line": 21, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/pdf}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/pdf}}.schema should be defined", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/pdf}}.schema is undefined", + "issueType": "MissingAttribute", + "similarityID": "4cdfc4ad71fb4c2fc044ba7f4c077fd2f266780a7a9b845091690bd586222622", + "search_line": 0 
}, { "queryName": "Response on operations that should have a body has undefined schema (v3)", "severity": "MEDIUM", "line": 22, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema should be defined", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema is undefined", + "issueType": "MissingAttribute", + "similarityID": "b8744b16258e55e06836c94ffa4d00b40b49714e0ca74e2cf5f88e527c78533e", + "search_line": 0 }, { "queryName": "Response on operations that should have a body has undefined schema (v3)", "severity": "MEDIUM", "line": 20, - "filename": "positive4.json" + "fileName": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content should have at least one content-type defined", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content has no content-type defined", + "issueType": "MissingAttribute", + "similarityID": "e80f36367f914541d37ec20690b75b995fcce818b6f3d4989a013ed9b033983f", + "search_line": -1 }, { "queryName": "Response on operations that should have a body has undefined schema (v3)", "severity": "MEDIUM", "line": 15, - "filename": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./.get.responses.200", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.content should be defined", + "actualValue": "paths./.get.responses.200.content is undefined", + "issueType": "MissingAttribute", + "similarityID": "d10ee3f1809a541634efe1069e72c5f317d8ceced409540502d3beb21e2572dc", + "search_line": -1 }, { "queryName": "Response on operations that 
should have a body has undefined schema (v3)", "severity": "MEDIUM", "line": 18, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema should be defined", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema is undefined", + "issueType": "MissingAttribute", + "similarityID": "0226c51207ab7bfed5808ee380fc4bb81e57166f5b71ead2105d91a7cdbc61c1", + "search_line": -1 }, { "queryName": "Response on operations that should have a body has undefined schema (v3)", "severity": "MEDIUM", "line": 18, - "filename": "positive7.yaml" + "fileName": "positive7.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/pdf}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/pdf}}.schema should be defined", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/pdf}}.schema is undefined", + "issueType": "MissingAttribute", + "similarityID": "9ac7f78bc267e9ec0715756fba749ee1bbb149fe78c05c767cb2e352d433765f", + "search_line": 0 }, { "queryName": "Response on operations that should have a body has undefined schema (v3)", "severity": "MEDIUM", "line": 19, - "filename": "positive7.yaml" + "fileName": "positive7.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema should be defined", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content.{{application/json}}.schema is undefined", + "issueType": "MissingAttribute", + "similarityID": 
"f1c4c23c0c6775113096178390fed5a41908d22220fad4b498d6f06c04a1c6d3", + "search_line": 0 }, { "queryName": "Response on operations that should have a body has undefined schema (v3)", "severity": "MEDIUM", "line": 17, - "filename": "positive8.yaml" + "fileName": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{200}}.content", + "searchValue": "", + "expectedValue": "paths.{{/}}.{{get}}.responses.{{200}}.content should have at least one content-type defined", + "actualValue": "paths.{{/}}.{{get}}.responses.{{200}}.content has no content-type defined", + "issueType": "MissingAttribute", + "similarityID": "be62ff0d12c68910e15b8d1a0c27a0232632d0c9a3eabb46883eb2f9c9a6b5df", + "search_line": -1 }, { "queryName": "Response on operations that should have a body has undefined schema (v2)", "severity": "MEDIUM", "line": 18, - "filename": "positive9.json" + "fileName": "positive9.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./.get.responses.200", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.schema should be defined", + "actualValue": "paths./.get.responses.200.schema is undefined", + "issueType": "MissingAttribute", + "similarityID": "24978cac01bb7724563f8b192a9d1da471de213371e7ed165a358465e28a4e82", + "search_line": -1 }, { "queryName": "Response on operations that should have a body has undefined schema (v2)", "severity": "MEDIUM", "line": 15, - "filename": "positive10.yaml" + "fileName": "positive10.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./.get.responses.200", + "searchValue": "", + "expectedValue": "paths./.get.responses.200.schema should be defined", + "actualValue": "paths./.get.responses.200.schema is undefined", + "issueType": "MissingAttribute", + "similarityID": "f452ffdfa0eafca01d0bcf5788a4cc93e6c04c9192d4ad72255ac25ea30210fb", + "search_line": -1 } ] 
diff --git a/assets/queries/openAPI/general/responses_object_is_empty/test/positive_expected_result.json b/assets/queries/openAPI/general/responses_object_is_empty/test/positive_expected_result.json index bdae2a7033f..aef7c45f271 100644 --- a/assets/queries/openAPI/general/responses_object_is_empty/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/responses_object_is_empty/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "Responses Object Is Empty (v3)", "severity": "INFO", "line": 12, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses", + "searchValue": "", + "expectedValue": "'responses' should not be empty", + "actualValue": "'responses' is empty", + "issueType": "IncorrectValue", + "similarityID": "bcbe1ec3785598a2ff24e9f01bfb77f9efb107200f054d888eeb52aac7008efc", + "search_line": -1 }, { "queryName": "Responses Object Is Empty (v3)", "severity": "INFO", "line": 21, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses", + "searchValue": "", + "expectedValue": "'responses' should not be empty", + "actualValue": "'responses' is empty", + "issueType": "IncorrectValue", + "similarityID": "320169df9f69fa430678b5b19ea0b335358d678fcec257f6af36475adddcdf19", + "search_line": -1 }, { "queryName": "Responses Object Is Empty (v3)", "severity": "INFO", "line": 10, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses", + "searchValue": "", + "expectedValue": "'responses' should not be empty", + "actualValue": "'responses' is empty", + "issueType": "IncorrectValue", + "similarityID": "e11cad42c2d7c6595af1d453bbbcbc559efab31bbb4d192d02ec208525e6ea8d", + "search_line": -1 }, { "queryName": "Responses Object Is Empty (v3)", "severity": "INFO", "line": 14, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.responses", + "searchValue": "", + "expectedValue": "'responses' should not be empty", + "actualValue": "'responses' is empty", + "issueType": "IncorrectValue", + "similarityID": "f36616a1ba1d2b74c605d6f3b7a80b081f047e31265cc7a7f98bbcb8ba84fd57", + "search_line": -1 }, { "queryName": "Responses Object 
Is Empty (v2)", "severity": "INFO", "line": 12, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses", + "searchValue": "", + "expectedValue": "'responses' should not be empty", + "actualValue": "'responses' is empty", + "issueType": "IncorrectValue", + "similarityID": "5d721f099a70da4104329c99ca6c2dbd5b1444c19b7cd35e5bba88b3db1bd4ae", + "search_line": -1 }, { "queryName": "Responses Object Is Empty (v2)", "severity": "INFO", "line": 10, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses", + "searchValue": "", + "expectedValue": "'responses' should not be empty", + "actualValue": "'responses' is empty", + "issueType": "IncorrectValue", + "similarityID": "12ced33abf13b283abbd26f6eedaa77b102730e349e004d67720d3b4301fbd01", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/general/responses_wrong_http_status_code/test/positive_expected_result.json b/assets/queries/openAPI/general/responses_wrong_http_status_code/test/positive_expected_result.json index e80d64f6c04..c0fd35e4bd5 100644 --- a/assets/queries/openAPI/general/responses_wrong_http_status_code/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/responses_wrong_http_status_code/test/positive_expected_result.json 
@@ -3,48 +3,120 @@ "queryName": "Responses With Wrong HTTP Status Code (v3)", "severity": "INFO", "line": 13, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{50}}", + "searchValue": "", + "expectedValue": "HTTP responses status codes should be in range of [200-599]", + "actualValue": "HTTP responses status codes are not in range of [200-599]", + "issueType": "IncorrectValue", + "similarityID": "e9afadde017590cbbc90148df8cc56efb47f9d932f32839ce9106f5f883c86f2", + "search_line": -1 }, { "queryName": "Responses With Wrong HTTP Status Code (v3)", "severity": "INFO", "line": 39, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{6xx}}", + "searchValue": "", + "expectedValue": "HTTP responses status codes should be in range of [200-599]", + "actualValue": "HTTP responses status codes are not in range of [200-599]", + "issueType": "IncorrectValue", + "similarityID": "f8a0dd40c1cdac2cc8f73bb4d01338d2e03025a1510064e9911dfefb77ae629d", + "search_line": -1 }, { "queryName": "Responses With Wrong HTTP Status Code (v3)", "severity": "INFO", "line": 11, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{50}}", + "searchValue": "", + "expectedValue": "HTTP responses status codes should be in range of [200-599]", + "actualValue": "HTTP responses status codes are not in range of [200-599]", + "issueType": "IncorrectValue", + "similarityID": "6e52bb4bdf71c4802cca3568b41f39c7d9b3416973be857d2b83c3872690b208", + "search_line": -1 }, { "queryName": "Responses With Wrong HTTP Status Code (v3)", "severity": "INFO", "line": 25, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": 
"paths.{{/}}.{{get}}.responses.{{6xx}}", + "searchValue": "", + "expectedValue": "HTTP responses status codes should be in range of [200-599]", + "actualValue": "HTTP responses status codes are not in range of [200-599]", + "issueType": "IncorrectValue", + "similarityID": "42cdb6f90fc381c7786a8357434eb1f1baa68fbbd03d7df22f022043ddd250bb", + "search_line": -1 }, { "queryName": "Responses With Wrong HTTP Status Code (v2)", "severity": "INFO", "line": 13, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{50}}", + "searchValue": "", + "expectedValue": "HTTP responses status codes should be in range of [200-599]", + "actualValue": "HTTP responses status codes are not in range of [200-599]", + "issueType": "IncorrectValue", + "similarityID": "46df87ab1eb2c4fd893af5f4a0fdcb1029e8d368298c404a762a81a16b73b894", + "search_line": -1 }, { "queryName": "Responses With Wrong HTTP Status Code (v2)", "severity": "INFO", "line": 39, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{6xx}}", + "searchValue": "", + "expectedValue": "HTTP responses status codes should be in range of [200-599]", + "actualValue": "HTTP responses status codes are not in range of [200-599]", + "issueType": "IncorrectValue", + "similarityID": "a2b0bf9341cbdc6477bcd2303893df486ef93dce1831922479d43627d278aa57", + "search_line": -1 }, { "queryName": "Responses With Wrong HTTP Status Code (v2)", "severity": "INFO", "line": 11, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{50}}", + "searchValue": "", + "expectedValue": "HTTP responses status codes should be in range of [200-599]", + "actualValue": "HTTP responses status codes are not in range of [200-599]", + "issueType": "IncorrectValue", + 
"similarityID": "07ffc4f588fa42887962f1550ab98d2ad01934f560124f40efd5b1c36d76cdda", + "search_line": -1 }, { "queryName": "Responses With Wrong HTTP Status Code (v2)", "severity": "INFO", "line": 25, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.{{get}}.responses.{{6xx}}", + "searchValue": "", + "expectedValue": "HTTP responses status codes should be in range of [200-599]", + "actualValue": "HTTP responses status codes are not in range of [200-599]", + "issueType": "IncorrectValue", + "similarityID": "fa7a5a6d7610cda562372369044f03e1a441406bc4f814673b4b94a72e7cd3e1", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/test/positive_expected_result.json index 9a7428a8c86..b7eee2869b4 100644 --- a/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties/test/positive_expected_result.json 
@@ -3,48 +3,120 @@ "queryName": "Schema Discriminator Mismatch Defined Properties (v3)", "severity": "INFO", "line": 53, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName should be set in 'properties'", + "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not set in 'properties'", + "issueType": "IncorrectValue", + "similarityID": "97da3ee820c058adbffee5e1cf9500bb243f48ad8e583685313b7f27a16c2c8b", + "search_line": -1 }, { "queryName": "Schema Discriminator Mismatch Defined Properties (v3)", "severity": "INFO", "line": 25, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) should be set in 'properties'", + "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not set in 'properties'", + "issueType": "IncorrectValue", + "similarityID": "00be89997feadcaf58bf13934aa8594457873bbcd44b84cf13139047705d6be6", + "search_line": -1 }, { "queryName": "Schema Discriminator Mismatch Defined Properties (v3)", "severity": "INFO", "line": 32, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName should be set in 'properties'", + "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not set 
in 'properties'", + "issueType": "IncorrectValue", + "similarityID": "d8b0cf0736f9ff52cd97303ef013fbf0f740ed261183488d0f106480030a7ea6", + "search_line": -1 }, { "queryName": "Schema Discriminator Mismatch Defined Properties (v3)", "severity": "INFO", "line": 18, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) should be set in 'properties'", + "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not set in 'properties'", + "issueType": "IncorrectValue", + "similarityID": "f92aa24485936c83167edcdefd280b43ae18472d741c0ded06ba1ad11337c7d7", + "search_line": -1 }, { "queryName": "Schema Discriminator Mismatch Defined Properties (v2)", "severity": "INFO", "line": 28, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{GeneralError}}.discriminator", + "searchValue": "", + "expectedValue": "definitions.{{GeneralError}}.discriminator should be set in 'properties'", + "actualValue": "definitions.{{GeneralError}}.discriminator is not set in 'properties'", + "issueType": "IncorrectValue", + "similarityID": "b03b2e2103b9811c5ae9a73152af625dbe06509f79bd4040a8a46b7b76e284c5", + "search_line": -1 }, { "queryName": "Schema Discriminator Mismatch Defined Properties (v2)", "severity": "INFO", "line": 16, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{GeneralError}}.discriminator", + "searchValue": "", + "expectedValue": "definitions.{{GeneralError}}.discriminator should be set in 'properties'", + "actualValue": 
"definitions.{{GeneralError}}.discriminator is not set in 'properties'", + "issueType": "IncorrectValue", + "similarityID": "69482ec3a273adaf84f4f321aab81ddbf2e88572d95f52790639ad40ce2b0024", + "search_line": -1 }, { "queryName": "Schema Discriminator Mismatch Defined Properties (v2)", "severity": "INFO", "line": 25, - "filename": "positive7.json" + "fileName": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.discriminator", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) should be set in 'properties'", + "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not set in 'properties'", + "issueType": "IncorrectValue", + "similarityID": "0cd625e009d73080e4818191a9e903ede8fde38fb8527a51b9af945d3f4632d2", + "search_line": -1 }, { "queryName": "Schema Discriminator Mismatch Defined Properties (v2)", "severity": "INFO", "line": 15, - "filename": "positive8.yaml" + "fileName": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.discriminator", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) should be set in 'properties'", + "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not set in 'properties'", + "issueType": "IncorrectValue", + "similarityID": "b852940cc920c164196fe4f052232ade42f225d09d74e706fd6f4b62c031d6b2", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/general/schema_discriminator_not_required/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_discriminator_not_required/test/positive_expected_result.json index f486155aa9a..b950d48749c 100644 --- a/assets/queries/openAPI/general/schema_discriminator_not_required/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_discriminator_not_required/test/positive_expected_result.json 
@@ -3,48 +3,120 @@ "queryName": "Schema Discriminator Not Required (v3)", "severity": "INFO", "line": 53, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is a required property", + "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not a required property", + "issueType": "IncorrectValue", + "similarityID": "a75cedf72d8890f43dcd0a10de7a4c15b7de6e842f723c12ea21b82d11267b50", + "search_line": -1 }, { "queryName": "Schema Discriminator Not Required (v3)", "severity": "INFO", "line": 25, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is a required property", + "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not a required property", + "issueType": "IncorrectValue", + "similarityID": "8d814d903243c1c004c67ff0cea60ad4eaed71d6e7a884fcda69b7f8b23ae8b2", + "search_line": -1 }, { "queryName": "Schema Discriminator Not Required (v3)", "severity": "INFO", "line": 32, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is a required property", + "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not a required property", + "issueType": "IncorrectValue", + 
"similarityID": "aeb63f5d03e4929a51631ccbc942c0d903576ffc829a67b92d9c735264b0e8ed", + "search_line": -1 }, { "queryName": "Schema Discriminator Not Required (v3)", "severity": "INFO", "line": 18, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is a required property", + "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not a required property", + "issueType": "IncorrectValue", + "similarityID": "ee6bd9895865de80f599944852534414bea71fd6e410ec94df333ab601de22ea", + "search_line": -1 }, { "queryName": "Schema Discriminator Not Required (v2)", "severity": "INFO", "line": 35, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{GeneralError}}.discriminator", + "searchValue": "", + "expectedValue": "definitions.{{GeneralError}}.discriminator is a required property", + "actualValue": "definitions.{{GeneralError}}.discriminator is not a required property", + "issueType": "IncorrectValue", + "similarityID": "b9dbad5ed11f4373da8a145349a58b85f4038d6ad217748d90d3d74bcc866fab", + "search_line": -1 }, { "queryName": "Schema Discriminator Not Required (v2)", "severity": "INFO", "line": 16, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{GeneralError}}.discriminator", + "searchValue": "", + "expectedValue": "definitions.{{GeneralError}}.discriminator is a required property", + "actualValue": "definitions.{{GeneralError}}.discriminator is not a required property", + "issueType": "IncorrectValue", + "similarityID": 
"8dfc3d69976cbe1049b6d577e84b0fba12e48d3eaadd23d49534ae6121ef76b2", + "search_line": -1 }, { "queryName": "Schema Discriminator Not Required (v2)", "severity": "INFO", "line": 16, - "filename": "positive7.json" + "fileName": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.discriminator", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is a required property", + "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not a required property", + "issueType": "IncorrectValue", + "similarityID": "fb850ab470257e0525a9e7098c1876358be4f5bc2edbc4dd8057c97d233f415f", + "search_line": -1 }, { "queryName": "Schema Discriminator Not Required (v2)", "severity": "INFO", "line": 15, - "filename": "positive8.yaml" + "fileName": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.discriminator", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is a required property", + "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not a required property", + "issueType": "IncorrectValue", + "similarityID": "b96f23af0b3588c6667c26f32dde495001c91afb9c1e22962052e2e0ed7f67bc", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/general/schema_discriminator_property_not_string/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_discriminator_property_not_string/test/positive_expected_result.json index c74b919f275..673ae79e6b0 100644 --- a/assets/queries/openAPI/general/schema_discriminator_property_not_string/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_discriminator_property_not_string/test/positive_expected_result.json 
@@ -3,48 +3,120 @@ "queryName": "Schema Discriminator Property Not String (v3)", "severity": "INFO", "line": 53, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName should be set to string", + "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not set to string", + "issueType": "IncorrectValue", + "similarityID": "2770e35dfbab026bc6a6d8456bff86180662b904a93b8719df72f8af600f0957", + "search_line": -1 }, { "queryName": "Schema Discriminator Property Not String (v3)", "severity": "INFO", "line": 25, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) should be set to string", + "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not set to string", + "issueType": "IncorrectValue", + "similarityID": "5bafd8e4b1e558808a3dac3b5e4054f044ca8a8b0cce92e0b32b586277f4d35f", + "search_line": -1 }, { "queryName": "Schema Discriminator Property Not String (v3)", "severity": "INFO", "line": 32, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{GeneralError}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "components.schemas.{{GeneralError}}.discriminator.propertyName should be set to string", + "actualValue": "components.schemas.{{GeneralError}}.discriminator.propertyName is not set to string", + "issueType": "IncorrectValue", + 
"similarityID": "08e08106b44bf253f9d12cd960abe267d296ddc2129ac064e9b92f77284cfac0", + "search_line": -1 }, { "queryName": "Schema Discriminator Property Not String (v3)", "severity": "INFO", "line": 18, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.discriminator.propertyName", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) should be set to string", + "actualValue": "paths.{{/}}.get.responses.200.content.{{application/json}}.{{discriminator.propertyName}}.%!s(MISSING) is not set to string", + "issueType": "IncorrectValue", + "similarityID": "c4073da3f17b3b57e317c609275e2462e37fde7ba4001d095e65c76521457cce", + "search_line": -1 }, { "queryName": "Schema Discriminator Property Not String (v2)", "severity": "INFO", "line": 28, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{GeneralError}}.discriminator", + "searchValue": "", + "expectedValue": "definitions.{{GeneralError}}.discriminator should be set to string", + "actualValue": "definitions.{{GeneralError}}.discriminator is not set to string", + "issueType": "IncorrectValue", + "similarityID": "1c4186d3403c2a3c0621318a89084a58ce0e3e312db5c6ec20e1f883088111a4", + "search_line": -1 }, { "queryName": "Schema Discriminator Property Not String (v2)", "severity": "INFO", "line": 16, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{GeneralError}}.discriminator", + "searchValue": "", + "expectedValue": "definitions.{{GeneralError}}.discriminator should be set to string", + "actualValue": "definitions.{{GeneralError}}.discriminator is not set to string", + "issueType": "IncorrectValue", + "similarityID": 
"3950f87b0d165ae0ab9494c6f2cee67008956314975d2372e2feb256796cc29c", + "search_line": -1 }, { "queryName": "Schema Discriminator Property Not String (v2)", "severity": "INFO", "line": 22, - "filename": "positive7.json" + "fileName": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.discriminator", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) should be set to string", + "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not set to string", + "issueType": "IncorrectValue", + "similarityID": "36386fbd87d837a002e967486509dc865951c40020720d06df405173096f8f26", + "search_line": -1 }, { "queryName": "Schema Discriminator Property Not String (v2)", "severity": "INFO", "line": 15, - "filename": "positive8.yaml" + "fileName": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.discriminator", + "searchValue": "", + "expectedValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) should be set to string", + "actualValue": "paths.{{/}}.get.responses.200.{{discriminator}}.%!s(MISSING) is not set to string", + "issueType": "IncorrectValue", + "similarityID": "e8d0f48b93ef93fa57868112fb29c1dfb034cedb4c71b6bdfef57d1039304860", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/general/schema_enum_invalid/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_enum_invalid/test/positive_expected_result.json index 4a384929bae..73101be5fe5 100644 --- a/assets/queries/openAPI/general/schema_enum_invalid/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_enum_invalid/test/positive_expected_result.json 
@@ -3,48 +3,120 @@ "queryName": "Schema Enum Invalid (v3)", "severity": "INFO", "line": 20, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.201.content.{{text/html}}.schema.enum", + "searchValue": "", + "expectedValue": "The field 'enum' should be consistent with the schema's type", + "actualValue": "The field 'enum' is not consistent with the schema's type", + "issueType": "IncorrectValue", + "similarityID": "cd71c95703b1be6786d43fe56dbce6634e41c7051eab3e62509bf0b72c4d16b9", + "search_line": 20 }, { "queryName": "Schema Enum Invalid (v3)", "severity": "INFO", "line": 20, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.201.content.{{text/html}}.schema.enum", + "searchValue": "", + "expectedValue": "The field 'enum' should be consistent with the schema's type", + "actualValue": "The field 'enum' is not consistent with the schema's type", + "issueType": "IncorrectValue", + "similarityID": "8e1340e6c8c13e7b4ae61d4c554db0aa23d4c84c3b31920546a16b2341b9d0a0", + "search_line": 20 }, { "queryName": "Schema Enum Invalid (v3)", "severity": "INFO", "line": 18, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.201.content.{{text/html}}.schema.enum", + "searchValue": "", + "expectedValue": "The field 'enum' should be consistent with the schema's type", + "actualValue": "The field 'enum' is not consistent with the schema's type", + "issueType": "IncorrectValue", + "similarityID": "e82d31b8f42ea9aae0e33a52ed2653729217a951ebd9b16efc683c892d624cc4", + "search_line": 18 }, { "queryName": "Schema Enum Invalid (v3)", "severity": "INFO", "line": 18, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": 
"paths.{{/}}.get.responses.201.content.{{text/html}}.schema.enum", + "searchValue": "", + "expectedValue": "The field 'enum' should be consistent with the schema's type", + "actualValue": "The field 'enum' is not consistent with the schema's type", + "issueType": "IncorrectValue", + "similarityID": "c75210ca0f423c0d4eb3d3e15639cb09e581cab2a31e0c5a227006682f9ede23", + "search_line": 18 }, { "queryName": "Schema Enum Invalid (v2)", "severity": "INFO", - "line": 50, - "filename": "positive5.json" + "line": 14, + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.$ref=#/definitions/User", + "searchValue": "", + "expectedValue": "The field 'enum' should be consistent with the schema's type", + "actualValue": "The field 'enum' is not consistent with the schema's type", + "issueType": "IncorrectValue", + "similarityID": "5346b84d1b3b5f46f79d5b074fa0b623c2d5d49249f42fc9e3ccfdfa4b6f9dad", + "search_line": 0 }, { "queryName": "Schema Enum Invalid (v2)", "severity": "INFO", - "line": 35, - "filename": "positive6.yaml" + "line": 50, + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.User.properties.name.enum", + "searchValue": "", + "expectedValue": "The field 'enum' should be consistent with the schema's type", + "actualValue": "The field 'enum' is not consistent with the schema's type", + "issueType": "IncorrectValue", + "similarityID": "a9fd8f1fd68a9e62aa01d8b6406ddcfbc409a577e347df64cc1265e992a22de8", + "search_line": 0 }, { "queryName": "Schema Enum Invalid (v2)", "severity": "INFO", - "line": 14, - "filename": "positive5.json" + "line": 12, + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.$ref=#/definitions/User", + "searchValue": "", + "expectedValue": "The field 'enum' should be consistent with the schema's type", + "actualValue": "The field 'enum' is not consistent with the 
schema's type", + "issueType": "IncorrectValue", + "similarityID": "da78df03bd162393b7c3ebbf87e4308532fefefb2cc13c4bcdacba5e9e67ced4", + "search_line": 0 }, { "queryName": "Schema Enum Invalid (v2)", "severity": "INFO", - "line": 12, - "filename": "positive6.yaml" + "line": 35, + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.User.properties.name.enum", + "searchValue": "", + "expectedValue": "The field 'enum' should be consistent with the schema's type", + "actualValue": "The field 'enum' is not consistent with the schema's type", + "issueType": "IncorrectValue", + "similarityID": "6b60c858da4c536b15cade340ad7781308ef2337698286fa7c28af205c56b6a7", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/general/schema_object_empty/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_object_empty/test/positive_expected_result.json index 28f8a049e58..c236105ee07 100644 --- a/assets/queries/openAPI/general/schema_object_empty/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_object_empty/test/positive_expected_result.json 
@@ -3,48 +3,120 @@ "queryName": "Schema Object is Empty (v3)", "severity": "MEDIUM", "line": 50, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{GeneralError}}", + "searchValue": "", + "expectedValue": "The Schema Object should not be empty", + "actualValue": "The Schema Object is empty", + "issueType": "IncorrectValue", + "similarityID": "7b8839982dae47c7f5e02c970e7aa0f87fc1995f4fd30f4eed2c864f18269c83", + "search_line": -1 }, { "queryName": "Schema Object is Empty (v3)", "severity": "MEDIUM", "line": 22, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", + "searchValue": "", + "expectedValue": "The Schema Object should not be empty", + "actualValue": "The Schema Object is empty", + "issueType": "IncorrectValue", + "similarityID": "c4b70c3f1a16f09b9781e02166865f9ef34977be22f054fe1305ad7e2a246b3c", + "search_line": -1 }, { "queryName": "Schema Object is Empty (v3)", "severity": "MEDIUM", "line": 27, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.{{GeneralError}}", + "searchValue": "", + "expectedValue": "The Schema Object should not be empty", + "actualValue": "The Schema Object is empty", + "issueType": "IncorrectValue", + "similarityID": "63683e360ec22afed9bb5ac5c09701af3194aa8cb7cfebaef4946e9c5ddf84c2", + "search_line": -1 }, { "queryName": "Schema Object is Empty (v3)", "severity": "MEDIUM", "line": 15, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", + "searchValue": "", + "expectedValue": "The Schema Object should not be empty", + "actualValue": "The Schema Object is empty", + "issueType": 
"IncorrectValue", + "similarityID": "685ff8d5979172a46c84813c26554382219151857a601a56d65c5ae412d771b4", + "search_line": -1 }, { "queryName": "Schema Object is Empty (v2)", "severity": "MEDIUM", "line": 20, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema", + "searchValue": "", + "expectedValue": "The Schema Object should not be empty", + "actualValue": "The Schema Object is empty", + "issueType": "IncorrectValue", + "similarityID": "56a0fe46b3a479a89b498215ffffd3272fcb4d74dcf206c87cffa4b8892088b3", + "search_line": -1 }, { "queryName": "Schema Object is Empty (v2)", "severity": "MEDIUM", - "line": 26, - "filename": "positive7.json" + "line": 13, + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema", + "searchValue": "", + "expectedValue": "The Schema Object should not be empty", + "actualValue": "The Schema Object is empty", + "issueType": "IncorrectValue", + "similarityID": "04fd052dfcdf632fe8fbbf216664f6fe6096c347ed9806551ae64e64e5ac75fc", + "search_line": -1 }, { "queryName": "Schema Object is Empty (v2)", "severity": "MEDIUM", - "line": 13, - "filename": "positive6.yaml" + "line": 26, + "fileName": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{GeneralError}}", + "searchValue": "", + "expectedValue": "The Schema Object should not be empty", + "actualValue": "The Schema Object is empty", + "issueType": "IncorrectValue", + "similarityID": "08c729c69dedb072e79d10831656eaf943c63f5c7b1d07155f0077e4ad149d64", + "search_line": -1 }, { "queryName": "Schema Object is Empty (v2)", "severity": "MEDIUM", "line": 14, - "filename": "positive8.yaml" + "fileName": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.{{GeneralError}}", + "searchValue": "", + "expectedValue": "The Schema Object should not be 
empty", + "actualValue": "The Schema Object is empty", + "issueType": "IncorrectValue", + "similarityID": "bd305321b724c2beda0d9dd276b40363d63f89989071a413080c4a3978ef2291", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/test/positive_expected_result.json index b651764ca9b..9dcc7d3a75a 100644 --- a/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys/test/positive_expected_result.json 
@@ -3,108 +3,270 @@ "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", "line": 19, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.ErrorModel.code", + "searchValue": "", + "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue", + "similarityID": "cb1d59cf149f8c43299ac70a64eaf0d5e1102f6eeece6ba373a61e27323e6d19", + "search_line": 0 }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", "line": 38, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.ErrorModel.allOf.code", + "searchValue": "", + "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue", + "similarityID": "03163f915ee8428ae2f18e8e09c80d29b6bd436000b91b9d7d97fa2dafc07603", + "search_line": 0 }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", "line": 53, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.ErrorModel.additionalProperties.code", + "searchValue": "", + "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue", + "similarityID": "ddc1451c7ebc482fe4e32e834a2c745ba39c7e56ffa7942cf9207e325f018710", + "search_line": 0 }, { 
"queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", "line": 16, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.ErrorModel.code", + "searchValue": "", + "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue", + "similarityID": "efa04675549b42df6606d8bbbb265188de13bc366ddd1132db48a0639b0a4701", + "search_line": 0 }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", "line": 28, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.ErrorModel.allOf.code", + "searchValue": "", + "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue", + "similarityID": "3f19b4f4fe40505b7cbe64659596f933c03827e21f088d6a2b352248d1b951dd", + "search_line": 0 }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", "line": 37, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.ErrorModel.additionalProperties.code", + "searchValue": "", + "expectedValue": "'code' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'code' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue", + "similarityID": "45155210f5ad016203cd942b80db06fd44ee47ea94be870dcbbfcc383f4c1c44", + "search_line": 0 }, { "queryName": "Schema Object 
Properties With Duplicated Keys (v3)", "severity": "INFO", "line": 28, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue", + "similarityID": "9670614e4fe125a0d5951fd74aecfd304e0e0d30b6ef9daaf434ba18e843da59", + "search_line": 0 }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", "line": 44, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.allOf.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue", + "similarityID": "b852ef9de3c9c07d091d755eb327014ea65f8d73c73cda5ae30c52cc53bb424d", + "search_line": 0 }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", "line": 57, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.additionalProperties.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue", + "similarityID": 
"60adf6137a67497c81ce3edfc899ea3f33c0e6e55fc13c2328f8348be0e606e7", + "search_line": 0 }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", "line": 24, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue", + "similarityID": "b023f08aa0e48bfd9552ea85be2c75b8e96f2c4de5148e094bc37021d66c9bb4", + "search_line": 0 }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", "line": 34, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.allOf.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue", + "similarityID": "7ff7fddecb430d64c710c905798df7798906d0dbda46114c6307cffd92da8f79", + "search_line": 0 }, { "queryName": "Schema Object Properties With Duplicated Keys (v3)", "severity": "INFO", "line": 41, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.additionalProperties.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 
'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue", + "similarityID": "5994db833d13c2e57431e32d557a57686be2e0ac02818fb156d97b84e7333d73", + "search_line": 0 }, { "queryName": "Schema Object Properties With Duplicated Keys (v2)", "severity": "INFO", "line": 28, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue", + "similarityID": "3220f0a86f6cf1529f66c6938cd88d86d889a45fa4f688d96b4aded0e6309794", + "search_line": 0 }, { "queryName": "Schema Object Properties With Duplicated Keys (v2)", "severity": "INFO", "line": 44, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.allOf.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue", + "similarityID": "500e43e730769a08241b9a32bfdc4f6f16b2e30e53e336f48448fddd82f0c188", + "search_line": 0 }, { "queryName": "Schema Object Properties With Duplicated Keys (v2)", "severity": "INFO", "line": 57, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.additionalProperties.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 
'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue", + "similarityID": "7bfa193bb71613d9539c1a6b33044724efb04e745f55ffd6083a7fa8e9568321", + "search_line": 0 }, { "queryName": "Schema Object Properties With Duplicated Keys (v2)", "severity": "INFO", "line": 24, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue", + "similarityID": "16c82e850b2d996d64a8e22729a12a5eee84481aa2c24d75fac2210e7f8cf1a0", + "search_line": 0 }, { "queryName": "Schema Object Properties With Duplicated Keys (v2)", "severity": "INFO", "line": 34, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.allOf.message", + "searchValue": "", + "expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue", + "similarityID": "9c25619432a61bf3451b8adf120d9166eb97d8fa02527c07ab1a3467688194eb", + "search_line": 0 }, { "queryName": "Schema Object Properties With Duplicated Keys (v2)", "severity": "INFO", "line": 41, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.additionalProperties.message", + "searchValue": "", + 
"expectedValue": "'message' is unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "actualValue": "'message' is not unique through out the fields 'properties', 'allOf' and 'additionalProperties'", + "issueType": "IncorrectValue", + "similarityID": "2fb568b1a51dcab966351a04ef066e30da966af35144f437853d972a661ebd6c", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/general/schema_object_with_circular_ref/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_object_with_circular_ref/test/positive_expected_result.json index 483a7ba23c6..8ca17263a17 100644 --- a/assets/queries/openAPI/general/schema_object_with_circular_ref/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_object_with_circular_ref/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Schema Object With Circular Ref (v3)", "severity": "INFO", "line": 70, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.ExtendedErrorModel.allOf.$ref=#/components/schemas/ExtendedErrorModel", + "searchValue": "", + "expectedValue": "components.schemas.ExtendedErrorModel.allOf should not reference own schema", + "actualValue": "components.schemas.ExtendedErrorModel.allOf reference own schema", + "issueType": "IncorrectValue", + "similarityID": "c0db68c0382d32e230a0ecbf5fcec7a99a5097229a0aef0e27e32e77de6c167e", + "search_line": 0 }, { "queryName": "Schema Object With Circular Ref (v2)", "severity": "INFO", "line": 46, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.ExtendedErrorModel.allOf.$ref=#/definitions/ExtendedErrorModel", + "searchValue": "", + "expectedValue": "definitions.ExtendedErrorModel.allOf should not reference own schema", + "actualValue": "definitions.ExtendedErrorModel.allOf reference own schema", + "issueType": "IncorrectValue", + "similarityID": "fe87a3143a00ecda6b1f1debfc8fbde58e5f8ccc3ea65de82756868d4e9f42af", + "search_line": 0 }, { "queryName": "Schema Object With Circular Ref (v3)", "severity": "INFO", "line": 45, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.ExtendedErrorModel.allOf.$ref=#/components/schemas/ExtendedErrorModel", + "searchValue": "", + "expectedValue": "components.schemas.ExtendedErrorModel.allOf should not reference own schema", + "actualValue": "components.schemas.ExtendedErrorModel.allOf reference own schema", + "issueType": "IncorrectValue", + "similarityID": "f96a1d4598210b4fb2acd61cb5dd07d1cde1e0be4e57fd1d2c89cb56a1caf658", + "search_line": 0 }, { "queryName": "Schema Object With Circular Ref (v2)", "severity": 
"INFO", "line": 32, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "definitions.ExtendedErrorModel.allOf.$ref=#/definitions/ExtendedErrorModel", + "searchValue": "", + "expectedValue": "definitions.ExtendedErrorModel.allOf should not reference own schema", + "actualValue": "definitions.ExtendedErrorModel.allOf reference own schema", + "issueType": "IncorrectValue", + "similarityID": "0040b183b67bc97330264e68cbbd733ff2a25fe0d033d561db7c33e4078e4be0", + "search_line": 0 } ] diff --git a/assets/queries/openAPI/general/schema_required_property_undefined/test/positive_expected_result.json b/assets/queries/openAPI/general/schema_required_property_undefined/test/positive_expected_result.json index b7d43de1e87..e7e09d19da2 100644 --- a/assets/queries/openAPI/general/schema_required_property_undefined/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/schema_required_property_undefined/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "Schema Has A Required Property Undefined (v3)", "severity": "INFO", "line": 50, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.GeneralError.schema", + "searchValue": "", + "expectedValue": "Schema should have all required properties defined", + "actualValue": "Schema has required properties that are not defined", + "issueType": "MissingAttribute", + "similarityID": "a27ef6cda28cc31749aafaf0dfc36aa1aaacdcdf0925e25aa438115a303bd3f8", + "search_line": -1 }, { "queryName": "Schema Has A Required Property Undefined (v3)", "severity": "INFO", "line": 22, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema", + "searchValue": "", + "expectedValue": "Schema should have all required properties defined", + "actualValue": "Schema has required properties that are not defined", + "issueType": "MissingAttribute", + "similarityID": "17c645a1ee767f9dba2c59c2560bcb92114441971d399b74dbb8da84a28ed910", + "search_line": -1 }, { "queryName": "Schema Has A Required Property Undefined (v3)", "severity": "INFO", "line": 31, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.GeneralError.schema", + "searchValue": "", + "expectedValue": "Schema should have all required properties defined", + "actualValue": "Schema has required properties that are not defined", + "issueType": "MissingAttribute", + "similarityID": "6f4215e1cbcb1e98bca2c6ef57bf56edf8f001bd3efa79f47f00f67a0654de14", + "search_line": -1 }, { "queryName": "Schema Has A Required Property Undefined (v3)", "severity": "INFO", "line": 19, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": 
"paths.{{/}}.get.responses.200.content.{{application/json}}.schema", + "searchValue": "", + "expectedValue": "Schema should have all required properties defined", + "actualValue": "Schema has required properties that are not defined", + "issueType": "MissingAttribute", + "similarityID": "7a2a37cff3114d68dcf32333ab2849581641eb6fa3a8ac03f8897ff71ac32529", + "search_line": -1 }, { "queryName": "Schema Has A Required Property Undefined (v2)", "severity": "INFO", "line": 20, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema", + "searchValue": "", + "expectedValue": "Schema should have all required properties defined", + "actualValue": "Schema has required properties that are not defined", + "issueType": "MissingAttribute", + "similarityID": "41d33b879b5a504e78746ab0e683cb07e79e6658d0bb7acc18d62b577fdeb583", + "search_line": -1 }, { "queryName": "Schema Has A Required Property Undefined (v2)", "severity": "INFO", "line": 17, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.schema", + "searchValue": "", + "expectedValue": "Schema should have all required properties defined", + "actualValue": "Schema has required properties that are not defined", + "issueType": "MissingAttribute", + "similarityID": "d7797b14fe7656383de04a412fa3c86eba63ae533441e2c7899e134cd870d4d9", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/general/security_empty_array/test/positive_expected_result.json b/assets/queries/openAPI/general/security_empty_array/test/positive_expected_result.json index 19bea1c594e..2c2685d4234 100644 --- a/assets/queries/openAPI/general/security_empty_array/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/security_empty_array/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Global Security Field Has An Empty Array (v3)", "severity": "HIGH", "line": 43, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "A default security schema should be defined", + "actualValue": "A default security schema is not defined", + "issueType": "IncorrectValue", + "similarityID": "6620543135490e32232be5668ae6887766b244a006e61067f6f2a4f721513c9b", + "search_line": -1 }, { "queryName": "Global Security Field Has An Empty Array (v3)", "severity": "HIGH", "line": 25, - "filename": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "A default security schema should be defined", + "actualValue": "A default security schema is not defined", + "issueType": "IncorrectValue", + "similarityID": "d398d1ec0d124c95c1dafd2c39844262662b4ea982b1daf4807618e071f9322d", + "search_line": -1 }, { "queryName": "Global Security Field Has An Empty Array (v2)", "severity": "HIGH", - "line": 60, - "filename": "positive4.json" + "line": 38, + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "A default security schema should be defined", + "actualValue": "A default security schema is not defined", + "issueType": "IncorrectValue", + "similarityID": "5a176f3808dce666042f64e0c40f9c00b2842ee5e11bc2c50548c73e6517acaa", + "search_line": -1 }, { "queryName": "Global Security Field Has An Empty Array (v2)", "severity": "HIGH", - "line": 38, - "filename": "positive3.yaml" + "line": 60, + "fileName": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "A default security schema should be defined", + "actualValue": "A default security schema is not defined", + 
"issueType": "IncorrectValue", + "similarityID": "269bcf7cdabb0d415431ba9d642a97449d5dd59546e47dd92cd17fbe24604bb9", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/general/security_empty_object_definition/test/positive_expected_result.json b/assets/queries/openAPI/general/security_empty_object_definition/test/positive_expected_result.json index 62c6149c85d..c5fa340cb86 100644 --- a/assets/queries/openAPI/general/security_empty_object_definition/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/security_empty_object_definition/test/positive_expected_result.json 
@@ -3,72 +3,180 @@ "queryName": "Global security field has an empty object (v3)", "severity": "HIGH", "line": 43, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue", + "similarityID": "d1cb95a3beb850489729285c7dbbf7ce5591fcc4f9a427153a1bfc6359c0c53c", + "search_line": -1 }, { "queryName": "Global security field has an empty object (v3)", "severity": "HIGH", "line": 43, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue", + "similarityID": "8debad644ad0973dff1e169dce70be128ca975d917215425797b5b227e85a189", + "search_line": -1 }, { "queryName": "Global security field has an empty object (v3)", "severity": "HIGH", "line": 43, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue", + "similarityID": "e6c3856cacdeba429f1d5b9978b9d548d0b0b971ae172b3465f9b9168d91d3c3", + "search_line": -1 }, { "queryName": "Global security field has an empty object (v3)", "severity": "HIGH", "line": 43, - "filename": "positive4.json" + "fileName": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have 
an empty object", + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue", + "similarityID": "4c3716863e6a3f4f5c630779da8b9282292d6734b2a484496b2117575b82b501", + "search_line": -1 }, { "queryName": "Global security field has an empty object (v3)", "severity": "HIGH", "line": 25, - "filename": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue", + "similarityID": "28c91f0d18cbad885a3adfde8c2026091f433868985e4f6498465bdc4b955821", + "search_line": -1 }, { "queryName": "Global security field has an empty object (v3)", "severity": "HIGH", "line": 25, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue", + "similarityID": "18cd086c95a8c80d2aaed96b940c3171f0f8930de792e25ae2dffb146880446d", + "search_line": -1 }, { "queryName": "Global security field has an empty object (v3)", "severity": "HIGH", "line": 25, - "filename": "positive7.yaml" + "fileName": "positive7.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue", + "similarityID": "45c46808055b74efef0d1a6b6b2dcaf25cf1bbd7565fbd38ef72ce3a9b6abef3", + "search_line": -1 }, { "queryName": "Global security field has an empty object (v3)", "severity": "HIGH", "line": 25, - 
"filename": "positive8.yaml" + "fileName": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue", + "similarityID": "4c18e02b37177761864cbb31d31c3c61ec85b490ebf0f5639860f0c23a9edb81", + "search_line": -1 }, { "queryName": "Global security field has an empty object (v2)", "severity": "HIGH", "line": 38, - "filename": "positive9.yaml" + "fileName": "positive9.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue", + "similarityID": "4e44ae9a2e234871df77f88b35a86024f0fe1e6d4ae9a170a00d8c72a7c65bd8", + "search_line": -1 }, { "queryName": "Global security field has an empty object (v2)", "severity": "HIGH", "line": 60, - "filename": "positive10.json" + "fileName": "positive10.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue", + "similarityID": "8f537b1de0bfbdf027012cfe80df9b36b07f2717418a1f353eecbfc41515ac45", + "search_line": -1 }, { "queryName": "Global security field has an empty object (v2)", "severity": "HIGH", "line": 38, - "filename": "positive11.yaml" + "fileName": "positive11.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object", + "issueType": 
"IncorrectValue", + "similarityID": "adf5cd15dd9964b5f5542c6b3170e4e68d57a20f5271d6d7750de5d079120e44", + "search_line": -1 }, { "queryName": "Global security field has an empty object (v2)", "severity": "HIGH", "line": 60, - "filename": "positive12.json" + "fileName": "positive12.json", + "resourceType": "", + "resourceName": "", + "searchKey": "security", + "searchValue": "", + "expectedValue": "Global security field definition should not have an empty object", + "actualValue": "Global security field definition has an empty object", + "issueType": "IncorrectValue", + "similarityID": "b86815d4a2a3497ece59485fff825ed589a6f8ae139cfd5353f8f5335f748115", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/general/security_operations_empty_array/test/positive_expected_result.json b/assets/queries/openAPI/general/security_operations_empty_array/test/positive_expected_result.json index 962ab661032..7b7c097919c 100644 --- a/assets/queries/openAPI/general/security_operations_empty_array/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/security_operations_empty_array/test/positive_expected_result.json 
@@ -3,60 +3,150 @@
 "queryName": "Security Field On Operations Has An Empty Array (v3)",
 "severity": "HIGH",
 "line": 12,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.security",
+ "searchValue": "",
+ "expectedValue": "Security operation field array, when declared, should not be empty",
+ "actualValue": "Security operation field array is declared and empty",
+ "issueType": "IncorrectValue",
+ "similarityID": "7f49d21e4130619cc0d61c1cc3a1788db07ea5f893721c044cf030b3846f74f7",
+ "search_line": -1
 },
 {
 "queryName": "Security Field On Operations Has An Empty Array (v3)",
 "severity": "HIGH",
 "line": 51,
- "filename": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{patch}}.security",
+ "searchValue": "",
+ "expectedValue": "Security operation field array, when declared, should not be empty",
+ "actualValue": "Security operation field array is declared and empty",
+ "issueType": "IncorrectValue",
+ "similarityID": "19e0539cae3e51c29c22f394642afa4364b0f4379f30a9fc2160e92a9d0a3349",
+ "search_line": -1
 },
 {
 "queryName": "Security Field On Operations Has An Empty Array (v3)",
 "severity": "HIGH",
 "line": 51,
- "filename": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{patch}}.security",
+ "searchValue": "",
+ "expectedValue": "Security operation field array, when declared, should not be empty",
+ "actualValue": "Security operation field array is declared and empty",
+ "issueType": "IncorrectValue",
+ "similarityID": "37feb38985199cc29264e73a19bb3f37ab52edb2aab8f65215e813a6fe671941",
+ "search_line": -1
 },
 {
 "queryName": "Security Field On Operations Has An Empty Array (v3)",
 "severity": "HIGH",
 "line": 53,
- "filename": "positive4.json"
+ "fileName": "positive4.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/apis}}.{{get}}.security",
+ "searchValue": "",
+ "expectedValue": "Security operation field array, when declared, should not be empty",
+ "actualValue": "Security operation field array is declared and empty",
+ "issueType": "IncorrectValue",
+ "similarityID": "e1997077d69ebf8f53aafcf47dada9f42fc96098d4a174d3d8f68c36afdf0023",
+ "search_line": -1
 },
 {
 "queryName": "Security Field On Operations Has An Empty Array (v3)",
 "severity": "HIGH",
 "line": 10,
- "filename": "positive5.yaml"
+ "fileName": "positive5.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.security",
+ "searchValue": "",
+ "expectedValue": "Security operation field array, when declared, should not be empty",
+ "actualValue": "Security operation field array is declared and empty",
+ "issueType": "IncorrectValue",
+ "similarityID": "04d310061a724ed8bd846b82b8e302bb6503e919478a687946b9799f09123e75",
+ "search_line": -1
 },
 {
 "queryName": "Security Field On Operations Has An Empty Array (v3)",
 "severity": "HIGH",
 "line": 31,
- "filename": "positive6.yaml"
+ "fileName": "positive6.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{patch}}.security",
+ "searchValue": "",
+ "expectedValue": "Security operation field array, when declared, should not be empty",
+ "actualValue": "Security operation field array is declared and empty",
+ "issueType": "IncorrectValue",
+ "similarityID": "515522e629d862599c1258313c3e15d2a5740932ca3493f74788f44689468e4e",
+ "search_line": -1
 },
 {
 "queryName": "Security Field On Operations Has An Empty Array (v3)",
 "severity": "HIGH",
 "line": 31,
- "filename": "positive7.yaml"
+ "fileName": "positive7.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{patch}}.security",
+ "searchValue": "",
+ "expectedValue": "Security operation field array, when declared, should not be empty",
+ "actualValue": "Security operation field array is declared and empty",
+ "issueType": "IncorrectValue",
+ "similarityID": "9d921e9c4765b76d629af4172081b38d10bb3abb22b94cff25c51c9a3dcde6ec",
+ "search_line": -1
 },
 {
 "queryName": "Security Field On Operations Has An Empty Array (v3)",
 "severity": "HIGH",
 "line": 32,
- "filename": "positive8.yaml"
+ "fileName": "positive8.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/apis}}.{{get}}.security",
+ "searchValue": "",
+ "expectedValue": "Security operation field array, when declared, should not be empty",
+ "actualValue": "Security operation field array is declared and empty",
+ "issueType": "IncorrectValue",
+ "similarityID": "47b89e6886348c54f2c0fb9822e1f8c0c033a40949ad06f9a1654962566609d3",
+ "search_line": -1
 },
 {
 "queryName": "Security Field On Operations Has An Empty Array (v2)",
 "severity": "HIGH",
- "line": 17,
- "filename": "positive10.json"
+ "line": 14,
+ "fileName": "positive9.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.security",
+ "searchValue": "",
+ "expectedValue": "Security operation field array, when declared, should not be empty",
+ "actualValue": "Security operation field array is declared and empty",
+ "issueType": "IncorrectValue",
+ "similarityID": "3276179ad6ceb54640aed84433d5033398e927dc7773dc12ff097ed0ac850669",
+ "search_line": -1
 },
 {
 "queryName": "Security Field On Operations Has An Empty Array (v2)",
 "severity": "HIGH",
- "line": 14,
- "filename": "positive9.yaml"
+ "line": 17,
+ "fileName": "positive10.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.security",
+ "searchValue": "",
+ "expectedValue": "Security operation field array, when declared, should not be empty",
+ "actualValue": "Security operation field array is declared and empty",
+ "issueType": "IncorrectValue",
+ "similarityID": "37bfcabf922b8f913169bee78eb80396bbf2655e1cc21c26e166c75ecd00641e",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/openAPI/general/security_operations_empty_object_definition/test/positive_expected_result.json b/assets/queries/openAPI/general/security_operations_empty_object_definition/test/positive_expected_result.json
index c63557f7866..21304e3acb6 100644
--- a/assets/queries/openAPI/general/security_operations_empty_object_definition/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/security_operations_empty_object_definition/test/positive_expected_result.json
@@ -3,60 +3,150 @@
 "queryName": "Security Field On Operations Has An Empty Object Definition (v3)",
 "severity": "HIGH",
 "line": 12,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.security",
+ "searchValue": "",
+ "expectedValue": "Security operation field should not be empty object",
+ "actualValue": "Security operation field is an empty object",
+ "issueType": "IncorrectValue",
+ "similarityID": "5729a9f3ff9890616de9fa8b74fba91adf914f918e87672c3349c047f52ec664",
+ "search_line": -1
 },
 {
 "queryName": "Security Field On Operations Has An Empty Object Definition (v3)",
 "severity": "HIGH",
 "line": 51,
- "filename": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{patch}}.security",
+ "searchValue": "",
+ "expectedValue": "Security operation field array should not have an empty object",
+ "actualValue": "Security operation field array has an empty object",
+ "issueType": "IncorrectValue",
+ "similarityID": "b4b94305201496f0a9bc966db1569392c592021a1ddc4f9527a05df5f7621e7f",
+ "search_line": -1
 },
 {
 "queryName": "Security Field On Operations Has An Empty Object Definition (v3)",
 "severity": "HIGH",
 "line": 44,
- "filename": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{patch}}.security",
+ "searchValue": "",
+ "expectedValue": "Security operation field array should not have an empty object",
+ "actualValue": "Security operation field array has an empty object",
+ "issueType": "IncorrectValue",
+ "similarityID": "7d303a40f51b75fbdbd160fd8c50da658f3ba126957cdeb64b5cdf177356a160",
+ "search_line": -1
 },
 {
 "queryName": "Security Field On Operations Has An Empty Object Definition (v3)",
 "severity": "HIGH",
 "line": 53,
- "filename": "positive4.json"
+ "fileName": "positive4.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/apis}}.{{get}}.security",
+ "searchValue": "",
+ "expectedValue": "Security operation field should not be empty object",
+ "actualValue": "Security operation field is an empty object",
+ "issueType": "IncorrectValue",
+ "similarityID": "23edeaa112c681864a9873a52e9f71cc29207632234f8aa03ed7aac9498b4a85",
+ "search_line": -1
 },
 {
 "queryName": "Security Field On Operations Has An Empty Object Definition (v3)",
 "severity": "HIGH",
 "line": 10,
- "filename": "positive5.yaml"
+ "fileName": "positive5.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.security",
+ "searchValue": "",
+ "expectedValue": "Security operation field should not be empty object",
+ "actualValue": "Security operation field is an empty object",
+ "issueType": "IncorrectValue",
+ "similarityID": "23f68a0450cecdbdb4b21260500e39e9eb33f6059e599221a17930f7b1476a97",
+ "search_line": -1
 },
 {
 "queryName": "Security Field On Operations Has An Empty Object Definition (v3)",
 "severity": "HIGH",
 "line": 31,
- "filename": "positive6.yaml"
+ "fileName": "positive6.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{patch}}.security",
+ "searchValue": "",
+ "expectedValue": "Security operation field array should not have an empty object",
+ "actualValue": "Security operation field array has an empty object",
+ "issueType": "IncorrectValue",
+ "similarityID": "bc0401a9e0c9eaa15e61159b35933cfd8248d1321b651a2ebcb9f7846afb3c97",
+ "search_line": -1
 },
 {
 "queryName": "Security Field On Operations Has An Empty Object Definition (v3)",
 "severity": "HIGH",
 "line": 28,
- "filename": "positive7.yaml"
+ "fileName": "positive7.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{patch}}.security",
+ "searchValue": "",
+ "expectedValue": "Security operation field array should not have an empty object",
+ "actualValue": "Security operation field array has an empty object",
+ "issueType": "IncorrectValue",
+ "similarityID": "43453a26077627489ae377498a7331accf97ec1dab70fbce00c1518821839b10",
+ "search_line": -1
 },
 {
 "queryName": "Security Field On Operations Has An Empty Object Definition (v3)",
 "severity": "HIGH",
 "line": 32,
- "filename": "positive8.yaml"
+ "fileName": "positive8.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/apis}}.{{get}}.security",
+ "searchValue": "",
+ "expectedValue": "Security operation field should not be empty object",
+ "actualValue": "Security operation field is an empty object",
+ "issueType": "IncorrectValue",
+ "similarityID": "60dd473180192bebb93f421981d54b21c95228c1b18553d3c50c11d0a3a4c132",
+ "search_line": -1
 },
 {
 "queryName": "Security Field On Operations Has An Empty Object Definition (v2)",
 "severity": "HIGH",
 "line": 14,
- "filename": "positive9.yaml"
+ "fileName": "positive9.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.security",
+ "searchValue": "",
+ "expectedValue": "Security operation field should not be empty object",
+ "actualValue": "Security operation field is an empty object",
+ "issueType": "IncorrectValue",
+ "similarityID": "9baafd04cadf694aca90beee415017649a379132c61c5bfcc356275099b87c56",
+ "search_line": -1
 },
 {
 "queryName": "Security Field On Operations Has An Empty Object Definition (v2)",
 "severity": "HIGH",
 "line": 17,
- "filename": "positive10.json"
+ "fileName": "positive10.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.{{get}}.security",
+ "searchValue": "",
+ "expectedValue": "Security operation field should not be empty object",
+ "actualValue": "Security operation field is an empty object",
+ "issueType": "IncorrectValue",
+ "similarityID": "dcf6c1355682c4f92a6240d9756c8adc7876e8d283b250795c90617c09cec235",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/openAPI/general/string_schema_with_broad_pattern/test/positive_expected_result.json b/assets/queries/openAPI/general/string_schema_with_broad_pattern/test/positive_expected_result.json
index a74d7ffee20..c58ed889dd1 100644
--- a/assets/queries/openAPI/general/string_schema_with_broad_pattern/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/string_schema_with_broad_pattern/test/positive_expected_result.json
@@ -3,48 +3,120 @@
 "queryName": "String Schema with Broad Pattern (v3)",
 "severity": "LOW",
 "line": 61,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.schemas.GeneralError.properties.code.pattern",
+ "searchValue": "",
+ "expectedValue": "String schema has 'pattern' restricted",
+ "actualValue": "String schema does not have 'pattern' restricted",
+ "issueType": "IncorrectValue",
+ "similarityID": "14d519e92a8371fc16f363ca2b4b50a9ac24e8b6426681365f088d9161a939e9",
+ "search_line": 0
 },
 {
 "queryName": "String Schema with Broad Pattern (v3)",
 "severity": "LOW",
 "line": 81,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError",
+ "searchValue": "",
+ "expectedValue": "String schema has 'pattern' restricted",
+ "actualValue": "String schema does not have 'pattern' restricted",
+ "issueType": "IncorrectValue",
+ "similarityID": "0e6fb1dc88175ea62438081710cdeda787e67c9e1416da66112f67347f506ce4",
+ "search_line": 0
 },
 {
 "queryName": "String Schema with Broad Pattern (v3)",
 "severity": "LOW",
 "line": 30,
- "filename": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.pattern",
+ "searchValue": "",
+ "expectedValue": "String schema has 'pattern' restricted",
+ "actualValue": "String schema does not have 'pattern' restricted",
+ "issueType": "IncorrectValue",
+ "similarityID": "c5ade9f4b88a2ece6c27a5cbbd80cb8a39affea88757825773e8850c6d7a5e39",
+ "search_line": -1
 },
 {
 "queryName": "String Schema with Broad Pattern (v3)",
 "severity": "LOW",
 "line": 37,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.schemas.GeneralError.properties.code.pattern",
+ "searchValue": "",
+ "expectedValue": "String schema has 'pattern' restricted",
+ "actualValue": "String schema does not have 'pattern' restricted",
+ "issueType": "IncorrectValue",
+ "similarityID": "6cd7166964d37739f9d9a5b646e39c7e5cd2aafc378ddf8f54e08c404bbb143c",
+ "search_line": 0
 },
 {
 "queryName": "String Schema with Broad Pattern (v3)",
 "severity": "LOW",
 "line": 51,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "components.requestBodies.NewItem.content.{{multipart/form-data}}.schema.$ref=#/components/schemas/GeneralError",
+ "searchValue": "",
+ "expectedValue": "String schema has 'pattern' restricted",
+ "actualValue": "String schema does not have 'pattern' restricted",
+ "issueType": "IncorrectValue",
+ "similarityID": "8b20b7ac6a9c5c5c7a084de4672f4d0bc8926409c8c15717eafb51a5e23791e0",
+ "search_line": 0
 },
 {
 "queryName": "String Schema with Broad Pattern (v3)",
 "severity": "LOW",
 "line": 25,
- "filename": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.properties.code.pattern",
+ "searchValue": "",
+ "expectedValue": "String schema has 'pattern' restricted",
+ "actualValue": "String schema does not have 'pattern' restricted",
+ "issueType": "IncorrectValue",
+ "similarityID": "75004389bb1793c55cc0309ddfbb191298176dc95c1234dc023ed078a08003fc",
+ "search_line": -1
 },
 {
 "queryName": "String Schema with Broad Pattern (v2)",
 "severity": "LOW",
- "line": 30,
- "filename": "positive6.json"
+ "line": 26,
+ "fileName": "positive5.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.pattern",
+ "searchValue": "",
+ "expectedValue": "String schema has 'pattern' restricted",
+ "actualValue": "String schema does not have 'pattern' restricted",
+ "issueType": "IncorrectValue",
+ "similarityID": "fb477f3cd3cf0e7de3c5be0fcdeaba94c1cd7106ef19232b4b8384ff36f37e85",
+ "search_line": -1
 },
 {
 "queryName": "String Schema with Broad Pattern (v2)",
 "severity": "LOW",
- "line": 26,
- "filename": "positive5.yaml"
+ "line": 30,
+ "fileName": "positive6.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/}}.get.responses.200.schema.properties.message.pattern",
+ "searchValue": "",
+ "expectedValue": "String schema has 'pattern' restricted",
+ "actualValue": "String schema does not have 'pattern' restricted",
+ "issueType": "IncorrectValue",
+ "similarityID": "64d955c142b29807141f25aa7ac10a8ad858564d7fa4af8fad97bd0624ecbf8d",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/test/positive_expected_result.json
index 085eab862bb..f8249941c9a 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/success_response_code_undefined_delete_operation/test/positive_expected_result.json
@@ -3,36 +3,90 @@
 "queryName": "Success Response Code Undefined for Delete Operation (v3)",
 "severity": "LOW",
 "line": 12,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.delete.responses",
+ "searchValue": "",
+ "expectedValue": "Delete should have at least one successful code (200, 201, 202 or 204)",
+ "actualValue": "Delete does not have any successful code",
+ "issueType": "MissingAttribute",
+ "similarityID": "3c3228755551dbc4498d442895f7fbff88221172ad9c4fd7c8b49effb0529899",
+ "search_line": -1
 },
 {
 "queryName": "Success Response Code Undefined for Delete Operation (v3)",
 "severity": "LOW",
 "line": 12,
- "filename": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.delete.responses",
+ "searchValue": "",
+ "expectedValue": "Delete should have at least one successful code (200, 201, 202 or 204)",
+ "actualValue": "Delete does not have any successful code",
+ "issueType": "MissingAttribute",
+ "similarityID": "21a83b02dc73ab81085660af09e1d68d42f44aae5899ada2c7803ca2057df7b7",
+ "search_line": -1
 },
 {
 "queryName": "Success Response Code Undefined for Delete Operation (v3)",
 "severity": "LOW",
 "line": 10,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.delete.responses",
+ "searchValue": "",
+ "expectedValue": "Delete should have at least one successful code (200, 201, 202 or 204)",
+ "actualValue": "Delete does not have any successful code",
+ "issueType": "MissingAttribute",
+ "similarityID": "b0a9cb8db97a35cc60f9eefb80d3f47f8464fa998d4236c9492e5d908a57a7f5",
+ "search_line": -1
 },
 {
 "queryName": "Success Response Code Undefined for Delete Operation (v3)",
 "severity": "LOW",
 "line": 10,
- "filename": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.delete.responses",
+ "searchValue": "",
+ "expectedValue": "Delete should have at least one successful code (200, 201, 202 or 204)",
+ "actualValue": "Delete does not have any successful code",
+ "issueType": "MissingAttribute",
+ "similarityID": "d7401bf333ddc715745419d4b40d24f4f77af836331a13d22e2f845fcc202a89",
+ "search_line": -1
 },
 {
 "queryName": "Success Response Code Undefined for Delete Operation (v2)",
 "severity": "LOW",
 "line": 12,
- "filename": "positive5.json"
+ "fileName": "positive5.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.delete.responses",
+ "searchValue": "",
+ "expectedValue": "Delete should have at least one successful code (200, 201, 202 or 204)",
+ "actualValue": "Delete does not have any successful code",
+ "issueType": "MissingAttribute",
+ "similarityID": "4425ecee87c425b4c287c664df5d2c461d98aa796f4227bc35112dd1fd8afa07",
+ "search_line": -1
 },
 {
 "queryName": "Success Response Code Undefined for Delete Operation (v2)",
 "severity": "LOW",
 "line": 10,
- "filename": "positive6.yaml"
+ "fileName": "positive6.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.delete.responses",
+ "searchValue": "",
+ "expectedValue": "Delete should have at least one successful code (200, 201, 202 or 204)",
+ "actualValue": "Delete does not have any successful code",
+ "issueType": "MissingAttribute",
+ "similarityID": "b6d2bf1980e7430257e414f84eb13ecf98b7aa8f61dd0de0a74a17efc55534f0",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_get_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_get_operation/test/positive_expected_result.json
index 64cbed3c1b1..abbefd63695 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_get_operation/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/success_response_code_undefined_get_operation/test/positive_expected_result.json
@@ -3,24 +3,60 @@
 "queryName": "Success Response Code Undefined for Get Operation (v2)",
 "severity": "LOW",
 "line": 12,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.get.responses",
+ "searchValue": "",
+ "expectedValue": "Get should have at least one successful code (200 or 202)",
+ "actualValue": "Get does not have any successful code",
+ "issueType": "MissingAttribute",
+ "similarityID": "86b2ca84117245001b9e4a70cedf4389e172e018395143c045357fd9d6bf3f2c",
+ "search_line": -1
 },
 {
 "queryName": "Success Response Code Undefined for Get Operation (v2)",
 "severity": "LOW",
 "line": 10,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.get.responses",
+ "searchValue": "",
+ "expectedValue": "Get should have at least one successful code (200 or 202)",
+ "actualValue": "Get does not have any successful code",
+ "issueType": "MissingAttribute",
+ "similarityID": "01d79aeba965780854cf3318153df63a7fcc6bc0bc7fa36d34a0fd44decd9f5b",
+ "search_line": -1
 },
 {
 "queryName": "Success Response Code Undefined for Get Operation (v3)",
 "severity": "LOW",
 "line": 12,
- "filename": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.get.responses",
+ "searchValue": "",
+ "expectedValue": "Get should have at least one successful code (200 or 202)",
+ "actualValue": "Get does not have any successful code",
+ "issueType": "MissingAttribute",
+ "similarityID": "7e4a0cc7cb20b05746c53a0ed2fe80f88f5fb306ef4cac4a98be530cb0824d6b",
+ "search_line": -1
 },
 {
 "queryName": "Success Response Code Undefined for Get Operation (v3)",
 "severity": "LOW",
 "line": 10,
- "filename": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.get.responses",
+ "searchValue": "",
+ "expectedValue": "Get should have at least one successful code (200 or 202)",
+ "actualValue": "Get does not have any successful code",
+ "issueType": "MissingAttribute",
+ "similarityID": "72e5398bc7651b8dcd4787ee48740787e00ee991821c7d8712982beabf33fd31",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_head_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_head_operation/test/positive_expected_result.json
index 1f6c14dc8f6..925467989da 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_head_operation/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/success_response_code_undefined_head_operation/test/positive_expected_result.json
@@ -3,24 +3,60 @@
 "queryName": "Success Response Code Undefined for Head Operation (v3)",
 "severity": "LOW",
 "line": 12,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.head.responses",
+ "searchValue": "",
+ "expectedValue": "Head should have at least one successful code (200 or 202)",
+ "actualValue": "Head does not have any successful code",
+ "issueType": "MissingAttribute",
+ "similarityID": "7e69db27bbd3cee73d4496c1471f7c9684324aee811146373ef97a9612247505",
+ "search_line": -1
 },
 {
 "queryName": "Success Response Code Undefined for Head Operation (v3)",
 "severity": "LOW",
 "line": 10,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.head.responses",
+ "searchValue": "",
+ "expectedValue": "Head should have at least one successful code (200 or 202)",
+ "actualValue": "Head does not have any successful code",
+ "issueType": "MissingAttribute",
+ "similarityID": "a4e0606d1b6bef162221552f57fba5e7addaafed105cc9a3d06d79e1a6f37f19",
+ "search_line": -1
 },
 {
 "queryName": "Success Response Code Undefined for Head Operation (v2)",
 "severity": "LOW",
 "line": 12,
- "filename": "positive3.json"
+ "fileName": "positive3.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.head.responses",
+ "searchValue": "",
+ "expectedValue": "Head should have at least one successful code (200 or 202)",
+ "actualValue": "Head does not have any successful code",
+ "issueType": "MissingAttribute",
+ "similarityID": "6766f6a62e4d10c50db71065df2a7d764035b7ef1233ffca1dd713fb87550e06",
+ "search_line": -1
 },
 {
 "queryName": "Success Response Code Undefined for Head Operation (v2)",
 "severity": "LOW",
 "line": 10,
- "filename": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.head.responses",
+ "searchValue": "",
+ "expectedValue": "Head should have at least one successful code (200 or 202)",
+ "actualValue": "Head does not have any successful code",
+ "issueType": "MissingAttribute",
+ "similarityID": "1a06e8df6afcd72877d29e25aedf87f188fea4b3e76cfed5d8b96a6468060236",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/test/positive_expected_result.json
index 5350ccdf0e7..a599cac6d54 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/success_response_code_undefined_patch_operation/test/positive_expected_result.json
@@ -3,36 +3,90 @@
 "queryName": "Success Response Code Undefined for Patch Operation (v3)",
 "severity": "LOW",
 "line": 12,
- "filename": "positive1.json"
+ "fileName": "positive1.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.patch.responses",
+ "searchValue": "",
+ "expectedValue": "Patch should have at least one successful code (200, 201, 202 or 204)",
+ "actualValue": "Patch does not have any successful code",
+ "issueType": "MissingAttribute",
+ "similarityID": "104a4d45d7b74c39f031f6c870a22f34165c69b223e15525b44abed4decc2cf9",
+ "search_line": -1
 },
 {
 "queryName": "Success Response Code Undefined for Patch Operation (v3)",
 "severity": "LOW",
 "line": 24,
- "filename": "positive2.json"
+ "fileName": "positive2.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.patch.responses",
+ "searchValue": "",
+ "expectedValue": "Patch should have at least one successful code (200, 201, 202 or 204)",
+ "actualValue": "Patch does not have any successful code",
+ "issueType": "MissingAttribute",
+ "similarityID": "7290728eb89ded076b8b3122a7756f511085ea1b01512169bc75d4c283d1f6ae",
+ "search_line": -1
 },
 {
 "queryName": "Success Response Code Undefined for Patch Operation (v3)",
 "severity": "LOW",
 "line": 10,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.patch.responses",
+ "searchValue": "",
+ "expectedValue": "Patch should have at least one successful code (200, 201, 202 or 204)",
+ "actualValue": "Patch does not have any successful code",
+ "issueType": "MissingAttribute",
+ "similarityID": "44a52487062cf74ad5615f50224a83efdd2cf4fb2825c646256f584bc08c6882",
+ "search_line": -1
 },
 {
 "queryName": "Success Response Code Undefined for Patch Operation (v3)",
 "severity": "LOW",
 "line": 18,
- "filename": "positive4.yaml"
+ "fileName": "positive4.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.patch.responses",
+ "searchValue": "",
+ "expectedValue": "Patch should have at least one successful code (200, 201, 202 or 204)",
+ "actualValue": "Patch does not have any successful code",
+ "issueType": "MissingAttribute",
+ "similarityID": "3c270ded3179cbb39c692f371694f805ec41fc1f8fb1de071036b5110bfc4ab4",
+ "search_line": -1
 },
 {
 "queryName": "Success Response Code Undefined for Patch Operation (v2)",
 "severity": "LOW",
 "line": 24,
- "filename": "positive5.json"
+ "fileName": "positive5.json",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.patch.responses",
+ "searchValue": "",
+ "expectedValue": "Patch should have at least one successful code (200, 201, 202 or 204)",
+ "actualValue": "Patch does not have any successful code",
+ "issueType": "MissingAttribute",
+ "similarityID": "19490f0bc7c09cc9e4667afbb598eca69e0c399b0175ca64fd5d309fb093841f",
+ "search_line": -1
 },
 {
 "queryName": "Success Response Code Undefined for Patch Operation (v2)",
 "severity": "LOW",
 "line": 18,
- "filename": "positive6.yaml"
+ "fileName": "positive6.yaml",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "paths.{{/item}}.patch.responses",
+ "searchValue": "",
+ "expectedValue": "Patch should have at least one successful code (200, 201, 202 or 204)",
+ "actualValue": "Patch does not have any successful code",
+ "issueType": "MissingAttribute",
+ "similarityID": "7d68052840503001e835ea8f8499cc323656f85c1c79baf2ded797f4652f724b",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/openAPI/general/success_response_code_undefined_post_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_post_operation/test/positive_expected_result.json
index f5959207758..6ca7e774030 100644
--- a/assets/queries/openAPI/general/success_response_code_undefined_post_operation/test/positive_expected_result.json
+++ b/assets/queries/openAPI/general/success_response_code_undefined_post_operation/test/positive_expected_result.json
@@ -3,36 +3,90 @@ "queryName": "Success Response Code Undefined for Post Operation (v3)", "severity": "LOW", "line": 12, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.post.responses", + "searchValue": "", + "expectedValue": "Post should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Post does not have any successful code", + "issueType": "MissingAttribute", + "similarityID": "c62e1c8e62b607d71f917a8b26080d812b23f5080e86c14e515e625b65d2cc76", + "search_line": -1 }, { "queryName": "Success Response Code Undefined for Post Operation (v3)", "severity": "LOW", "line": 24, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.post.responses", + "searchValue": "", + "expectedValue": "Post should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Post does not have any successful code", + "issueType": "MissingAttribute", + "similarityID": "b5554470627ebcb49f526661b4bdc94cc65dc109ba4da75d64d0e6569eda74a2", + "search_line": -1 }, { "queryName": "Success Response Code Undefined for Post Operation (v3)", "severity": "LOW", "line": 10, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.post.responses", + "searchValue": "", + "expectedValue": "Post should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Post does not have any successful code", + "issueType": "MissingAttribute", + "similarityID": "f957d46094d59cd0e00fe9d4c452b904eb54fa5afd4c9ef701cf6ad6efc0e24d", + "search_line": -1 }, { "queryName": "Success Response Code Undefined for Post Operation (v3)", "severity": "LOW", "line": 18, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": 
"paths.{{/item}}.post.responses", + "searchValue": "", + "expectedValue": "Post should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Post does not have any successful code", + "issueType": "MissingAttribute", + "similarityID": "f0efb8b5c3d5f22805f167cefc498c20571ca6458253357889f210de2be8ec8e", + "search_line": -1 }, { "queryName": "Success Response Code Undefined for Post Operation (v2)", "severity": "LOW", "line": 24, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.post.responses", + "searchValue": "", + "expectedValue": "Post should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Post does not have any successful code", + "issueType": "MissingAttribute", + "similarityID": "f241b6dd60859707ee1ac07e253ce7d6e695d7f958cc0747d633debf4b3796f5", + "search_line": -1 }, { "queryName": "Success Response Code Undefined for Post Operation (v2)", "severity": "LOW", "line": 18, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.post.responses", + "searchValue": "", + "expectedValue": "Post should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Post does not have any successful code", + "issueType": "MissingAttribute", + "similarityID": "ecf7e026eb1a82c4881fa870f7eb3009ddc1c2026a9d9996b729092e4410a9b8", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/success_response_code_undefined_put_operation/test/positive_expected_result.json b/assets/queries/openAPI/general/success_response_code_undefined_put_operation/test/positive_expected_result.json index ba164e0af40..4ede65db15f 100644 --- a/assets/queries/openAPI/general/success_response_code_undefined_put_operation/test/positive_expected_result.json 
+++ b/assets/queries/openAPI/general/success_response_code_undefined_put_operation/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "Success Response Code Undefined for Put Operation (v3)", "severity": "LOW", "line": 12, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.put.responses", + "searchValue": "", + "expectedValue": "Put should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Put does not have any successful code", + "issueType": "MissingAttribute", + "similarityID": "9f8796147fd07206b833757655d6407a1cfbc2caba7ad96b282a770984c33ce3", + "search_line": -1 }, { "queryName": "Success Response Code Undefined for Put Operation (v3)", "severity": "LOW", "line": 24, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.put.responses", + "searchValue": "", + "expectedValue": "Put should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Put does not have any successful code", + "issueType": "MissingAttribute", + "similarityID": "c78ad00db0d7244e93a57bbe136f4393a2d5f0e7a129387cbb302551ddb1106c", + "search_line": -1 }, { "queryName": "Success Response Code Undefined for Put Operation (v3)", "severity": "LOW", "line": 10, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.put.responses", + "searchValue": "", + "expectedValue": "Put should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Put does not have any successful code", + "issueType": "MissingAttribute", + "similarityID": "8c80855a552a8489f08a451772e10af1dbc9e081be557e9550d614810cae577f", + "search_line": -1 }, { "queryName": "Success Response Code Undefined for Put Operation (v3)", "severity": "LOW", "line": 18, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.put.responses", + 
"searchValue": "", + "expectedValue": "Put should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Put does not have any successful code", + "issueType": "MissingAttribute", + "similarityID": "9411bded58844f1c97fefb590cd3ebe3d25ed00c26c5e5ac4df25b18440fc4a6", + "search_line": -1 }, { "queryName": "Success Response Code Undefined for Put Operation (v2)", "severity": "LOW", "line": 24, - "filename": "positive5.json" + "fileName": "positive5.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.put.responses", + "searchValue": "", + "expectedValue": "Put should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Put does not have any successful code", + "issueType": "MissingAttribute", + "similarityID": "5017966e032b00b20a8f257fa06e0fded67f968b3931a3be1266974df1e357c9", + "search_line": -1 }, { "queryName": "Success Response Code Undefined for Put Operation (v2)", "severity": "LOW", "line": 18, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/item}}.put.responses", + "searchValue": "", + "expectedValue": "Put should have at least one successful code (200, 201, 202 or 204)", + "actualValue": "Put does not have any successful code", + "issueType": "MissingAttribute", + "similarityID": "e2ec4561303c27d9d0ec5d85829f75c4bcccafb670a4637e349176c5ce2944c8", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/test/positive_expected_result.json b/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/test/positive_expected_result.json index 1fa501a7423..eedb03b73d4 100644 --- a/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/test/positive_expected_result.json 
+++ b/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter/test/positive_expected_result.json 
@@ -3,72 +3,180 @@ "queryName": "Template Path With No Corresponding Path Parameter (v3)", "severity": "INFO", "line": 10, - "filename": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{test-id}.get.parameters.name=test-id", + "searchValue": "", + "expectedValue": "Template path parameter should have an operation parameter with the same name and 'in' set to 'path'", + "actualValue": "Template path parameter does not have an operation parameter with the same name and 'in' set to 'path'", + "issueType": "IncorrectValue", + "similarityID": "ff61c01a43f8511dc3a018610a4bf7138f188eff4af4a8d2d1b37d663fc7f0a2", + "search_line": -1 }, { "queryName": "Template Path With No Corresponding Path Parameter (v3)", "severity": "INFO", "line": 58, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{blabla}.get.parameters.name=id", + "searchValue": "", + "expectedValue": "Template path parameter should have an operation parameter with the same name and 'in' set to 'path'", + "actualValue": "Template path parameter does not have an operation parameter with the same name and 'in' set to 'path'", + "issueType": "IncorrectValue", + "similarityID": "10e64ff8189883ad307c71a030a59d31580a26d478800c333103431a111b22b8", + "search_line": -1 }, { "queryName": "Template Path With No Corresponding Path Parameter (v3)", "severity": "INFO", "line": 34, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./people/{id}.get.parameters", + "searchValue": "", + "expectedValue": "Template path parameters should be defined for operation", + "actualValue": "Template path parameters is not defined for operation", + "issueType": "MissingAttribute", + "similarityID": "ccf6eaecda812b0068870f6f63411e9f2825bd21c597e5f999b77c245e2695d1", + "search_line": -1 }, { "queryName": 
"Template Path With No Corresponding Path Parameter (v3)", "severity": "INFO", "line": 40, - "filename": "positive3.yaml" + "fileName": "positive3.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}.get.parameters", + "searchValue": "", + "expectedValue": "Template path parameters should be defined for operation", + "actualValue": "Template path parameters is not defined for operation", + "issueType": "MissingAttribute", + "similarityID": "6e10a4a37e5f7ceebd0f1e2f79dc1618be2b3018362c0fcc358ee1c58dce2bb7", + "search_line": -1 }, { "queryName": "Template Path With No Corresponding Path Parameter (v3)", "severity": "INFO", "line": 55, - "filename": "positive4.json" + "fileName": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./people/{id}.get.parameters", + "searchValue": "", + "expectedValue": "Template path parameters should be defined for operation", + "actualValue": "Template path parameters is not defined for operation", + "issueType": "MissingAttribute", + "similarityID": "a39fabe87cb758feaf9e67da6e7ae2c16c0beef0fd1d57a5939a8edb05e92796", + "search_line": -1 }, { "queryName": "Template Path With No Corresponding Path Parameter (v3)", "severity": "INFO", "line": 65, - "filename": "positive4.json" + "fileName": "positive4.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}.get.parameters", + "searchValue": "", + "expectedValue": "Template path parameters should be defined for operation", + "actualValue": "Template path parameters is not defined for operation", + "issueType": "MissingAttribute", + "similarityID": "10c568febb0c417d24bb510e85c9facc30e629b55d2f84f75683a933e396fe99", + "search_line": -1 }, { "queryName": "Template Path With No Corresponding Path Parameter (v2)", "severity": "INFO", "line": 14, - "filename": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": 
"paths./users/{test-id}.get.parameters.name=test-id", + "searchValue": "", + "expectedValue": "Template path parameter should have an operation parameter with the same name and 'in' set to 'path'", + "actualValue": "Template path parameter does not have an operation parameter with the same name and 'in' set to 'path'", + "issueType": "IncorrectValue", + "similarityID": "fc1288e3b2627a7ec2fd6abaed8b2b35b36253d86daf591b9f3b255c50446111", + "search_line": -1 }, { "queryName": "Template Path With No Corresponding Path Parameter (v2)", "severity": "INFO", "line": 38, - "filename": "positive6.json" + "fileName": "positive6.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{blabla}.get.parameters.name=id", + "searchValue": "", + "expectedValue": "Template path parameter should have an operation parameter with the same name and 'in' set to 'path'", + "actualValue": "Template path parameter does not have an operation parameter with the same name and 'in' set to 'path'", + "issueType": "IncorrectValue", + "similarityID": "c04402dbda50d757aa9336a80e3e0d727df2b7f568d2da84e2160649ee5e662f", + "search_line": -1 }, { "queryName": "Template Path With No Corresponding Path Parameter (v2)", "severity": "INFO", "line": 25, - "filename": "positive7.yaml" + "fileName": "positive7.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./people/{id}.get.parameters", + "searchValue": "", + "expectedValue": "Template path parameters should be defined for operation", + "actualValue": "Template path parameters is not defined for operation", + "issueType": "MissingAttribute", + "similarityID": "43eab410f6de78c2c98f97ddfbe2cd7df446d9c9a3bcd6c7db06a7d8f6ce6577", + "search_line": -1 }, { "queryName": "Template Path With No Corresponding Path Parameter (v2)", "severity": "INFO", "line": 31, - "filename": "positive7.yaml" + "fileName": "positive7.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}.get.parameters", + 
"searchValue": "", + "expectedValue": "Template path parameters should be defined for operation", + "actualValue": "Template path parameters is not defined for operation", + "issueType": "MissingAttribute", + "similarityID": "e8d95fc664b1ed964cb2dc08b7d0886bfceb2a8ad1472745ed6fcfaf64283af7", + "search_line": -1 }, { "queryName": "Template Path With No Corresponding Path Parameter (v2)", "severity": "INFO", "line": 35, - "filename": "positive8.json" + "fileName": "positive8.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./people/{id}.get.parameters", + "searchValue": "", + "expectedValue": "Template path parameters should be defined for operation", + "actualValue": "Template path parameters is not defined for operation", + "issueType": "MissingAttribute", + "similarityID": "94a9076124f0d4d65b10bee306e6b745b465128ca95854d5bd3611fd34716fab", + "search_line": -1 }, { "queryName": "Template Path With No Corresponding Path Parameter (v2)", "severity": "INFO", "line": 45, - "filename": "positive8.json" + "fileName": "positive8.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths./users/{id}.get.parameters", + "searchValue": "", + "expectedValue": "Template path parameters should be defined for operation", + "actualValue": "Template path parameters is not defined for operation", + "issueType": "MissingAttribute", + "similarityID": "ad797e32c71d8361026389c9ef0f85cc51bfe143a563d515ffe84abffb395227", + "search_line": -1 } ] diff --git a/assets/queries/openAPI/general/type_has_invalid_keyword/test/positive_expected_result.json b/assets/queries/openAPI/general/type_has_invalid_keyword/test/positive_expected_result.json index 8050e654697..f8ae2fb4ec4 100644 --- a/assets/queries/openAPI/general/type_has_invalid_keyword/test/positive_expected_result.json +++ b/assets/queries/openAPI/general/type_has_invalid_keyword/test/positive_expected_result.json 
@@ -3,120 +3,300 @@ "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", "line": 18, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword pattern is not valid for type number", + "issueType": "IncorrectValue", + "similarityID": "7a714637f7423d16a89a8e7cd13d814c098427ca5af039bdd6c6b3163c033e3e", + "search_line": 0 }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", "line": 52, - "filename": "positive1.json" + "fileName": "positive1.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.properties.phones.items.pattern", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword pattern is not valid for type number", + "issueType": "IncorrectValue", + "similarityID": "1ad3d3123fbd2f9e91000c85dfd5f49c42bffb49b4647a1fa6301bdf4206624f", + "search_line": 0 }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", "line": 18, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword minLength is not valid for type integer", + "issueType": "IncorrectValue", + "similarityID": "f5dd85092ac99f0839e0df11d683a8833864fbd3b963ca036a5bbb9ed278cb21", + "search_line": 0 }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", "line": 42, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "", + "resourceName": "", + "searchKey": 
"components.schemas.MyObject.properties.id.minLength", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword minLength is not valid for type integer", + "issueType": "IncorrectValue", + "similarityID": "05f354560c5cf5e361ad10f5c535f99354988c939ccc7f488459978f5b264ee9", + "search_line": 0 }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", "line": 18, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword required is not valid for type string", + "issueType": "IncorrectValue", + "similarityID": "999a42337f9076a41bd7664914919124c81da68eb51df3e2581996bb9faf83c4", + "search_line": 0 }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", "line": 46, - "filename": "positive3.json" + "fileName": "positive3.json", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.properties.name.required", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword required is not valid for type string", + "issueType": "IncorrectValue", + "similarityID": "073b12ee0ceee9d5c70f7cd1f4574c124b6b49f5bb7737bc838af28915d24818", + "search_line": 0 }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", "line": 16, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword pattern is not valid for type number", + "issueType": "IncorrectValue", + "similarityID": 
"a9ca12e5dfbc7fe562b0b04d8ac17f8562bc7e2b46efc152bbde35cf43a7a428", + "search_line": 0 }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", "line": 37, - "filename": "positive4.yaml" + "fileName": "positive4.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.properties.phones.items.pattern", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword pattern is not valid for type number", + "issueType": "IncorrectValue", + "similarityID": "c5e8047087951d17d34f99797987413e024931fd6a872453b88c205d0157d48e", + "search_line": 0 }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", "line": 16, - "filename": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword minLength is not valid for type integer", + "issueType": "IncorrectValue", + "similarityID": "b6177ccc5ec6d28716b90c4fddc9693dd0da5ca502efc4915351759900818bcf", + "search_line": 0 }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", "line": 29, - "filename": "positive5.yaml" + "fileName": "positive5.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.properties.id.minLength", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword minLength is not valid for type integer", + "issueType": "IncorrectValue", + "similarityID": "e038bb849e288e75c579cb0d76a53991af497331e1a17df096bb231de7f3b015", + "search_line": 0 }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", "line": 16, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": 
"paths.{{/}}.get.responses.200.content.{{application/json}}.schema.$ref=#/components/schemas/MyObject", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword pattern is not valid for type number", + "issueType": "IncorrectValue", + "similarityID": "9434cfbd8c31edbd61ff96b20491b9ba0f0071267123925c02382d63db32d690", + "search_line": 0 }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", "line": 37, - "filename": "positive6.yaml" + "fileName": "positive6.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.MyObject.properties.phones.items.pattern", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword pattern is not valid for type number", + "issueType": "IncorrectValue", + "similarityID": "09be52dea6bb4d88c8a0a8412ebea76f8df37ba1ebe5f92c35e7ac99bb3c8b04", + "search_line": 0 }, { "queryName": "Type Has Invalid Keyword (v2)", "severity": "INFO", "line": 41, - "filename": "positive7.json" + "fileName": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.properties.phones.items.pattern", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword pattern is not valid for type number", + "issueType": "IncorrectValue", + "similarityID": "7fa7192a29cf641fc65f2ed4be31d843454890c0d6420c6624f78ea222d84a0b", + "search_line": 41 }, { "queryName": "Type Has Invalid Keyword (v2)", "severity": "INFO", "line": 55, - "filename": "positive7.json" + "fileName": "positive7.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.maximum", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword maximum is not valid for type string", + "issueType": "IncorrectValue", + "similarityID": 
"5d5f8bd0fbbf1c6113c6376901d3e321290529cec392fe241eec38d24d5d5d80", + "search_line": 55 }, { "queryName": "Type Has Invalid Keyword (v2)", "severity": "INFO", "line": 33, - "filename": "positive8.yaml" + "fileName": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.schema.properties.phones.items.pattern", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword pattern is not valid for type number", + "issueType": "IncorrectValue", + "similarityID": "6c257378626cee4bb6fdb39c98f50802d8d32959d8c8ca7df67eb0e19fb28628", + "search_line": 33 }, { "queryName": "Type Has Invalid Keyword (v2)", "severity": "INFO", "line": 42, - "filename": "positive8.yaml" + "fileName": "positive8.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.parameters.maximum", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword maximum is not valid for type string", + "issueType": "IncorrectValue", + "similarityID": "695ac393a7235764594fad3fb6a22f39213265663d82fd286bffd8d6d1aca0a8", + "search_line": 42 }, { "queryName": "Type Has Invalid Keyword (v2)", "severity": "INFO", "line": 19, - "filename": "positive9.json" + "fileName": "positive9.json", + "resourceType": "", + "resourceName": "", + "searchKey": "paths.{{/}}.get.responses.200.headers.X-Rate-Limit-Limit.minLength", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword minLength is not valid for type integer", + "issueType": "IncorrectValue", + "similarityID": "b63fc04287e352fe0d8d068a26e473f502aaed977c4dcdb609d7cf42454babba", + "search_line": 19 }, { "queryName": "Type Has Invalid Keyword (v2)", "severity": "INFO", "line": 17, - "filename": "positive10.yaml" + "fileName": "positive10.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": 
"paths.{{/}}.get.responses.200.headers.X-Rate-Limit-Limit.minLength", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword minLength is not valid for type integer", + "issueType": "IncorrectValue", + "similarityID": "f29d71a0a92dbb1385da736a067cf80d587582c27afc49d4c2287a8630a35764", + "search_line": 17 }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", "line": 14, - "filename": "positive11.yaml" + "fileName": "positive11.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.PointGenre.minimum", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword minimum is not valid for type string", + "issueType": "IncorrectValue", + "similarityID": "0b8aeb7c83c4720afc7dabbaae162b250343d7dac7c3cf4dbee10ac0499d787b", + "search_line": 14 }, { "queryName": "Type Has Invalid Keyword (v3)", "severity": "INFO", "line": 15, - "filename": "positive11.yaml" + "fileName": "positive11.yaml", + "resourceType": "", + "resourceName": "", + "searchKey": "components.schemas.PointGenre.maximum", + "searchValue": "", + "expectedValue": "There shouldn't be any invalid keywords", + "actualValue": "Keyword maximum is not valid for type string", + "issueType": "IncorrectValue", + "similarityID": "f2d28471dfb7edba6d748217b575e9bc34d68c2ef4067e4cfaebdcc76a3a4cb0", + "search_line": 15 } ] diff --git a/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json index 6618f3802ee..c29e7f7b727 100644 --- a/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Amazon DMS Replication Instance Is Publicly Accessible", "severity": "CRITICAL", "line": 44, - "fileName": "positive1.yaml" + "fileName": "positive1.yaml", + "resourceType": "aws:dms:ReplicationInstance", + "resourceName": "test", + "searchKey": "resources[test].properties.publiclyAccessible", + "searchValue": "", + "expectedValue": "Attribute 'publiclyAccessible' is should be set to 'false'", + "actualValue": "Attribute 'publiclyAccessible' is defined to 'true'", + "issueType": "IncorrectValue", + "similarityID": "4100151b5ae77aa2d404847b6639892fa01a7ec41c69bb9e2c94eded3dad9ed7", + "search_line": 44 }, { "queryName": "Amazon DMS Replication Instance Is Publicly Accessible", "severity": "CRITICAL", "line": 35, - "fileName": "positive2.yaml" + "fileName": "positive2.yaml", + "resourceType": "aws:dms:ReplicationInstance", + "resourceName": "test", + "searchKey": "resources[test].properties", + "searchValue": "", + "expectedValue": "Attribute 'publiclyAccessible' should be defined", + "actualValue": "Attribute 'publiclyAccessible' is not defined", + "issueType": "MissingAttribute", + "similarityID": "d3d0c736e58e836b633160bef96717b2b3eef7833ef780fda2a9bc574de1d8a7", + "search_line": 35 } -] \ No newline at end of file +] diff --git a/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json index d93f28a1060..8e701e48a9e 100644 --- a/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json 
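Review bot: The new `expectedValue` recorded for positive1.yaml in this hunk is `Attribute 'publiclyAccessible' is should be set to 'false'`, which contains a grammatical slip ("is should be") that appears to originate in the query's own result message rather than in this fixture. Because this file is now the golden output, the slip becomes a test expectation, and any later wording fix in the query will break the test until the fixture is regenerated. It would be cleaner to correct the message at its source (the query code is not part of this diff) and regenerate this entry so it reads `"expectedValue": "Attribute 'publiclyAccessible' should be set to 'false'"`, instead of committing the typo as expected behavior.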
@@ -1,8 +1,17 @@ [ - { - "queryName": "API Gateway Access Logging Disabled", - "severity": "MEDIUM", - "line": 7, - "fileName": "positive.yaml" - } + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 7, + "fileName": "positive.yaml", + "resourceType": "aws:apigatewayv2:Stage", + "resourceName": "example", + "searchKey": "resources[example].properties", + "searchValue": "", + "expectedValue": "Attribute 'accessLogSettings' should be defined", + "actualValue": "Attribute 'accessLogSettings' is not defined", + "issueType": "MissingAttribute", + "similarityID": "7b8f569921e9748f397531cb7c0c033b0cff6726b45ceb5908ae144c96d6eeab", + "search_line": 7 + } ] diff --git a/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json b/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json index 3b55e916d68..8581a41aeeb 100644 --- a/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json @@ -1,8 +1,17 @@ [ - { - "queryName": "API Gateway Without SSL Certificate", - "severity": "MEDIUM", - "line": 7, - "fileName": "positive.yaml" - } + { + "queryName": "API Gateway Without SSL Certificate", + "severity": "MEDIUM", + "line": 7, + "fileName": "positive.yaml", + "resourceType": "aws:apigatewayv2:Stage", + "resourceName": "example", + "searchKey": "resources[example].properties", + "searchValue": "", + "expectedValue": "Attribute 'clientCertificateId' should be defined", + "actualValue": "Attribute 'clientCertificateId' is not defined", + "issueType": "MissingAttribute", + "similarityID": "7e07eebe96f13ea778923ae26d8138a4f429a2113cbf230c7c3528a2b58748a2", + "search_line": 7 + } ] 
diff --git a/assets/queries/pulumi/aws/docdb_logging_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/docdb_logging_disabled/test/positive_expected_result.json index ec989d87754..88593d0627f 100644 --- a/assets/queries/pulumi/aws/docdb_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/docdb_logging_disabled/test/positive_expected_result.json 
@@ -3,18 +3,45 @@
 "queryName": "DocDB Logging Is Disabled",
 "severity": "MEDIUM",
 "line": 10,
- "filename": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "aws:docdb:Cluster",
+ "resourceName": "aws:docdb/cluster",
+ "searchKey": "resources[aws:docdb/cluster].properties",
+ "searchValue": "",
+ "expectedValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports should be defined",
+ "actualValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "947371b3792acadf72ad5445e039061711c5980474b6e076cf4ce411ea2469ad",
+ "search_line": 10
 },
 {
 "queryName": "DocDB Logging Is Disabled",
 "severity": "MEDIUM",
 "line": 18,
- "filename": "positive2.yaml"
+ "fileName": "positive2.yaml",
+ "resourceType": "aws:docdb:Cluster",
+ "resourceName": "aws:docdb/cluster",
+ "searchKey": "resources[aws:docdb/cluster].properties.enabledCloudwatchLogsExports",
+ "searchValue": "",
+ "expectedValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports should have all following values: audit, profiler",
+ "actualValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports has the following missing values: audit, profiler",
+ "issueType": "IncorrectValue",
+ "similarityID": "a0e2e2021e6a06c7d9f3fec82516102c5913551bc41a5762ed72ba7432ffd2fc",
+ "search_line": 18
 },
 {
 "queryName": "DocDB Logging Is Disabled",
 "severity": "MEDIUM",
 "line": 18,
- "filename": "positive3.yaml"
+ "fileName": "positive3.yaml",
+ "resourceType": "aws:docdb:Cluster",
+ "resourceName": "aws:docdb/cluster",
+ "searchKey": "resources[aws:docdb/cluster].properties.enabledCloudwatchLogsExports",
+ "searchValue": "",
+ "expectedValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports should have all following values: audit, profiler",
+ "actualValue": "aws:docdb:Cluster.enabledCloudwatchLogsExports has the following missing values: profiler",
+ "issueType": "IncorrectValue",
+ "similarityID": "4e93d87cdb6e6a5778f69346b30879c1bce439c78a7e98f49b5686041a287713",
+ "search_line": 18
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json b/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json
index e6fa49800c1..51fc0edb1de 100644
--- a/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json
+++ b/assets/queries/pulumi/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "DynamoDB Table Not Encrypted",
 "severity": "HIGH",
 "line": 7,
- "fileName": "positive.yaml"
+ "fileName": "positive.yaml",
+ "resourceType": "aws:dynamodb:Table",
+ "resourceName": "example",
+ "searchKey": "resources[example].properties",
+ "searchValue": "",
+ "expectedValue": "Attribute 'serverSideEncryption' should be defined",
+ "actualValue": "Attribute 'serverSideEncryption' is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "ef09555104d643b791c3e996bdb229e786e911c56b3189f7340105adc086d14d",
+ "search_line": 7
 },
 {
 "queryName": "DynamoDB Table Not Encrypted",
 "severity": "HIGH",
 "line": 17,
- "fileName": "positive.yaml"
+ "fileName": "positive.yaml",
+ "resourceType": "aws:dynamodb:Table",
+ "resourceName": "example",
+ "searchKey": "resources[example].properties.serverSideEncryption.enabled",
+ "searchValue": "",
+ "expectedValue": "Attribute 'enabled' in 'serverSideEncryption' should be set to true",
+ "actualValue": "Attribute 'enabled' in 'serverSideEncryption' is set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "c7a963c8418437d6ba99090c82732691e0734faa8c4f282e4372eb5d07ea959b",
+ "search_line": 17
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json
index a258509974c..8089fbbba22 100644
--- a/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json
+++ b/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "DynamoDB Table Point In Time Recovery Disabled",
 "severity": "INFO",
 "line": 7,
- "fileName": "positive.yaml"
+ "fileName": "positive.yaml",
+ "resourceType": "aws:dynamodb:Table",
+ "resourceName": "example",
+ "searchKey": "resources[example].properties",
+ "searchValue": "",
+ "expectedValue": "Attribute 'pointInTimeRecovery' should be defined",
+ "actualValue": "Attribute 'pointInTimeRecovery' is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "d2b4b1449d8909278d86df1e67056fb7a569bf7a57837d5d10148674017970ab",
+ "search_line": 7
 },
 {
 "queryName": "DynamoDB Table Point In Time Recovery Disabled",
 "severity": "INFO",
 "line": 21,
- "fileName": "positive.yaml"
+ "fileName": "positive.yaml",
+ "resourceType": "aws:dynamodb:Table",
+ "resourceName": "example",
+ "searchKey": "resources[example].properties.pointInTimeRecovery.enabled",
+ "searchValue": "",
+ "expectedValue": "Attribute 'enabled' in 'pointInTimeRecovery' should be set to true",
+ "actualValue": "Attribute 'enabled' in 'pointInTimeRecovery' is set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "0ed1855170bad4d6b07159bd420c2e68ae7cc3232aa9165828185ff855552b2f",
+ "search_line": 21
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json
index 50322c323b5..f49344f7f7f 100644
--- a/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json
+++ b/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "EC2 Instance Monitoring Disabled",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive.yaml"
+ "fileName": "positive.yaml",
+ "resourceType": "aws:ec2:Instance",
+ "resourceName": "example",
+ "searchKey": "resources[example].properties",
+ "searchValue": "",
+ "expectedValue": "Attribute 'monitoring' should be defined and set to true",
+ "actualValue": "Attribute 'monitoring' is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "6424ea29d4a7fe638a1e0c92e00e9917b0b1567a22551eb7598814915a2550d0",
+ "search_line": 7
 },
 {
 "queryName": "EC2 Instance Monitoring Disabled",
 "severity": "MEDIUM",
 "line": 16,
- "fileName": "positive.yaml"
+ "fileName": "positive.yaml",
+ "resourceType": "aws:ec2:Instance",
+ "resourceName": "example",
+ "searchKey": "resources[example].properties.monitoring",
+ "searchValue": "",
+ "expectedValue": "Attribute 'monitoring' should be set to true",
+ "actualValue": "Attribute 'monitoring' is set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "b7798b65c72be4a2e21b04b97cdf3b4ba10fd17be6d4e8017385f014df6f799f",
+ "search_line": 16
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/pulumi/aws/ec2_not_ebs_optimized/test/positive_expected_result.json b/assets/queries/pulumi/aws/ec2_not_ebs_optimized/test/positive_expected_result.json
index 05f043b1d1b..8ca0aa26801 100644
--- a/assets/queries/pulumi/aws/ec2_not_ebs_optimized/test/positive_expected_result.json
+++ b/assets/queries/pulumi/aws/ec2_not_ebs_optimized/test/positive_expected_result.json
@@ -1,14 +1,32 @@
 [
- {
- "queryName": "EC2 Not EBS Optimized",
- "severity": "INFO",
- "line": 10,
- "fileName": "positive.yaml"
- },
- {
- "queryName": "EC2 Not EBS Optimized",
- "severity": "INFO",
- "line": 18,
- "fileName": "positive.yaml"
- }
+ {
+ "queryName": "EC2 Not EBS Optimized",
+ "severity": "INFO",
+ "line": 10,
+ "fileName": "positive.yaml",
+ "resourceType": "aws:ec2:Instance",
+ "resourceName": "example",
+ "searchKey": "resources[example].properties.ebsOptimized",
+ "searchValue": "",
+ "expectedValue": "Attribute 'ebsOptimized' should be set to true",
+ "actualValue": "Attribute 'ebsOptimized' is set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "1f9aa3142bb4ffa22ff1b9aed7156e46199b945fcbeeacb2da0ee9d949a3c563",
+ "search_line": 10
+ },
+ {
+ "queryName": "EC2 Not EBS Optimized",
+ "severity": "INFO",
+ "line": 18,
+ "fileName": "positive.yaml",
+ "resourceType": "aws:ec2:Instance",
+ "resourceName": "example",
+ "searchKey": "resources[example].properties",
+ "searchValue": "",
+ "expectedValue": "Attribute 'ebsOptimized' should be defined and set to true",
+ "actualValue": "Attribute 'ebsOptimized' is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "124dcf1e0374378bcacd405b6703fecc97b5c53d6bd7b13898bf7acb136d9878",
+ "search_line": 18
+ }
 ]
diff --git a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json
index 601fa6515b7..16db1eff70d 100644
--- a/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json
+++ b/assets/queries/pulumi/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json
@@ -1,20 +1,47 @@
 [
- {
- "queryName": "ECS Cluster with Container Insights Disabled",
- "severity": "LOW",
- "line": 8,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "ECS Cluster with Container Insights Disabled",
- "severity": "LOW",
- "line": 8,
- "fileName": "positive2.yaml"
- },
- {
- "queryName": "ECS Cluster with Container Insights Disabled",
- "severity": "LOW",
- "line": 7,
- "fileName": "positive3.yaml"
- }
+ {
+ "queryName": "ECS Cluster with Container Insights Disabled",
+ "severity": "LOW",
+ "line": 8,
+ "fileName": "positive1.yaml",
+ "resourceType": "aws:ecs:Cluster",
+ "resourceName": "foo",
+ "searchKey": "resources[foo].properties.settings",
+ "searchValue": "",
+ "expectedValue": "Attribute 'settings' should have a ClusterSetting named 'containerInsights' which value is 'enabled'",
+ "actualValue": "Attribute 'settings' doesn't have a ClusterSetting named 'containerInsights' which value is 'enabled'",
+ "issueType": "IncorrectValue",
+ "similarityID": "a36c8e716e7c817a61c0aa4809ce898d3220c557ecd68e0545a07eaf174b9191",
+ "search_line": 8
+ },
+ {
+ "queryName": "ECS Cluster with Container Insights Disabled",
+ "severity": "LOW",
+ "line": 8,
+ "fileName": "positive2.yaml",
+ "resourceType": "aws:ecs:Cluster",
+ "resourceName": "foo",
+ "searchKey": "resources[foo].properties.settings",
+ "searchValue": "",
+ "expectedValue": "Attribute 'settings' should have a ClusterSetting named 'containerInsights' which value is 'enabled'",
+ "actualValue": "Attribute 'settings' doesn't have a ClusterSetting named 'containerInsights' which value is 'enabled'",
+ "issueType": "IncorrectValue",
+ "similarityID": "6de9d2fcd1cdbfa5d468d3e733c748a4ef3a05c8ffd7b736688ae91517b8f9c4",
+ "search_line": 8
+ },
+ {
+ "queryName": "ECS Cluster with Container Insights Disabled",
+ "severity": "LOW",
+ "line": 7,
+ "fileName": "positive3.yaml",
+ "resourceType": "aws:ecs:Cluster",
+ "resourceName": "foo",
+ "searchKey": "resources[foo].properties",
+ "searchValue": "",
+ "expectedValue": "Attribute 'settings' should be defined and have a ClusterSetting named 'containerInsights' which value is 'enabled'",
+ "actualValue": "Attribute 'settings' is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "efe05f4ae3fbaabe16c2ea2405e06ac8a7e14460a02c446c8bd4f47a5f787a18",
+ "search_line": 7
+ }
 ]
diff --git a/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json b/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json
index f1cf8a75933..4179352ef2b 100644
--- a/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json
+++ b/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json
@@ -1,14 +1,32 @@
 [
- {
- "queryName": "ElastiCache Nodes Not Created Across Multi AZ",
- "severity": "MEDIUM",
- "line": 10,
- "fileName": "positive.yaml"
- },
- {
- "queryName": "ElastiCache Nodes Not Created Across Multi AZ",
- "severity": "MEDIUM",
- "line": 18,
- "fileName": "positive.yaml"
- }
+ {
+ "queryName": "ElastiCache Nodes Not Created Across Multi AZ",
+ "severity": "MEDIUM",
+ "line": 10,
+ "fileName": "positive.yaml",
+ "resourceType": "aws:elasticache:Cluster",
+ "resourceName": "example",
+ "searchKey": "resources[example].properties.azMode",
+ "searchValue": "",
+ "expectedValue": "Attribute 'azMode' should be set to 'cross-az' in multi nodes cluster",
+ "actualValue": "Attribute 'azMode' is set to single-az",
+ "issueType": "IncorrectValue",
+ "similarityID": "00c6d2edb0de573e6647519f39ed309e674a4943adacd8f955a795e0eb8226fc",
+ "search_line": 10
+ },
+ {
+ "queryName": "ElastiCache Nodes Not Created Across Multi AZ",
+ "severity": "MEDIUM",
+ "line": 18,
+ "fileName": "positive.yaml",
+ "resourceType": "aws:elasticache:Cluster",
+ "resourceName": "example",
+ "searchKey": "resources[example].properties",
+ "searchValue": "",
+ "expectedValue": "Attribute 'azMode' should be defined and set to 'cross-az' in multi nodes cluster",
+ "actualValue": "Attribute 'azMode' is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "36f0c838bdabc111eab72662649fe44111a6304874fed8f3985ef97801e44ebc",
+ "search_line": 18
+ }
 ]
diff --git a/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json b/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json
index f3eb496129c..f12862e0277 100644
--- a/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json
+++ b/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json
@@ -1,14 +1,32 @@
 [
- {
- "queryName": "ElastiCache Redis Cluster Without Backup",
- "severity": "MEDIUM",
- "line": 9,
- "fileName": "positive.yaml"
- },
- {
- "queryName": "ElastiCache Redis Cluster Without Backup",
- "severity": "MEDIUM",
- "line": 17,
- "fileName": "positive.yaml"
- }
+ {
+ "queryName": "ElastiCache Redis Cluster Without Backup",
+ "severity": "MEDIUM",
+ "line": 9,
+ "fileName": "positive.yaml",
+ "resourceType": "aws:elasticache:Cluster",
+ "resourceName": "example",
+ "searchKey": "resources[example].properties.snapshotRetentionLimit",
+ "searchValue": "",
+ "expectedValue": "Attribute 'snapshotRetentionLimit' should be set to higher than 0",
+ "actualValue": "Attribute 'snapshotRetentionLimit' is set to 0",
+ "issueType": "IncorrectValue",
+ "similarityID": "933c03265526b346b1a15e70b87071d92b1422590fc8b8135d8dd467f7436b0a",
+ "search_line": 9
+ },
+ {
+ "queryName": "ElastiCache Redis Cluster Without Backup",
+ "severity": "MEDIUM",
+ "line": 17,
+ "fileName": "positive.yaml",
+ "resourceType": "aws:elasticache:Cluster",
+ "resourceName": "example",
+ "searchKey": "resources[example].properties",
+ "searchValue": "",
+ "expectedValue": "Attribute 'snapshotRetentionLimit' should be defined and set to higher than 0",
+ "actualValue": "Attribute 'snapshotRetentionLimit' is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "40126329df3de65ce0deff34e99fc706cd87fb868bc8a6b0d6d0e8172473f4df",
+ "search_line": 17
+ }
 ]
diff --git a/assets/queries/pulumi/aws/elasticsearch_logs_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/elasticsearch_logs_disabled/test/positive_expected_result.json
index f71a9571173..62b1410fe40 100644
--- a/assets/queries/pulumi/aws/elasticsearch_logs_disabled/test/positive_expected_result.json
+++ b/assets/queries/pulumi/aws/elasticsearch_logs_disabled/test/positive_expected_result.json
@@ -1,20 +1,47 @@
 [
- {
- "queryName": "Elasticsearch Logs Disabled",
- "severity": "MEDIUM",
- "line": 14,
- "fileName": "positive1.yaml"
- },
- {
- "queryName": "Elasticsearch Logs Disabled",
- "severity": "MEDIUM",
- "line": 17,
- "fileName": "positive2.yaml"
- },
- {
- "queryName": "Elasticsearch Logs Disabled",
- "severity": "MEDIUM",
- "line": 18,
- "fileName": "positive3.yaml"
- }
+ {
+ "queryName": "Elasticsearch Logs Disabled",
+ "severity": "MEDIUM",
+ "line": 14,
+ "fileName": "positive1.yaml",
+ "resourceType": "aws:elasticsearch:Domain",
+ "resourceName": "exampleDomain",
+ "searchKey": "resources.exampleDomain.properties",
+ "searchValue": "",
+ "expectedValue": "Attribute 'logPublishingOptions' should be defined",
+ "actualValue": "Attribute 'logPublishingOptions' is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "d66a467de5c017718c0fd7e5d518e33db4ae2d8e5957c6c07cf5c6984d1db07a",
+ "search_line": 14
+ },
+ {
+ "queryName": "Elasticsearch Logs Disabled",
+ "severity": "MEDIUM",
+ "line": 17,
+ "fileName": "positive2.yaml",
+ "resourceType": "aws:elasticsearch:Domain",
+ "resourceName": "exampleDomain",
+ "searchKey": "resources.exampleDomain.properties.logPublishingOptions[0].logType",
+ "searchValue": "",
+ "expectedValue": "Attribute 'enabled' should be defined and set to 'true'",
+ "actualValue": "Attribute 'enabled' is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "e868e1588511d3a8b263d5b2d1b08bf77858bb9968476d25db9bed9d1cfa07d9",
+ "search_line": 17
+ },
+ {
+ "queryName": "Elasticsearch Logs Disabled",
+ "severity": "MEDIUM",
+ "line": 18,
+ "fileName": "positive3.yaml",
+ "resourceType": "aws:elasticsearch:Domain",
+ "resourceName": "exampleDomain",
+ "searchKey": "resources.exampleDomain.properties.logPublishingOptions[0].logType",
+ "searchValue": "",
+ "expectedValue": "Attribute 'enabled' should be set to 'true'",
+ "actualValue": "Attribute 'enabled' is set to 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "53bf4e5d01e69eafe010ca56b8844e0f883bcc7981f205079ae8701ac0e2bfdf",
+ "search_line": 18
+ }
 ]
diff --git a/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json
index 4a76d1cc1b0..a30022badb2 100644
--- a/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json
+++ b/assets/queries/pulumi/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Elasticsearch with HTTPS disabled",
 "severity": "MEDIUM",
 "line": 31,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "aws.elasticsearch.Domain",
+ "resourceName": "0",
+ "searchKey": "resources[%!s(int=0)].properties.domainEndpointOptions.enforceHTTPS",
+ "searchValue": "",
+ "expectedValue": "resources[%!s(int=0)].properties.domainEndpointOptions.enforceHTTPS should be set to 'true'",
+ "actualValue": "resources[%!s(int=0)].properties.domainEndpointOptions.enforceHTTPS is set to 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "405a6a93c9a041ba1b2b1d9a12dabe579884edd8804fd9e225e3689e91279fec",
+ "search_line": 31
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/pulumi/aws/iam_password_without_minimum_length/test/positive_expected_result.json b/assets/queries/pulumi/aws/iam_password_without_minimum_length/test/positive_expected_result.json
index 152fb7347ec..bbcfa3e6cdb 100644
--- a/assets/queries/pulumi/aws/iam_password_without_minimum_length/test/positive_expected_result.json
+++ b/assets/queries/pulumi/aws/iam_password_without_minimum_length/test/positive_expected_result.json
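Review bot: The positive1.yaml entry in elasticsearch_with_https_disabled records `resources[%!s(int=0)].properties.domainEndpointOptions.enforceHTTPS` as its searchKey, and the same token is repeated in expectedValue and actualValue. `%!s(int=0)` is what Go's fmt emits when an integer is passed to a `%s` verb, so this looks like the query's sprintf formatting the resource index with the wrong verb rather than a real path; committing the fixture as-is pins the test to that output and it will break the moment the query is corrected. The same entry also differs from every other pulumi fixture in this commit in resourceType (`aws.elasticsearch.Domain`, dotted, where the others use `provider:module:Type`) and resourceName (`"0"`, an index rather than the resource key), which suggests the name lookup fell through. I would fix the query's searchKey/message formatting first and regenerate this file rather than merge the artifact.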
@@ -3,12 +3,30 @@
 "queryName": "IAM Password Without Minimum Length",
 "severity": "LOW",
 "line": 7,
- "fileName": "positive.yaml"
+ "fileName": "positive.yaml",
+ "resourceType": "aws:iam:AccountPasswordPolicy",
+ "resourceName": "example",
+ "searchKey": "resources[example].properties",
+ "searchValue": "",
+ "expectedValue": "Attribute 'minimumPasswordLength' should be defined and set to 14 or higher",
+ "actualValue": "Attribute 'minimumPasswordLength' is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "bd14c5379e30cf4d50fa95cf25a2eb15af92f62741c759783fb3b982e10e35af",
+ "search_line": 7
 },
 {
 "queryName": "IAM Password Without Minimum Length",
 "severity": "LOW",
 "line": 16,
- "fileName": "positive.yaml"
+ "fileName": "positive.yaml",
+ "resourceType": "aws:iam:AccountPasswordPolicy",
+ "resourceName": "example",
+ "searchKey": "resources[example].properties.minimumPasswordLength",
+ "searchValue": "",
+ "expectedValue": "Attribute 'minimumPasswordLength' should be set to 14 or higher",
+ "actualValue": "Attribute 'minimumPasswordLength' is set to less than 14",
+ "issueType": "IncorrectValue",
+ "similarityID": "cd333add54b64e779f61b9070eff6ed95e10778f376f4da73a6ef89331352d1c",
+ "search_line": 16
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json
index 3a0189f4d2f..80a18e32a0e 100644
--- a/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/pulumi/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "RDS DB Instance Publicly Accessible",
 "severity": "CRITICAL",
 "line": 17,
- "fileName": "positive1.yaml"
+ "fileName": "positive1.yaml",
+ "resourceType": "aws:rds:Instance",
+ "resourceName": "default",
+ "searchKey": "resources[default].properties.publiclyAccessible",
+ "searchValue": "",
+ "expectedValue": "'resources.default.properties.publiclyAccessible' should be set to 'false'",
+ "actualValue": "'resources.default.properties.publiclyAccessible' is set to 'true'",
+ "issueType": "IncorrectValue",
+ "similarityID": "f2aca6cfd3132391466760146abb5fb5a1034477d800f5b078cf780ca67ed4bd",
+ "search_line": 17
 }
 ]
diff --git a/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json b/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json
index 74ec4256eda..668f4cd396c 100644
--- a/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json
+++ b/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json
@@ -1,8 +1,17 @@
 [
- {
- "queryName": "Redis Cache Allows Non SSL Connections",
- "severity": "MEDIUM",
- "line": 8,
- "fileName": "positive.yaml"
- }
+ {
+ "queryName": "Redis Cache Allows Non SSL Connections",
+ "severity": "MEDIUM",
+ "line": 8,
+ "fileName": "positive.yaml",
+ "resourceType": "azure-native:cache:Redis",
+ "resourceName": "redis",
+ "searchKey": "resources[redis].properties.enableNonSslPort",
+ "searchValue": "",
+ "expectedValue": "Redis Cache should have attribute 'enableNonSslPort' set to false",
+ "actualValue": "Redis Cache has attribute 'enableNonSslPort' set to true",
+ "issueType": "IncorrectValue",
+ "similarityID": "f1796a83b6067f3c99d74ab9cc49d41dc09154414fe2350ffad7b20d5e03c375",
+ "search_line": 8
+ }
 ]
diff --git a/assets/queries/pulumi/azure/storage_account_not_forcing_https/test/positive_expected_result.json b/assets/queries/pulumi/azure/storage_account_not_forcing_https/test/positive_expected_result.json
index c6ab89b625e..2ebe3031244 100644
--- a/assets/queries/pulumi/azure/storage_account_not_forcing_https/test/positive_expected_result.json
+++ b/assets/queries/pulumi/azure/storage_account_not_forcing_https/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Storage Account Not Forcing HTTPS",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive.yaml"
+ "fileName": "positive.yaml",
+ "resourceType": "azure-native:storage:StorageAccount",
+ "resourceName": "storageAccount",
+ "searchKey": "resources[storageAccount].properties.enableHttpsTrafficOnly",
+ "searchValue": "",
+ "expectedValue": "Storage Account should have attribute 'enableHttpsTrafficOnly' set to true",
+ "actualValue": "Storage Account has attribute 'enableHttpsTrafficOnly' set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "eb0472a1bf1e832d5957e5eec23565a3964a48f7a0cafe3137f96241a9893733",
+ "search_line": 9
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json b/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json
index cdc97e3eab8..7fc969c317f 100644
--- a/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json
+++ b/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Cloud Storage Bucket Logging Not Enabled",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive.yaml"
+ "fileName": "positive.yaml",
+ "resourceType": "gcp:storage:Bucket",
+ "resourceName": "example",
+ "searchKey": "resources[example].properties",
+ "searchValue": "",
+ "expectedValue": "Storage Bucket should have attribute 'logging' defined",
+ "actualValue": "Storage Bucket attribute 'logging' is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "a241e12e192e68c237f8eb47d10d74609f559380a2d27db179a452fe36e0f060",
+ "search_line": 7
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json b/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json
index 1075917af2f..b72929bcee3 100644
--- a/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json
+++ b/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json
@@ -1,14 +1,32 @@
 [
- {
- "queryName": "Google Compute SSL Policy Weak Cipher In Use",
- "severity": "MEDIUM",
- "line": 7,
- "fileName": "positive.yaml"
- },
- {
- "queryName": "Google Compute SSL Policy Weak Cipher In Use",
- "severity": "MEDIUM",
- "line": 16,
- "fileName": "positive.yaml"
- }
+ {
+ "queryName": "Google Compute SSL Policy Weak Cipher In Use",
+ "severity": "MEDIUM",
+ "line": 7,
+ "fileName": "positive.yaml",
+ "resourceType": "gcp:compute:SSLPolicy",
+ "resourceName": "example",
+ "searchKey": "resources[example].properties",
+ "searchValue": "",
+ "expectedValue": "SSLPolicy should have 'minTlsVersion' defined and set to 'TLS_1_2'",
+ "actualValue": "SSLPolicy 'minTlsVersion' attribute is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "2fd803a384fe45498255e6dffb5de542e94ff73c41537f8bbb10005f9c827e9f",
+ "search_line": 7
+ },
+ {
+ "queryName": "Google Compute SSL Policy Weak Cipher In Use",
+ "severity": "MEDIUM",
+ "line": 16,
+ "fileName": "positive.yaml",
+ "resourceType": "gcp:compute:SSLPolicy",
+ "resourceName": "example",
+ "searchKey": "resources[example].properties.minTlsVersion",
+ "searchValue": "",
+ "expectedValue": "SSLPolicy should have 'minTlsVersion' set to 'TLS_1_2'",
+ "actualValue": "SSLPolicy 'minTlsVersion' attribute is set to TLS_1_1",
+ "issueType": "IncorrectValue",
+ "similarityID": "c5a4a4440b9f3b1f15f63dc9afd41335960ea3fec0e1dce6c8c8ce13383569d1",
+ "search_line": 16
+ }
 ]
diff --git a/assets/queries/pulumi/kubernetes/missing_app_armor_config/test/positive_expected_result.json b/assets/queries/pulumi/kubernetes/missing_app_armor_config/test/positive_expected_result.json
index bb03452d61c..be403b44787 100644
--- a/assets/queries/pulumi/kubernetes/missing_app_armor_config/test/positive_expected_result.json
+++ b/assets/queries/pulumi/kubernetes/missing_app_armor_config/test/positive_expected_result.json
@@ -3,18 +3,45 @@
 "queryName": "Missing App Armor Config",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive.yaml"
+ "fileName": "positive.yaml",
+ "resourceType": "kubernetes:core/v1:Pod",
+ "resourceName": "pod",
+ "searchKey": "resources[pod].properties.metadata",
+ "searchValue": "",
+ "expectedValue": "Pod should have annotation 'container.apparmor.security.beta.kubernetes.io' defined",
+ "actualValue": "Pod does not have annotations defined in metadata",
+ "issueType": "MissingAttribute",
+ "similarityID": "e4d8e2b4e6dec18ebca1901498d6f811c82eb9ffec533643ead733f61d9b864f",
+ "search_line": 8
 },
 {
 "queryName": "Missing App Armor Config",
 "severity": "MEDIUM",
 "line": 25,
- "fileName": "positive.yaml"
+ "fileName": "positive.yaml",
+ "resourceType": "kubernetes:core/v1:Pod",
+ "resourceName": "pod",
+ "searchKey": "resources[pod].properties.metadata",
+ "searchValue": "",
+ "expectedValue": "Pod should have annotation 'container.apparmor.security.beta.kubernetes.io' defined",
+ "actualValue": "Pod does not have annotations defined in metadata",
+ "issueType": "MissingAttribute",
+ "similarityID": "c9cae73b0e9763a2b0170a0e96307d65ee2bc3b338cab817007bb4b4b5d25315",
+ "search_line": 25
 },
 {
 "queryName": "Missing App Armor Config",
 "severity": "MEDIUM",
 "line": 42,
- "fileName": "positive.yaml"
+ "fileName": "positive.yaml",
+ "resourceType": "kubernetes:core/v1:Pod",
+ "resourceName": "pod",
+ "searchKey": "resources[pod].properties.metadata.annotations",
+ "searchValue": "",
+ "expectedValue": "Pod should have annotation 'container.apparmor.security.beta.kubernetes.io' defined",
+ "actualValue": "Pod does not have annotation 'container.apparmor.security.beta.kubernetes.io' defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "7e2803fb9f4d20662c5cbda8a95ec0015fd3cc65dee064b2727ae9eec374eddd",
+ "search_line": 42
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/pulumi/kubernetes/psp_set_to_privileged/test/positive_expected_result.json b/assets/queries/pulumi/kubernetes/psp_set_to_privileged/test/positive_expected_result.json
index d68ff20ecd3..2c3983b642d 100644
--- a/assets/queries/pulumi/kubernetes/psp_set_to_privileged/test/positive_expected_result.json
+++ b/assets/queries/pulumi/kubernetes/psp_set_to_privileged/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "PSP Set To Privileged",
 "severity": "HIGH",
 "line": 11,
- "fileName": "positive.yaml"
+ "fileName": "positive.yaml",
+ "resourceType": "kubernetes:policy/v1beta1:PodSecurityPolicy",
+ "resourceName": "example",
+ "searchKey": "resources[example].properties.spec.privileged",
+ "searchValue": "",
+ "expectedValue": "PSP should have 'privileged' set to false or not defined",
+ "actualValue": "PSP has 'privileged' set to true",
+ "issueType": "IncorrectValue",
+ "similarityID": "23345219cd274d0369b83056146e4147afefc3705dc33b4066cdf18537e88fc9",
+ "search_line": 11
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/serverlessFW/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json
index 951599524db..3a54983abfd 100644
--- a/assets/queries/serverlessFW/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json
+++ b/assets/queries/serverlessFW/serverless_api_access_logging_setting_undefined/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Serverless API Access Logging Setting Undefined",
 "severity": "MEDIUM",
 "line": 17,
- "fileName": "positive1.yml"
+ "fileName": "positive1.yml",
+ "resourceType": "AWS::ApiGateway",
+ "resourceName": "myservice",
+ "searchKey": "provider.logs.restApi.accessLogging",
+ "searchValue": "",
+ "expectedValue": "provider.logs.restApi should have 'accessLogging' set to true",
+ "actualValue": "provider.logs.restApi has 'accessLogging' set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "a31ba858095b9093d9b4766f92545699fd4206dd311da42f3baadd2b6e1c21ce",
+ "search_line": 17
 }
 ]
diff --git a/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/test/positive_expected_result.json
index 3681cfe75d3..c1a3ff4021c 100644
--- a/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/test/positive_expected_result.json
+++ b/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private/test/positive_expected_result.json
@@ -3,12 +3,30 @@ "queryName": "Serverless API Endpoint Config Not Private", "severity": "MEDIUM", "line": 3, - "fileName": "positive1.yml" + "fileName": "positive1.yml", + "resourceType": "AWS::ApiGateway", + "resourceName": "my-service", + "searchKey": "provider", + "searchValue": "", + "expectedValue": "endpointType should be defined and set to PRIVATE", + "actualValue": "endpointType is not defined", + "issueType": "MissingAttribute", + "similarityID": "b8f8d02c9e47b664ae625d8286fc44910586aeddbcc5d55e1e3ed987c5bcdc70", + "search_line": 3 }, { "queryName": "Serverless API Endpoint Config Not Private", "severity": "MEDIUM", "line": 5, - "fileName": "positive2.yml" + "fileName": "positive2.yml", + "resourceType": "AWS::ApiGateway", + "resourceName": "my-service", + "searchKey": "provider.endpointType", + "searchValue": "", + "expectedValue": "endpointType should be set to PRIVATE", + "actualValue": "endpointType is not set to PRIVATE", + "issueType": "IncorrectValue", + "similarityID": "7aa30dbd57d621c457c10c0e2752944a8a7363e7174b1135dea20e4d0551e022", + "search_line": 5 } ] diff --git a/assets/queries/serverlessFW/serverless_api_without_content_encoding/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_api_without_content_encoding/test/positive_expected_result.json index 3e2ab32bd5a..a5044356ef9 100644 --- a/assets/queries/serverlessFW/serverless_api_without_content_encoding/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_api_without_content_encoding/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Serverless API Without Content Encoding", "severity": "LOW", "line": 5, - "fileName": "positive1.yml" + "fileName": "positive1.yml", + "resourceType": "AWS::ApiGateway", + "resourceName": "my-service", + "searchKey": "provider.apiGateway", + "searchValue": "", + "expectedValue": "apiGateway should have 'minimumCompressionSize' defined and set to a recommended value", + "actualValue": "apiGateway does not have 'minimumCompressionSize' defined", + "issueType": "MissingAttribute", + "similarityID": "a50232119bb51e908e536fbb201dc429759e43a50a8c7c3d0d186b94ae2ecb2a", + "search_line": 5 }, { "queryName": "Serverless API Without Content Encoding", "severity": "LOW", "line": 6, - "fileName": "positive2.yml" + "fileName": "positive2.yml", + "resourceType": "AWS::ApiGateway", + "resourceName": "my-service", + "searchKey": "provider.apiGateway.minimumCompressionSize", + "searchValue": "", + "expectedValue": "'minimumCompressionSize' should be set to a recommended value", + "actualValue": "'minimumCompressionSize' is set a unrecommended value", + "issueType": "IncorrectValue", + "similarityID": "9b80dad27a27ade5d3f4fbf69a36799c9fd9829e93f83f26889ca6bb1487dd50", + "search_line": 6 } -] \ No newline at end of file +] diff --git a/assets/queries/serverlessFW/serverless_api_xray_tracing_disabled/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_api_xray_tracing_disabled/test/positive_expected_result.json index 6e81798ca68..de692d4bf3a 100644 --- a/assets/queries/serverlessFW/serverless_api_xray_tracing_disabled/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_api_xray_tracing_disabled/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Serverless API X-Ray Tracing Disabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive1.yml" + "fileName": "positive1.yml", + "resourceType": "AWS::ApiGateway", + "resourceName": "my-service", + "searchKey": "provider.tracing.apiGateway", + "searchValue": "", + "expectedValue": "tracing should have 'apiGateway' set to true", + "actualValue": "'apiGateway' is set to false", + "issueType": "IncorrectValue", + "similarityID": "431ae2a7668cb699bbe6dc8f3b43ec1e0cf2fe7d3dee1559f7bcbff39850c20f", + "search_line": 8 }, { "queryName": "Serverless API X-Ray Tracing Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive2.yml" + "fileName": "positive2.yml", + "resourceType": "AWS::ApiGateway", + "resourceName": "my-service", + "searchKey": "provider.tracing", + "searchValue": "", + "expectedValue": "tracing should have 'apiGateway' defined and set to true", + "actualValue": "'apiGateway' is not defined within tracing", + "issueType": "MissingAttribute", + "similarityID": "5a0a4ef1c4ae66411c769c29dad2e91335e4a5bccd6e501e959fbe58dc99d4fc", + "search_line": 7 } ] diff --git a/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json index 8cf9e285b5c..183f571f24c 100644 --- a/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "Serverless Function Environment Variables Not Encrypted", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.yml" + "fileName": "positive1.yml", + "resourceType": "", + "resourceName": "", + "searchKey": "provider", + "searchValue": "", + "expectedValue": "'kmsKeyArn' should be defined inside the provider", + "actualValue": "'kmsKeyArn' is not defined", + "issueType": "MissingAttribute", + "similarityID": "f061409c087327f0a5777c36fe3cceffe58ea98fbd79b00afa7374e3c42a84f2", + "search_line": 6 }, { "queryName": "Serverless Function Environment Variables Not Encrypted", "severity": "MEDIUM", "line": 12, - "fileName": "positive1.yml" + "fileName": "positive1.yml", + "resourceType": "AWS::Lambda", + "resourceName": "hello", + "searchKey": "functions.hello", + "searchValue": "", + "expectedValue": "'kmsKeyArn' should be defined inside the function", + "actualValue": "'kmsKeyArn' is not defined", + "issueType": "MissingAttribute", + "similarityID": "2fedb181cd860b24240c9c01162d2a03be7165d7068c5ad0f9f04a38e371b22b", + "search_line": 12 }, { "queryName": "Serverless Function Environment Variables Not Encrypted", "severity": "MEDIUM", "line": 6, - "fileName": "positive2.yml" + "fileName": "positive2.yml", + "resourceType": "", + "resourceName": "", + "searchKey": "provider", + "searchValue": "", + "expectedValue": "'kmsKeyArn' should be defined inside the provider", + "actualValue": "'kmsKeyArn' is not defined", + "issueType": "MissingAttribute", + "similarityID": "80dfcfc779fab8edc6a71bc41763f5ce00e2564d547d1a7d13f7384ceb5e7d5a", + "search_line": 6 } -] \ No newline at end of file +] diff --git a/assets/queries/serverlessFW/serverless_function_without_dead_letter_queue/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_function_without_dead_letter_queue/test/positive_expected_result.json index 73f4f272ff6..5bb17114936 100644 
--- a/assets/queries/serverlessFW/serverless_function_without_dead_letter_queue/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_function_without_dead_letter_queue/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Serverless Function Without Dead Letter Queue", "severity": "LOW", "line": 8, - "fileName": "positive1.yml" + "fileName": "positive1.yml", + "resourceType": "AWS::Lambda", + "resourceName": "hello", + "searchKey": "functions.hello", + "searchValue": "", + "expectedValue": "'onError' should be defined inside the function", + "actualValue": "'onError' is not defined", + "issueType": "MissingAttribute", + "similarityID": "a926c22c2509b4f87cf17c22f61d2a1804843891bb457d8f14d73004456d0e27", + "search_line": 8 } ] diff --git a/assets/queries/serverlessFW/serverless_function_without_tags/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_function_without_tags/test/positive_expected_result.json index 741020c2f46..6d2e48760ff 100644 --- a/assets/queries/serverlessFW/serverless_function_without_tags/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_function_without_tags/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Serverless Function Without Tags", "severity": "LOW", "line": 8, - "fileName": "positive1.yml" + "fileName": "positive1.yml", + "resourceType": "AWS::Lambda", + "resourceName": "hello", + "searchKey": "functions.hello", + "searchValue": "", + "expectedValue": "'tags' should be defined inside the function", + "actualValue": "'tags' is not defined", + "issueType": "MissingAttribute", + "similarityID": "e37f1b581854a2965b73b4255ef09da78a48e81fcb0516d253ecd884b6ba0650", + "search_line": 8 } -] \ No newline at end of file +] 
diff --git a/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/test/positive_expected_result.json index ecd2c6cc8e9..f8277bca68a 100644 --- a/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_function_without_unique_iam_role/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "Serverless Function Without Unique IAM Role", "severity": "HIGH", "line": 8, - "fileName": "positive1.yml" + "fileName": "positive1.yml", + "resourceType": "AWS::Lambda", + "resourceName": "hello", + "searchKey": "functions.hello", + "searchValue": "", + "expectedValue": "'role' should be defined inside the function", + "actualValue": "'role' is not defined", + "issueType": "MissingAttribute", + "similarityID": "6eed7e292b81cc619e50ece9b9d0b15e9dc01a236af88bc00dc446443bce7f58", + "search_line": 8 }, { "queryName": "Serverless Function Without Unique IAM Role", "severity": "HIGH", "line": 8, - "fileName": "positive2.yml" + "fileName": "positive2.yml", + "resourceType": "AWS::Lambda", + "resourceName": "hello", + "searchKey": "functions[%!s(int=0)].hello", + "searchValue": "", + "expectedValue": "'role' should be defined inside the function", + "actualValue": "'role' is not defined", + "issueType": "MissingAttribute", + "similarityID": "f17c86d2552b48821022b7862f8d9a7852feae038ceb23fdc95a9254f0c6f033", + "search_line": 8 } -] \ No newline at end of file +] diff --git a/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/test/positive_expected_result.json index 9f0f7fb945f..22659c98f2f 100644 --- a/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/test/positive_expected_result.json 
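Review bot: The positive2.yml entry pins `"searchKey": "functions[%!s(int=0)].hello"`, and `%!s(int=0)` is Go's fmt marker for a `%s` verb applied to an int, so the snapshot now asserts a formatting defect in the query's search key instead of the intended path (presumably `functions[0].hello`, by analogy with the `functions.hello` key of the positive1.yml entry). Since this file is generated from scan output, the correction belongs in the query that builds the key, with the fixture regenerated afterwards; the similarityID for that entry would change with it. Accepting the snapshot as-is means the regression test fails the moment the key is fixed.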
+++ b/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "Serverless Function Without X-Ray Tracing", "severity": "LOW", "line": 14, - "fileName": "positive1.yml" + "fileName": "positive1.yml", + "resourceType": "AWS::Lambda", + "resourceName": "hello", + "searchKey": "functions.hello.tracing", + "searchValue": "", + "expectedValue": "'tracing' should be set to Active", + "actualValue": "'tracing' is not set to Active", + "issueType": "IncorrectValue", + "similarityID": "3d030b5b1c11d69497934a223fb12f0681a889dc0d959858beaed46a00c3e9db", + "search_line": 14 }, { "queryName": "Serverless Function Without X-Ray Tracing", "severity": "LOW", "line": 8, - "fileName": "positive2.yml" + "fileName": "positive2.yml", + "resourceType": "AWS::Lambda", + "resourceName": "hello", + "searchKey": "functions.hello", + "searchValue": "", + "expectedValue": "'tracing' should be defined and set to Active", + "actualValue": "'tracing' is not defined", + "issueType": "MissingAttribute", + "similarityID": "4de1055550da66bec27171b2e2cd020e112c0a37bd3a17a6cd3abb260d204966", + "search_line": 8 } ] diff --git a/assets/queries/serverlessFW/serverless_role_with_full_privileges/test/positive_expected_result.json b/assets/queries/serverlessFW/serverless_role_with_full_privileges/test/positive_expected_result.json index b3f9f663401..e1d2d0f8b9c 100644 --- a/assets/queries/serverlessFW/serverless_role_with_full_privileges/test/positive_expected_result.json +++ b/assets/queries/serverlessFW/serverless_role_with_full_privileges/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Serverless Role With Full Privileges", "severity": "HIGH", "line": 11, - "fileName": "positive1.yml" + "fileName": "positive1.yml", + "resourceType": "AWS::IAM", + "resourceName": "custom-role-name", + "searchKey": "provider.iam.role.statements[0]", + "searchValue": "", + "expectedValue": "Statement should not give admin privileges", + "actualValue": "Statement gives admin privileges", + "issueType": "IncorrectValue", + "similarityID": "99749a65daebf8151dd62e40bfa13d226a005eb8c7e5b8a75dc5242245870e27", + "search_line": 11 } ] diff --git a/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/test/positive_expected_result.json index 0565aeb415a..258196c4b57 100644 --- a/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled/test/positive_expected_result.json 
@@ -3,84 +3,210 @@ "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail2].trail_region", + "searchValue": "", + "expectedValue": "'trail_region' should be set to All", + "actualValue": "'trail_region' is not set to All", + "issueType": "IncorrectValue", + "similarityID": "c7a3b279b9abc0326e918abde97ed051969029abe67a8b550b8bc11a6b1463eb", + "search_line": 6 }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive2.tf" + "line": 5, + "fileName": "positive2.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail3].event_rw", + "searchValue": "", + "expectedValue": "'event_rw' should be set to All", + "actualValue": "'event_rw' is not set to All", + "issueType": "IncorrectValue", + "similarityID": "56e5398d6fd0cabfa7e3a20504660d228c7ece4e291f788a17d8e6242ce2ca15", + "search_line": 5 }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", - "line": 5, - "fileName": "positive2.tf" + "line": 6, + "fileName": "positive2.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail3].trail_region", + "searchValue": "", + "expectedValue": "'trail_region' should be set to All", + "actualValue": "'trail_region' is not set to All", + "issueType": "IncorrectValue", + "similarityID": "93c08d36f843e881ccfec078f3fde65bd0e78d2526bde7c0da7287833ed7c4ac", + "search_line": 6 }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive3.tf" + "line": 5, + "fileName": "positive3.tf", + "resourceType": 
"alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail4].event_rw", + "searchValue": "", + "expectedValue": "'event_rw' should be set to All", + "actualValue": "'event_rw' is not set to All", + "issueType": "IncorrectValue", + "similarityID": "67eaf7770b3fdf221d2c2495a75d6e0f70bb0906a4e9fe13f6d5c849cf3742f7", + "search_line": 5 }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", - "line": 5, - "fileName": "positive3.tf" + "line": 6, + "fileName": "positive3.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail4].trail_region", + "searchValue": "", + "expectedValue": "'trail_region' should be set to All", + "actualValue": "'trail_region' is not set to All", + "issueType": "IncorrectValue", + "similarityID": "be3bfea8a989efc62c6ddbc224af7a6215d9af1f005f44c195a957e0f15f3218", + "search_line": 6 }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail5].trail_region", + "searchValue": "", + "expectedValue": "'trail_region' should be set to All", + "actualValue": "'trail_region' is not set to All", + "issueType": "IncorrectValue", + "similarityID": "c6ac1552c3a3a74c6caf6483c66b70a665c8b4d5270bf532bbe5ca3a47827d1e", + "search_line": 6 }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail6].event_rw", + "searchValue": "", + "expectedValue": "'event_rw' should be set to All", + "actualValue": "'event_rw' is not set 
to All", + "issueType": "IncorrectValue", + "similarityID": "09689743d76b63ff1a3446c72d5dca2430a5676231b990557b24d96528fb0e11", + "search_line": 5 }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail6].trail_region", + "searchValue": "", + "expectedValue": "'trail_region' should be set to All", + "actualValue": "'trail_region' is not set to All", + "issueType": "IncorrectValue", + "similarityID": "48af17372a508026183251edbfc6a910f0aedcb1ffdcdff26b980e44d1c2747a", + "search_line": 6 }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail7].event_rw", + "searchValue": "", + "expectedValue": "'event_rw' should be set to All", + "actualValue": "'event_rw' is not set to All", + "issueType": "IncorrectValue", + "similarityID": "9cf6b39f13ebef276ff2d31aaa978c819db8d9b5ca5190540dac2bf78f35572e", + "search_line": 5 }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail7].trail_region", + "searchValue": "", + "expectedValue": "'trail_region' should be set to All", + "actualValue": "'trail_region' is not set to All", + "issueType": "IncorrectValue", + "similarityID": "118efa4493d6295c2b46c8c5285ac81ab550e6792ed1a879ca98e3eed65bdc2a", + "search_line": 6 }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", "line": 1, - "fileName": 
"positive7.tf" + "fileName": "positive7.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail8]", + "searchValue": "trail_region", + "expectedValue": "'trail_region' should be set.", + "actualValue": "'trail_region' is not set.", + "issueType": "MissingAttribute", + "similarityID": "b249d89b6d01ff7f03f8c4f785170876cc709d8b6d535b7c42b3faf2fbf56e43", + "search_line": 1 }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive8.tf" + "fileName": "positive8.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail9]", + "searchValue": "event_rw", + "expectedValue": "'event_rw' should be set.", + "actualValue": "'event_rw' is not set.", + "issueType": "MissingAttribute", + "similarityID": "76f0cee61a964f4f74fb4ba046fdfa34fd1dc7ef38bf3ee44c5b3428adb32c0e", + "search_line": 1 }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive9.tf" + "fileName": "positive9.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail10]", + "searchValue": "event_rw", + "expectedValue": "'event_rw' should be set.", + "actualValue": "'event_rw' is not set.", + "issueType": "MissingAttribute", + "similarityID": "1ab5e80531655fe94c4c1c02d197112d6c47d98d7500c3944f33bab561a565d5", + "search_line": 1 }, { "queryName": "Action Trail Logging For All Regions Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive9.tf" + "fileName": "positive9.tf", + "resourceType": "alicloud_actiontrail_trail", + "resourceName": "action-trail", + "searchKey": "alicloud_actiontrail_trail[actiontrail10]", + "searchValue": "oss_bucket_name", + "expectedValue": "oss_bucket_name should be set.", + "actualValue": 
"oss_bucket_name is not set.", + "issueType": "MissingAttribute", + "similarityID": "2a95abaff83354ec0619f8d0f185fa0111a7c9b1b973bf24bf151e6be6efe1b9", + "search_line": 1 } ] diff --git a/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/test/positive_expected_result.json index 2928f9afc52..f5b85e7b414 100644 --- a/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "ActionTrail Trail OSS Bucket is Publicly Accessible", "severity": "HIGH", "line": 3, - "fileName": "positive2.tf" + "fileName": "positive1.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "actiontrail3", + "searchKey": "alicloud_oss_bucket[actiontrail3].acl", + "searchValue": "", + "expectedValue": "'alicloud_oss_bucket[actiontrail3].oss_bucket_name' is private", + "actualValue": "'alicloud_oss_bucket[actiontrail3].oss_bucket_name' is public-read", + "issueType": "IncorrectValue", + "similarityID": "a8c7414f4fa1f4da6ea837cf9d2abe1cdd991077f1c14b3942b36e842e1fb634", + "search_line": -1 }, { "queryName": "ActionTrail Trail OSS Bucket is Publicly Accessible", "severity": "HIGH", "line": 3, - "fileName": "positive1.tf" + "fileName": "positive2.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "actiontrail4", + "searchKey": "alicloud_oss_bucket[actiontrail4].acl", + "searchValue": "", + "expectedValue": "'alicloud_oss_bucket[actiontrail4].oss_bucket_name' is private", + "actualValue": "'alicloud_oss_bucket[actiontrail4].oss_bucket_name' is public-read-write", + "issueType": "IncorrectValue", + "similarityID": "990cd0dfdd6900cac5b70d7e9f94ac52cd1a5b7376d3106470a36453c81f3f69", + "search_line": -1 } ] 
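Review bot: Both new entries in the actiontrail_trail_oss_bucket_is_publicly_accessible section carry `"search_line": -1` while `"line"` is 3, which suggests the scan could not resolve a search line for `alicloud_oss_bucket[...].acl` and the fixture now pins that sentinel rather than a real line. The expectedValue and actualValue strings also name `.oss_bucket_name` while the searchKey and the finding concern `.acl`, which reads as a copy-paste slip in the query's message. Both points are worth checking in the query before the snapshot is committed, as the similarityID values may change once either is corrected.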
diff --git a/assets/queries/terraform/alicloud/alb_listening_on_http/test/positive_expected_result.json b/assets/queries/terraform/alicloud/alb_listening_on_http/test/positive_expected_result.json index 04690e063a8..bf9b174079e 100644 --- a/assets/queries/terraform/alicloud/alb_listening_on_http/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/alb_listening_on_http/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "ALB Listening on HTTP", "severity": "MEDIUM", "line": 3, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "alicloud_alb_listener", + "resourceName": "positive", + "searchKey": "alicloud_alb_listener[positive].listener_protocol", + "searchValue": "", + "expectedValue": "'alicloud_alb_listener[positive].listener_protocol' should not be 'HTTP'", + "actualValue": "'alicloud_alb_listener[positive].listener_protocol' is 'HTTP'", + "issueType": "IncorrectValue", + "similarityID": "7f3b25bc551e693203b09fc89aeeba453991d5a4a4d9d6df41cbd038660d2d7a", + "search_line": 3 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/test/positive_expected_result.json b/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/test/positive_expected_result.json index 557e90971b5..be7d1856940 100644 --- a/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "API Gateway API Protocol Not HTTPS", "severity": "MEDIUM", "line": 14, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "alicloud_api_gateway_api", + "resourceName": "${alicloud_api_gateway_group.apiGroup.name}", + "searchKey": "alicloud_api_gateway_api[apiGatewayApi].request_config.protocol", + "searchValue": "", + "expectedValue": "'protocol' value should be 'HTTPS'", + "actualValue": "'protocol' value is 'HTTP' or 'HTTP,HTTPS'", + "issueType": "IncorrectValue", + "similarityID": "f48a2bab6685e564d9a8caaaa984a30914b3857d020ae6313fc8fdc98eab471d", + "search_line": 14 }, { "queryName": "API Gateway API Protocol Not HTTPS", "severity": "MEDIUM", "line": 14, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "alicloud_api_gateway_api", + "resourceName": "${alicloud_api_gateway_group.apiGroup.name}", + "searchKey": "alicloud_api_gateway_api[apiGatewayApi].request_config.protocol", + "searchValue": "", + "expectedValue": "'protocol' value should be 'HTTPS'", + "actualValue": "'protocol' value is 'HTTP' or 'HTTP,HTTPS'", + "issueType": "IncorrectValue", + "similarityID": "82cbe27641eff2e78fabedc6807c5c8c6bae4d3ad3d95892048cf9aa4a78d7a2", + "search_line": 14 }, { "queryName": "API Gateway API Protocol Not HTTPS", "severity": "MEDIUM", "line": 21, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "alicloud_api_gateway_api", + "resourceName": "${alicloud_api_gateway_group.apiGroup.name}", + "searchKey": "alicloud_api_gateway_api[apiGatewayApi].request_config.protocol", + "searchValue": "", + "expectedValue": "'protocol' value should be 'HTTPS'", + "actualValue": "'protocol' value is 'HTTP' or 'HTTP,HTTPS'", + "issueType": "IncorrectValue", + "similarityID": "63da34ddfb9b7cc2d49feec8b95b71c484c280971137d2bf0edc38075dc559b5", + "search_line": 21 } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/alicloud/cmk_is_unusable/test/positive_expected_result.json b/assets/queries/terraform/alicloud/cmk_is_unusable/test/positive_expected_result.json index 3c0a7d0dbae..ab5caade587 100644 --- a/assets/queries/terraform/alicloud/cmk_is_unusable/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/cmk_is_unusable/test/positive_expected_result.json @@ -1,14 +1,32 @@ [ - { - "queryName": "CMK Is Unusable", - "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.tf" - }, - { - "queryName": "CMK Is Unusable", - "severity": "MEDIUM", - "line": 5, - "fileName": "positive2.tf" - } + { + "queryName": "CMK Is Unusable", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive1.tf", + "resourceType": "alicloud_kms_key", + "resourceName": "key", + "searchKey": "alicloud_kms_key[key]", + "searchValue": "", + "expectedValue": "alicloud_kms_key[key].is_enabled should be set to true", + "actualValue": "alicloud_kms_key[key].is_enabled is not set", + "issueType": "MissingAttribute", + "similarityID": "c8fec98bf54f6864a4721beb606f396daca33b100cfc654b341aabdbb8f22ee8", + "search_line": 1 + }, + { + "queryName": "CMK Is Unusable", + "severity": "MEDIUM", + "line": 5, + "fileName": "positive2.tf", + "resourceType": "alicloud_kms_key", + "resourceName": "key", + "searchKey": "alicloud_kms_key[key].is_enabled", + "searchValue": "", + "expectedValue": "alicloud_kms_key[key].is_enabled should be set to true", + "actualValue": "alicloud_kms_key[key].is_enabled is set to false", + "issueType": "IncorrectValue", + "similarityID": "73e8edad73ff4d893cf94941814f3fde14f424c4ac30db32c6ad29e506c56c7b", + "search_line": 5 + } ] diff --git a/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/test/positive_expected_result.json index 77089e414f3..6a60e741a01 100644 
--- a/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled/test/positive_expected_result.json 
@@ -1,20 +1,47 @@ [ - { - "queryName": "CS Kubernetes Node Pool Auto Repair Disabled", - "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.tf" - }, - { - "queryName": "CS Kubernetes Node Pool Auto Repair Disabled", - "severity": "MEDIUM", - "line": 17, - "fileName": "positive2.tf" - }, - { - "queryName": "CS Kubernetes Node Pool Auto Repair Disabled", - "severity": "MEDIUM", - "line": 16, - "fileName": "positive3.tf" - } + { + "queryName": "CS Kubernetes Node Pool Auto Repair Disabled", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive1.tf", + "resourceType": "alicloud_cs_kubernetes_node_pool", + "resourceName": "${var.name}", + "searchKey": "alicloud_cs_kubernetes_node_pool[default2]", + "searchValue": "", + "expectedValue": "For the resource alicloud_cs_kubernetes_node_pool[default2] to have a 'management' block containing 'auto_repair' set to true.", + "actualValue": "The resource alicloud_cs_kubernetes_node_pool[default2] does not have a 'management' block.", + "issueType": "MissingAttribute", + "similarityID": "35cb63b6034341f4a94c247d5faf0a876d0117fec49339abeeb20a86a3be490f", + "search_line": 1 + }, + { + "queryName": "CS Kubernetes Node Pool Auto Repair Disabled", + "severity": "MEDIUM", + "line": 17, + "fileName": "positive2.tf", + "resourceType": "alicloud_cs_kubernetes_node_pool", + "resourceName": "${var.name}", + "searchKey": "alicloud_cs_kubernetes_node_pool[default3].resource.management.auto_repair ", + "searchValue": "", + "expectedValue": "For the resource alicloud_cs_kubernetes_node_pool[default3] to have 'auto_repair' set to true.", + "actualValue": "The resource alicloud_cs_kubernetes_node_pool[default3] has 'auto_repair' set to false.", + "issueType": "IncorrectValue", + "similarityID": "6a5e0639e09b99898924fef95d49eefad273d6673bc3b9b8bc0bd928c14c73f5", + "search_line": 17 + }, + { + "queryName": "CS Kubernetes Node Pool Auto Repair Disabled", + "severity": "MEDIUM", + "line": 16, + "fileName": "positive3.tf", + 
"resourceType": "alicloud_cs_kubernetes_node_pool", + "resourceName": "${var.name}", + "searchKey": "alicloud_cs_kubernetes_node_pool[default4].management", + "searchValue": "", + "expectedValue": "For the resource alicloud_cs_kubernetes_node_pool[default4] to have a 'management' block containing 'auto_repair' set to true.", + "actualValue": "The resource alicloud_cs_kubernetes_node_pool[default4] has a 'management' block but it doesn't contain 'auto_repair' ", + "issueType": "MissingAttribute", + "similarityID": "e783bfa0473e90ce46be4a26e1ba89e10bffdd7c5cdae4652d80d3bc8a33cfdd", + "search_line": 16 + } ] diff --git a/assets/queries/terraform/alicloud/disk_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/disk_encryption_disabled/test/positive_expected_result.json index 308fd94b288..362c431088e 100644 --- a/assets/queries/terraform/alicloud/disk_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/disk_encryption_disabled/test/positive_expected_result.json 
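Review bot: The positive2.tf entry's searchKey `"alicloud_cs_kubernetes_node_pool[default3].resource.management.auto_repair "` ends in a trailing space and carries a `.resource.` segment that the sibling keys (`[default2]`, `[default4].management`) do not, and the positive3.tf actualValue likewise ends with `'auto_repair' ` before the closing quote. These look like stray characters in the query's output that the generated fixture now locks in; trimming them in the query and regenerating would keep the keys consistent across the three entries, though the similarityID values may then change.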
@@ -2,13 +2,31 @@ { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", - "line": 8, - "fileName": "positive2.tf" + "line": 1, + "fileName": "positive1.tf", + "resourceType": "alicloud_disk", + "resourceName": "New-disk", + "searchKey": "alicloud_disk[disk_encryption1]", + "searchValue": "", + "expectedValue": "[disk_encryption1] has encryption enabled", + "actualValue": "[disk_encryption1] does not have encryption enabled", + "issueType": "MissingAttribute", + "similarityID": "d224aafb4949b66defb01b9070e438d41428e9802da400081b833004cc68e9dc", + "search_line": 1 }, { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.tf" + "line": 8, + "fileName": "positive2.tf", + "resourceType": "alicloud_disk", + "resourceName": "New-disk", + "searchKey": "alicloud_disk[disk_encryption2].encrypted", + "searchValue": "", + "expectedValue": "[disk_encryption2] has encryption set to true", + "actualValue": "[disk_encryption2] has encryption set to false", + "issueType": "IncorrectValue", + "similarityID": "d1cd0bb49ec1dd8e7a96aec820f7397948aa1177e171eb0e62fc2ac4d6159d9f", + "search_line": 8 } ] diff --git a/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/test/positive_expected_result.json index 960092e47e1..b787ac0a96b 100644 --- a/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Ecs Data Disk Kms Key Id Undefined", "severity": "HIGH", "line": 2, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "alicloud_disk", + "resourceName": "New-disk", + "searchKey": "alicloud_disk[ecs_disk]", + "searchValue": "", + "expectedValue": "[ecs_disk] has kms key id defined", + "actualValue": "[ecs_disk] does not have kms key id defined", + "issueType": "MissingAttribute", + "similarityID": "5ff4dc7b1b6bc72b04ff9b2e5920870846747f4a377f607d969fe4bdd2c4440c", + "search_line": 2 } ] diff --git a/assets/queries/terraform/alicloud/high_kms_key_rotation_period/test/positive_expected_result.json b/assets/queries/terraform/alicloud/high_kms_key_rotation_period/test/positive_expected_result.json index 1d05db81692..42cd66b0916 100644 --- a/assets/queries/terraform/alicloud/high_kms_key_rotation_period/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/high_kms_key_rotation_period/test/positive_expected_result.json 
@@ -2,25 +2,61 @@ { "queryName": "High KMS Key Rotation Period", "severity": "MEDIUM", - "line": 5, - "fileName": "positive.tf" + "line": 6, + "fileName": "positive2.tf", + "resourceType": "alicloud_kms_key", + "resourceName": "keypos1", + "searchKey": "alicloud_kms_key[keypos1].rotation_interval", + "searchValue": "", + "expectedValue": "'rotation_interval' value should not be higher than a year", + "actualValue": "'rotation_interval' value is higher than a year", + "issueType": "IncorrectValue", + "similarityID": "bb64e7acabfc1f8a996a206810a24b15347a1b2b8a01bc4fcd0d45d62b2f79f7", + "search_line": 6 }, { "queryName": "High KMS Key Rotation Period", "severity": "MEDIUM", "line": 6, - "fileName": "positive2.tf" + "fileName": "positive3.tf", + "resourceType": "alicloud_kms_key", + "resourceName": "keypos1", + "searchKey": "alicloud_kms_key[keypos1].rotation_interval", + "searchValue": "", + "expectedValue": "'rotation_interval' value should not be higher than a year", + "actualValue": "'rotation_interval' value is higher than a year", + "issueType": "IncorrectValue", + "similarityID": "d7a1eabd26342bdfa7dc3a55f7f4baf1fafb34221e3a78ed0c7413d00813c5cf", + "search_line": 6 }, { "queryName": "High KMS Key Rotation Period", "severity": "MEDIUM", - "line": 6, - "fileName": "positive3.tf" + "line": 1, + "fileName": "positive4.tf", + "resourceType": "alicloud_kms_key", + "resourceName": "keypos1", + "searchKey": "alicloud_kms_key[keypos1].rotation_interval", + "searchValue": "", + "expectedValue": "'automatic_rotation' should be defined and set to Enabled", + "actualValue": "'automatic_rotation' is not defined", + "issueType": "MissingAttribute", + "similarityID": "8a05653c5bed28c9a61b215aa3a89f4669e764c56b53f3e85be6110a69776549", + "search_line": 1 }, { "queryName": "High KMS Key Rotation Period", "severity": "MEDIUM", - "line": 1, - "fileName": "positive4.tf" + "line": 5, + "fileName": "positive.tf", + "resourceType": "alicloud_kms_key", + "resourceName": "keypos1", + 
"searchKey": "alicloud_kms_key[keypos1].rotation_interval", + "searchValue": "", + "expectedValue": "'automatic_rotation' should be set to Enabled", + "actualValue": "'automatic_rotation' is set to Disabled", + "issueType": "IncorrectValue", + "similarityID": "c3d12420bac2176ef3fa9e4c81d582acad36859579d220436e199c80ef410f49", + "search_line": 5 } ] diff --git a/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/test/positive_expected_result.json b/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/test/positive_expected_result.json index d8a89d699eb..f7804d3dbaf 100644 --- a/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin/test/positive_expected_result.json 
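Review bot: The positive4.tf and positive.tf entries report an `automatic_rotation` finding (`'automatic_rotation' is not defined` / `'automatic_rotation' is set to Disabled`) but their `searchKey` still points at `alicloud_kms_key[keypos1].rotation_interval`, so the recorded location does not correspond to the attribute being flagged. Anyone navigating from `searchKey` to the finding lands on the wrong attribute, and this fixture now pins that mismatch as expected behaviour. Presumably the query builds a single searchKey for both of its checks; if so it should emit `alicloud_kms_key[keypos1].automatic_rotation` (or the bare resource key for the MissingAttribute case) and this file be regenerated, rather than accepting the current values.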
@@ -3,24 +3,60 @@ "queryName": "Kubernetes Cluster Without Terway as CNI Network Plugin", "severity": "LOW", "line": 15, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "alicloud_cs_kubernetes", + "resourceName": "positive1", + "searchKey": "alicloud_cs_kubernetes[positive1]", + "searchValue": "pod_vswitch_ids", + "expectedValue": "alicloud_cs_kubernetes[positive1].pod_vswitch_ids should be defined and not null", + "actualValue": "alicloud_cs_kubernetes[positive1].pod_vswitch_ids is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "c2c704812e811a652868492113cccc7804fdbc91b56cc1dcbf70071bc443cdff", + "search_line": 15 }, { "queryName": "Kubernetes Cluster Without Terway as CNI Network Plugin", "severity": "LOW", "line": 15, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "alicloud_cs_kubernetes", + "resourceName": "positive1", + "searchKey": "alicloud_cs_kubernetes[positive1]", + "searchValue": "terway-eniip", + "expectedValue": "alicloud_cs_kubernetes[positive1].addons specifies the terway-eniip", + "actualValue": "alicloud_cs_kubernetes[positive1].addons does not specify the terway-eniip", + "issueType": "MissingAttribute", + "similarityID": "7f90e416759a454be8d14c6d8347d983f6d88967c79a46c98c121d41a60ab172", + "search_line": 15 }, { "queryName": "Kubernetes Cluster Without Terway as CNI Network Plugin", "severity": "LOW", "line": 15, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "alicloud_cs_kubernetes", + "resourceName": "positive2", + "searchKey": "alicloud_cs_kubernetes[positive2]", + "searchValue": "pod_vswitch_ids", + "expectedValue": "alicloud_cs_kubernetes[positive2].pod_vswitch_ids should be defined and not null", + "actualValue": "alicloud_cs_kubernetes[positive2].pod_vswitch_ids is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "57bdf072548ed875bee08fdadbe9830a253ac2d18432803bc77a2dcc3c093683", + "search_line": 15 }, 
{ "queryName": "Kubernetes Cluster Without Terway as CNI Network Plugin", "severity": "LOW", "line": 15, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "alicloud_cs_kubernetes", + "resourceName": "positive3", + "searchKey": "alicloud_cs_kubernetes[positive3]", + "searchValue": "terway-eniip", + "expectedValue": "alicloud_cs_kubernetes[positive3].addons specifies the terway-eniip", + "actualValue": "alicloud_cs_kubernetes[positive3].addons does not specify the terway-eniip", + "issueType": "MissingAttribute", + "similarityID": "68088d7814ddddbf59646590ae4606329d10b16968f7ed94f4a6c8b85e0e8e5c", + "search_line": 15 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/test/positive_expected_result.json index 22668d31663..a4f40d0ad4f 100644 --- a/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/launch_template_is_not_encrypted/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Launch Template Is Not Encrypted", "severity": "HIGH", "line": 36, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "alicloud_launch_template", + "resourceName": "tf-test-template", + "searchKey": "alicloud_launch_template[templatepos1].encrypted", + "searchValue": "", + "expectedValue": "alicloud_launch_template[templatepos1].encrypted should be true", + "actualValue": "alicloud_launch_template[templatepos1].encrypted is false", + "issueType": "IncorrectValue", + "similarityID": "dfa01e40312d702089552e5a78599abd9a890881905963ae1025b4f8d6229d5d", + "search_line": 36 }, { "queryName": "Launch Template Is Not Encrypted", "severity": "HIGH", "line": 8, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "alicloud_launch_template", + "resourceName": "tf-test-template", + "searchKey": "alicloud_launch_template[templatepos2]", + "searchValue": "", + "expectedValue": "alicloud_launch_template[templatepos2] 'encrypted' should be defined and set to true", + "actualValue": "alicloud_launch_template[templatepos2] 'encrypted' argument is not defined", + "issueType": "MissingAttribute", + "similarityID": "86155c62ac8b91fd939d9b36ef8240bd536fe0e4f0f609af3eb7d7643a93aab3", + "search_line": 8 } ] diff --git a/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/test/positive_expected_result.json b/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/test/positive_expected_result.json index 328dd55e0fd..aac91172231 100644 --- a/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Log Retention Is Not Greater Than 90 Days", "severity": "LOW", "line": 6, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "alicloud_log_store", + "resourceName": "tf-log-store", + "searchKey": "alicloud_log_store[example2]", + "searchValue": "", + "expectedValue": "For attribute 'retention_period' should be set and over 90 days.", + "actualValue": "The attribute 'retention_period' is undefined. The default duration when undefined is 30 days, which is too short.", + "issueType": "MissingAttribute", + "similarityID": "4ff527d23d47cf1ae5652adebd5c3aed1e8250dcfd6190c7282382d87768c14f", + "search_line": 6 }, { "queryName": "Log Retention Is Not Greater Than 90 Days", "severity": "LOW", "line": 9, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "alicloud_log_store", + "resourceName": "tf-log-store", + "searchKey": "alicloud_log_store[example4].retention_period", + "searchValue": "", + "expectedValue": "For the attribite 'retention_period' should be set to 90+ days", + "actualValue": "The attribute 'retention_period' is not set to 90+ days", + "issueType": "IncorrectValue", + "similarityID": "40c5aae8ce44e8ed7c3d5a8e37f236eb90464268e057a79e6dec5c4d67a3fafa", + "search_line": 9 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/test/positive_expected_result.json index be95c4a5441..337905bbd07 100644 --- a/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/nas_file_system_not_encrypted/test/positive_expected_result.json 
@@ -2,13 +2,31 @@ { "queryName": "NAS File System Not Encrypted", "severity": "HIGH", - "line": 5, - "fileName": "positive.tf" + "line": 1, + "fileName": "positive2.tf", + "resourceType": "alicloud_nas_file_system", + "resourceName": "foopos2", + "searchKey": "alicloud_nas_file_system[foopos2]", + "searchValue": "", + "expectedValue": "alicloud_nas_file_system[foopos2].encrypt_type' should be defined and the value different from 0 ", + "actualValue": "alicloud_nas_file_system[foopos2].encrypt_type' is undefined", + "issueType": "MissingAttribute", + "similarityID": "d76feea117a5f67397fa1af14796ceca6c86fdbcace61c786bc149149daa328f", + "search_line": 1 }, { "queryName": "NAS File System Not Encrypted", "severity": "HIGH", - "line": 1, - "fileName": "positive2.tf" + "line": 5, + "fileName": "positive.tf", + "resourceType": "alicloud_nas_file_system", + "resourceName": "foopos", + "searchKey": "alicloud_nas_file_system[foopos].encrypt_type", + "searchValue": "", + "expectedValue": "alicloud_nas_file_system[foopos].encrypt_type' should not be 0", + "actualValue": "alicloud_nas_file_system[foopos].encrypt_type' is 0", + "issueType": "IncorrectValue", + "similarityID": "a16f88e942158bc0b1d436dfda1472948fa8c1d55f87d916a07609deb17efb9d", + "search_line": 5 } ] diff --git a/assets/queries/terraform/alicloud/nas_file_system_without_kms/test/positive_expected_result.json b/assets/queries/terraform/alicloud/nas_file_system_without_kms/test/positive_expected_result.json index 21c252eb2f3..36d6e792343 100644 --- a/assets/queries/terraform/alicloud/nas_file_system_without_kms/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/nas_file_system_without_kms/test/positive_expected_result.json 
@@ -1,14 +1,32 @@ [ - { - "queryName": "NAS File System Without KMS", - "severity": "HIGH", - "line": 1, - "fileName": "positive.tf" - }, - { - "queryName": "NAS File System Without KMS", - "severity": "HIGH", - "line": 5, - "fileName": "positive2.tf" - } + { + "queryName": "NAS File System Without KMS", + "severity": "HIGH", + "line": 5, + "fileName": "positive2.tf", + "resourceType": "alicloud_nas_file_system", + "resourceName": "fooabr", + "searchKey": "alicloud_nas_file_system[fooabr]", + "searchValue": "", + "expectedValue": "alicloud_nas_file_system[fooabr].encrypt_type' should be set to 2'", + "actualValue": "alicloud_nas_file_system[fooabr].encrypt_type' is not set to 2 ", + "issueType": "IncorrectValue", + "similarityID": "122598feb1c472fe70b37b93def27aa255f847f3d4be9c2b6350f48bc84952b3", + "search_line": 5 + }, + { + "queryName": "NAS File System Without KMS", + "severity": "HIGH", + "line": 1, + "fileName": "positive.tf", + "resourceType": "alicloud_nas_file_system", + "resourceName": "foo", + "searchKey": "alicloud_nas_file_system[foo]", + "searchValue": "", + "expectedValue": "alicloud_nas_file_system[foo].encrypt_type' should be defined and set to 2'", + "actualValue": "alicloud_nas_file_system[foo].encrypt_type' is not defined", + "issueType": "MissingAttribute", + "similarityID": "a5f4ae1ed54e815d9ed012b84eba5ff94b810531a04b508026209ddbac9f0ffa", + "search_line": 1 + } ] diff --git a/assets/queries/terraform/alicloud/no_ros_stack_policy/test/positive_expected_result.json b/assets/queries/terraform/alicloud/no_ros_stack_policy/test/positive_expected_result.json index 3c52d537f01..65d742c28ef 100644 --- a/assets/queries/terraform/alicloud/no_ros_stack_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/no_ros_stack_policy/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "No ROS Stack Policy", "severity": "MEDIUM", "line": 1, - "fileName": "positive.tf" + "fileName": "positive2.tf", + "resourceType": "alicloud_ros_stack", + "resourceName": "tf-testaccstack", + "searchKey": "alicloud_ros_stack[pos2]", + "searchValue": "stack_policy_during_update", + "expectedValue": "The stack should have the attribute 'stack_policy_during_update_body' or 'stack_policy_during_update_url' defined", + "actualValue": "The stack has neither 'stack_policy_during_update_body' nor 'stack_policy_during_update_url' defined", + "issueType": "MissingAttribute", + "similarityID": "c67b02db9fd5d6ee52784afa7a07be4d7b23b98beaa682eab1cee0026f8697a9", + "search_line": 1 }, { "queryName": "No ROS Stack Policy", "severity": "MEDIUM", "line": 1, - "fileName": "positive.tf" + "fileName": "positive3.tf", + "resourceType": "alicloud_ros_stack", + "resourceName": "tf-testaccstack", + "searchKey": "alicloud_ros_stack[pos3]", + "searchValue": "stack_policy", + "expectedValue": "The stack should have the attribute 'stack_policy_body' or 'stack_policy_url' defined", + "actualValue": "The stack has neither 'stack_policy_body' nor 'stack_policy_url' defined", + "issueType": "MissingAttribute", + "similarityID": "d439d20ffc5cba6f03b2b97ec7af75eb5b82e98c10e053c353850d2a2bafad4b", + "search_line": 1 }, { "queryName": "No ROS Stack Policy", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive.tf", + "resourceType": "alicloud_ros_stack", + "resourceName": "tf-testaccstack", + "searchKey": "alicloud_ros_stack[pos]", + "searchValue": "stack_policy", + "expectedValue": "The stack should have the attribute 'stack_policy_body' or 'stack_policy_url' defined", + "actualValue": "The stack has neither 'stack_policy_body' nor 'stack_policy_url' defined", + "issueType": "MissingAttribute", + "similarityID": "a6d3ac570d9cb3ee1a627a6d99f0d3d976600d56687bc2d86de3997734238e23", + "search_line": 1 }, { "queryName": "No ROS Stack 
Policy", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive.tf", + "resourceType": "alicloud_ros_stack", + "resourceName": "tf-testaccstack", + "searchKey": "alicloud_ros_stack[pos]", + "searchValue": "stack_policy_during_update", + "expectedValue": "The stack should have the attribute 'stack_policy_during_update_body' or 'stack_policy_during_update_url' defined", + "actualValue": "The stack has neither 'stack_policy_during_update_body' nor 'stack_policy_during_update_url' defined", + "issueType": "MissingAttribute", + "similarityID": "35a08826f9b3f1bc9035b52f821f3c5c9f2ebd748d4a537fcf4c2d947c7a08f5", + "search_line": 1 } ] diff --git a/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/test/positive_expected_result.json index 505f27742ab..00aafc498af 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "OSS Bucket Allows All Actions From All Principals", "severity": "CRITICAL", "line": 5, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-policy1", + "searchKey": "alicloud_oss_bucket[bucket-policy1].policy", + "searchValue": "", + "expectedValue": "alicloud_oss_bucket[bucket-policy1].policy to not accept delete action from all principals", + "actualValue": "alicloud_oss_bucket[bucket-policy1].policy accepts delete action from all principals", + "issueType": "IncorrectValue", + "similarityID": "723773c1ebf74317b2fae93e4007d4a09235ff5181b66b97874e34eef2e99ee0", + "search_line": 5 } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/test/positive_expected_result.json index 50ab8630f18..af2eb3d65e4 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "OSS Bucket Allows Delete Action From All Principals", "severity": "CRITICAL", "line": 5, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-1-policy", + "searchKey": "alicloud_oss_bucket[bucket-policy1].policy", + "searchValue": "", + "expectedValue": "alicloud_oss_bucket[bucket-policy1].policy to not accept delete action from all principals", + "actualValue": "alicloud_oss_bucket[bucket-policy1].policy accepts delete action from all principals", + "issueType": "IncorrectValue", + "similarityID": "cb6787063c3a41f67d7afbc606ce6032c9dfe3ac3e35f8fff0e0832418c31ff0", + "search_line": 5 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json index 738e8a0babd..640763ca6c0 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json 
@@ -1,14 +1,32 @@ [ - { - "queryName": "OSS Bucket Allows List Action From All Principals", - "severity": "HIGH", - "line": 5, - "fileName": "positive1.tf" - }, - { - "queryName": "OSS Bucket Allows List Action From All Principals", - "severity": "HIGH", - "line": 5, - "fileName": "positive2.tf" - } + { + "queryName": "OSS Bucket Allows List Action From All Principals", + "severity": "HIGH", + "line": 5, + "fileName": "positive1.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-1-policy", + "searchKey": "alicloud_oss_bucket[bucket-policy1].policy", + "searchValue": "", + "expectedValue": "alicloud_oss_bucket[bucket-policy1].policy to not accept list action from all principals", + "actualValue": "alicloud_oss_bucket[bucket-policy1].policy accepts list action from all principals", + "issueType": "IncorrectValue", + "similarityID": "d83dcfd875490053853f2251acc410dabbbfeedda34ed20e60ac6e48d5542df2", + "search_line": 5 + }, + { + "queryName": "OSS Bucket Allows List Action From All Principals", + "severity": "HIGH", + "line": 5, + "fileName": "positive2.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-5-policy", + "searchKey": "alicloud_oss_bucket[bucket-policy5].policy", + "searchValue": "", + "expectedValue": "alicloud_oss_bucket[bucket-policy5].policy to not accept list action from all principals", + "actualValue": "alicloud_oss_bucket[bucket-policy5].policy accepts list action from all principals", + "issueType": "IncorrectValue", + "similarityID": "6d826a5694d0d9fd2017e7da8fb9b6770ea5721fc72aba2d7522fbdf90ac4381", + "search_line": 5 + } ] diff --git a/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json index 2678e6b27c3..6e9ac3d7e9f 100644 
--- a/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "OSS Bucket Allows Put Action From All Principals", "severity": "CRITICAL", "line": 5, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-4-policy", + "searchKey": "alicloud_oss_bucket[bucket-policy4].policy", + "searchValue": "", + "expectedValue": "alicloud_oss_bucket[bucket-policy4].policy to not accept put action from all principals", + "actualValue": "alicloud_oss_bucket[bucket-policy4].policy accepts put action from all principals", + "issueType": "IncorrectValue", + "similarityID": "bdc07255cdd50c7775003b2d450188956169a86273cde92d0fdbd7777ed99608", + "search_line": 5 }, { "queryName": "OSS Bucket Allows Put Action From All Principals", "severity": "CRITICAL", "line": 5, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-5-policy", + "searchKey": "alicloud_oss_bucket[bucket-policy5].policy", + "searchValue": "", + "expectedValue": "alicloud_oss_bucket[bucket-policy5].policy to not accept put action from all principals", + "actualValue": "alicloud_oss_bucket[bucket-policy5].policy accepts put action from all principals", + "issueType": "IncorrectValue", + "similarityID": "94c0fbecd96fd6428f58abfd36cfd27f0ef65b15fd3259e3498853a9b86032ed", + "search_line": 5 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/test/positive_expected_result.json index 459adb57314..28b6a44e9c8 100644 
--- a/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "OSS Bucket Encryption Using CMK Disabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-170309-sserule", + "searchKey": "alicloud_oss_bucket[bucket_cmk_encryption2].server_side_encryption_rule", + "searchValue": "", + "expectedValue": "[bucket_cmk_encryption2].policy has kms master key id defined", + "actualValue": "[bucket_cmk_encryption2].policy does not kms master key id defined", + "issueType": "MissingAttribute", + "similarityID": "e04aece04e5a911b6921885d353600f94f722cde02cf0c31525ee5ae7fd8b2da", + "search_line": -1 }, { "queryName": "OSS Bucket Encryption Using CMK Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-170309-sserule", + "searchKey": "alicloud_oss_bucket[bucket_cmk_encryption3]", + "searchValue": "", + "expectedValue": "[bucket_cmk_encryption3].policy has server side encryption rule and kms master key id defined", + "actualValue": "[bucket_cmk_encryption3].policy does not have server side encryption rule and kms master key id defined", + "issueType": "MissingAttribute", + "similarityID": "f6ef290c1eec9f66e29f63d51f2de15a661303e9d167199801f03c485339932f", + "search_line": 1 } ] diff --git a/assets/queries/terraform/alicloud/oss_bucket_has_static_website/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_has_static_website/test/positive_expected_result.json index 53fa9eee657..958b5235298 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_has_static_website/test/positive_expected_result.json 
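Review bot: The positive1.tf entry carries `"search_line": -1` while `"line"` is 5, so the fixture locks in a sentinel that means the scanner could not map the `searchKey` `alicloud_oss_bucket[bucket_cmk_encryption2].server_side_encryption_rule` back to a source line. The same -1 appears for positive1.tf in the oss_bucket_lifecycle_disabled hunk (`...lifecycle_rule.enabled`), and in both cases the key is a nested-block path, which suggests the line lookup for nested attributes is failing rather than anything specific to the test files. Before pinning -1 as the expected value it is worth checking whether those keys should resolve and, if so, fixing the lookup and regenerating; otherwise any later regression in that lookup is masked by this fixture.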
+++ b/assets/queries/terraform/alicloud/oss_bucket_has_static_website/test/positive_expected_result.json @@ -1,8 +1,17 @@ [ - { - "queryName": "OSS Bucket Has Static Website", - "severity": "HIGH", - "line": 4, - "fileName": "positive1.tf" - } + { + "queryName": "OSS Bucket Has Static Website", + "severity": "HIGH", + "line": 4, + "fileName": "positive1.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-1-website", + "searchKey": "alicloud_oss_bucket[bucket-website1].website", + "searchValue": "", + "expectedValue": "'website' to not be used.", + "actualValue": "'website' is being used.", + "issueType": "IncorrectValue", + "similarityID": "5376773809d196c22de8355a4cf6711330fcc47dfdd9c548249742a4f9df2a74", + "search_line": 4 + } ] diff --git a/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/test/positive_expected_result.json index 4c7b05e217f..66b42ac6a70 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "OSS Bucket Ip Restriction Disabled", "severity": "HIGH", "line": 5, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-170309-policy", + "searchKey": "alicloud_oss_bucket[bucket-policy].policy", + "searchValue": "", + "expectedValue": "[bucket-policy].policy has restricted ip access", + "actualValue": "[bucket-policy].policy does not restrict access via ip", + "issueType": "MissingAttribute", + "similarityID": "05dac5a3945782a10aacfac5b7fb685b86ced3db1327526d99e3f51823ed7141", + "search_line": 5 } ] 
diff --git a/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/test/positive_expected_result.json index d6955f3438d..ccdb879b6e6 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled/test/positive_expected_result.json @@ -1,15 +1,32 @@ [ - { - "queryName": "OSS Bucket Lifecycle Rule Disabled", - "severity": "LOW", - "line": 8, - "fileName": "positive1.tf" - }, - { - "queryName": "OSS Bucket Lifecycle Rule Disabled", - "severity": "LOW", - "line": 1, - "fileName": "positive2.tf" - } - ] - \ No newline at end of file + { + "queryName": "OSS Bucket Lifecycle Rule Disabled", + "severity": "LOW", + "line": 8, + "fileName": "positive1.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "oss_bucket_lifecycle_enabled2", + "searchKey": "alicloud_oss_bucket[oss_bucket_lifecycle_enabled2].lifecycle_rule.enabled", + "searchValue": "", + "expectedValue": "'lifecycle_rule' should be set and enabled", + "actualValue": "'lifecycle_rule' is set but disabled", + "issueType": "IncorrectValue", + "similarityID": "f1c2451eab7bfa0eeb7595294e318602ef98288c64d53f114c37a76771604f2d", + "search_line": -1 + }, + { + "queryName": "OSS Bucket Lifecycle Rule Disabled", + "severity": "LOW", + "line": 1, + "fileName": "positive2.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-170309-versioning", + "searchKey": "alicloud_oss_bucket[oss_bucket_lifecycle_enabled3]", + "searchValue": "", + "expectedValue": "'lifecycle_rule' should be set and enabled", + "actualValue": "'lifecycle_rule' is not set", + "issueType": "MissingAttribute", + "similarityID": "7c9e888367724426a7ebe5733bf87d264dec407386f27e668656a4f9a3066f1e", + "search_line": 1 + } +] 
diff --git a/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/test/positive_expected_result.json index ccde2242e31..3372d3d4dad 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_logging_disabled/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "OSS Bucket Logging Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-170309-acl", + "searchKey": "alicloud_oss_bucket[bucket_logging2]", + "searchValue": "", + "expectedValue": "bucket_logging2 has logging enabled", + "actualValue": "bucket_logging2 does not have logging enabled", + "issueType": "IncorrectValue", + "similarityID": "b768fddb2309f2467c47c590ecbc6d034e2dd8bc0827bf54f5873fab096a7215", + "search_line": 1 }, { "queryName": "OSS Bucket Logging Disabled", "severity": "MEDIUM", "line": 3, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-170309-logging", + "searchKey": "alicloud_oss_bucket[bucket_logging1].logging_isenable", + "searchValue": "", + "expectedValue": "bucket_logging1 'logging_isenable' argument should be set to true", + "actualValue": "bucket_logging1 'logging_isenable' argument is set to false", + "issueType": "IncorrectValue", + "similarityID": "f778f70d8dab367afdb937ab1d298c8be232cc3224a4a85f31d2290907afb877", + "search_line": 3 } ] diff --git a/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/test/positive_expected_result.json index 8c58dcc7975..69a109cfe22 100644 
--- a/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "OSS Bucket Public Access Enabled", "severity": "HIGH", "line": 3, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-170309-acl", + "searchKey": "alicloud_oss_bucket[bucket_public_access_enabled2].acl", + "searchValue": "", + "expectedValue": "'acl' should be set to private or not set", + "actualValue": "'acl' is public-read", + "issueType": "IncorrectValue", + "similarityID": "60c4da933328ec43376633feeb9bac7fab65d66d0e3a731e10d7e4e6a4cb8db2", + "search_line": 3 }, { "queryName": "OSS Bucket Public Access Enabled", "severity": "HIGH", "line": 3, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "alicloud_oss_bucket", + "resourceName": "bucket-170309-acl", + "searchKey": "alicloud_oss_bucket[bucket_public_access_enabled3].acl", + "searchValue": "", + "expectedValue": "'acl' should be set to private or not set", + "actualValue": "'acl' is public-read-write", + "issueType": "IncorrectValue", + "similarityID": "c5e2d9ea6a2acd7cb4d5c5a7047d90171bdf038d5f172305e5558d5c542787fd", + "search_line": 3 } ] diff --git a/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/test/positive_expected_result.json index 0c791280fca..3105b3a540e 100644 --- a/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled/test/positive_expected_result.json 
@@ -3,12 +3,30 @@
 "queryName": "OSS Bucket Transfer Acceleration Disabled",
 "severity": "LOW",
 "line": 5,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "alicloud_oss_bucket",
+ "resourceName": "bucket_name",
+ "searchKey": "alicloud_oss_bucket[bucket-accelerate].transfer_acceleration.enabled",
+ "searchValue": "",
+ "expectedValue": "'transfer_acceleration.enabled' should be defined and set to true",
+ "actualValue": "'transfer_acceleration.enabled' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "f97bb1f83d74d5e50504a93e92ffb346338f29e0a39cf9542563992aea242a6c",
+ "search_line": 5
 },
 {
 "queryName": "OSS Bucket Transfer Acceleration Disabled",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "alicloud_oss_bucket",
+ "resourceName": "bucket_name",
+ "searchKey": "alicloud_oss_bucket[bucket-accelerate2]",
+ "searchValue": "",
+ "expectedValue": "'transfer_acceleration.enabled' should be defined and set to true",
+ "actualValue": "'transfer_acceleration' is missing",
+ "issueType": "MissingAttribute",
+ "similarityID": "6df1cc087a299935ce27c02f1af82d959568d7addb6a2b6e3006e7c988560de6",
+ "search_line": 1
 }
 ]
diff --git a/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/test/positive_expected_result.json
index 23c3f111df9..abde25d8fbb 100644
--- a/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled/test/positive_expected_result.json
@@ -1,14 +1,32 @@
 [
- {
- "queryName": "OSS Bucket Versioning Disabled",
- "severity": "MEDIUM",
- "line": 6,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "OSS Bucket Versioning Disabled",
- "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive2.tf"
- }
- ]
+ {
+ "queryName": "OSS Bucket Versioning Disabled",
+ "severity": "MEDIUM",
+ "line": 6,
+ "fileName": "positive1.tf",
+ "resourceType": "alicloud_oss_bucket",
+ "resourceName": "bucket-170309-versioning",
+ "searchKey": "alicloud_oss_bucket[bucket-versioning2].versioning.status",
+ "searchValue": "",
+ "expectedValue": "'versioning.status' should be enabled",
+ "actualValue": "'versioning.status' is suspended",
+ "issueType": "IncorrectValue",
+ "similarityID": "c764bbff0eafedaa53e7046351f9fa451a2cb1489e121d083ed5262a20a944d0",
+ "search_line": 6
+ },
+ {
+ "queryName": "OSS Bucket Versioning Disabled",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive2.tf",
+ "resourceType": "alicloud_oss_bucket",
+ "resourceName": "bucket-170309-versioning",
+ "searchKey": "alicloud_oss_bucket[bucket-versioning3]",
+ "searchValue": "",
+ "expectedValue": "'versioning.status' should be defined and set to enabled",
+ "actualValue": "'versioning' is missing",
+ "issueType": "MissingAttribute",
+ "similarityID": "70b0cdda098b54b038cfc4d51432351cfe45ba7341da4fd945f61c5761a9e763",
+ "search_line": 1
+ }
+]
diff --git a/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/test/positive_expected_result.json
index abd80438ad1..2574b192ff0 100644
--- a/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled/test/positive_expected_result.json
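Review bot: Every line of this file is removed and re-added although the old and new lines differ only in the appended keys, so presumably the generator writes a different indentation from the one the existing file used; that hides which fields actually changed and makes the hunk hard to review against the two-line hunks elsewhere in the series. Having the generator keep the existing file's indentation, or normalising all fixtures in one separate whitespace-only commit first, would keep these diffs down to the added keys. The same whole-file rewrite appears in public_security_group_rule_all_ports_or_protocols, public_security_group_rule_sensitive_port and ram_account_password_policy_max_password_age_unrecommended.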
@@ -3,12 +3,30 @@
 "queryName": "OSS Buckets Secure Transport Disabled",
 "severity": "MEDIUM",
 "line": 2,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "alicloud_oss_bucket",
+ "resourceName": "bucket-securetransport1",
+ "searchKey": "alicloud_oss_bucket[bucket-securetransport1].policy",
+ "searchValue": "",
+ "expectedValue": "bucket-securetransport1[%!s(MISSING)].policy should not accept HTTP Requests",
+ "actualValue": "bucket-securetransport1[%!s(MISSING)].policy accepts HTTP Requests",
+ "issueType": "IncorrectValue",
+ "similarityID": "14fc1c83830b5059856f53c5bae0fdd153a8e305709dfe4eaac503d82f5c8bd7",
+ "search_line": 2
 },
 {
 "queryName": "OSS Buckets Secure Transport Disabled",
 "severity": "MEDIUM",
 "line": 5,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "alicloud_oss_bucket",
+ "resourceName": "bucket-170309-policy",
+ "searchKey": "alicloud_oss_bucket[bucket-securetransport3].policy",
+ "searchValue": "",
+ "expectedValue": "bucket-securetransport3[%!s(MISSING)].policy should not accept HTTP Requests",
+ "actualValue": "bucket-securetransport3[%!s(MISSING)].policy accepts HTTP Requests",
+ "issueType": "IncorrectValue",
+ "similarityID": "3525d0e76de11f6aabd5da184c3d963011815e906a04a2ad39e909f767a7a3fe",
+ "search_line": 5
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/test/positive_expected_result.json b/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/test/positive_expected_result.json
index d98699c04c7..47967172ecc 100644
--- a/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols/test/positive_expected_result.json
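Review bot: Both entries of this hunk pin `%!s(MISSING)` inside `expectedValue` and `actualValue` (`bucket-securetransport1[%!s(MISSING)].policy should not accept HTTP Requests`), which is Go's marker for a format verb that received no argument, so the fixture now codifies a garbled query message rather than the intended one. The text presumably comes from a `sprintf` in the query whose argument list is one short; fixing that and regenerating this file would be preferable to committing the placeholder, since this test would start failing the moment the message is corrected. Smaller message blemishes of the same kind are pinned elsewhere in the series: a trailing space in `expectedValue` of the positive2 entry under ram_account_password_policy_not_required_minimum_length, `ports unknown` versus `unknown ports` between the two entries of public_security_group_rule_unknown_port, and `is above than 5` in ram_account_password_policy_max_login_attempts_unrecommended.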
@@ -1,20 +1,47 @@
 [
- {
- "queryName": "Public Security Group Rule All Ports or Protocols",
- "severity": "HIGH",
- "line": 13,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Public Security Group Rule All Ports or Protocols",
- "severity": "HIGH",
- "line": 13,
- "fileName": "positive2.tf"
- },
- {
- "queryName": "Public Security Group Rule All Ports or Protocols",
- "severity": "HIGH",
- "line": 13,
- "fileName": "positive3.tf"
- }
+ {
+ "queryName": "Public Security Group Rule All Ports or Protocols",
+ "severity": "HIGH",
+ "line": 13,
+ "fileName": "positive1.tf",
+ "resourceType": "alicloud_security_group_rule",
+ "resourceName": "allow_all_tcp",
+ "searchKey": "alicloud_security_group_rule[allow_all_tcp].cidr_ip",
+ "searchValue": "",
+ "expectedValue": "cidr_ip should not be '0.0.0.0/0' when ip_protocol is equal to all",
+ "actualValue": "cidr_ip is '0.0.0.0/0' when ip_protocol is equal to all",
+ "issueType": "IncorrectValue",
+ "similarityID": "c301fe9adae9c2afc8168113fca171c6c35ac9518d2b6cfb5c8111ef9f466e52",
+ "search_line": 13
+ },
+ {
+ "queryName": "Public Security Group Rule All Ports or Protocols",
+ "severity": "HIGH",
+ "line": 13,
+ "fileName": "positive2.tf",
+ "resourceType": "alicloud_security_group_rule",
+ "resourceName": "allow_all_tcp",
+ "searchKey": "alicloud_security_group_rule[allow_all_tcp].cidr_ip",
+ "searchValue": "",
+ "expectedValue": "cidr_ip should not be '0.0.0.0/0' for the specified protocol",
+ "actualValue": "cidr_ip '0.0.0.0/0' exposes all ports for the gre protocol",
+ "issueType": "IncorrectValue",
+ "similarityID": "87237f75bddb95b42d0d3c58bd9daf939a9703d1aacdf584147e00352581e659",
+ "search_line": 13
+ },
+ {
+ "queryName": "Public Security Group Rule All Ports or Protocols",
+ "severity": "HIGH",
+ "line": 13,
+ "fileName": "positive3.tf",
+ "resourceType": "alicloud_security_group_rule",
+ "resourceName": "allow_all_tcp",
+ "searchKey": "alicloud_security_group_rule[allow_all_tcp].cidr_ip",
+ "searchValue": "",
+ "expectedValue": "cidr_ip should not be '0.0.0.0/0' for the specified protocol",
+ "actualValue": "cidr_ip '0.0.0.0/0' exposes all ports for the tcp protocol",
+ "issueType": "IncorrectValue",
+ "similarityID": "150d6ec3267a8ac00391069e23e0f3ebb65e29c351360f8153cfa4e68aa0da65",
+ "search_line": 13
+ }
 ]
diff --git a/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/test/positive_expected_result.json b/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/test/positive_expected_result.json
index 8cd21f4cb92..41df30ba91b 100644
--- a/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port/test/positive_expected_result.json
@@ -1,20 +1,47 @@
 [
- {
- "queryName": "Public Security Group Rule Sensitive Port",
- "severity": "HIGH",
- "line": 10,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Public Security Group Rule Sensitive Port",
- "severity": "HIGH",
- "line": 10,
- "fileName": "positive2.tf"
- },
- {
- "queryName": "Public Security Group Rule Sensitive Port",
- "severity": "HIGH",
- "line": 10,
- "fileName": "positive3.tf"
- }
+ {
+ "queryName": "Public Security Group Rule Sensitive Port",
+ "severity": "HIGH",
+ "line": 10,
+ "fileName": "positive1.tf",
+ "resourceType": "alicloud_security_group_rule",
+ "resourceName": "allow_all_tcp",
+ "searchKey": "alicloud_security_group_rule[allow_all_tcp].port_range",
+ "searchValue": "20",
+ "expectedValue": "tcp:20 port should not be allowed",
+ "actualValue": "tcp:20 port is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "356b87dc646dccf941ef3d7fca2cf6839edeb7beca06ce83b8e116dd8165548d",
+ "search_line": 10
+ },
+ {
+ "queryName": "Public Security Group Rule Sensitive Port",
+ "severity": "HIGH",
+ "line": 10,
+ "fileName": "positive2.tf",
+ "resourceType": "alicloud_security_group_rule",
+ "resourceName": "allow_all_tcp",
+ "searchKey": "alicloud_security_group_rule[allow_all_tcp].port_range",
+ "searchValue": "4333",
+ "expectedValue": "udp:4333 port should not be allowed",
+ "actualValue": "udp:4333 port is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "8394146fbc871ca77a5481c7c36039ff6200be77e1188fddefc1a654429fd832",
+ "search_line": 10
+ },
+ {
+ "queryName": "Public Security Group Rule Sensitive Port",
+ "severity": "HIGH",
+ "line": 10,
+ "fileName": "positive3.tf",
+ "resourceType": "alicloud_security_group_rule",
+ "resourceName": "allow_all_tcp",
+ "searchKey": "alicloud_security_group_rule[allow_all_tcp].port_range",
+ "searchValue": "445",
+ "expectedValue": "all:445 port should not be allowed",
+ "actualValue": "all:445 port is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "5a4fd17477b72dfa2bb292deb401f60e5968a4b632ab18c77e07ff7c6f9ea319",
+ "search_line": 10
+ }
 ]
diff --git a/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/test/positive_expected_result.json b/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/test/positive_expected_result.json
index 80a2c2a200c..d8bcb64c3d5 100644
--- a/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Public Security Group Rule Unknown Port",
 "severity": "HIGH",
 "line": 10,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "alicloud_security_group_rule",
+ "resourceName": "allow_all_tcp",
+ "searchKey": "alicloud_security_group_rule[allow_all_tcp].port_range",
+ "searchValue": "",
+ "expectedValue": "port_range should not contain unknown ports and should not be exposed to the entire Internet",
+ "actualValue": "port_range contains unknown ports and are exposed to the entire Internet",
+ "issueType": "IncorrectValue",
+ "similarityID": "4432ce69ff4e6a472778edc73632ce6822b4c5e91ed7cc7e1eafd6504693b984",
+ "search_line": 10
 },
 {
 "queryName": "Public Security Group Rule Unknown Port",
 "severity": "HIGH",
 "line": 10,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "alicloud_security_group_rule",
+ "resourceName": "allow_all_tcp",
+ "searchKey": "alicloud_security_group_rule[allow_all_tcp].port_range",
+ "searchValue": "",
+ "expectedValue": "port_range should not contain ports unknown and should not be exposed to the entire Internet",
+ "actualValue": "port_range contains ports unknown and are exposed to the entire Internet",
+ "issueType": "IncorrectValue",
+ "similarityID": "d6fe041bc14de9e24cd1f7479fcbb405d33d0337805109eac1b3164efab09ecb",
+ "search_line": 10
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/test/positive_expected_result.json
index d14c93ba305..59bf6f6cd01 100644
--- a/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Ram Account Password Policy Max Login Attempts Unrecommended",
 "severity": "MEDIUM",
 "line": 10,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "alicloud_ram_account_password_policy",
+ "resourceName": "corporate",
+ "searchKey": "alicloud_ram_account_password_policy[corporate].max_login_attempts",
+ "searchValue": "",
+ "expectedValue": "'max_login_attempts' should be set to 5 or less",
+ "actualValue": "'max_login_attempts' is above than 5",
+ "issueType": "IncorrectValue",
+ "similarityID": "7bb7203fba60d8de504c07e1b479dca872936a802a94302d0e94378cd63a0d81",
+ "search_line": 10
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/test/positive_expected_result.json
index cfc7756ec85..85f103e71f6 100644
--- a/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended/test/positive_expected_result.json
@@ -1,20 +1,47 @@
 [
- {
- "queryName": "Ram Account Password Policy Max Password Age Unrecommended",
- "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Ram Account Password Policy Max Password Age Unrecommended",
- "severity": "MEDIUM",
- "line": 8,
- "fileName": "positive2.tf"
- },
- {
- "queryName": "Ram Account Password Policy Max Password Age Unrecommended",
- "severity": "MEDIUM",
- "line": 8,
- "fileName": "positive3.tf"
- }
- ]
+ {
+ "queryName": "Ram Account Password Policy Max Password Age Unrecommended",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf",
+ "resourceType": "alicloud_ram_account_password_policy",
+ "resourceName": "corporate",
+ "searchKey": "alicloud_ram_account_password_policy[corporate]",
+ "searchValue": "",
+ "expectedValue": "'max_password_age' should be higher than 0 and lower than 91",
+ "actualValue": "'max_password_age' is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "7710ce82cf698b8e351a82769c691003ece67db355adabe69f5ed4b13b08e860",
+ "search_line": 1
+ },
+ {
+ "queryName": "Ram Account Password Policy Max Password Age Unrecommended",
+ "severity": "MEDIUM",
+ "line": 8,
+ "fileName": "positive2.tf",
+ "resourceType": "alicloud_ram_account_password_policy",
+ "resourceName": "corporate",
+ "searchKey": "alicloud_ram_account_password_policy[corporate].max_password_age",
+ "searchValue": "",
+ "expectedValue": "'max_password_age' should be higher than 0 and lower than 91",
+ "actualValue": "'max_password_age' is higher than 90",
+ "issueType": "IncorrectValue",
+ "similarityID": "4fec20462c4c0887e93dfb8cd55d0dc53cc05eed3490f912aec39d05045d52b4",
+ "search_line": 8
+ },
+ {
+ "queryName": "Ram Account Password Policy Max Password Age Unrecommended",
+ "severity": "MEDIUM",
+ "line": 8,
+ "fileName": "positive3.tf",
+ "resourceType": "alicloud_ram_account_password_policy",
+ "resourceName": "corporate",
+ "searchKey": "alicloud_ram_account_password_policy[corporate].max_password_age",
+ "searchValue": "",
+ "expectedValue": "'max_password_age' should be higher than 0 and lower than 91",
+ "actualValue": "'max_password_age' is equal to 0",
+ "issueType": "IncorrectValue",
+ "similarityID": "a5cdf7fcdf876d21f7590de8632a55333bb443612981ca0d8c357e1b23bcd3d9",
+ "search_line": 8
+ }
+]
diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/test/positive_expected_result.json
index 8c9c0f8181b..d146a86c17a 100644
--- a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Ram Account Password Policy Not Required Minimum Length",
 "severity": "LOW",
 "line": 2,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "alicloud_ram_account_password_policy",
+ "resourceName": "corporate",
+ "searchKey": "alicloud_ram_account_password_policy[corporate].minimum_password_length",
+ "searchValue": "",
+ "expectedValue": "'minimum_password_length' should be defined and set to 14 or above",
+ "actualValue": "'minimum_password_length' is lower than 14",
+ "issueType": "IncorrectValue",
+ "similarityID": "b4586a3ca91942d824bcc39f3c93ae44974e04d4e836c80d510e1fb0b574ab2e",
+ "search_line": 2
 },
 {
 "queryName": "Ram Account Password Policy Not Required Minimum Length",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "alicloud_ram_account_password_policy",
+ "resourceName": "corporate",
+ "searchKey": "alicloud_ram_account_password_policy[corporate]",
+ "searchValue": "",
+ "expectedValue": "'minimum_password_length' should be defined and set to 14 or above ",
+ "actualValue": "'minimum_password_length' is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "2f3395dbb151cba1f367085c5a7d4a7e9543938a7dd65a42a132ddc656de82ce",
+ "search_line": 1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/test/positive_expected_result.json
index de07152d6ee..b38dd95b618 100644
--- a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Ram Account Password Policy Not Required Numbers",
 "severity": "LOW",
 "line": 5,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "alicloud_ram_account_password_policy",
+ "resourceName": "corporate",
+ "searchKey": "alicloud_ram_account_password_policy[corporate].require_numbers",
+ "searchValue": "",
+ "expectedValue": "'require_numbers' should be defined and set to true",
+ "actualValue": "'require_numbers' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "f291b1675e5b0d4598619904b80fdf9bfe684f53cd16ddb5ba61c9f30f365ab3",
+ "search_line": 5
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/test/positive_expected_result.json
index 46255c5cc41..e3bc806c0a1 100644
--- a/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "RAM Account Password Policy Not Required Symbols",
 "severity": "LOW",
 "line": 6,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "alicloud_ram_account_password_policy",
+ "resourceName": "corporate2",
+ "searchKey": "resource.alicloud_ram_account_password_policy[corporate2].require_symbols",
+ "searchValue": "",
+ "expectedValue": "resource.alicloud_ram_account_password_policy[corporate2].require_symbols should be set to 'true'",
+ "actualValue": "resource.alicloud_ram_account_password_policy[corporate2].require_symbols is configured as 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "b95d6ccd10adf6c3e79d8aec9a37a25fbca09226daff90160fcccebf74ab04c6",
+ "search_line": 6
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/test/positive_expected_result.json
index fe5728ac173..282ac9b6c4f 100644
--- a/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "RAM Account Password Policy without Reuse Prevention",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "alicloud_ram_account_password_policy",
+ "resourceName": "corporate",
+ "searchKey": "alicloud_ram_account_password_policy[corporate]",
+ "searchValue": "",
+ "expectedValue": "'password_reuse_prevention' should be defined and equal or lower than 24",
+ "actualValue": "'password_reuse_prevention' is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "a6c69071beca060e73769591a6be5d006d0747ff3a80ee55a1e0c720729dcd8f",
+ "search_line": 1
 },
 {
- "queryName": "RAM Account Password Policy without Reuse Prevention",
- "severity": "MEDIUM",
- "line": 9,
- "fileName": "positive2.tf"
- }
+ "queryName": "RAM Account Password Policy without Reuse Prevention",
+ "severity": "MEDIUM",
+ "line": 9,
+ "fileName": "positive2.tf",
+ "resourceType": "alicloud_ram_account_password_policy",
+ "resourceName": "corporate",
+ "searchKey": "alicloud_ram_account_password_policy[corporate].password_reuse_prevention",
+ "searchValue": "",
+ "expectedValue": "'password_reuse_prevention' should be equal or less 24",
+ "actualValue": "'password_reuse_prevention' is higher than 24",
+ "issueType": "IncorrectValue",
+ "similarityID": "24a5996cea1a736293102b81bd68e7bee2de34ac3dfa85b52966279fbc3a9841",
+ "search_line": 9
+ }
 ]
diff --git a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/test/positive_expected_result.json
index 6ff9fbdede7..29c7dd42b52 100644
--- a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Ram Account Password Policy Not Require At Least one Lowercase Character",
 "severity": "LOW",
 "line": 3,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "alicloud_ram_account_password_policy",
+ "resourceName": "corporate",
+ "searchKey": "alicloud_ram_account_password_policy[corporate].require_lowercase_characters",
+ "searchValue": "",
+ "expectedValue": "'require_lowercase_characters' should be defined and set to true",
+ "actualValue": "'require_lowercase_characters' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "16dce26eadc713ac77cadcde33849b15c91a64d85c7dfc66f0dac82d0b72bc2c",
+ "search_line": 3
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/test/positive_expected_result.json
index c1582b50b4a..4ea8e5e3f5d 100644
--- a/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "RAM Account Password Policy Not Require at Least one Uppercase Character",
 "severity": "LOW",
 "line": 4,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "alicloud_ram_account_password_policy",
+ "resourceName": "corporate",
+ "searchKey": "alicloud_ram_account_password_policy[corporate].require_uppercase_characters",
+ "searchValue": "",
+ "expectedValue": "'require_uppercase_characters' should be defined and set to true",
+ "actualValue": "'require_uppercase_characters' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "888baf79f31986afcb00db5f50116d52ef689cedcecc3f7661b98877ace2bc0a",
+ "search_line": 4
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/test/positive_expected_result.json
index 497637249cc..ca269587e8b 100644
--- a/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles/test/positive_expected_result.json
@@ -3,18 +3,45 @@
 "queryName": "Ram Policy Admin Access Not Attached to Users Groups Roles",
 "severity": "MEDIUM",
 "line": 35,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "alicloud_ram_user_policy_attachment",
+ "resourceName": "attach",
+ "searchKey": "alicloud_ram_user_policy_attachment[attach].policy_name",
+ "searchValue": "",
+ "expectedValue": "alicloud_ram_policy[policy4] should not give admin access to any user, group or role",
+ "actualValue": "alicloud_ram_policy[policy4] is attached to a user, group or role and gives admin access",
+ "issueType": "IncorrectValue",
+ "similarityID": "bcad3b514615fa742f181c628e90fdac61516b4ac69286528fea8733ed30e887",
+ "search_line": -1
 },
 {
 "queryName": "Ram Policy Admin Access Not Attached to Users Groups Roles",
 "severity": "MEDIUM",
 "line": 32,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "alicloud_ram_group_policy_attachment",
+ "resourceName": "attach",
+ "searchKey": "alicloud_ram_group_policy_attachment[attach].policy_name",
+ "searchValue": "",
+ "expectedValue": "alicloud_ram_policy[policy5] should not give admin access to any user, group or role",
+ "actualValue": "alicloud_ram_policy[policy5] is attached to a user, group or role and gives admin access",
+ "issueType": "IncorrectValue",
+ "similarityID": "ac79285ff5a1dc14508be20ccd96d992e79557d57a346b2b937a843e95a25404",
+ "search_line": -1
 },
 {
 "queryName": "Ram Policy Admin Access Not Attached to Users Groups Roles",
 "severity": "MEDIUM",
 "line": 49,
- "fileName": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "alicloud_ram_role_policy_attachment",
+ "resourceName": "attach",
+ "searchKey": "alicloud_ram_role_policy_attachment[attach].policy_name",
+ "searchValue": "",
+ "expectedValue": "alicloud_ram_policy[policy6] should not give admin access to any user, group or role",
+ "actualValue": "alicloud_ram_policy[policy6] is attached to a user, group or role and gives admin access",
+ "issueType": "IncorrectValue",
+ "similarityID": "e9023141d00edc5047547cd9fb6b08d852faefd745e36f6fbb468cc9d9bf45c1",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/alicloud/ram_policy_attached_to_user/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_policy_attached_to_user/test/positive_expected_result.json
index 3404fe656f2..5dcdf4b7389 100644
--- a/assets/queries/terraform/alicloud/ram_policy_attached_to_user/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/ram_policy_attached_to_user/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Ram Policy Attached to User",
 "severity": "MEDIUM",
 "line": 35,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "alicloud_ram_user_policy_attachment",
+ "resourceName": "attach",
+ "searchKey": "alicloud_ram_user_policy_attachment[attach]",
+ "searchValue": "",
+ "expectedValue": "alicloud_ram_user_policy_attachment[attach] should be undefined",
+ "actualValue": "alicloud_ram_user_policy_attachment[attach] is defined",
+ "issueType": "IncorrectValue",
+ "similarityID": "6133204632552094612bfb67cf63448298b6f680f4d6837daf17d300a58e9e72",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/test/positive_expected_result.json
index 7215cbff00d..98133dbae37 100644
--- a/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa/test/positive_expected_result.json
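Review bot: All three entries of this hunk set `search_line` to `-1` while `line` is 35, 32 and 49, so the fixture now asserts that the `policy_name` search key cannot be resolved to a source line; if the harness compares `search_line`, a later fix to line resolution for these attachment resources would break the test instead of improving it. The same `-1` is pinned in ram_policy_attached_to_user (also on this line) and in the first entry of rds_instance_events_not_logged, whose `searchKey` `alicloud_log_audit[example].variable_map.rds_enabled` does name a concrete attribute. Presumably the generator copies whatever the scan emitted; the cases where `-1` is the intended value would be worth confirming before these files are merged, since JSON leaves no room for an inline comment saying so.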
@@ -3,12 +3,30 @@
 "queryName": "RAM Security Preference Not Enforce MFA Login",
 "severity": "LOW",
 "line": 11,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "alicloud_ram_security_preference",
+ "resourceName": "example1",
+ "searchKey": "alicloud_ram_security_preference[example1]",
+ "searchValue": "",
+ "expectedValue": "'enforce_mfa_for_login' should be defined and set to true",
+ "actualValue": "'enforce_mfa_for_login' is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "63b573027873567ee23d2169398dfe5a5275d95b77b171bd3326b61a46ffcec8",
+ "search_line": 11
 },
 {
 "queryName": "RAM Security Preference Not Enforce MFA Login",
 "severity": "LOW",
 "line": 14,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "alicloud_ram_security_preference",
+ "resourceName": "example2",
+ "searchKey": "alicloud_ram_security_preference[example2]",
+ "searchValue": "",
+ "expectedValue": "'enforce_mfa_for_login' should be set to true",
+ "actualValue": "'enforce_mfa_for_login' is set to 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "edce69e3176866b1f4485bf8c47f03d067b86f9400994d3cd7c2a78a348e7741",
+ "search_line": 14
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/positive_expected_result.json
index 32a9bcec0b0..01e8d7ca0c9 100644
--- a/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/rds_instance_address_publicly_accessible/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "RDS DB Instance Publicly Accessible",
 "severity": "CRITICAL",
 "line": 10,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "alicloud_db_instance",
+ "resourceName": "example",
+ "searchKey": "alicloud_db_instance[example].address",
+ "searchValue": "",
+ "expectedValue": "'address' should not be set to '0.0.0.0/0'",
+ "actualValue": "'address' is set to '0.0.0.0/0'",
+ "issueType": "IncorrectValue",
+ "similarityID": "0e0f6ed24c0e42d857e490d445a40f7acab617c6dd986cc3df4848b1a1ff30c3",
+ "search_line": 10
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/alicloud/rds_instance_events_not_logged/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_events_not_logged/test/positive_expected_result.json
index d06825af75c..4f660342a72 100644
--- a/assets/queries/terraform/alicloud/rds_instance_events_not_logged/test/positive_expected_result.json
+++ b/assets/queries/terraform/alicloud/rds_instance_events_not_logged/test/positive_expected_result.json
@@ -3,12 +3,30 @@ "queryName": "RDS Instance Events Not Logged", "severity": "MEDIUM", "line": 15, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "alicloud_log_audit", + "resourceName": "tf-audit-test", + "searchKey": "alicloud_log_audit[example].variable_map.rds_enabled", + "searchValue": "", + "expectedValue": "'rds_enabled' parameter value should be 'true'", + "actualValue": "'rds_enabled' parameter value is 'false'", + "issueType": "IncorrectValue", + "similarityID": "95e4539ec597b9ff8d9a5f7725783ca6ffedb584075ff0209f4ce9bf68f79453", + "search_line": -1 }, { "queryName": "RDS Instance Events Not Logged", "severity": "MEDIUM", "line": 4, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "alicloud_log_audit", + "resourceName": "tf-audit-test", + "searchKey": "alicloud_log_audit[example].variable_map", + "searchValue": "", + "expectedValue": "'rds_enabled' parameter value should be 'true'", + "actualValue": "'rds_enabled' parameter is not defined", + "issueType": "MissingAttribute", + "similarityID": "fa114c65680b864ab90e27ad7e5ae82e9e165642593d750a9cfe449b4baaabf9", + "search_line": 4 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/test/positive_expected_result.json index ba86d6a30eb..842d58bebeb 100644 --- a/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled/test/positive_expected_result.json 
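Review bot: The positive1.tf entry pins `"search_line": -1` beside `"line": 15` and a searchKey that descends to `variable_map.rds_enabled`, while the positive2.tf entry for the parent `variable_map` resolves to `"search_line": 4`; the -1 looks like the query's search-line lookup failing on the nested key rather than a genuine expectation. Since this file is a generated snapshot of the query's output, merging it as-is freezes that failed lookup as the correct answer. Worth checking that the query (outside this diff) builds its search line from a path that actually matches `variable_map.rds_enabled`, and regenerating the fixture if it does not. This is inferred from the two entries' values only; if the harness ignores search_line for this query the point is moot.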
@@ -3,18 +3,45 @@ "queryName": "RDS Instance Log Connections Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].parameters", + "searchValue": "", + "expectedValue": "'log_connections' parameter should be defined and value should be 'ON'", + "actualValue": "'log_connections' parameter is not defined", + "issueType": "MissingAttribute", + "similarityID": "196aa45cc743dbeb915b30c455cf598f321f386f9279e25de2c8575a27798d83", + "search_line": 6 }, { "queryName": "RDS Instance Log Connections Disabled", "severity": "MEDIUM", "line": 14, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].parameters[2].value", + "searchValue": "", + "expectedValue": "'log_connections' parameter value should be 'ON'", + "actualValue": "'log_connections' parameter value is 'OFF'", + "issueType": "IncorrectValue", + "similarityID": "9d659a10e8caf8308296b6331edb5dc30974a0431322090537d428ff3167235a", + "search_line": 14 }, { "queryName": "RDS Instance Log Connections Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default]", + "searchValue": "", + "expectedValue": "'log_connections' parameter should be defined and value should be 'ON' in parameters array", + "actualValue": "'log_connections' parameter is not defined in parameters array", + "issueType": "MissingAttribute", + "similarityID": "efd2c2d39b555294bdaf3b04973861c2dc38dccb712aa0e47d6caf471298de83", + "search_line": 1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/test/positive_expected_result.json index f75edb57cb9..6f6ae104d5b 100644 --- a/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "RDS Instance Log Disconnections Disabled", "severity": "MEDIUM", "line": 14, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].parameters[2].value", + "searchValue": "", + "expectedValue": "'log_disconnections' parameter value should be 'ON'", + "actualValue": "'log_disconnections' parameter value is 'OFF'", + "issueType": "IncorrectValue", + "similarityID": "f71c5ae261063ca2b1ab7fedcdfad61c0e63e09fbfa60d3c81491287d6a1f4e2", + "search_line": 14 }, { "queryName": "RDS Instance Log Disconnections Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].parameters", + "searchValue": "", + "expectedValue": "'log_disconnections' parameter should be defined and value should be 'ON'", + "actualValue": "'log_disconnections' parameter is not defined", + "issueType": "MissingAttribute", + "similarityID": "72bb74f425e5790a121903d60d9fdfe1e24919dd4b53a370587159320b0d28cd", + "search_line": 6 }, { "queryName": "RDS Instance Log Disconnections Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default]]", + "searchValue": "", + "expectedValue": "'log_disconnections' parameter should be defined and value should be 'ON' in parametes array", + "actualValue": "'log_disconnections' parameter is not defined in parametes array", + "issueType": "MissingAttribute", + "similarityID": "31aea0923467333070f6bfa6f2106ecfccb7246559456a897dfd25897a841f37", + "search_line": 1 } -] \ No newline at end of file +] 
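Review bot: The positive3.tf entry records `"searchKey": "alicloud_db_instance[default]]"` with a doubled closing bracket, and both expectedValue and actualValue say `parametes` instead of `parameters`; these strings come straight from the query, so the fixture is about to pin two typos as expected behaviour. The searchKey one is more than cosmetic: as far as I recall the similarityID is derived from the searchKey, so fixing the query later will also churn the hash stored here. Suggest correcting the key formatting and message text in the query (outside this diff) and regenerating, so the entry reads `"searchKey": "alicloud_db_instance[default]"` and `... in parameters array`.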
diff --git a/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/test/positive_expected_result.json index fbf1412ab90..fb326821f25 100644 --- a/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "RDS Instance Log Duration Disabled", "severity": "MEDIUM", "line": 14, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].parameters[2].value", + "searchValue": "", + "expectedValue": "'log_duration' parameter value should be 'ON'", + "actualValue": "'log_duration' parameter value is 'OFF'", + "issueType": "IncorrectValue", + "similarityID": "6280cc5c2cc9c8a6298b5d79b809d933da8f0c7dfae97f446b965836ceca8704", + "search_line": 14 }, { "queryName": "RDS Instance Log Duration Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].parameters", + "searchValue": "", + "expectedValue": "'log_duration' parameter should be defined and value should be 'ON'", + "actualValue": "'log_duration' parameter is not defined", + "issueType": "MissingAttribute", + "similarityID": "bfbe52ef293110edb8283bdcc4725b69db3108ea7ff4ab09906b6f2c05504bff", + "search_line": 6 }, { "queryName": "RDS Instance Log Duration Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default]]", + "searchValue": "", + "expectedValue": "'log_duration' parameter should be defined and value should be 'ON' in parameters array", + "actualValue": "'log_duration' parameter is not defined in parameters array", + "issueType": "MissingAttribute", + "similarityID": "9a7ad0f3450eafb188bac838f88c6e7b9a1f702074be4fcfd113b8ee9f645160", + "search_line": 1 } -] \ No newline at end of file +] 
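Review bot: The positive3.tf entry has the same malformed `"searchKey": "alicloud_db_instance[default]]"` (extra `]`) that the neighbouring log_disconnections fixture shows, which suggests the defect was copied between the two queries' Rego rather than being a one-off. Committing the snapshot locks the bad key, and any similarityID computed from it, into the test expectations. Fix the key construction in the query first and regenerate so the entry becomes `"searchKey": "alicloud_db_instance[default]"`; the positive1/positive2 entries in this hunk already use the well-formed `alicloud_db_instance[default].parameters...` shape.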
diff --git a/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/test/positive_expected_result.json index 2fa2c88c80a..596c990c4d6 100644 --- a/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_publicly_accessible/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", "line": 7, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].security_ips[0]", + "searchValue": "", + "expectedValue": "'0.0.0.0' should not be in 'security_ips' list", + "actualValue": "'0.0.0.0' is in 'security_ips' list", + "issueType": "IncorrectValue", + "similarityID": "1aee1c59ec3b136bbcc0ef89762a500d0fba1489679de4a7ffb265a797f8180c", + "search_line": 7 }, { "queryName": "RDS DB Instance Publicly Accessible", "severity": "CRITICAL", "line": 7, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].security_ips[0]", + "searchValue": "", + "expectedValue": "'0.0.0.0/0' should not be in 'security_ips' list", + "actualValue": "'0.0.0.0/0' is in 'security_ips' list", + "issueType": "IncorrectValue", + "similarityID": "8ef000b0449f4ad399e99947c208133fcaec4dd5a7bd2c78be7811bc73bb959c", + "search_line": 7 } ] diff --git a/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/test/positive_expected_result.json index 516ef3469b8..b31033b47a6 100644 
--- a/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "RDS Instance Retention Period Not Recommended", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default]", + "searchValue": "sql_collector_config_value", + "expectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", + "actualValue": "'sql_collector_config_value' is not defined", + "issueType": "MissingAttribute", + "similarityID": "5bd0ee49ff68cdcec396cb74c125cf18f00b4cf9de13b7308cf34b6ff05a4c5a", + "search_line": 1 }, { "queryName": "RDS Instance Retention Period Not Recommended", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default]", + "searchValue": "sql_collector_status", + "expectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", + "actualValue": "'sql_collector_status' is not defined", + "issueType": "MissingAttribute", + "similarityID": "219147773c74fad22edebba528c21149856eb2e98da5e6f3a14d788f985b3b46", + "search_line": 1 }, { "queryName": "RDS Instance Retention Period Not Recommended", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default]", + "searchValue": "sql_collector_config_value", + "expectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", + "actualValue": "'sql_collector_config_value' is not defined", + "issueType": "MissingAttribute", + "similarityID": 
"fad17f84deff2c23134b6869023dee665b0d772f48eefb3e7f613e85ef673505", + "search_line": 1 }, { "queryName": "RDS Instance Retention Period Not Recommended", "severity": "LOW", "line": 6, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].sql_collector_status", + "searchValue": "", + "expectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", + "actualValue": "'sql_collector_status' is set to 'Disabled'", + "issueType": "IncorrectValue", + "similarityID": "cdf4bb16e4a64106aa978dcfda19b65300125207995e233a8f03ce7427f8de96", + "search_line": 6 }, { "queryName": "RDS Instance Retention Period Not Recommended", "severity": "LOW", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default]", + "searchValue": "sql_collector_config_value", + "expectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", + "actualValue": "'sql_collector_config_value' is not defined", + "issueType": "MissingAttribute", + "similarityID": "8951e4d9e288f60b01fc35726328ad21e93db0bd6995b550fbc25ecd271687ee", + "search_line": 1 }, { "queryName": "RDS Instance Retention Period Not Recommended", "severity": "LOW", "line": 7, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].sql_collector_config_value", + "searchValue": "", + "expectedValue": "'sql_collector_status' should be defined and set to Enabled and 'sql_collector_config_value' should be defined and set to 180 or more", + "actualValue": "'sql_collector_config_value' is set to 30", + "issueType": 
"IncorrectValue", + "similarityID": "3ff2fa5ef0ccd4e6080154e39d1f23c043df22b6f4722c9123fa44fb584d5d19", + "search_line": 7 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/test/positive_expected_result.json index 884e34ebed6..f12027e0fcc 100644 --- a/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "RDS Instance SSL Action Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].ssl_action", + "searchValue": "", + "expectedValue": "'ssl_action' value should be 'Open'", + "actualValue": "'ssl_action' value is 'Close'", + "issueType": "IncorrectValue", + "similarityID": "d103bf2bbccee856aecf93cb9ae60bd896bc4e9e5d1307cdceacde2c4e9e7ace", + "search_line": 6 }, { "queryName": "RDS Instance SSL Action Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default]", + "searchValue": "", + "expectedValue": "'ssl_action' value should be 'Open'", + "actualValue": "'ssl_action' is not defined", + "issueType": "MissingAttribute", + "similarityID": "d32220121c329aca878454ddef40bcc79810069a07efad5d8ad605b0be960367", + "search_line": 1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/test/positive_expected_result.json index f9aac5a2630..d265b02a051 100644 --- a/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "RDS Instance TDE Status Disabled", "severity": "HIGH", "line": 6, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].tde_status", + "searchValue": "", + "expectedValue": "'tde_status' value should be 'Enabled'", + "actualValue": "'tde_status' value is set to 'Disabled'", + "issueType": "IncorrectValue", + "similarityID": "b38e1490747da8aea60028bd82c72be3115944400b2b4b6107a3b36280e643d9", + "search_line": 6 }, { "queryName": "RDS Instance TDE Status Disabled", "severity": "HIGH", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default]", + "searchValue": "", + "expectedValue": "'tde_status' value should be 'Enabled'", + "actualValue": "'tde_status' is not declared", + "issueType": "MissingAttribute", + "similarityID": "67bf46c8e92bd2ae16b8509137ce260136f88b07ad8785b79410fa0a23c59d9f", + "search_line": 1 }, { "queryName": "RDS Instance TDE Status Disabled", "severity": "HIGH", "line": 6, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default].tde_status", + "searchValue": "", + "expectedValue": "'tde_status' value should be 'Enabled'", + "actualValue": "'tde_status' value is set to 'Disabled'", + "issueType": "IncorrectValue", + "similarityID": "1d8fccb9e3ff5b8a3ee08cb1f47d474b423d3a7c802e2246784313edb27be1c5", + "search_line": 6 }, { "queryName": "RDS Instance TDE Status Disabled", "severity": "HIGH", "line": 1, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "alicloud_db_instance", + "resourceName": "default", + "searchKey": "alicloud_db_instance[default]", + "searchValue": "", + "expectedValue": "'tde_status' value should be 'Enabled'", 
+ "actualValue": "'tde_status' is not declared", + "issueType": "MissingAttribute", + "similarityID": "767fa4b18f7736be7c1e1d74b6053d3b259b2190196e31fb0e28457e772f9964", + "search_line": 1 } ] diff --git a/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/test/positive_expected_result.json index 8d96395e757..c8ed5ec99e7 100644 --- a/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ros_stack_notifications_disabled/test/positive_expected_result.json @@ -2,13 +2,31 @@ { "queryName": "ROS Stack Notifications Disabled", "severity": "LOW", - "line": 3, - "fileName": "positive.tf" + "line": 1, + "fileName": "positive2.tf", + "resourceType": "alicloud_ros_stack", + "resourceName": "tf-testaccstack", + "searchKey": "alicloud_ros_stack[example]", + "searchValue": "", + "expectedValue": "stack 'notification_urls' should be defined", + "actualValue": "stack 'notification_urls' is not defined", + "issueType": "MissingAttribute", + "similarityID": "bc42264597e71aee98dfa9a0b58b3fbd70fbd5776e795e31e0988ee4b4d4e480", + "search_line": 1 }, { "queryName": "ROS Stack Notifications Disabled", "severity": "LOW", - "line": 1, - "fileName": "positive2.tf" + "line": 3, + "fileName": "positive.tf", + "resourceType": "alicloud_ros_stack", + "resourceName": "tf-testaccstack", + "searchKey": "alicloud_ros_stack[example]", + "searchValue": "", + "expectedValue": "stack 'notification_urls' should have urls", + "actualValue": "stack 'notification_urls' is empty", + "issueType": "IncorrectValue", + "similarityID": "8dc2dc73c776f4d5438e2b4b17549ca7be88d1355b0923d7d4298ccc2fe85af6", + "search_line": 3 } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/alicloud/ros_stack_retention_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ros_stack_retention_disabled/test/positive_expected_result.json index b347e2dd2b1..bdf76e7745b 100644 --- a/assets/queries/terraform/alicloud/ros_stack_retention_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ros_stack_retention_disabled/test/positive_expected_result.json @@ -2,13 +2,31 @@ { "queryName": "ROS Stack Retention Disabled", "severity": "MEDIUM", - "line": 6, - "fileName": "positive.tf" + "line": 1, + "fileName": "positive2.tf", + "resourceType": "alicloud_ros_stack_instance", + "resourceName": "example", + "searchKey": "alicloud_ros_stack_instance[example]", + "searchValue": "", + "expectedValue": "alicloud_ros_stack_instance[example].retain_stacks should be defined and not null", + "actualValue": "alicloud_ros_stack_instance[example].retain_stacks is undefined", + "issueType": "MissingAttribute", + "similarityID": "f4dea785f91f946d4ba5c3ce86ecbe88ee17d6094db3ce4cdbfccaadb6447307", + "search_line": 1 }, { "queryName": "ROS Stack Retention Disabled", "severity": "MEDIUM", - "line": 1, - "fileName": "positive2.tf" + "line": 6, + "fileName": "positive.tf", + "resourceType": "alicloud_ros_stack_instance", + "resourceName": "example", + "searchKey": "alicloud_ros_stack_instance[example].retain_stacks", + "searchValue": "", + "expectedValue": "alicloud_ros_stack_instance[example].retain_stacks should be true ", + "actualValue": "alicloud_ros_stack_instance[example].retain_stacks is false", + "issueType": "IncorrectValue", + "similarityID": "018c8abf5f2f02b92a9a5c4345c5b27fb38438e8e64e4891c9479834c478600f", + "search_line": 6 } ] diff --git a/assets/queries/terraform/alicloud/ros_stack_without_template/test/positive_expected_result.json b/assets/queries/terraform/alicloud/ros_stack_without_template/test/positive_expected_result.json index d53d3d5cbf8..0eb5c68b4a1 100644 
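Review bot: Style point on the positive.tf entry: `"expectedValue": "alicloud_ros_stack_instance[example].retain_stacks should be true "` carries a trailing space, which originates in the query's message string and is now frozen into the fixture. It is harmless for the comparison but will surface in user-facing output and will force a fixture regeneration whenever someone trims it. Better to trim the message in the query (outside this diff) before committing this snapshot so the line reads `... retain_stacks should be true"`.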
--- a/assets/queries/terraform/alicloud/ros_stack_without_template/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/ros_stack_without_template/test/positive_expected_result.json @@ -1,8 +1,17 @@ [ - { - "queryName": "ROS Stack Without Template", - "severity": "MEDIUM", - "line": 1, - "fileName": "positive1.tf" - } - ] + { + "queryName": "ROS Stack Without Template", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive1.tf", + "resourceType": "alicloud_ros_stack", + "resourceName": "tf-testaccstack", + "searchKey": "alicloud_ros_stack[example]", + "searchValue": "", + "expectedValue": "Attribute 'template_body' or Attribute 'template_url' should be set.", + "actualValue": "Both Attribute 'template_body' and Attribute 'template_url' are undefined.", + "issueType": "MissingAttribute", + "similarityID": "f05bfdead5291bdcdd802f80a888dad30fe8695f6e3b4f317e2e8e774fde2a47", + "search_line": 1 + } +] diff --git a/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/test/positive_expected_result.json b/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/test/positive_expected_result.json index 0787eeaa125..b36829a9818 100644 --- a/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "SLB Policy With Insecure TLS Version In Use", "severity": "MEDIUM", "line": 3, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "alicloud_slb_tls_cipher_policy", + "resourceName": "positive", + "searchKey": "alicloud_slb_tls_cipher_policy[positive].tls_versions", + "searchValue": "", + "expectedValue": "alicloud_slb_tls_cipher_policy[positive].tls_versions to use secure TLS versions", + "actualValue": "alicloud_slb_tls_cipher_policy[positive].tls_versions uses insecure TLS versions", + "issueType": "IncorrectValue", + "similarityID": "d3331d4b1cbf1892f175dc1f7f04d515774bbde099a75c42875879968f1d8f94", + "search_line": 3 } ] diff --git a/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/test/positive_expected_result.json b/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/test/positive_expected_result.json index 42b4e6f8dec..374166a57ff 100644 --- a/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/alicloud/vpc_flow_logs_disabled/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "VPC Flow Logs Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "alicloud_vpc", + "resourceName": "main", + "searchKey": "alicloud_vpc[main]", + "searchValue": "", + "expectedValue": "alicloud_vpc[main] is associated with an 'alicloud_vpc_flow_log'", + "actualValue": "alicloud_vpc[main] is not associated with an 'alicloud_vpc_flow_log'", + "issueType": "IncorrectValue", + "similarityID": "98afdc5c9768d51987e94865e830b6f582cbe5561a39c6838ee7dd15bfdc4bd6", + "search_line": 1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/alb_deletion_protection_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/alb_deletion_protection_disabled/test/positive_expected_result.json index e663004ce62..8162985559b 100644 
--- a/assets/queries/terraform/aws/alb_deletion_protection_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/alb_deletion_protection_disabled/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "ALB Deletion Protection Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_alb", + "resourceName": "test-lb-tf", + "searchKey": "aws_alb[positive1].enable_deletion_protection", + "searchValue": "", + "expectedValue": "'enable_deletion_protection' should be set to true", + "actualValue": "'enable_deletion_protection' is set to false", + "issueType": "IncorrectValue", + "similarityID": "5aaad6cd94edb2a2ef8b50d228fa2fc454f8dd26f33fa2e1284ab306ca6a0c2a", + "search_line": 7 }, { "queryName": "ALB Deletion Protection Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_alb", + "resourceName": "test-lb-tf", + "searchKey": "aws_alb[positive2]", + "searchValue": "", + "expectedValue": "'enable_deletion_protection' should be defined and set to true", + "actualValue": "'enable_deletion_protection' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "6b7aada979ceb196eb73858cb5edc9eb9834ac3f4e6a5f53a176c2a8cc85ecc6", + "search_line": 1 }, { "queryName": "ALB Deletion Protection Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_lb", + "resourceName": "test-lb-tf", + "searchKey": "aws_lb[positive3].enable_deletion_protection", + "searchValue": "", + "expectedValue": "'enable_deletion_protection' should be set to true", + "actualValue": "'enable_deletion_protection' is set to false", + "issueType": "IncorrectValue", + "similarityID": "a8de2c151ae26099380254a65087898d8ed67c051cb0d4afdd1c71c2f5aa32a2", + "search_line": 7 }, { "queryName": "ALB Deletion Protection Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_lb", + "resourceName": "test-lb-tf", + "searchKey": "aws_lb[positive4]", + "searchValue": "", + "expectedValue": 
"'enable_deletion_protection' should be defined and set to true", + "actualValue": "'enable_deletion_protection' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "1d3bea95909fde2bf72d22b10ecb32b29218e1d78cf9d5102aa08fa422feb043", + "search_line": 1 }, { "queryName": "ALB Deletion Protection Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[alb].enable_deletion_protection", + "searchValue": "", + "expectedValue": "'enable_deletion_protection' should be set to true", + "actualValue": "'enable_deletion_protection' is set to false", + "issueType": "IncorrectValue", + "similarityID": "84a50095049b5bf5cbf78d6c4140ad163a2894924d19c471e051dea3fbadfa13", + "search_line": 9 }, { "queryName": "ALB Deletion Protection Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[alb]", + "searchValue": "", + "expectedValue": "'enable_deletion_protection' should be defined and set to true", + "actualValue": "'enable_deletion_protection' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "5a7d668a762e98d1f62c79bcd27c6539bd56c7a38cc122636d5f4455486f5386", + "search_line": 1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json index 412dc085a1f..243858ca63a 100644 --- a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "ALB Is Not Integrated With WAF", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_alb", + "resourceName": "foo", + "searchKey": "aws_alb[foo]", + "searchValue": "", + "expectedValue": "'aws_alb[foo]' should not be 'internal' and has a 'aws_wafregional_web_acl_association' associated", + "actualValue": "'aws_alb[foo]' is not 'internal' and does not have a 'aws_wafregional_web_acl_association' associated", + "issueType": "MissingAttribute", + "similarityID": "b33d55a182d1ab6d16c419fe459e09f8560f5947acacd19b87f940c012055cbd", + "search_line": -1 }, { "queryName": "ALB Is Not Integrated With WAF", "severity": "MEDIUM", "line": 1, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_lb", + "resourceName": "test-lb-tf", + "searchKey": "aws_lb[alb]", + "searchValue": "", + "expectedValue": "'aws_lb[alb]' should not be 'internal' and has a 'aws_wafregional_web_acl_association' associated", + "actualValue": "'aws_lb[alb]' is not 'internal' and does not have a 'aws_wafregional_web_acl_association' associated", + "issueType": "MissingAttribute", + "similarityID": "2271993c6a2a87b5c95e9016952071bc2c07171ad77b9c1f4b503d4edac1ef0b", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/alb_listening_on_http/test/positive_expected_result.json b/assets/queries/terraform/aws/alb_listening_on_http/test/positive_expected_result.json index 8a0e258e845..b37687ec6d7 100644 --- a/assets/queries/terraform/aws/alb_listening_on_http/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/alb_listening_on_http/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "ALB Listening on HTTP", "severity": "MEDIUM", "line": 9, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_lb_listener", + "resourceName": "listener5", + "searchKey": "aws_lb_listener[listener5].default_action.redirect.protocol", + "searchValue": "", + "expectedValue": "'default_action.redirect.protocol' should be equal to 'HTTPS'", + "actualValue": "'default_action.redirect.protocol' is equal 'HTTP'", + "issueType": "IncorrectValue", + "similarityID": "49ed37f2f2aebdb26d6ac7f8750b37c2402b2677b692878870c4cea3cc3913d0", + "search_line": 9 }, { "queryName": "ALB Listening on HTTP", "severity": "MEDIUM", "line": 70, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_lb_listener", + "resourceName": "listener", + "searchKey": "aws_lb_listener[listener].default_action", + "searchValue": "", + "expectedValue": "'default_action.redirect.protocol' should be equal to 'HTTPS'", + "actualValue": "'default_action.redirect' is missing", + "issueType": "MissingAttribute", + "similarityID": "365bd11c2c64f5e1ef3c3048d471c711e3f95c440997d2e6b5830797ace8d280", + "search_line": 70 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/test/positive_expected_result.json b/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/test/positive_expected_result.json index 1f97c90fd36..5376b2d5a5b 100644 --- a/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/alb_not_dropping_invalid_headers/test/positive_expected_result.json 
@@ -3,54 +3,135 @@ "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_alb", + "resourceName": "alb", + "searchKey": "aws_alb[{{disabled_1}}]", + "searchValue": "", + "expectedValue": "aws_alb[{{disabled_1}}].drop_invalid_header_fields should be set to true", + "actualValue": "aws_alb[{{disabled_1}}].drop_invalid_header_fields is missing", + "issueType": "MissingAttribute", + "similarityID": "b9b96177ed337bf8af09d48174dcbfd5c8befdffc124c8d1eafae8149b0a8d66", + "search_line": 1 }, { "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", "line": 14, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_alb", + "resourceName": "alb", + "searchKey": "aws_alb[{{disabled_2}}].drop_invalid_header_fields", + "searchValue": "", + "expectedValue": "aws_alb[{{disabled_2}}].drop_invalid_header_fields should be set to true", + "actualValue": "aws_alb[{{disabled_2}}].drop_invalid_header_fields is set to false", + "issueType": "IncorrectValue", + "similarityID": "c2f9770c565b6e06cb80e5966dcb79b7a888a3da4d9f7cee2d9c1f026910a317", + "search_line": 14 }, { "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", "line": 1, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_lb", + "resourceName": "alb", + "searchKey": "aws_lb[{{disabled_1}}]", + "searchValue": "", + "expectedValue": "aws_lb[{{disabled_1}}].drop_invalid_header_fields should be set to true", + "actualValue": "aws_lb[{{disabled_1}}].drop_invalid_header_fields is missing", + "issueType": "MissingAttribute", + "similarityID": "d1c4b0ae4541f50f342efb2b6fdf2621fed71fe965c5c98dac50b1e46a7fbc28", + "search_line": 1 }, { "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", "line": 14, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_lb", + "resourceName": "alb", + "searchKey": 
"aws_lb[{{disabled_2}}].drop_invalid_header_fields", + "searchValue": "", + "expectedValue": "aws_lb[{{disabled_2}}].drop_invalid_header_fields should be set to true", + "actualValue": "aws_lb[{{disabled_2}}].drop_invalid_header_fields is set to false", + "issueType": "IncorrectValue", + "similarityID": "3c068d4792a7664e5e1c8a3e7fb26d055dc2fafa677920ccc1a4b952acce10a2", + "search_line": 14 }, { "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", "line": 1, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_alb", + "resourceName": "alb", + "searchKey": "aws_alb[{{disabled_1}}]", + "searchValue": "", + "expectedValue": "aws_alb[{{disabled_1}}].drop_invalid_header_fields should be set to true", + "actualValue": "aws_alb[{{disabled_1}}].drop_invalid_header_fields is missing", + "issueType": "MissingAttribute", + "similarityID": "947545950aca24b7b504a405f2fdb84e261e0eb55ae89e020a1c282139f3db45", + "search_line": 1 }, { "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", "line": 12, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_lb", + "resourceName": "alb", + "searchKey": "aws_lb[{{disabled_2}}].drop_invalid_header_fields", + "searchValue": "", + "expectedValue": "aws_lb[{{disabled_2}}].drop_invalid_header_fields should be set to true", + "actualValue": "aws_lb[{{disabled_2}}].drop_invalid_header_fields is set to false", + "issueType": "IncorrectValue", + "similarityID": "8687b4924f20971aedc987f6367d7759ff98b51c8f7be376ef4a70e6e303d1d3", + "search_line": 12 }, { "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", "line": 8, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[alb].drop_invalid_header_fields", + "searchValue": "", + "expectedValue": "module[alb].drop_invalid_header_fields should be set to true", + "actualValue": "module[alb].drop_invalid_header_fields is 
set to false", + "issueType": "IncorrectValue", + "similarityID": "dd45278188764720bdabb71cd9b384dddb2cdde78c8588c6e97fe81eb4fdf0ea", + "search_line": 8 }, { "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", "line": 1, - "filename": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[alb]", + "searchValue": "", + "expectedValue": "module[alb].drop_invalid_header_fields should be set to true", + "actualValue": "module[alb].drop_invalid_header_fields is missing", + "issueType": "MissingAttribute", + "similarityID": "44ee6fc5ddc47a04f0472b5013db326bcbba3121549af132b538155eb4574fcc", + "search_line": 1 }, { "queryName": "ALB Not Dropping Invalid Headers", "severity": "MEDIUM", "line": 1, - "filename": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[alb]", + "searchValue": "", + "expectedValue": "module[alb].drop_invalid_header_fields should be set to true", + "actualValue": "module[alb].drop_invalid_header_fields is missing", + "issueType": "MissingAttribute", + "similarityID": "f6965b9f1f07f3a2adc11a581592c0449a94bde6e414381edaa116ba256855d1", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json index 2497e484f40..bc1eae149b0 100644 --- a/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/amazon_dms_replication_instance_is_publicly_accessible/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Amazon DMS Replication Instance Is Publicly Accessible", "severity": "CRITICAL", "line": 10, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_dms_replication_instance", + "resourceName": "test", + "searchKey": "aws_dms_replication_instance[test].publicly_accessible", + "searchValue": "", + "expectedValue": "aws_dms_replication_instance[test].publicly_accessible should be set to false", + "actualValue": "aws_dms_replication_instance[test].publicly_accessible is set to true", + "issueType": "IncorrectValue", + "similarityID": "56b93e34f86c231482ec61e0eb464974d8c9ef1e1f24af95772ef208a5299012", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json index f2d96094196..ea363e7e289 100644 --- a/assets/queries/terraform/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/amazon_mq_broker_encryption_disabled/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "AmazonMQ Broker Encryption Disabled", "severity": "HIGH", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_mq_broker", + "resourceName": "example", + "searchKey": "resource.aws_mq_broker[positive1]", + "searchValue": "", + "expectedValue": "resource.aws_mq_broker[positive1].encryption_options should be defined", + "actualValue": "resource.aws_mq_broker[positive1].encryption_options is not defined", + "issueType": "MissingAttribute", + "similarityID": "e95ea89232cbc83a4a02a21a6ed565fdc92a93230821359dd59646bcdbfac6eb", + "search_line": -1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/aws/ami_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/ami_not_encrypted/test/positive_expected_result.json index c602b4411df..d86db5f3806 100644 --- a/assets/queries/terraform/aws/ami_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ami_not_encrypted/test/positive_expected_result.json 
@@ -2,19 +2,46 @@ { "queryName": "AMI Not Encrypted", "severity": "MEDIUM", - "line": 29, - "fileName": "positive.tf" + "line": 7, + "fileName": "positive.tf", + "resourceType": "aws_ami", + "resourceName": "terraform-example", + "searchKey": "aws_ami[positive1].ebs_block_device", + "searchValue": "", + "expectedValue": "One of 'rule.ebs_block_device.encrypted' should be 'true'", + "actualValue": "'rule.ebs_block_device' is undefined", + "issueType": "MissingAttribute", + "similarityID": "c2cbc72b6be78c6ff7baaae070f8720d878e5e12c93f54e98cd1661319b775c8", + "search_line": 7 }, { "queryName": "AMI Not Encrypted", "severity": "MEDIUM", "line": 25, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "aws_ami", + "resourceName": "terraform-example", + "searchKey": "aws_ami[positive2].ebs_block_device.encrypted", + "searchValue": "", + "expectedValue": "One of 'rule.ebs_block_device.encrypted' should be 'true'", + "actualValue": "One of 'rule.ebs_block_device.encrypted' is not 'true'", + "issueType": "IncorrectValue", + "similarityID": "7d59992cd8d0ddda4c16d5a8820e6b6b1c5f3d8add5798295e0622ddc9875b73", + "search_line": 25 }, { "queryName": "AMI Not Encrypted", "severity": "MEDIUM", - "line": 7, - "fileName": "positive.tf" + "line": 29, + "fileName": "positive.tf", + "resourceType": "aws_ami", + "resourceName": "terraform-example", + "searchKey": "aws_ami[positive3]", + "searchValue": "", + "expectedValue": "One of 'rule.ebs_block_device.encrypted' should be 'true'", + "actualValue": "One of 'rule.ebs_block_device' is undefined", + "issueType": "MissingAttribute", + "similarityID": "d107063ac80f2e7d7624c1540bd60d13846444d0810fa5f3eb1f7378330ed280", + "search_line": 29 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json b/assets/queries/terraform/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json index e24986c08b3..ace45fbfcd9 100644 
--- a/assets/queries/terraform/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ami_shared_with_multiple_accounts/test/positive_expected_result.json @@ -2,11 +2,31 @@ { "queryName": "AMI Shared With Multiple Accounts", "severity": "MEDIUM", - "line": 3 + "line": 3, + "fileName": "positive.tf", + "resourceType": "aws_ami_launch_permission", + "resourceName": "positive1", + "searchKey": "aws_ami_launch_permission[positive1].image_id", + "searchValue": "", + "expectedValue": "'aws_ami_launch_permission[positive1].image_id' should not be shared with multiple accounts", + "actualValue": "'aws_ami_launch_permission[positive1].image_id' is shared with multiple accounts", + "issueType": "IncorrectValue", + "similarityID": "b979fa278955228e2f43a29edb078249d7e105b75338f788d4d539f1dd67026d", + "search_line": -1 }, { "queryName": "AMI Shared With Multiple Accounts", "severity": "MEDIUM", - "line": 11 + "line": 11, + "fileName": "positive.tf", + "resourceType": "aws_ami_launch_permission", + "resourceName": "positive2", + "searchKey": "aws_ami_launch_permission[positive2].image_id", + "searchValue": "", + "expectedValue": "'aws_ami_launch_permission[positive2].image_id' should not be shared with multiple accounts", + "actualValue": "'aws_ami_launch_permission[positive2].image_id' is shared with multiple accounts", + "issueType": "IncorrectValue", + "similarityID": "eaf240c05d4cfe4cbbb5cc70c0a60f124c0d7802f94086ce53f80703ef58fa66", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json index 1e3d8fd2c04..46ffb6da11d 100644 --- a/assets/queries/terraform/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json 
@@ -3,78 +3,195 @@ "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive10", + "searchKey": "aws_api_gateway_stage[positive10]", + "searchValue": "access_log_settings", + "expectedValue": "'access_log_settings' should be defined", + "actualValue": "'access_log_settings' is not defined", + "issueType": "MissingAttribute", + "similarityID": "0ad0efed31c812bbb41e5a047fff86e5fcc00337a43e9f2ea62ab8ab60e2df11", + "search_line": 1 }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", "line": 15, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_apigatewayv2_stage", + "resourceName": "positive11", + "searchKey": "aws_apigatewayv2_stage[positive11]", + "searchValue": "access_log_settings", + "expectedValue": "'access_log_settings' should be defined", + "actualValue": "'access_log_settings' is not defined", + "issueType": "MissingAttribute", + "similarityID": "d635514c94a2a794257c370c8fb9c3a062680a9c0f5832a7b0abc44bfa8cf8e3", + "search_line": 15 }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", "line": 15, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive20", + "searchKey": "aws_api_gateway_method_settings[allpositive2].settings.logging_level", + "searchValue": "", + "expectedValue": "aws_api_gateway_method_settings[allpositive2].settings.logging_level should be defined and not null", + "actualValue": "aws_api_gateway_method_settings[allpositive2].settings.logging_level isn't defined or is null", + "issueType": "IncorrectValue", + "similarityID": "1711c3591eda0c7d7a51b14cc4c5bab566fedcce84adc21971b979fa3107c5c0", + "search_line": 15 }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", "line": 28, - "filename": "positive2.tf" + 
"fileName": "positive2.tf", + "resourceType": "aws_apigatewayv2_stage", + "resourceName": "positive21", + "searchKey": "aws_apigatewayv2_stage[positive21].default_route_settings.logging_level", + "searchValue": "", + "expectedValue": "aws_apigatewayv2_stage[positive21].default_route_settings.logging_level should be defined and not null", + "actualValue": "aws_apigatewayv2_stage[positive21].default_route_settings.logging_level isn't defined or is null", + "issueType": "IncorrectValue", + "similarityID": "a75f080fe15d220a13bc06c41e06cabb01f5e35ee29111ce8b2bb72aa6c55ed4", + "search_line": 28 }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", "line": 14, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive30", + "searchKey": "aws_api_gateway_method_settings[allpositive3].settings", + "searchValue": "", + "expectedValue": "aws_api_gateway_method_settings[allpositive3].settings.logging_level should be defined and not null", + "actualValue": "aws_api_gateway_method_settings[allpositive3].settings.logging_level isn't defined or is null", + "issueType": "MissingAttribute", + "similarityID": "9e5600eabdd40af33a7828434ba91a964c524a085704730951775f6e541f95db", + "search_line": 14 }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", "line": 27, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_apigatewayv2_stage", + "resourceName": "positive31", + "searchKey": "aws_apigatewayv2_stage[positive31].default_route_settings", + "searchValue": "", + "expectedValue": "aws_apigatewayv2_stage[positive31].default_route_settings.logging_level should be defined and not null", + "actualValue": "aws_apigatewayv2_stage[positive31].default_route_settings.logging_level isn't defined or is null", + "issueType": "MissingAttribute", + "similarityID": "11a3725a560e6b77b4ea4e532c5790da1ab87bf295cc04ec9c7cee88c799a546", + "search_line": 27 
}, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", "line": 10, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive40", + "searchKey": "aws_api_gateway_method_settings[allpositive4]", + "searchValue": "", + "expectedValue": "aws_api_gateway_method_settings[allpositive4].settings should be defined and not null", + "actualValue": "aws_api_gateway_method_settings[allpositive4].settings isn't defined or is null", + "issueType": "MissingAttribute", + "similarityID": "ed35ea3625f682a9135d78f29365722bd09b90b33e7befe554a26e5f86c8559c", + "search_line": 10 }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", "line": 15, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_apigatewayv2_stage", + "resourceName": "positive41", + "searchKey": "aws_apigatewayv2_stage[positive41]", + "searchValue": "default_route_settings", + "expectedValue": "aws_apigatewayv2_stage[positive41].default_route_settings should be defined and not null", + "actualValue": "aws_apigatewayv2_stage[positive41].default_route_settings isn't defined or is null", + "issueType": "MissingAttribute", + "similarityID": "657a7ebe09243d5866c11e6040e3da911f8a2ba7b35fe7a1d664a1613353a9c7", + "search_line": 15 }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", "line": 15, - "filename": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive50", + "searchKey": "aws_api_gateway_method_settings[allpositive5].settings.logging_level", + "searchValue": "", + "expectedValue": "aws_api_gateway_method_settings[allpositive5].settings.logging_level should not be set to OFF", + "actualValue": "aws_api_gateway_method_settings[allpositive5].settings.logging_level is set to OFF", + "issueType": "IncorrectValue", + "similarityID": 
"972c4558608cfecca65f33ee26a700110b7eb0a92ffcc13d0ce2477646aa9b49", + "search_line": 15 }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", "line": 28, - "filename": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "aws_apigatewayv2_stage", + "resourceName": "positive51", + "searchKey": "aws_apigatewayv2_stage[positive51].default_route_settings.logging_level", + "searchValue": "", + "expectedValue": "aws_apigatewayv2_stage[positive51].default_route_settings.logging_level should not be set to OFF", + "actualValue": "aws_apigatewayv2_stage[positive51].default_route_settings.logging_level is set to OFF", + "issueType": "IncorrectValue", + "similarityID": "666b6ae8c492253731bf3f7869265068578cbce73200c0753c42b44b032cc31c", + "search_line": 28 }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", "line": 14, - "filename": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive60", + "searchKey": "aws_api_gateway_method_settings[allpositive6].settings", + "searchValue": "", + "expectedValue": "aws_api_gateway_method_settings[allpositive6].settings.logging_level should be defined and not null", + "actualValue": "aws_api_gateway_method_settings[allpositive6].settings.logging_level isn't defined or is null", + "issueType": "MissingAttribute", + "similarityID": "b5ba10c9495c196ae85de82a6d747f16b4fa2d793cca9da463eb184789e71609", + "search_line": 14 }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", "line": 27, - "filename": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "aws_apigatewayv2_stage", + "resourceName": "positive61", + "searchKey": "aws_apigatewayv2_stage[positive61].default_route_settings", + "searchValue": "", + "expectedValue": "aws_apigatewayv2_stage[positive61].default_route_settings.logging_level should be defined and not null", + "actualValue": 
"aws_apigatewayv2_stage[positive61].default_route_settings.logging_level isn't defined or is null", + "issueType": "MissingAttribute", + "similarityID": "ee46e36a8e055e8ec4cf632b8c5071cd713939180c9826b1fb400e2f74346735", + "search_line": 27 }, { "queryName": "API Gateway Access Logging Disabled", "severity": "MEDIUM", "line": 1, - "filename": "positive7.tf" + "fileName": "positive7.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive70", + "searchKey": "aws_api_gateway_stage[positive70]", + "searchValue": "aws_api_gateway_method_settings", + "expectedValue": "aws_api_gateway_stage[positive70]'s corresponding aws_api_gateway_method_settings should be defined and not null", + "actualValue": "aws_api_gateway_stage[positive70]'s corresponding aws_api_gateway_method_settings isn't defined or is null", + "issueType": "MissingAttribute", + "similarityID": "d0310a2e2aa8a9407b4f391bdaf46810b199346a049a12b6403c02d0f640488a", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json index c77dbf0991b..b7888d5c90b 100644 --- a/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting/test/positive_expected_result.json 
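Review bot: Several regenerated entries in this hunk record a `resourceType`/`resourceName` that does not match the resource named in `searchKey` — for example the positive2.tf entry has `"resourceType": "aws_api_gateway_stage"`, `"resourceName": "positive20"` but `"searchKey": "aws_api_gateway_method_settings[allpositive2].settings.logging_level"`, and the positive3.tf, positive4.tf, positive5.tf and positive6.tf entries follow the same pattern. These values are presumably copied verbatim from the scanner output, so the mismatch likely originates in the query's result construction rather than in the generator; committing them as the expected result pins that attribution and will make a later fix to the query look like a regression. It would be worth confirming which resource the finding should be attributed to before freezing these fields in the fixture, or adding a short note in the PR description that resource attribution is intentionally recorded as-is.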
@@ -3,18 +3,45 @@ "queryName": "API Gateway Deployment Without Access Log Setting", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_api_gateway_deployment", + "resourceName": "examplee", + "searchKey": "aws_api_gateway_deployment[examplee]", + "searchValue": "", + "expectedValue": "aws_api_gateway_deployment[examplee] has a 'aws_api_gateway_stage' resource associated with 'access_log_settings' set", + "actualValue": "aws_api_gateway_deployment[examplee] doesn't have a 'aws_api_gateway_stage' resource associated with 'access_log_settings' set", + "issueType": "IncorrectValue", + "similarityID": "5ff70ab47bd25323086c4e799339369da8ea1f2c0bc44fade229eeb3f26bb861", + "search_line": -1 }, { "queryName": "API Gateway Deployment Without Access Log Setting", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_api_gateway_deployment", + "resourceName": "example3", + "searchKey": "aws_api_gateway_deployment[example3]", + "searchValue": "", + "expectedValue": "aws_api_gateway_deployment[example3] has a 'aws_api_gateway_stage' resource associated with 'access_log_settings' set", + "actualValue": "aws_api_gateway_deployment[example3] doesn't have a 'aws_api_gateway_stage' resource associated with 'access_log_settings' set", + "issueType": "IncorrectValue", + "similarityID": "0908fb21e9ef147a4fa299dc5c72d13b76a998ecd0c7b2dcfbc4124d0a330506", + "search_line": -1 }, { "queryName": "API Gateway Deployment Without Access Log Setting", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_api_gateway_deployment", + "resourceName": "example4", + "searchKey": "aws_api_gateway_deployment[example4]", + "searchValue": "", + "expectedValue": "aws_api_gateway_deployment[example4].stage_description should be set", + "actualValue": "aws_api_gateway_deployment[example4].stage_description is undefined", + 
"issueType": "MissingAttribute", + "similarityID": "62de7bfbe7ef792dc70c582ce1ba8febc207e4e9ce8ddadca9a5b948b2bff28d", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json index c90c5d51934..5858074850e 100644 --- a/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", "severity": "LOW", "line": 1, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_api_gateway_deployment", + "resourceName": "positive1", + "searchKey": "aws_api_gateway_deployment[positive1]", + "searchValue": "", + "expectedValue": "aws_api_gateway_deployment[positive1] has a 'aws_api_gateway_usage_plan' resource associated. ", + "actualValue": "aws_api_gateway_deployment[positive1] doesn't have a 'aws_api_gateway_usage_plan' resource associated.", + "issueType": "IncorrectValue", + "similarityID": "971a59288bc6805a254e7ba2c46417cf5a24b9464fd84bbaff02f1d830791894", + "search_line": 1 }, { "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", "severity": "LOW", "line": 9, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_api_gateway_deployment", + "resourceName": "positive2", + "searchKey": "aws_api_gateway_deployment[positive2]", + "searchValue": "", + "expectedValue": "aws_api_gateway_deployment[positive2] has a 'aws_api_gateway_usage_plan' resource associated. ", + "actualValue": "aws_api_gateway_deployment[positive2] doesn't have a 'aws_api_gateway_usage_plan' resource associated.", + "issueType": "IncorrectValue", + "similarityID": "56cb3fa413fee55bdddf27516f5b11322fd9b82406f10d2104cfa062f97d773d", + "search_line": 9 }, { "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", "severity": "LOW", "line": 14, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "aws_api_gateway_deployment", + "resourceName": "aws_api_gateway_deployment.positive1", + "searchKey": "aws_api_gateway_deployment[aws_api_gateway_deployment.positive1]", + "searchValue": "", + "expectedValue": "aws_api_gateway_deployment[aws_api_gateway_deployment.positive1] has a 'aws_api_gateway_usage_plan' resource associated. 
", + "actualValue": "aws_api_gateway_deployment[aws_api_gateway_deployment.positive1] doesn't have a 'aws_api_gateway_usage_plan' resource associated.", + "issueType": "IncorrectValue", + "similarityID": "0fea02836af59323ee937b2c0c855e622e93b9283cd1693916f923c403de1c8c", + "search_line": 14 }, { "queryName": "API Gateway Deployment Without API Gateway UsagePlan Associated", "severity": "LOW", "line": 31, - "filename": "positive2.json" + "fileName": "positive2.json", + "resourceType": "aws_api_gateway_deployment", + "resourceName": "aws_api_gateway_deployment.positive2", + "searchKey": "aws_api_gateway_deployment[aws_api_gateway_deployment.positive2]", + "searchValue": "", + "expectedValue": "aws_api_gateway_deployment[aws_api_gateway_deployment.positive2] has a 'aws_api_gateway_usage_plan' resource associated. ", + "actualValue": "aws_api_gateway_deployment[aws_api_gateway_deployment.positive2] doesn't have a 'aws_api_gateway_usage_plan' resource associated.", + "issueType": "IncorrectValue", + "similarityID": "bf7894fad979c7389aaa8d563550f3af2ac0347e3258badce197ae5269ffc4f3", + "search_line": 31 } ] diff --git a/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json index 312133f896e..26ef9630c6e 100644 --- a/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "API Gateway Endpoint Config is Not Private", "severity": "MEDIUM", - "line": 5 + "line": 5, + "fileName": "positive.tf", + "resourceType": "aws_api_gateway_rest_api", + "resourceName": "positive1", + "searchKey": "aws_api_gateway_rest_api[positive1].endpoint_configuration.types[%!s(int=0)]", + "searchValue": "", + "expectedValue": "'aws_api_gateway_rest_api.aws_api_gateway_rest_api.types' should be 'PRIVATE'.", + "actualValue": "'aws_api_gateway_rest_api.aws_api_gateway_rest_api.types' is not 'PRIVATE'.", + "issueType": "IncorrectValue", + "similarityID": "f4afb7d2c6db90e72d33603544ee3850b7f5a11500eab706459a459db6367821", + "search_line": 5 } ] diff --git a/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json index 96be3ea7103..89f21eb7e3d 100644 --- a/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key/test/positive_expected_result.json 
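Review bot: The new `searchKey` value `"aws_api_gateway_rest_api[positive1].endpoint_configuration.types[%!s(int=0)]"` contains a Go `fmt` verb error (`%!s(int=0)`), which means the query formats an integer index with a string verb; the intended key is presumably `...endpoint_configuration.types[0]`. Committing this string as the expected result freezes the formatting bug into the test baseline, so the test will keep passing only while the bug is present and will fail once the query's sprintf is corrected. The query itself should be fixed first (or this entry hand-corrected to `types[0]` and the `similarityID` regenerated, since it is derived from the key), rather than baking the malformed key into the fixture.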
@@ -1,12 +1,32 @@ [ { - "line": 1, "queryName": "API Gateway Method Does Not Contains An API Key", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_api_gateway_method", + "resourceName": "positive1", + "searchKey": "resource.aws_api_gateway_method[positive1]", + "searchValue": "", + "expectedValue": "resource.aws_api_gateway_method[positive1].api_key_required should be defined", + "actualValue": "resource.aws_api_gateway_method[positive1].api_key_required is undefined", + "issueType": "MissingAttribute", + "similarityID": "6cb6b65bca81bcef4a9da7b5091869eefd250451e7931d76373292507b80b3d6", + "search_line": 1 }, { - "line": 13, "queryName": "API Gateway Method Does Not Contains An API Key", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 13, + "fileName": "positive.tf", + "resourceType": "aws_api_gateway_method", + "resourceName": "positive2", + "searchKey": "resource.aws_api_gateway_method[positive2].api_key_required", + "searchValue": "", + "expectedValue": "resource.aws_api_gateway_method[positive2].api_key_required should be 'true'", + "actualValue": "resource.aws_api_gateway_method[positive2].api_key_required is 'false'", + "issueType": "IncorrectValue", + "similarityID": "060d65cb9959e89ef391d8ee1585f86c8af66174a45141d723958bcad50683e5", + "search_line": 13 } ] diff --git a/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/test/positive_expected_result.json index e8ac44bb382..bbcead5fea7 100644 --- a/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "API Gateway Method Settings Cache Not Encrypted", "severity": "HIGH", "line": 40, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_api_gateway_method_settings", + "resourceName": "path_specific", + "searchKey": "aws_api_gateway_method_settings[{{path_specific}}].settings.cache_data_encrypted", + "searchValue": "", + "expectedValue": "aws_api_gateway_method_settings.settings.cache_data_encrypted should be set to true", + "actualValue": "aws_api_gateway_method_settings.settings.cache_data_encrypted is set to false", + "issueType": "IncorrectValue", + "similarityID": "869486058e3d24ee42205e5cc33835a053cba325a2f4c4ae85854bf8d7018f50", + "search_line": 40 }, { "queryName": "API Gateway Method Settings Cache Not Encrypted", "severity": "HIGH", "line": 48, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_api_gateway_method_settings", + "resourceName": "path_specific_2", + "searchKey": "aws_api_gateway_method_settings[{{path_specific_2}}].settings", + "searchValue": "", + "expectedValue": "aws_api_gateway_method_settings.settings.cache_data_encrypted should be set to true", + "actualValue": "aws_api_gateway_method_settings.settings.cache_data_encrypted is missing", + "issueType": "MissingAttribute", + "similarityID": "8ddb79c8b565b373b168cf67b2a3137c7ca8afd4fc83f76b57d300fca99875ed", + "search_line": 48 } ] diff --git a/assets/queries/terraform/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json index 622bd75d7de..4e7bad162a5 100644 --- a/assets/queries/terraform/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_stage_without_api_gateway_usage_plan_associated/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive1", + "searchKey": "aws_api_gateway_stage[positive1]", + "searchValue": "", + "expectedValue": "aws_api_gateway_stage[positive1] has a 'aws_api_gateway_usage_plan' resource associated. ", + "actualValue": "aws_api_gateway_stage[positive1] doesn't have a 'aws_api_gateway_usage_plan' resource associated.", + "issueType": "IncorrectValue", + "similarityID": "80dafc8b65a6ada9f21edcd36cb7d5eab8079193f0657b48798c784d924f8395", + "search_line": -1 }, { "queryName": "API Gateway Stage Without API Gateway UsagePlan Associated", "severity": "LOW", - "line": 10 + "line": 10, + "fileName": "positive.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive2", + "searchKey": "aws_api_gateway_stage[positive2]", + "searchValue": "", + "expectedValue": "aws_api_gateway_stage[positive2] has a 'aws_api_gateway_usage_plan' resource associated. ", + "actualValue": "aws_api_gateway_stage[positive2] doesn't have a 'aws_api_gateway_usage_plan' resource associated.", + "issueType": "IncorrectValue", + "similarityID": "3165726482d810e306333ff9cc77875f7a1bd38e3acd199107778147284c6315", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json index 4b6ad1bccab..7703c1616a6 100644 --- a/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "API Gateway With CloudWatch Logging Disabled", "severity": "MEDIUM", "line": 14, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive1", + "searchKey": "aws_api_gateway_stage[positive1]", + "searchValue": "", + "expectedValue": "'aws_cloudwatch_log_group' for 'aws_api_gateway_stage[positive1]' should be defined and use the correct naming convention", + "actualValue": "'aws_cloudwatch_log_group' for 'aws_api_gateway_stage[positive1]' is undefined or is not using the correct naming convention", + "issueType": "MissingAttribute", + "similarityID": "50addda95bcc99191bc8a3964f11aa66cd4b48b3504e2db5cd68bce0adeb8355", + "search_line": 14 }, { "queryName": "API Gateway With CloudWatch Logging Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive2", + "searchKey": "aws_api_gateway_stage[positive2].access_log_settings.destination_arn", + "searchValue": "", + "expectedValue": "'aws_api_gateway_stage[positive2].access_log_settings.destination_arn' should reference a valid 'aws_cloudwatch_log_group' arn", + "actualValue": "'aws_api_gateway_stage[positive2].access_log_settings.destination_arn' does not reference a valid 'aws_cloudwatch_log_group' arn", + "issueType": "MissingAttribute", + "similarityID": "1782ed2394f6e9bca9ac3b73689270df4ba8560e1f6ac6f24374efb2ac24a4db", + "search_line": 9 }, { "queryName": "API Gateway With CloudWatch Logging Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive3", + "searchKey": "aws_api_gateway_stage[positive3].access_log_settings.destination_arn", + "searchValue": "", + "expectedValue": "'aws_api_gateway_stage[positive3].access_log_settings.destination_arn' should reference a valid 
'aws_cloudwatch_log_group' arn", + "actualValue": "'aws_api_gateway_stage[positive3].access_log_settings.destination_arn' does not reference a valid 'aws_cloudwatch_log_group' arn", + "issueType": "MissingAttribute", + "similarityID": "1128a90854a1f0a9ff0c3411051d8d2cc9d2041951fb1f1c4a2f388036c4dbb7", + "search_line": 9 }, { "queryName": "API Gateway With CloudWatch Logging Disabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive4", + "searchKey": "aws_api_gateway_stage[positive4]", + "searchValue": "", + "expectedValue": "'aws_cloudwatch_log_group' for 'aws_api_gateway_stage[positive4]' should be defined and use the correct naming convention", + "actualValue": "'aws_cloudwatch_log_group' for 'aws_api_gateway_stage[positive4]' is undefined or is not using the correct naming convention", + "issueType": "MissingAttribute", + "similarityID": "4c2d357d511afae18a0b1d9f6baafdf8ab16007828d55c81537b2ad62ef1c1ae", + "search_line": 5 } ] diff --git a/assets/queries/terraform/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json index 173ab08fb39..5cf8ceb9ad1 100644 --- a/assets/queries/terraform/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_with_invalid_compression/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "API Gateway With Invalid Compression", "severity": "LOW", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_api_gateway_rest_api", + "resourceName": "regional-example", + "searchKey": "aws_api_gateway_rest_api[positive1]", + "searchValue": "", + "expectedValue": "Attribute 'minimum_compression_size' should be set and have a value greater than -1 and smaller than 10485760", + "actualValue": "Attribute 'minimum_compression_size' is undefined", + "issueType": "MissingAttribute", + "similarityID": "95c643ba88c863929317e9de1fc94f7472674593718b4942cd4a81fc6274beee", + "search_line": 1 }, { "queryName": "API Gateway With Invalid Compression", "severity": "LOW", - "line": 17 + "line": 17, + "fileName": "positive.tf", + "resourceType": "aws_api_gateway_rest_api", + "resourceName": "regional-example", + "searchKey": "aws_api_gateway_rest_api[positive2].minimum_compression_size", + "searchValue": "", + "expectedValue": "Attribute 'minimum_compression_size' should be greater than -1 and smaller than 10485760", + "actualValue": "Attribute 'minimum_compression_size' is -1", + "issueType": "IncorrectValue", + "similarityID": "dc4e3cd32eae23b620500f1f30e4d02a6e242271f14f2f222151d7c82f99bbc5", + "search_line": 17 }, { "queryName": "API Gateway With Invalid Compression", "severity": "LOW", - "line": 28 + "line": 28, + "fileName": "positive.tf", + "resourceType": "aws_api_gateway_rest_api", + "resourceName": "regional-example", + "searchKey": "aws_api_gateway_rest_api[positive3].minimum_compression_size", + "searchValue": "", + "expectedValue": "Attribute 'minimum_compression_size' should be greater than -1 and smaller than 10485760", + "actualValue": "Attribute 'minimum_compression_size' is 10485760", + "issueType": "IncorrectValue", + "similarityID": "f7de1823379352b3017db1e899e11ac015a09b5c06affca52be1be433349f0f8", + "search_line": 28 } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/aws/api_gateway_with_open_access/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_with_open_access/test/positive_expected_result.json index ca54d5a0e5d..dbf1c7b10a6 100644 --- a/assets/queries/terraform/aws/api_gateway_with_open_access/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_with_open_access/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "API Gateway With Open Access", "severity": "MEDIUM", - "line": 4 + "line": 4, + "fileName": "positive.tf", + "resourceType": "aws_api_gateway_method", + "resourceName": "positive1", + "searchKey": "aws_api_gateway_method[positive1].http_method", + "searchValue": "", + "expectedValue": "aws_api_gateway_method.authorization should only be 'NONE' if http_method is 'OPTIONS'", + "actualValue": "aws_api_gateway_method[positive1].authorization type is 'NONE' and http_method is not ''OPTIONS'", + "issueType": "IncorrectValue", + "similarityID": "6ed0e990341b958a37ed0a4e7f9a4ac10ac59f031647b1db75aae89e1bf46748", + "search_line": 4 } ] diff --git a/assets/queries/terraform/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json index 1f2ddd7d112..d57e6c3abe0 100644 --- a/assets/queries/terraform/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_without_configured_authorizer/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "API Gateway Without Configured Authorizer", "severity": "MEDIUM", "line": 8, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "aws_api_gateway_rest_api", + "resourceName": "auth-demo", + "searchKey": "aws_api_gateway_rest_api[demo2]", + "searchValue": "", + "expectedValue": "API Gateway REST API should be associated with an API Gateway Authorizer", + "actualValue": "API Gateway REST API is not associated with an API Gateway Authorizer", + "issueType": "IncorrectValue", + "similarityID": "d21b4209a408edc97cb094f54391a87339408b8d87db6cc8749a4b46cd1fe1b3", + "search_line": 8 } ] diff --git a/assets/queries/terraform/aws/api_gateway_without_security_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_without_security_policy/test/positive_expected_result.json index dabda1db530..49d5dd8e117 100644 --- a/assets/queries/terraform/aws/api_gateway_without_security_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_without_security_policy/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "API Gateway Without Security Policy", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_api_gateway_domain_name", + "resourceName": "example", + "searchKey": "aws_api_gateway_domain_name[example]", + "searchValue": "", + "expectedValue": "aws_api_gateway_domain_name[example].security_policy should be set", + "actualValue": "aws_api_gateway_domain_name[example].security_policy is undefined", + "issueType": "MissingAttribute", + "similarityID": "8e601eb2e3ede7365ee7310e414b01fd838c8b18d82a6c9c4fe0735ebdc8fb8c", + "search_line": 1 }, { "queryName": "API Gateway Without Security Policy", "severity": "MEDIUM", "line": 3, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_api_gateway_domain_name", + "resourceName": "example2", + "searchKey": "aws_api_gateway_domain_name[example2].security_policy", + "searchValue": "", + "expectedValue": "aws_api_gateway_domain_name[example2].security_policy should be set to TLS_1_2", + "actualValue": "aws_api_gateway_domain_name[example2].security_policy is set to TLS_1_0", + "issueType": "IncorrectValue", + "similarityID": "bafae8f671aca3c4b66101dd0de0e4e9f09019f13ba30bd40c1eb0d097db68cd", + "search_line": 3 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json index f463395207b..5f534aa3f54 100644 --- a/assets/queries/terraform/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_without_ssl_certificate/test/positive_expected_result.json 
@@ -1,7 +1,17 @@ [ - { - "queryName": "API Gateway Without SSL Certificate", - "severity": "MEDIUM", - "line": 1 - } + { + "queryName": "API Gateway Without SSL Certificate", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive1", + "searchKey": "aws_api_gateway_stage[positive1]", + "searchValue": "", + "expectedValue": "Attribute 'client_certificate_id' should be set", + "actualValue": "Attribute 'client_certificate_id' is undefined", + "issueType": "MissingAttribute", + "similarityID": "624ced6ab5f48cac9a2e45f90bffc3eecb9beb07dfe4e05fe733578948616545", + "search_line": -1 + } ] diff --git a/assets/queries/terraform/aws/api_gateway_without_waf/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_without_waf/test/positive_expected_result.json index f27dbae4e51..7cc646d83b9 100644 --- a/assets/queries/terraform/aws/api_gateway_without_waf/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_without_waf/test/positive_expected_result.json @@ -1,8 +1,17 @@ [ - { - "queryName": "API Gateway without WAF", - "severity": "MEDIUM", - "line": 75, - "fileName": "positive.tf" - } + { + "queryName": "API Gateway without WAF", + "severity": "MEDIUM", + "line": 75, + "fileName": "positive.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive1", + "searchKey": "aws_api_gateway_stage[positive1]", + "searchValue": "", + "expectedValue": "API Gateway Stage should be associated with a Web Application Firewall", + "actualValue": "API Gateway Stage is not associated with a Web Application Firewall", + "issueType": "IncorrectValue", + "similarityID": "5d998ce0c31ff4d6acf3b689a9d9c4ed7ccce8996af9bb3a5c7198b0ac4063a6", + "search_line": 75 + } ] 
diff --git a/assets/queries/terraform/aws/api_gateway_xray_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/api_gateway_xray_disabled/test/positive_expected_result.json index 1af365e3611..01dca69a8f7 100644 --- a/assets/queries/terraform/aws/api_gateway_xray_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/api_gateway_xray_disabled/test/positive_expected_result.json @@ -2,11 +2,31 @@ { "queryName": "API Gateway X-Ray Disabled", "severity": "LOW", - "line": 5 + "line": 5, + "fileName": "positive.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive1", + "searchKey": "aws_api_gateway_stage[positive1].xray_tracing_enabled", + "searchValue": "", + "expectedValue": "'aws_api_gateway_stage[positive1].xray_tracing_enabled' should be true", + "actualValue": "'aws_api_gateway_stage[positive1].xray_tracing_enabled' is false", + "issueType": "IncorrectValue", + "similarityID": "5b4adf71f5963cd22226619028b3299e87bf9230d833737b80ef67afd37eb0d8", + "search_line": 5 }, { "queryName": "API Gateway X-Ray Disabled", "severity": "LOW", - "line": 8 + "line": 8, + "fileName": "positive.tf", + "resourceType": "aws_api_gateway_stage", + "resourceName": "positive2", + "searchKey": "aws_api_gateway_stage[positive2].xray_tracing_enabled", + "searchValue": "", + "expectedValue": "'aws_api_gateway_stage[positive2].xray_tracing_enabled' should be set", + "actualValue": "'aws_api_gateway_stage[positive2].xray_tracing_enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "a9f78991b80d9088987db1af08fb8cb59aa383fffce6f4964dcaef444ec4ea11", + "search_line": 8 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/athena_database_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/athena_database_not_encrypted/test/positive_expected_result.json index 18c66e3bef2..51b2284b98e 100644 
--- a/assets/queries/terraform/aws/athena_database_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/athena_database_not_encrypted/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Athena Database Not Encrypted", "severity": "HIGH", "line": 5, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_athena_database", + "resourceName": "database_name", + "searchKey": "aws_athena_database[{{hoge}}]", + "searchValue": "", + "expectedValue": "aws_athena_database[{{hoge}}] encryption_configuration should be defined", + "actualValue": "aws_athena_database[{{hoge}}] encryption_configuration is missing", + "issueType": "MissingAttribute", + "similarityID": "fd8ca5d948c70dc7499a17ef4171b3cb832115f8fcfe1a3074899da0733c225d", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/athena_workgroup_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/athena_workgroup_not_encrypted/test/positive_expected_result.json index 20026ebe822..a9fc45a3330 100644 --- a/assets/queries/terraform/aws/athena_workgroup_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/athena_workgroup_not_encrypted/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "Athena Workgroup Not Encrypted", "severity": "HIGH", "line": 1, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_athena_workgroup", + "resourceName": "example", + "searchKey": "aws_athena_workgroup[{{example}}]", + "searchValue": "", + "expectedValue": "aws_athena_workgroup[{{example}}].configuration.result_configuration.encryption_configuration should be defined", + "actualValue": "aws_athena_workgroup[{{example}}].configuration is missing", + "issueType": "MissingAttribute", + "similarityID": "11f7dcb4ad31b0a86fa9e6252ddf1266f40b21b397882a499b9e42b4bed3b62d", + "search_line": -1 }, { "queryName": "Athena Workgroup Not Encrypted", "severity": "HIGH", "line": 8, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_athena_workgroup", + "resourceName": "example", + "searchKey": "aws_athena_workgroup[{{example_2}}].configuration", + "searchValue": "", + "expectedValue": "aws_athena_workgroup[{{example_2}}].configuration.result_configuration.encryption_configuration should be defined", + "actualValue": "aws_athena_workgroup[{{example_2}}].configuration.result_configuration is missing", + "issueType": "MissingAttribute", + "similarityID": "787c6b4909c296e09868f43dc6d7942aa1cf8b9d51b45a67fd2936a1d06ca86b", + "search_line": -1 }, { "queryName": "Athena Workgroup Not Encrypted", "severity": "HIGH", "line": 21, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_athena_workgroup", + "resourceName": "example", + "searchKey": "aws_athena_workgroup[{{example_3}}].configuration.result_configuration", + "searchValue": "", + "expectedValue": "aws_athena_workgroup[{{example_3}}].configuration.result_configuration.encryption_configuration should be defined", + "actualValue": "aws_athena_workgroup[{{example_3}}].configuration.result_configuration.encryption_configuration is missing", + "issueType": "MissingAttribute", + "similarityID": 
"4512a7dda3678e84ede004737b758a9cdcc721abdcf74f40a22dcf2b368c422d", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/test/positive_expected_result.json b/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/test/positive_expected_result.json index 9477d4c16c9..72311d67bd6 100644 --- a/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/aurora_with_disabled_at_rest_encryption/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "Aurora With Disabled at Rest Encryption", "severity": "HIGH", "line": 16, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "my_cluster", + "searchKey": "aws_rds_cluster[{{my_cluster}}].storage_encrypted", + "searchValue": "", + "expectedValue": "aws_rds_cluster.storage_encrypted should be set to 'true'", + "actualValue": "aws_rds_cluster.storage_encrypted is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "6d0cfff93f298e73b169ee14e619c5cee0c00b082036b7df62e842ba5a4d87cc", + "search_line": -1 }, { "queryName": "Aurora With Disabled at Rest Encryption", "severity": "HIGH", "line": 5, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "my_cluster", + "searchKey": "aws_rds_cluster[{{my_cluster}}]", + "searchValue": "", + "expectedValue": "aws_rds_cluster.storage_encrypted should be defined and set to 'true'", + "actualValue": "aws_rds_cluster.storage_encrypted is undefined", + "issueType": "MissingAttribute", + "similarityID": "34946d0ea8604b9949f6718b5ea5dc0363d18ff302bc4199b517e0e663fbb743", + "search_line": -1 } ] 
diff --git a/assets/queries/terraform/aws/authentication_without_mfa/test/positive_expected_result.json b/assets/queries/terraform/aws/authentication_without_mfa/test/positive_expected_result.json index b19f10f0100..631a3453fcb 100644 --- a/assets/queries/terraform/aws/authentication_without_mfa/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/authentication_without_mfa/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Authentication Without MFA", "severity": "LOW", "line": 23, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_user_policy", + "resourceName": "aws-foundations-benchmark-1-4-0-terraform-user", + "searchKey": "aws_iam_user_policy[positive1].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Principal.AWS' should contain ':mfa/' or 'policy.Statement.Condition.BoolIfExists.aws:MultiFactorAuthPresent' should be set to true", + "actualValue": "'policy.Statement.Principal.AWS' doesn't contain ':mfa/' or 'policy.Statement.Condition.BoolIfExists.aws:MultiFactorAuthPresent' is set to false", + "issueType": "IncorrectValue", + "similarityID": "c3b38eafa9b6dcced8203005df5e1cffaea961cb06139335ecb6a1d51f1f645a", + "search_line": 23 }, { "queryName": "Authentication Without MFA", "severity": "LOW", "line": 19, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_iam_user_policy", + "resourceName": "aws-foundations-benchmark-1-4-0-terraform-user", + "searchKey": "aws_iam_user_policy[positive2].policy", + "searchValue": "", + "expectedValue": "The attributes 'policy.Statement.Condition', 'policy.Statement.Condition.BoolIfExists', and 'policy.Statement.Condition.BoolIfExists.aws:MultiFactorAuthPresent' should be defined and not null", + "actualValue": "The attribute(s) 'policy.Statement.Condition' or/and 'policy.Statement.Condition.BoolIfExists' or/and 'policy.Statement.Condition.BoolIfExists.aws:MultiFactorAuthPresent' is/are undefined or null", + "issueType": "MissingAttribute", + "similarityID": "746c7338ffdeb083a525610039f7b8965874a1b0999f32cbb9340d81ade6dc1c", + "search_line": 19 } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json b/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json index e75a9075e68..11c51aec9d4 100644 --- a/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_autoscaling_group", + "resourceName": "bar", + "searchKey": "aws_autoscaling_group[bar]", + "searchValue": "", + "expectedValue": "aws_autoscaling_group[bar].load_balancers should be set and not empty", + "actualValue": "aws_autoscaling_group[bar].load_balancers is undefined", + "issueType": "MissingAttribute", + "similarityID": "cee4eb377203162aa8ee37c881d29a19dbab254b8191fc60bbbf12562477b87d", + "search_line": 1 }, { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", "line": 12, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_autoscaling_group", + "resourceName": "positive2", + "searchKey": "aws_autoscaling_group[positive2].load_balancers", + "searchValue": "", + "expectedValue": "aws_autoscaling_group[positive2].load_balancers should be set and not empty", + "actualValue": "aws_autoscaling_group[positive2].load_balancers is empty", + "issueType": "IncorrectValue", + "similarityID": "e78d0ae0844ef83dd7dd742f8f49997de290077ec2843c802e6109fec9e324da", + "search_line": 12 }, { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive3]", + "searchValue": "", + "expectedValue": "'load_balancers' should be set and not empty", + "actualValue": "'load_balancers' is undefined", + "issueType": "MissingAttribute", + "similarityID": "38528b242d39820c13948f9780d1305c890554f54b819f8d1731e0c78d908dbf", + "search_line": 1 }, { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", "line": 14, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": 
"module[positive4].load_balancers", + "searchValue": "", + "expectedValue": "'load_balancers' should be set and not empty", + "actualValue": "'load_balancers' is undefined", + "issueType": "IncorrectValue", + "similarityID": "52265c95dd14af9747622e444a116ec1a61d188544b57913b28ff6b1253685fc", + "search_line": 14 }, { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", "line": 1, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "aws_autoscaling_group", + "resourceName": "bar-", + "searchKey": "aws_autoscaling_group[foo]", + "searchValue": "", + "expectedValue": "aws_autoscaling_group[foo].load_balancers should be set and not empty", + "actualValue": "aws_autoscaling_group[foo].load_balancers is undefined", + "issueType": "MissingAttribute", + "similarityID": "c47d78efd0d110432c9e8baf296854230a9b7de66fa18c5baa9d0d66f07e005b", + "search_line": 1 }, { "queryName": "Auto Scaling Group With No Associated ELB", "severity": "MEDIUM", "line": 1, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "aws_autoscaling_group", + "resourceName": "bar-", + "searchKey": "aws_autoscaling_group[foo]", + "searchValue": "", + "expectedValue": "aws_autoscaling_group[foo].load_balancers should be set and not empty", + "actualValue": "aws_autoscaling_group[foo].load_balancers is undefined", + "issueType": "MissingAttribute", + "similarityID": "7d836cb35fc583b128128ca1bf8ad7dc1e3f686c3053677e2fc179273a771e3c", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json index 83ba730529e..9eb433021ae 100644 --- a/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/automatic_minor_upgrades_disabled/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", "line": 13, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive1].auto_minor_version_upgrade", + "searchValue": "", + "expectedValue": "'auto_minor_version_upgrade' should be set to true", + "actualValue": "'auto_minor_version_upgrade' is set to false", + "issueType": "IncorrectValue", + "similarityID": "4e3488163ca64b8dbb69ab1a05026b7297eb24c7bfd7a41810c9e7de466303a5", + "search_line": 13 }, { "queryName": "Automatic Minor Upgrades Disabled", "severity": "LOW", "line": 11, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[db].auto_minor_version_upgrade", + "searchValue": "", + "expectedValue": "'auto_minor_version_upgrade' should be set to true", + "actualValue": "'auto_minor_version_upgrade' is set to false", + "issueType": "IncorrectValue", + "similarityID": "0b4ef55c4f8b8b130cfc1c6f243da2c6ed2bbcab750091270a6265621d184d0f", + "search_line": 11 } ] diff --git a/assets/queries/terraform/aws/autoscaling_groups_supply_tags/test/positive_expected_result.json b/assets/queries/terraform/aws/autoscaling_groups_supply_tags/test/positive_expected_result.json index fe9dda79ff0..fc5a933f689 100644 --- a/assets/queries/terraform/aws/autoscaling_groups_supply_tags/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/autoscaling_groups_supply_tags/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Autoscaling Groups Supply Tags", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_autoscaling_group", + "resourceName": "foobar3-terraform-test", + "searchKey": "aws_autoscaling_group[positive1]", + "searchValue": "", + "expectedValue": "'tags' or 'tag' should be defined and not null", + "actualValue": "'tags' and 'tag' are undefined or null", + "issueType": "MissingAttribute", + "similarityID": "60803c162c178d43a6b73279e60a36960e0535f90436a57982f3ceba120fcad0", + "search_line": 1 }, { "queryName": "Autoscaling Groups Supply Tags", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[asg]", + "searchValue": "", + "expectedValue": "'tags' should be defined and not null", + "actualValue": "'tags' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "25873740cf726cf2a91858f3738390bfa85737436fd853b950db1adc26127045", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/aws_eip_not_attached_to_any_instance/test/positive_expected_result.json b/assets/queries/terraform/aws/aws_eip_not_attached_to_any_instance/test/positive_expected_result.json index aee6e567c5a..465e24dddc1 100644 --- a/assets/queries/terraform/aws/aws_eip_not_attached_to_any_instance/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/aws_eip_not_attached_to_any_instance/test/positive_expected_result.json 
@@ -3,54 +3,135 @@
 "queryName": "AWS EIP not attached to any instance",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_eip",
+ "resourceName": "ok_eip",
+ "searchKey": "aws_eip[ok_eip]",
+ "searchValue": "",
+ "expectedValue": "All EIPs should be attached",
+ "actualValue": "EIP is missing domain field set to \"vpc\"",
+ "issueType": "MissingAttribute",
+ "similarityID": "147538feca7f1f7f52e65c72d870cbba517bbfe3d04e43c0c47e0fe5ab2a9a38",
+ "search_line": 1
 },
 {
 "queryName": "AWS EIP not attached to any instance",
 "severity": "LOW",
 "line": 6,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "aws_eip",
+ "resourceName": "web_eip",
+ "searchKey": "aws_eip[web_eip]",
+ "searchValue": "",
+ "expectedValue": "All EIPs should be attached",
+ "actualValue": "EIP is missing domain field set to \"vpc\"",
+ "issueType": "MissingAttribute",
+ "similarityID": "7fe6de84f4a10fd01dec76fc94da32ee4769a84e2e4f71abbb127d643271baf5",
+ "search_line": 6
 },
 {
 "queryName": "AWS EIP not attached to any instance",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "aws_eip",
+ "resourceName": "nat_eip",
+ "searchKey": "aws_eip[nat_eip]",
+ "searchValue": "",
+ "expectedValue": "All EIPs should be attached",
+ "actualValue": "EIP is not attached",
+ "issueType": "MissingAttribute",
+ "similarityID": "dea0be734cadda2b7de3c4b669e20e6e8b630b84f51e22961b6a62e4542c365e",
+ "search_line": 1
 },
 {
 "queryName": "AWS EIP not attached to any instance",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive4.tf"
+ "fileName": "positive4.tf",
+ "resourceType": "aws_eip",
+ "resourceName": "transfer_eip",
+ "searchKey": "aws_eip[transfer_eip]",
+ "searchValue": "",
+ "expectedValue": "All EIPs should be attached",
+ "actualValue": "EIP is not attached",
+ "issueType": "MissingAttribute",
+ "similarityID": 
"238c590105d09398466cd3e6c133a26cc256c7364abbe185473e13fb2f1886f9",
+ "search_line": 1
 },
 {
 "queryName": "AWS EIP not attached to any instance",
 "severity": "LOW",
 "line": 5,
- "fileName": "positive5.tf"
+ "fileName": "positive5.tf",
+ "resourceType": "aws_eip",
+ "resourceName": "one",
+ "searchKey": "aws_eip[one]",
+ "searchValue": "",
+ "expectedValue": "All EIPs should be attached",
+ "actualValue": "EIP is not attached",
+ "issueType": "MissingAttribute",
+ "similarityID": "afac433460e3881ed7776461693be898b1e1081a5f8404484f38b729863fc545",
+ "search_line": 5
 },
 {
 "queryName": "AWS EIP not attached to any instance",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive6.tf"
+ "fileName": "positive6.tf",
+ "resourceType": "aws_eip",
+ "resourceName": "ok_eip",
+ "searchKey": "aws_eip[ok_eip]",
+ "searchValue": "",
+ "expectedValue": "All EIPs should be attached",
+ "actualValue": "Vpc is not set to true",
+ "issueType": "MissingAttribute",
+ "similarityID": "9ac15c69be31884e0b3a768ccece81a94132c120ea5a14d16efb8f4171d24e43",
+ "search_line": 1
 },
 {
 "queryName": "AWS EIP not attached to any instance",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive7.tf"
+ "fileName": "positive7.tf",
+ "resourceType": "aws_eip",
+ "resourceName": "ok_eip",
+ "searchKey": "aws_eip[ok_eip]",
+ "searchValue": "",
+ "expectedValue": "All EIPs should be attached",
+ "actualValue": "Domain is not set to \"vpc\"",
+ "issueType": "MissingAttribute",
+ "similarityID": "0cdf833018ef978d4f4182a555698fef921beb47c914c7444e8749fa2d630b78",
+ "search_line": 1
 },
 {
 "queryName": "AWS EIP not attached to any instance",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive8.tf"
+ "fileName": "positive8.tf",
+ "resourceType": "aws_eip",
+ "resourceName": "eip_example",
+ "searchKey": "aws_eip[eip_example]",
+ "searchValue": "",
+ "expectedValue": "All EIPs should be attached",
+ "actualValue": "EIP is not attached",
+ "issueType": "MissingAttribute",
+ "similarityID": 
"a765fbe3851c22f6db729248c7432ba7ebf3f297101982f1a6edb17490049c9a",
+ "search_line": 1
 },
 {
 "queryName": "AWS EIP not attached to any instance",
 "severity": "LOW",
 "line": 6,
- "fileName": "positive9.tf"
+ "fileName": "positive9.tf",
+ "resourceType": "aws_eip",
+ "resourceName": "web_eip",
+ "searchKey": "aws_eip[web_eip]",
+ "searchValue": "",
+ "expectedValue": "All EIPs should be attached",
+ "actualValue": "EIP is not attached",
+ "issueType": "MissingAttribute",
+ "similarityID": "74e394f7deb7adf7d23acdfd58cabb3b6b9244ead17a1b6f45dec3b35005292a",
+ "search_line": 6
 }
 ]
diff --git a/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json b/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json
index 27c0f9f9aa7..9f7f06d9ecb 100644
--- a/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "AWS Password Policy With Unchangeable Passwords",
 "severity": "LOW",
- "line": 12
+ "line": 12,
+ "fileName": "positive.tf",
+ "resourceType": "aws_iam_account_password_policy",
+ "resourceName": "positive2",
+ "searchKey": "aws_iam_account_password_policy[positive2].allow_users_to_change_password",
+ "searchValue": "",
+ "expectedValue": "'allow_users_to_change_password' should equal 'true'",
+ "actualValue": "'allow_users_to_change_password' is equal 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "f945235f3dd54013feef1ac8b82e09dba8da3b3bddff34fec5562312acc5bda1",
+ "search_line": 12
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json b/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json
index 02df24b24d5..8e05dedcb75 100644
--- a/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties/test/positive_expected_result.json
@@ -1,7 +1,17 @@
 [
 {
- "line": 11,
 "queryName": "Batch Job Definition With Privileged Container Properties",
- "severity": "HIGH"
+ "severity": "HIGH",
+ "line": 11,
+ "fileName": "positive.tf",
+ "resourceType": "aws_batch_job_definition",
+ "resourceName": "tf_test_batch_job_definition",
+ "searchKey": "aws_batch_job_definition[positive1].container_properties.privileged",
+ "searchValue": "",
+ "expectedValue": "aws_batch_job_definition[positive1].container_properties.privileged should be 'false' or not set",
+ "actualValue": "aws_batch_job_definition[positive1].container_properties.privileged is 'true'",
+ "issueType": "IncorrectValue",
+ "similarityID": "a032abbaf02eb728fc0baf3ad77feb08ac56baf8a911296becea445a723a67f6",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/terraform/aws/block_device_is_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/block_device_is_not_encrypted/test/positive_expected_result.json
index 9ae3e7fd697..145c2b1ff86 100644
--- a/assets/queries/terraform/aws/block_device_is_not_encrypted/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/block_device_is_not_encrypted/test/positive_expected_result.json
@@ -3,150 +3,375 @@
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 11,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_launch_configuration",
+ "resourceName": "example1",
+ "searchKey": "aws_launch_configuration[example1].ebs_block_device",
+ "searchValue": "",
+ "expectedValue": "aws_launch_configuration[example1].ebs_block_device.encrypted should be set",
+ "actualValue": "aws_launch_configuration[example1].ebs_block_device.encrypted is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "96f3c37f3fcb143e26bf8338918fa46797282f4cbf00c998a2b8e57078ce944d",
+ "search_line": 11
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 28,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_launch_configuration",
+ "resourceName": "example2",
+ "searchKey": "aws_launch_configuration[example2].ebs_block_device.encrypted",
+ "searchValue": "",
+ "expectedValue": "aws_launch_configuration[example2].ebs_block_device.encrypted should be true",
+ "actualValue": "aws_launch_configuration[example2].ebs_block_device.encrypted is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "6e5362621ab8ba20df7e064431c866367d8576b1451bc28b8880073877d3ad2b",
+ "search_line": 28
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 36,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_launch_configuration",
+ "resourceName": "test-launch-config",
+ "searchKey": "aws_launch_configuration[example3].root_block_device.encrypted",
+ "searchValue": "",
+ "expectedValue": "aws_launch_configuration[example3].root_block_device.encrypted should be true",
+ "actualValue": "aws_launch_configuration[example3].root_block_device.encrypted is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "68055d8594e07c305608fd0086fd1c8fd61bb53339cd3af55a4ce5d7cab3a0e7",
+ "search_line": 36
 },
 {
 "queryName": "Block Device 
Is Not Encrypted",
 "severity": "HIGH",
 "line": 7,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[asg].ebs_block_device.0",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be defined",
+ "actualValue": "'encrypted' is undefined",
+ "issueType": "IncorrectValue",
+ "similarityID": "5c856bd351ed179981d853c37dabead262b7ac610b500e914c2a4665b038d341",
+ "search_line": 7
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 16,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[asg].root_block_device.0",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be defined",
+ "actualValue": "'encrypted' is undefined",
+ "issueType": "IncorrectValue",
+ "similarityID": "d5d8237042c56dc4c2cc6761ce8a92407ceb47a83a93aa45e6b2059d7fead9fb",
+ "search_line": 16
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 28,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[asg2].block_device_mappings.0.ebs",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be defined",
+ "actualValue": "'encrypted' is undefined",
+ "issueType": "IncorrectValue",
+ "similarityID": "e7a3a06d2c2a436e0083af1742c3c60ab1fd1a1614c35eacbf12525ecfbddcdd",
+ "search_line": 28
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 35,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[asg2].block_device_mappings.1.ebs",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be defined",
+ "actualValue": "'encrypted' is undefined",
+ "issueType": "IncorrectValue",
+ "similarityID": "9e0efb03e6235a7383c51aa1cc5f9c9f34c55346a8bd22f162e861b7eccd176e",
+ "search_line": 35
 },
 {
 "queryName": 
"Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 11,
- "fileName": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[asg].ebs_block_device.0.encrypted",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be true",
+ "actualValue": "'encrypted' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "fe34c33be8d4dc7d158d8630dfdffadba2977a18a71d5acd2a48e13319ce0841",
+ "search_line": 11
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 17,
- "fileName": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[asg].root_block_device.0",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be defined",
+ "actualValue": "'encrypted' is undefined",
+ "issueType": "IncorrectValue",
+ "similarityID": "175c47bae89fb08c05f0a1cc31bdd0d06ac435095a8f20376f5b544b8e90ddf6",
+ "search_line": 17
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 27,
- "fileName": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[asg2].block_device_mappings.1.ebs.encrypted",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be true",
+ "actualValue": "'encrypted' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "9e6607a877bd018bd5dd16fe2c55139c9ca85993ae6a52b6c4030b7f3f3a2e19",
+ "search_line": -1
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 29,
- "fileName": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[asg2].block_device_mappings.0.ebs",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be defined",
+ "actualValue": "'encrypted' is undefined",
+ "issueType": "IncorrectValue",
+ "similarityID": "f5ddd54b2314205a8b158fe1e631d0e32a9adac0fe3e12b5a0595fe8c949b818",
+ "search_line": 
29
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 7,
- "fileName": "positive4.tf"
+ "fileName": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[asg].ebs_block_device.0",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be defined",
+ "actualValue": "'encrypted' is undefined",
+ "issueType": "IncorrectValue",
+ "similarityID": "30176ff5f5bde8632452452e0fba130e7a03febf0e146f4d8603dc870f5ff5a2",
+ "search_line": 7
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 18,
- "fileName": "positive4.tf"
+ "fileName": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[asg].root_block_device.0.encrypted",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be true",
+ "actualValue": "'encrypted' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "81b4eecb9efe178c1a8dd48a549129798dc58213068fecc539e8c784fa390e7f",
+ "search_line": 18
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 27,
- "fileName": "positive4.tf"
+ "fileName": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[asg2].block_device_mappings.1.ebs.encrypted",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be true",
+ "actualValue": "'encrypted' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "243a9d6b5d9cd21258ace28fd9751e47036c1f5aad49195acf6549f0c1625f1a",
+ "search_line": -1
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 41,
- "fileName": "positive4.tf"
+ "fileName": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[asg2].block_device_mappings.0.ebs.encrypted",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be true",
+ "actualValue": "'encrypted' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": 
"ad96dd80bacf91358b8ff52a5ba2921294436ddf69b489df7736b1ea07b2680f",
+ "search_line": -1
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 7,
- "fileName": "positive5.tf"
+ "fileName": "positive5.tf",
+ "resourceType": "aws_instance",
+ "resourceName": "web-app-instance",
+ "searchKey": "aws_instance[example1].root_block_device.encrypted",
+ "searchValue": "",
+ "expectedValue": "aws_instance[example1].root_block_device.encrypted should be true",
+ "actualValue": "aws_instance[example1].root_block_device.encrypted is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "1ab07d8374147d217484b1f4e4a444c90d6eb7ca43456ea531a03a23d6f3b1b3",
+ "search_line": 7
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 31,
- "fileName": "positive5.tf"
+ "fileName": "positive5.tf",
+ "resourceType": "aws_instance",
+ "resourceName": "positive5",
+ "searchKey": "aws_instance[example2].ebs_block_device.encrypted",
+ "searchValue": "",
+ "expectedValue": "aws_instance[example2].ebs_block_device.encrypted should be true",
+ "actualValue": "aws_instance[example2].ebs_block_device.encrypted is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "4188d62cbb1c9ca11de1c3895631e5617111036612e1d66b1c647447a132752b",
+ "search_line": 31
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 5,
- "fileName": "positive6.tf"
+ "fileName": "positive6.tf",
+ "resourceType": "aws_instance",
+ "resourceName": "web-app-instance",
+ "searchKey": "aws_instance[example1].root_block_device",
+ "searchValue": "",
+ "expectedValue": "aws_instance[example1].root_block_device.encrypted should be set",
+ "actualValue": "aws_instance[example1].root_block_device.encrypted is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "a94b8c0519cd23b38afbbbacbd7d5775e3cc37ab1a9d8fd9d4e0a204618a808b",
+ "search_line": 5
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 24,
- "fileName": 
"positive6.tf"
+ "fileName": "positive6.tf",
+ "resourceType": "aws_instance",
+ "resourceName": "web-app-instance",
+ "searchKey": "aws_instance[example2].ebs_block_device",
+ "searchValue": "",
+ "expectedValue": "aws_instance[example2].ebs_block_device.encrypted should be set",
+ "actualValue": "aws_instance[example2].ebs_block_device.encrypted is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "6b5a40a0865b5d3cd44517690d598136d78423cb8b065281e2c1e2ff3fd147a6",
+ "search_line": 24
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 11,
- "fileName": "positive7.tf"
+ "fileName": "positive7.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive7-aws6].root_block_device.encrypted",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be true",
+ "actualValue": "'encrypted' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "e4080cf03dae619c9e14d3b937df9e19bd7a373db16aee5778dee6682873227f",
+ "search_line": -1
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 29,
- "fileName": "positive7.tf"
+ "fileName": "positive7.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive7-legacy].root_block_device.0.encrypted",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be true",
+ "actualValue": "'encrypted' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "a156c404bec1d89bace739bb3bb8e9995ab26d5a6983baef539151422ff91ca4",
+ "search_line": 29
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 10,
- "fileName": "positive8.tf"
+ "fileName": "positive8.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive8-aws6].root_block_device.encrypted",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be true",
+ "actualValue": "'encrypted' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": 
"7b490144af11a0fda2c49670d56c080819fcff65381a2ec81bef349fb3eaeae1",
+ "search_line": -1
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 27,
- "fileName": "positive8.tf"
+ "fileName": "positive8.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive8-legacy].root_block_device.0.encrypted",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be true",
+ "actualValue": "'encrypted' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "4fe5a3a690659c83ee7b282ecb231080da8fa0bfe5a0cd27d431f6655231a093",
+ "search_line": 27
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 9,
- "fileName": "positive9.tf"
+ "fileName": "positive9.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive9-aws6].root_block_device",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be defined",
+ "actualValue": "'encrypted' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "3472a133956f4d7ad61c2ebfa4f1d159f4f2b59a95441be261cdda0732e3e0bf",
+ "search_line": 9
 },
 {
 "queryName": "Block Device Is Not Encrypted",
 "severity": "HIGH",
 "line": 26,
- "fileName": "positive9.tf"
+ "fileName": "positive9.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive9-legacy].root_block_device.0",
+ "searchValue": "",
+ "expectedValue": "'encrypted' should be defined",
+ "actualValue": "'encrypted' is undefined",
+ "issueType": "IncorrectValue",
+ "similarityID": "0e8c7fd44a97b3791c8384a4bf637c2676085ad4ad7231189d70813c784c0550",
+ "search_line": 26
 }
 ]
diff --git a/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json b/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json
index 245876f319a..e34a8118fd9 100644
--- a/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "CA Certificate Identifier Is Outdated",
 "severity": "MEDIUM",
 "line": 12,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_db_instance",
+ "resourceName": "mydb",
+ "searchKey": "aws_db_instance[positive1].ca_cert_identifier",
+ "searchValue": "",
+ "expectedValue": "'aws_db_instance.ca_cert_identifier' should be one provided by Amazon RDS.",
+ "actualValue": "'aws_db_instance.ca_cert_identifier' is 'rds-ca-2015'",
+ "issueType": "IncorrectValue",
+ "similarityID": "6710af6251fbf726a811348edf2f5ed52982fe94c962d3506dd11bc3fc22c644",
+ "search_line": 12
 },
 {
 "queryName": "CA Certificate Identifier Is Outdated",
 "severity": "MEDIUM",
 "line": 11,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[db].ca_cert_identifier",
+ "searchValue": "",
+ "expectedValue": "'ca_cert_identifier' should be one provided by Amazon RDS.",
+ "actualValue": "'ca_cert_identifier' is 'rds-ca-2015'",
+ "issueType": "IncorrectValue",
+ "similarityID": "af1b9139b586c7cc1c4bd84933b04f1383540681c691bf2c9291d971d4374884",
+ "search_line": 11
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/cdn_configuration_is_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cdn_configuration_is_missing/test/positive_expected_result.json
index 2a75eeb2298..a7b7a41aa7a 100644
--- a/assets/queries/terraform/aws/cdn_configuration_is_missing/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cdn_configuration_is_missing/test/positive_expected_result.json
@@ -2,16 +2,46 @@
 {
 "queryName": "CDN Configuration Is Missing",
 "severity": "LOW",
- "line": 11
+ "line": 11,
+ "fileName": "positive.tf",
+ "resourceType": "aws_cloudfront_distribution",
+ "resourceName": "positive1",
+ "searchKey": "resource.aws_cloudfront_distribution[positive1].enabled",
+ "searchValue": "",
+ "expectedValue": "resource.aws_cloudfront_distribution[positive1].enabled should be set to 'true'",
+ "actualValue": "resource.aws_cloudfront_distribution[positive1].enabled is configured as 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "b3947c724d29fca11a74077a7ac0752e56dcfbef06b0ed6ea711560bc65dd185",
+ "search_line": 11
 },
 {
 "queryName": "CDN Configuration Is Missing",
 "severity": "LOW",
- "line": 61
+ "line": 61,
+ "fileName": "positive.tf",
+ "resourceType": "aws_cloudfront_distribution",
+ "resourceName": "positive2",
+ "searchKey": "resource.aws_cloudfront_distribution[positive2]",
+ "searchValue": "enabled",
+ "expectedValue": "resource.aws_cloudfront_distribution[positive2].enabled should be set to 'true'",
+ "actualValue": "resource.aws_cloudfront_distribution[positive2].enabled is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "0480c287c786dd74dd3e2efc644284487ab64404fc23a7cb1d2c3e29c36b2df5",
+ "search_line": 61
 },
 {
 "queryName": "CDN Configuration Is Missing",
 "severity": "LOW",
- "line": 61
+ "line": 61,
+ "fileName": "positive.tf",
+ "resourceType": "aws_cloudfront_distribution",
+ "resourceName": "positive2",
+ "searchKey": "resource.aws_cloudfront_distribution[positive2]",
+ "searchValue": "origin",
+ "expectedValue": "resource.aws_cloudfront_distribution[positive2].origin should be defined",
+ "actualValue": "resource.aws_cloudfront_distribution[positive2].origin is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "8fa63b75f9709631b53070bc29ddbace47436492f0b1fce86c51b15f98e0b757",
+ "search_line": 61
 }
 ]
diff --git a/assets/queries/terraform/aws/certificate_has_expired/test/positive_expected_result.json b/assets/queries/terraform/aws/certificate_has_expired/test/positive_expected_result.json
index e7adcba6c9b..90324536e22 100644
--- a/assets/queries/terraform/aws/certificate_has_expired/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/certificate_has_expired/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "Certificate Has Expired",
 "severity": "MEDIUM",
- "line": 2
+ "line": 2,
+ "fileName": "positive.tf",
+ "resourceType": "aws_api_gateway_domain_name",
+ "resourceName": "example2",
+ "searchKey": "aws_api_gateway_domain_name[example2].certificate_body",
+ "searchValue": "",
+ "expectedValue": "aws_api_gateway_domain_name[example2].certificate_body should not have expired",
+ "actualValue": "aws_api_gateway_domain_name[example2].certificate_body has expired",
+ "issueType": "IncorrectValue",
+ "similarityID": "3b973a9d57a0b0d1a95f956669e72dfc4956c9cb59fc2d2a97cf2e7f7e8a9a09",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json b/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json
index e03996e371c..a77def81aee 100644
--- a/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Certificate RSA Key Bytes Lower Than 256",
 "severity": "MEDIUM",
 "line": 2,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_api_gateway_domain_name",
+ "resourceName": "example",
+ "searchKey": "aws_api_gateway_domain_name[example].certificate_body",
+ "searchValue": "",
+ "expectedValue": "aws_api_gateway_domain_name[example].certificate_body uses a RSA key with a length equal to or higher than 256 bytes",
+ "actualValue": "aws_api_gateway_domain_name[example].certificate_body does not use a RSA key with a length equal to or higher than 256 bytes",
+ "issueType": "IncorrectValue",
+ "similarityID": "20aba9c1d8ebc0f5545a80fa4f9170be6af2f4bb9db9b3ac762578e776f0a246",
+ "search_line": -1
 },
 {
 "queryName": "Certificate RSA Key Bytes Lower Than 256",
 "severity": "MEDIUM",
 "line": 3,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "aws_iam_server_certificate",
+ "resourceName": "test_cert2",
+ "searchKey": "aws_iam_server_certificate[test_cert2].certificate_body",
+ "searchValue": "",
+ "expectedValue": "aws_iam_server_certificate[test_cert2].certificate_body uses a RSA key with a length equal to or higher than 256 bytes",
+ "actualValue": "aws_iam_server_certificate[test_cert2].certificate_body does not use a RSA key with a length equal to or higher than 256 bytes",
+ "issueType": "IncorrectValue",
+ "similarityID": "e9505df4e5a60752e02befd8d629b889c864495a7820e97032b440a18755286f",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/terraform/aws/cloudfront_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudfront_logging_disabled/test/positive_expected_result.json
index 0e8947653f8..4d808983c9d 100644
--- a/assets/queries/terraform/aws/cloudfront_logging_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudfront_logging_disabled/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "CloudFront Logging Disabled",
 "severity": "MEDIUM",
- "line": 1
+ "line": 1,
+ "fileName": "positive.tf",
+ "resourceType": "aws_cloudfront_distribution",
+ "resourceName": "positive1",
+ "searchKey": "aws_cloudfront_distribution[positive1]",
+ "searchValue": "",
+ "expectedValue": "aws_cloudfront_distribution[positive1].logging_config should be defined",
+ "actualValue": "aws_cloudfront_distribution[positive1].logging_config is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "846332a28b9319f0e222398bd082224d6f2f8dc6e7a5f3c8194a8d1c219632b5",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/terraform/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json
index d994045fcec..e21963a50e5 100644
--- a/assets/queries/terraform/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudfront_viewer_protocol_policy_allows_http/test/positive_expected_result.json
@@ -2,11 +2,31 @@
 {
 "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP",
 "severity": "MEDIUM",
- "line": 27
+ "line": 27,
+ "fileName": "positive.tf",
+ "resourceType": "aws_cloudfront_distribution",
+ "resourceName": "positive1",
+ "searchKey": "resource.aws_cloudfront_distribution[positive1].default_cache_behavior.viewer_protocol_policy",
+ "searchValue": "",
+ "expectedValue": "resource.aws_cloudfront_distribution[positive1].default_cache_behavior.viewer_protocol_policy should be 'https-only' or 'redirect-to-https'",
+ "actualValue": "resource.aws_cloudfront_distribution[positive1].default_cache_behavior.viewer_protocol_policy isn't 'https-only' or 'redirect-to-https'",
+ "issueType": "IncorrectValue",
+ "similarityID": "ed9918a8c8a679bbffbde29a12acf6c66c370ccef0cab9a5178f67464fc1939d",
+ "search_line": -1
 },
 {
 "queryName": "Cloudfront Viewer Protocol Policy Allows HTTP",
 "severity": "MEDIUM",
- "line": 96
+ "line": 96,
+ "fileName": "positive.tf",
+ "resourceType": "aws_cloudfront_distribution",
+ "resourceName": "positive2",
+ "searchKey": "resource.aws_cloudfront_distribution[positive2].ordered_cache_behavior.{{/content/immutable/*}}.viewer_protocol_policy",
+ "searchValue": "",
+ "expectedValue": "resource.aws_cloudfront_distribution[positive2].ordered_cache_behavior.viewer_protocol_policy should be 'https-only' or 'redirect-to-https'",
+ "actualValue": "resource.aws_cloudfront_distribution[positive2].ordered_cache_behavior.viewer_protocol_policy isn't 'https-only' or 'redirect-to-https'",
+ "issueType": "IncorrectValue",
+ "similarityID": "e0d3067e3afaa5b4f311a6eb1506d37971ad3f4c164d7f998670724c128fdefb",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json
index 6885c67a30f..852b1fa5dd1 100644
--- a/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2/test/positive_expected_result.json
@@ -3,24 +3,60 @@ "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_cloudfront_distribution", + "resourceName": "positive1", + "searchKey": "resource.aws_cloudfront_distribution[positive1]", + "searchValue": "", + "expectedValue": "resource.aws_cloudfront_distribution[positive1].viewer_certificate' should be defined and not null", + "actualValue": "resource.aws_cloudfront_distribution[positive1].viewer_certificate' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "1e3363e27db837ea181a1b1c1605518bdf1ff0593859a15f134b08858f4e786b", + "search_line": 1 }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", "line": 25, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_cloudfront_distribution", + "resourceName": "positive2", + "searchKey": "resource.aws_cloudfront_distribution[positive2].viewer_certificate.minimum_protocol_version", + "searchValue": "", + "expectedValue": "resource.aws_cloudfront_distribution[positive2].viewer_certificate.minimum_protocol_version' should be TLSv1.2_x", + "actualValue": "resource.aws_cloudfront_distribution[positive2].viewer_certificate.minimum_protocol_version' is TLSv1_2016", + "issueType": "IncorrectValue", + "similarityID": "d270e4d4285377b7dbeebf3ddadb8ac9ce2a53ca4277c78be09c8791cc0eaac3", + "search_line": 25 }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", "line": 24, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_cloudfront_distribution", + "resourceName": "positive3", + "searchKey": "resource.aws_cloudfront_distribution[positive3].viewer_certificate.cloudfront_default_certificate", + "searchValue": "", + "expectedValue": "resource.aws_cloudfront_distribution[positive3].viewer_certificate.cloudfront_default_certificate' should be 'false'", + 
"actualValue": "resource.aws_cloudfront_distribution[positive3].viewer_certificate.cloudfront_default_certificate' is 'true'", + "issueType": "IncorrectValue", + "similarityID": "feaba1e5d7949ce3bcb4465329555cd8b65da3e9f159f72de852b0cfd853a1d2", + "search_line": 24 }, { "queryName": "CloudFront Without Minimum Protocol TLS 1.2", "severity": "MEDIUM", "line": 23, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_cloudfront_distribution", + "resourceName": "positive4", + "searchKey": "resource.aws_cloudfront_distribution[positive4].viewer_certificate", + "searchValue": "", + "expectedValue": "resource.aws_cloudfront_distribution[positive4].viewer_certificate.minimum_protocol_version' should be defined and not null", + "actualValue": "resource.aws_cloudfront_distribution[positive4].viewer_certificate.minimum_protocol_version' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "098b854d43175daf1c800f8d3bdedb72e87c9a10d13f3d1d9003c3bb6d03f7b7", + "search_line": 23 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudfront_without_waf/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudfront_without_waf/test/positive_expected_result.json index 109793cfe3c..366aba5d731 100755 --- a/assets/queries/terraform/aws/cloudfront_without_waf/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudfront_without_waf/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "CloudFront Without WAF", "severity": "MEDIUM", - "line": 15 + "line": 15, + "fileName": "positive.tf", + "resourceType": "aws_cloudfront_distribution", + "resourceName": "positive1", + "searchKey": "aws_cloudfront_distribution[positive1].web_acl_id", + "searchValue": "", + "expectedValue": "'web_acl_id' should exist", + "actualValue": "'web_acl_id' is missing", + "issueType": "MissingAttribute", + "similarityID": "4dbf6ae3dc6981e84bbf5ebc48d7070a2a1148ce73ffb93c75f5ad8195db2cf0", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json index 38519cfef6e..0bc0f691f9a 100644 --- a/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_cloudtrail", + "resourceName": "positive1", + "searchKey": "aws_cloudtrail[positive1]", + "searchValue": "", + "expectedValue": "'aws_cloudtrail[positive1].enable_log_file_validation' should be set", + "actualValue": "'aws_cloudtrail[positive1].enable_log_file_validation' is undefined", + "issueType": "MissingAttribute", + "similarityID": "e831fab32da535c297ec011b2ac519e108a6cfe8848d23716c81b18aa8bbbb47", + "search_line": 1 }, { "queryName": "CloudTrail Log File Validation Disabled", "severity": "LOW", - "line": 9 + "line": 9, + "fileName": "positive.tf", + "resourceType": "aws_cloudtrail", + "resourceName": "positive2", + "searchKey": "aws_cloudtrail[positive2].enable_log_file_validation", + "searchValue": "", + "expectedValue": "'aws_cloudtrail[positive2].enable_log_file_validation' should be true", + "actualValue": "'aws_cloudtrail[positive2].enable_log_file_validation' is false", + "issueType": "IncorrectValue", + "similarityID": "d01f3677839bf1fcf64ccc243635796e2f5f68c8279dde3ac78d54238131c871", + "search_line": 9 } ] diff --git a/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json index 1b50e20f3e9..6140c81ea35 100644 --- a/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "CloudTrail Log Files Not Encrypted With KMS", "severity": "LOW", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_cloudtrail", + "resourceName": "npositive_1", + "searchKey": "aws_cloudtrail[positive1]", + "searchValue": "", + "expectedValue": "aws_cloudtrail[positive1].kms_key_id should be defined and not null", + "actualValue": "aws_cloudtrail[positive1].kms_key_id is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "70028be52284cbee58478c52b0fc02a98ddcba881dcc827159ec9766a9879b0b", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/test/positive_expected_result.json index f1f9a1ab388..07c8e28d7f8 100644 --- a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "CloudTrail Log Files S3 Bucket is Publicly Accessible", "severity": "HIGH", "line": 25, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[b].acl", + "searchValue": "", + "expectedValue": "aws_s3_bucket[b] to not be publicly accessible", + "actualValue": "aws_s3_bucket[b] is publicly accessible", + "issueType": "IncorrectValue", + "similarityID": "1ac3e78817a71314e571ab6443e57176fc7c85d2d11b7c8ce658ec0fd6fd800e", + "search_line": -1 }, { "queryName": "CloudTrail Log Files S3 Bucket is Publicly Accessible", "severity": "HIGH", "line": 23, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].acl", + "searchValue": "", + "expectedValue": "module[s3_bucket] to not be publicly accessible", + "actualValue": "module[s3_bucket] is publicly accessible", + "issueType": "IncorrectValue", + "similarityID": "880eba88f283595e71e1f81e985dd20c75c983430fea9c1775c0138ec1faa9aa", + "search_line": -1 }, { "queryName": "CloudTrail Log Files S3 Bucket is Publicly Accessible", "severity": "HIGH", "line": 24, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].acl", + "searchValue": "", + "expectedValue": "module[s3_bucket] to not be publicly accessible", + "actualValue": "module[s3_bucket] is publicly accessible", + "issueType": "IncorrectValue", + "similarityID": "1fe4f8b775122a9831d4dccdcfb7a6f5437975c0df3d0bf50a4ca08a0b20e733", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/test/positive_expected_result.json index 3a2437a6896..845e4566d11 100644 
--- a/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled/test/positive_expected_result.json @@ -3,18 +3,45 @@ "queryName": "CloudTrail Log Files S3 Bucket with Logging Disabled", "severity": "MEDIUM", "line": 23, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "tf-test-trail", + "searchKey": "aws_s3_bucket[foo]", + "searchValue": "", + "expectedValue": "aws_s3_bucket[foo] to have 'logging' defined", + "actualValue": "aws_s3_bucket[foo] does not have 'logging' defined", + "issueType": "MissingAttribute", + "similarityID": "15fe8adc1f90b72a805ec95d08e1d93cf4da95c4aed0ad93c697d2ddd2cebdc9", + "search_line": 23 }, { "queryName": "CloudTrail Log Files S3 Bucket with Logging Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[foo]", + "searchValue": "", + "expectedValue": "'logging' should be defined", + "actualValue": "'logging' is undefined", + "issueType": "MissingAttribute", + "similarityID": "5ccda27c003dfc4eec130ba3e3bd7b15283da87f242d545bdc6a1c733ed3be91", + "search_line": 1 }, { "queryName": "CloudTrail Log Files S3 Bucket with Logging Disabled", "severity": "MEDIUM", "line": 21, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-example-bucket", + "searchKey": "aws_s3_bucket[bb]", + "searchValue": "", + "expectedValue": "aws_s3_bucket[bb] to have 'logging' defined", + "actualValue": "aws_s3_bucket[bb] does not have 'logging' defined", + "issueType": "MissingAttribute", + "similarityID": "2c480ed967cb9505895be2956115d6debe9315ee2d8f2aee489e2ecf0155c9d8", + "search_line": 21 } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/aws/cloudtrail_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_logging_disabled/test/positive_expected_result.json index 8e57b93dc88..cf23d9c1408 100644 --- a/assets/queries/terraform/aws/cloudtrail_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudtrail_logging_disabled/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "CloudTrail Logging Disabled", "severity": "MEDIUM", - "line": 5 + "line": 5, + "fileName": "positive.tf", + "resourceType": "aws_cloudtrail", + "resourceName": "positive", + "searchKey": "aws_cloudtrail.positive1.enable_logging", + "searchValue": "", + "expectedValue": "aws_cloudtrail.positive1.enable_logging should be true", + "actualValue": "aws_cloudtrail.positive1.enable_logging is false", + "issueType": "IncorrectValue", + "similarityID": "96869cb65845e99623cba1cf83ad2d912187a8837d76ab5b604357adbc78da31", + "search_line": 5 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json index 64b89e0ab91..a1299f79335 100644 --- a/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudtrail_multi_region_disabled/test/positive_expected_result.json 
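Review bot: `searchKey` in the cloudtrail_logging_disabled entry is `aws_cloudtrail.positive1.enable_logging` (dot path) while every sibling CloudTrail fixture in this diff uses bracket form such as `aws_cloudtrail[positive1]` or `aws_cloudtrail[positive2].enable_log_file_validation`, and `resourceName` is `positive` although the resource in the key is `positive1`. Both values are recorded from the query's output, so this is a consistency point for the query rather than the fixture, but pinning them here makes the odd key part of the test contract and bakes it into `similarityID`. If the dot form is not intentional, align it to `aws_cloudtrail[positive1].enable_logging` in the query and regenerate this file; if `resourceName` is read from the resource's `name` attribute rather than its label, that is presumably fine and worth a one-line note in the PR description.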
@@ -3,18 +3,45 @@ "queryName": "CloudTrail Multi Region Disabled", "severity": "LOW", "line": 2, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_cloudtrail", + "resourceName": "npositive_1", + "searchKey": "aws_cloudtrail[positive1]", + "searchValue": "", + "expectedValue": "aws_cloudtrail[positive1].is_multi_region_trail should be defined and not null", + "actualValue": "aws_cloudtrail[positive1].is_multi_region_trail is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "7703291eadb50d88e0d6da6b06825388fd3e1ec72cf4c1008ef8aa17a1da1551", + "search_line": 2 }, { "queryName": "CloudTrail Multi Region Disabled", "severity": "LOW", "line": 4, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_cloudtrail", + "resourceName": "npositive_2", + "searchKey": "aws_cloudtrail[positive2].is_multi_region_trail", + "searchValue": "", + "expectedValue": "aws_cloudtrail[positive2].is_multi_region_trail should be set to true", + "actualValue": "aws_cloudtrail[positive2].is_multi_region_trail is set to false", + "issueType": "IncorrectValue", + "similarityID": "39f8f2219eb718457e887e5536b0880436df7d01042a25aa808c16bb73e2155f", + "search_line": 4 }, { "queryName": "CloudTrail Multi Region Disabled", "severity": "LOW", "line": 5, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_cloudtrail", + "resourceName": "npositive_3", + "searchKey": "aws_cloudtrail[positive3].include_global_service_events", + "searchValue": "", + "expectedValue": "aws_cloudtrail[positive3].include_global_service_events should be undefined or set to true", + "actualValue": "aws_cloudtrail[positive3].include_global_service_events is set to false", + "issueType": "IncorrectValue", + "similarityID": "f256060602a6371d20103b93ec5caa1a3543dc8dfa0cc19ac21d7add4baa86f2", + "search_line": 5 } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json index 8f79cf0b981..c051914a221 100644 --- a/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch/test/positive_expected_result.json @@ -1,12 +1,32 @@ [ { + "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", "line": 1, - "queryName": "CloudTrail Not Integrated With CloudWatch" + "fileName": "positive.tf", + "resourceType": "aws_cloudtrail", + "resourceName": "tf-trail-foobar", + "searchKey": "aws_cloudtrail[positive1]", + "searchValue": "cloud_watch_logs_group_arn", + "expectedValue": "aws_cloudtrail[positive1].cloud_watch_logs_group_arn should be defined and not null", + "actualValue": "aws_cloudtrail[positive1].cloud_watch_logs_group_arn is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "64792d916f4a3d76bea1054a16bc58742190071d7ab625f5a366bf5296272a6d", + "search_line": 1 }, { + "queryName": "CloudTrail Not Integrated With CloudWatch", "severity": "LOW", "line": 1, - "queryName": "CloudTrail Not Integrated With CloudWatch" + "fileName": "positive.tf", + "resourceType": "aws_cloudtrail", + "resourceName": "tf-trail-foobar", + "searchKey": "aws_cloudtrail[positive1]", + "searchValue": "cloud_watch_logs_role_arn", + "expectedValue": "aws_cloudtrail[positive1].cloud_watch_logs_role_arn should be defined and not null", + "actualValue": "aws_cloudtrail[positive1].cloud_watch_logs_role_arn is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "d001c0970ec78c3d34d5e7d57a11c0812e8599224ca1fae1087cbaed40420c87", + "search_line": 1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json index ab5ba6bb6b4..29a5d698dd7 100644 --- a/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined/test/positive_expected_result.json @@ -2,11 +2,31 @@ { "queryName": "CloudTrail SNS Topic Name Undefined", "severity": "LOW", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_cloudtrail", + "resourceName": "positive1", + "searchKey": "aws_cloudtrail[positive1]", + "searchValue": "", + "expectedValue": "'aws_cloudtrail[positive1].sns_topic_name' should be set and should not be null", + "actualValue": "'aws_cloudtrail[positive1].sns_topic_name' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "819fd1953ca1ace4afbe67d2dfab9f1fe6559670d7d04a3f38f74a5f1a6fb743", + "search_line": -1 }, { "queryName": "CloudTrail SNS Topic Name Undefined", "severity": "LOW", - "line": 5 + "line": 5, + "fileName": "positive.tf", + "resourceType": "aws_cloudtrail", + "resourceName": "positive2", + "searchKey": "aws_cloudtrail[positive2]", + "searchValue": "", + "expectedValue": "'aws_cloudtrail[positive2].sns_topic_name' should be set and should not be null", + "actualValue": "'aws_cloudtrail[positive2].sns_topic_name' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "63ce17570bf55f5d156276419f791d59c19476a7aa73240d5ca7228f0aee53be", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive_expected_result.json index 1459de355bb..5624e45df41 100644 
--- a/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "CloudWatch AWS Config Configuration Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "647a18453c9f4a69dac2c0dcecddafc90c4a2b99e5aaa8de389ff78979821ee5", + "search_line": 1 }, { "queryName": "CloudWatch AWS Config Configuration Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventSource = config.amazonaws.com) && 
(($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "c45f94234b662c8808c7145371a84ca94fd7c54564453c446381791c2bf8418f", + "search_line": 1 }, { "queryName": "CloudWatch AWS Config Configuration Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "a4da155b660578c7c6a1d437281ba0c53707e8a17c31d356478be2c931e23c2c", + "search_line": 1 }, { "queryName": "CloudWatch AWS Config Configuration Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventSource = config.amazonaws.com) && 
(($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "500bf3c171d365434683ad5b3d9e081e1947c2f56a2bc2f314e71eda26601172", + "search_line": 1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/positive_expected_result.json index b56668d3c45..a2959dc049c 100644 --- a/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm/test/positive_expected_result.json 
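Review bot: All four entries resolve to `searchKey: "resource"`, `resourceName: "unknown"` and `search_line: 1`, so the finding is not attached to any particular `aws_cloudwatch_log_metric_filter` — it only locates to the file. As a consequence the `similarityID` appears to vary only with the file path (the four IDs differ while every other field is identical), so several filters in one file would presumably collapse into a single finding, and a user cannot tell which filter lacks the pattern or the alarm association. This is the query's output being recorded, not something the fixture can fix, but it is worth a follow-up to have the query emit `aws_cloudwatch_log_metric_filter[<label>]` as the searchKey together with the filter's own line; the same shape appears in the NACL, CloudTrail-configuration and Organizations fixtures below.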
@@ -3,12 +3,30 @@ "queryName": "CloudWatch AWS Organizations Changes Missing Alarm", "severity": "INFO", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventSource = \"organizations.amazonaws.com\") && (($.eventName = AcceptHandshake) || ($.eventName = AttachPolicy) || ($.eventName = CreateAccount) || ($.eventName = PutBucketLifecycle) || ($.eventName = CreateOrganizationalUnit) || ($.eventName = CreatePolicy) || ($.eventName = DeclineHandshake) || ($.eventName = DeleteOrganization) || ($.eventName = DeleteOrganizationalUnit) || ($.eventName = DeletePolicy) || ($.eventName = DetachPolicy) || ($.eventName = DisablePolicyType) || ($.eventName = EnablePolicyType) || ($.eventName = InviteAccountToOrganization) || ($.eventName = LeaveOrganization) || ($.eventName = MoveAccount) || ($.eventName = RemoveAccountFromOrganization) || ($.eventName = UpdatePolicy) || ($.eventName = UpdateOrganizationalUni)) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventSource = \"organizations.amazonaws.com\") && (($.eventName = AcceptHandshake) || ($.eventName = AttachPolicy) || ($.eventName = CreateAccount) || ($.eventName = PutBucketLifecycle) || ($.eventName = CreateOrganizationalUnit) || ($.eventName = CreatePolicy) || ($.eventName = DeclineHandshake) || ($.eventName = DeleteOrganization) || ($.eventName = DeleteOrganizationalUnit) || ($.eventName = DeletePolicy) || ($.eventName = DetachPolicy) || ($.eventName = DisablePolicyType) || ($.eventName = EnablePolicyType) || ($.eventName = InviteAccountToOrganization) || ($.eventName = LeaveOrganization) || ($.eventName = MoveAccount) || ($.eventName = RemoveAccountFromOrganization) || ($.eventName = UpdatePolicy) || 
($.eventName = UpdateOrganizationalUni)) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "aa59e9a4909828ce63bb4c4891ee8f1533bd3a8a2cda7276d7cea17ffe9e7254", + "search_line": 1 }, { "queryName": "CloudWatch AWS Organizations Changes Missing Alarm", "severity": "INFO", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventSource = \"organizations.amazonaws.com\") && (($.eventName = AcceptHandshake) || ($.eventName = AttachPolicy) || ($.eventName = CreateAccount) || ($.eventName = PutBucketLifecycle) || ($.eventName = CreateOrganizationalUnit) || ($.eventName = CreatePolicy) || ($.eventName = DeclineHandshake) || ($.eventName = DeleteOrganization) || ($.eventName = DeleteOrganizationalUnit) || ($.eventName = DeletePolicy) || ($.eventName = DetachPolicy) || ($.eventName = DisablePolicyType) || ($.eventName = EnablePolicyType) || ($.eventName = InviteAccountToOrganization) || ($.eventName = LeaveOrganization) || ($.eventName = MoveAccount) || ($.eventName = RemoveAccountFromOrganization) || ($.eventName = UpdatePolicy) || ($.eventName = UpdateOrganizationalUni)) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventSource = \"organizations.amazonaws.com\") && (($.eventName = AcceptHandshake) || ($.eventName = AttachPolicy) || ($.eventName = CreateAccount) || ($.eventName = PutBucketLifecycle) || ($.eventName = CreateOrganizationalUnit) || ($.eventName = CreatePolicy) || ($.eventName = DeclineHandshake) || ($.eventName = DeleteOrganization) || ($.eventName = DeleteOrganizationalUnit) || ($.eventName = DeletePolicy) || ($.eventName = DetachPolicy) || ($.eventName = DisablePolicyType) || ($.eventName = 
EnablePolicyType) || ($.eventName = InviteAccountToOrganization) || ($.eventName = LeaveOrganization) || ($.eventName = MoveAccount) || ($.eventName = RemoveAccountFromOrganization) || ($.eventName = UpdatePolicy) || ($.eventName = UpdateOrganizationalUni)) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "f7a5bb352b90eb8273cb6d24efa9454579e344afaa3b66701993907a2b92c24d", + "search_line": 1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/positive_expected_result.json index 89ee21fe61c..c30deb5be82 100644 --- a/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing/test/positive_expected_result.json 
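Review bot: The pattern frozen into `expectedValue`/`actualValue` for both entries ends with `($.eventName = UpdateOrganizationalUni)`; the Organizations API is `UpdateOrganizationalUnit`, so the final `t` is missing. If the query compares the filter's pattern against this same string (the rego is not visible here), a correctly written filter naming `UpdateOrganizationalUnit` would be reported as non-matching, while a filter that copies the typo would pass yet never match that event in CloudWatch — either way the fixture would now assert the wrong behaviour. `PutBucketLifecycle` in the same list looks like an S3 operation rather than an Organizations one and is worth confirming against the benchmark pattern the query is meant to enforce. Fix the pattern in the query's rego/metadata and regenerate this file rather than hand-editing these strings, since the `similarityID` values depend on them.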
@@ -3,12 +3,30 @@ "queryName": "CloudWatch Changes To NACL Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "b538253f4df005769eecfd23b879e7734617a62c217bbf656e4ff5f2f5ffbd7d", + "search_line": 1 }, { "queryName": "CloudWatch Changes To NACL Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || 
($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "b6bbed9ff892c1b2fb75a648d49142845776990c9ea4a2b846defc562d738a2f", + "search_line": 1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive_expected_result.json index 01f6d72185c..b889f00c4d4 100644 --- a/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "Cloudwatch Cloudtrail Configuration Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "fdf98714940e88150b33c16de648f7f55333d62c5d7fa357e68c99d1759206bf", + "search_line": 1 }, { "queryName": "Cloudwatch Cloudtrail Configuration Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": 
"0fbe938d18c54419b72d7a9541c61606506af79c5b3acaffb661e9a2d9dde7f2", + "search_line": 1 }, { "queryName": "Cloudwatch Cloudtrail Configuration Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "6fa849f7011db7899ab91b125aa1b92921a709c0bbe78431c1a8e9da3546ced0", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive_expected_result.json index 524dfb593ab..227551fd3db 100644 --- a/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "86680383391400e95d2f7080e5c38db955b20a39bdc53ad74e58722ec9da51ca", + "search_line": 1 }, { "queryName": "CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "fc6dcedb84f2223db8a5370c549c9ece8f94259d9f0cd16ff858bdbdeb35140f", + "search_line": 1 }, { "queryName": "CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing", 
"severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "103868d0535cd383201f60bc73893c7f70c2fe29821dce5ddcd6c5190ad3ce0c", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/test/positive_expected_result.json index 8dcb4abaef3..5ee7f9c06e1 100644 --- a/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "CloudWatch IAM Policy Changes Alarm Missing", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern {($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)} and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern {($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)} or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "b7985eb22eaa71afbf95ea73daf72b4fddc1f18a67193d17b344f0122f0bc975", + "search_line": 1 }, { "queryName": "CloudWatch IAM Policy Changes Alarm Missing", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + 
"expectedValue": "aws_cloudwatch_log_metric_filter should have pattern {($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)} and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern {($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)} or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "d9d68ba795e2c4990aea41d6dc348b2b36bf97b47b621d60949c21f323ce79d2", + "search_line": 1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_log_group_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_log_group_not_encrypted/test/positive_expected_result.json index 0300572746a..06613bd406d 100644 --- a/assets/queries/terraform/aws/cloudwatch_log_group_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_log_group_not_encrypted/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "CloudWatch Log Group Without KMS", "severity": "MEDIUM", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_cloudwatch_log_group", + "resourceName": "Yada", + "searchKey": "aws_cloudwatch_log_group[negative1]", + "searchValue": "", + "expectedValue": "Attribute 'kms_key_id' should be set", + "actualValue": "Attribute 'kms_key_id' is undefined", + "issueType": "MissingAttribute", + "similarityID": "303f3a86d310b35614eca0f5af2679029d07602480e985f8ab0f0207b8b6128c", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/cloudwatch_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_logging_disabled/test/positive_expected_result.json index a8111fc9274..28626ffd476 100644 --- a/assets/queries/terraform/aws/cloudwatch_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_logging_disabled/test/positive_expected_result.json 
@@ -1,12 +1,32 @@ [ - { - "queryName": "CloudWatch Logging Disabled", - "severity": "MEDIUM", - "line": 1 - }, - { - "queryName": "CloudWatch Logging Disabled", - "severity": "MEDIUM", - "line": 10 - } + { + "queryName": "CloudWatch Logging Disabled", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_route53_zone", + "resourceName": "example.com", + "searchKey": "aws_route53_zone[no_query_log]", + "searchValue": "", + "expectedValue": "'aws_route53_query_log' should be set for respective 'aws_route53_zone'", + "actualValue": "'aws_route53_query_log' is undefined", + "issueType": "MissingAttribute", + "similarityID": "92742e6566deb2d86b83ce796215196e1b9316363298601a424524b969b8e4ae", + "search_line": -1 + }, + { + "queryName": "CloudWatch Logging Disabled", + "severity": "MEDIUM", + "line": 10, + "fileName": "positive.tf", + "resourceType": "aws_route53_query_log", + "resourceName": "log_group_mismatch", + "searchKey": "aws_route53_query_log[log_group_mismatch].cloudwatch_log_group_arn", + "searchValue": "", + "expectedValue": "'aws_route53_query_log' log group refers to the query log", + "actualValue": "'aws_route53_query_log' log group does not match with the log name", + "issueType": "IncorrectValue", + "similarityID": "9daa6f3dbe2e76a2d74fa869c85f901289cf4043489112a9e74d36c4ea9d9a1e", + "search_line": -1 + } ] diff --git a/assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy/test/positive_expected_result.json index 98c3bff2732..fc8ba39d2a4 100644 --- a/assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "CloudWatch Logs Destination With Vulnerable Policy", "severity": "LOW", "line": 22, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "aws_cloudwatch_log_destination_policy", + "resourceName": "test_destination_policy", + "searchKey": "aws_cloudwatch_log_destination_policy[test_destination_policy].access_policy", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_destination_policy[test_destination_policy].access_policy should not have wildcard in 'principals' and 'actions'", + "actualValue": "aws_cloudwatch_log_destination_policy[test_destination_policy].access_policy has wildcard in 'principals' or 'actions'", + "issueType": "IncorrectValue", + "similarityID": "ce92cad0b84639b2c03ec20f947fe68c6b99d57aeee160116b6df1f1e1094d08", + "search_line": 22 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive_expected_result.json index 3ea9b674763..8bb8b7c291f 100644 --- a/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "CloudWatch Management Console Auth Failed Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "d2a316abf1db85687df6aed3c3b596f2528ebc4764d11486bba6ecc8df4c90d9", + "search_line": 1 }, { "queryName": "CloudWatch Management Console Auth Failed Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "8ef10a7f74147e435a8fa92f1be7fde8e712a58274972b11dc967fb312b897dc", + "search_line": 1 }, { "queryName": "CloudWatch Management Console Auth Failed Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + 
"searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "5873fc678490cffb6ce13f687fd50f37da9d897a4c75245f0ad75d0d3e008354", + "search_line": 1 }, { "queryName": "CloudWatch Management Console Auth Failed Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.eventName = ConsoleLogin && $.errorMessage = \"Failed authentication\" } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "042c8db9ba4435584331e20c0269eb86650c850e4479316f66deb4e91f75f763", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive_expected_result.json index 66cbc78e523..55511696de0 100644 --- a/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "CloudWatch Console Sign-in Without MFA Alarm Missing", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "f374c016c281320750484e09977ac0d9ce592add0958ed6f9e9e2eb584f6ab20", + "search_line": 1 }, { "queryName": "CloudWatch Console Sign-in Without MFA Alarm Missing", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "495021a36cb296ff2e808790962352267c8b5152136ef62955d9bf0f665a7fbf", + "search_line": 1 }, { "queryName": "CloudWatch Console Sign-in Without MFA Alarm Missing", "severity": "LOW", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + 
"searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "d5dc94550509265ab1dd3efbc1c31702dabf880b8352794d7c1bcd80657ea461", + "search_line": 1 }, { "queryName": "CloudWatch Console Sign-in Without MFA Alarm Missing", "severity": "LOW", "line": 1, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "f0be431fa053e6d8dc011f9a6e4b7beed3cd6111555ac894c950f342998b8268", + "search_line": 1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json index fda8b64338a..5ef224ecbb9 100644 --- a/assets/queries/terraform/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_metrics_disabled/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "CloudWatch Metrics Disabled", "severity": "MEDIUM", - "line": 8 + "line": 8, + "fileName": "positive.tf", + "resourceType": "aws_api_gateway_method_settings", + "resourceName": "positive1", + "searchKey": "aws_api_gateway_method_settings[positive1].settings.metrics_enabled", + "searchValue": "", + "expectedValue": "aws_api_gateway_method_settings[positive1].settings.metrics_enabled should be true", + "actualValue": "aws_api_gateway_method_settings[positive1].settings.metrics_enabled is false", + "issueType": "IncorrectValue", + "similarityID": "a34ceafc7e09b8e278970bee3654199f9b14b9c171c75fd493145b150546c8c8", + "search_line": 8 }, { "queryName": "CloudWatch Metrics Disabled", "severity": "MEDIUM", - "line": 18 + "line": 18, + "fileName": "positive.tf", + "resourceType": "aws_api_gateway_method_settings", + "resourceName": "positive2", + "searchKey": "aws_api_gateway_method_settings[positive2].settings", + "searchValue": "", + "expectedValue": "aws_api_gateway_method_settings[positive2].settings.metrics_enabled should be defined and not null", + "actualValue": "aws_api_gateway_method_settings[positive2].settings.metrics_enabled is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "9704ea8b477bc9e244aa2abb15fa06eaabd28a0426183d058c9a4e918f326025", + "search_line": 18 } ] diff --git a/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive_expected_result.json index a206a39b44e..51302c5170f 100644 --- a/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "CloudWatch Network Gateways Changes Alarm Missing", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "a7414f8157d82971c97e83542fef3ea704cefcb9dd7e6e3579e77098ebbce8c0", + "search_line": 1 }, { "queryName": "CloudWatch Network Gateways Changes Alarm Missing", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "54ccf9c44265cf90f7ec6ef6565813ad50671cc24b2e3f4bd0434f9dd9d40ad5", + 
"search_line": 1 }, { "queryName": "CloudWatch Network Gateways Changes Alarm Missing", "severity": "LOW", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "2925f67e182cec585c5cd8d50cf5cbd05df8b40b72cd2cba8ce1a5777ca355a6", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive_expected_result.json index 1e6878d363a..6e345c6e3b4 100644 --- a/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "CloudWatch Root Account Use Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "368051c2424d104774ebfaa87b2f848f89e80dbeef4ec0bc44b523d4cb52fd6e", + "search_line": 1 }, { "queryName": "CloudWatch Root Account Use Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "8c0dc40dbf548d6cbaec21afaf98c5e7f268f14e08d35435aa9ef1c617385c0c", + "search_line": 1 }, { "queryName": "CloudWatch Root Account Use Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": 
"aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "f2beb556a576da2d036c4138462b0eb53f54f5db64160dbf91db23b0f8af9ebb", + "search_line": 1 }, { "queryName": "CloudWatch Root Account Use Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "53799bba03580088c09d46907399d7d6c23663a462e6af49d59a3440c061e8fa", + "search_line": 1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive_expected_result.json index d146a964901..3fc0b040c95 100644 
--- a/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "CloudWatch Route Table Changes Alarm Missing", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "6d03656438848f5079bbd9c3248e8b042369d3471ba1813571bf77e607f19552", + "search_line": 1 }, { "queryName": "CloudWatch Route Table Changes Alarm Missing", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateRoute) || ($.eventName = 
CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "691fc641fc7d06372a008f6cb54909f05d67df6346d54e1cb95ad308178146b5", + "search_line": 1 }, { "queryName": "CloudWatch Route Table Changes Alarm Missing", "severity": "LOW", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "11b5ecb9045ac2c381411430610e9759f6b57500d59be06621154f94b907acc0", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive_expected_result.json index 6e6bdca530c..474feee948c 100644 --- a/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive_expected_result.json 
+++ b/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing/test/positive_expected_result.json 
@@ -3,48 +3,120 @@ "queryName": "CloudWatch S3 policy Change Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "cis_s3_bucket_policy_change_metric_filter", + "searchKey": "aws_cloudwatch_log_metric_filter[cis_s3_bucket_policy_change_metric_filter]", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "b3da1daa6cb620a26c9b02ec2ca14e882e03fa23abdc9dfb03406018fc9d5edd", + "search_line": 1 }, { "queryName": "CloudWatch S3 policy Change Alarm Missing", "severity": "MEDIUM", "line": 3, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "cis_s3_bucket_policy_change_metric_filter", + "searchKey": "aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`", + "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern", + "issueType": "MissingAttribute", + "similarityID": "76c8ef8a22a247820d8e9ba714d8a2d8f29e58ce3243db07669619326fd59b98", + "search_line": 3 }, { "queryName": "CloudWatch S3 policy Change Alarm Missing", "severity": "MEDIUM", "line": 30, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "cis_no_mfa_console_signin_metric_filter", + "searchKey": 
"aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`", + "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern", + "issueType": "MissingAttribute", + "similarityID": "52ee6aefb2e830dda4644dec09ae063221268d15195b3ddf0167fd2fd5ad0abc", + "search_line": 30 }, { "queryName": "CloudWatch S3 policy Change Alarm Missing", "severity": "MEDIUM", "line": 3, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "cis_s3_bucket_policy_change_metric_filter", + "searchKey": "aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`", + "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern", + "issueType": "MissingAttribute", + "similarityID": "4c19fa7bb0a1026474da07e9f40e1c131b29e584d1db93046f5fc45b263e5ff9", + "search_line": 3 }, { "queryName": "CloudWatch S3 policy Change Alarm Missing", "severity": "MEDIUM", "line": 3, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "cis_s3_bucket_policy_change_metric_filter", + "searchKey": "aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter", + "searchValue": "", + "expectedValue": 
"aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`", + "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern", + "issueType": "MissingAttribute", + "similarityID": "787135365c1a3d28766ad9307ed68ad776b76923bc958592b1d563318544fe8f", + "search_line": 3 }, { "queryName": "CloudWatch S3 policy Change Alarm Missing", "severity": "MEDIUM", "line": 3, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "cis_s3_bucket_policy_change_metric_filter", + "searchKey": "aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`", + "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern", + "issueType": "MissingAttribute", + "similarityID": "dc17a1fbbdb918795f2e572e9c8f49ba33e66bf40731a145b0f382973f10581a", + "search_line": 3 }, { "queryName": "CloudWatch S3 policy Change Alarm Missing", "severity": "MEDIUM", "line": 4, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "cis_s3_bucket_policy_change_metric_filter", + "searchKey": "aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to 
`PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`", + "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern", + "issueType": "MissingAttribute", + "similarityID": "13b7000750e81ed22f133f96c95584681a1f4afad3159b56295e70f5ced72da9", + "search_line": 4 }, { "queryName": "CloudWatch S3 policy Change Alarm Missing", "severity": "MEDIUM", "line": 31, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "cis_no_mfa_console_signin_metric_filter", + "searchKey": "aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern $.eventSource equal to `s3.amazonaws.com` and $.eventName equal to `PutBucketAcl`, `PutBucketPolicy`, `PutBucketCors`, `PutBucketLifecycle`, `PutBucketReplication`, `DeleteBucketPolicy`, `DeleteBucketCors`, `DeleteBucketLifecycle` and `DeleteBucketReplication`", + "actualValue": "aws_cloudwatch_log_metric_filter with wrong pattern", + "issueType": "MissingAttribute", + "similarityID": "84e1a094f2416edcfc14b2a9202839c4a1fb8e3ff8f9d6bcfcc6d383a968eef7", + "search_line": 31 } ] diff --git a/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive_expected_result.json index 378c98dd2b2..c5df040eb39 100644 --- a/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing/test/positive_expected_result.json 
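Review bot: The entries for line 30 of positive1.tf and line 31 of positive5.tf report `cis_no_mfa_console_signin_metric_filter` with the S3 bucket-policy pattern message, so this fixture now pins a finding against a metric filter whose name suggests it was never meant to match S3 events. If the query intentionally flags every aws_cloudwatch_log_metric_filter that lacks the S3 pattern, that deserves a sentence in the query's description or a comment in the sample so the result is not mistaken for a false positive; if it is not intentional, the query should be narrowed before these expected values are committed, because the test will otherwise lock the behaviour in. The first entry also uses the bracket form `aws_cloudwatch_log_metric_filter[cis_s3_bucket_policy_change_metric_filter]` for searchKey while every other entry uses the dot form, which looks like two code paths in the query emitting different key formats and is worth a look for consistency. These files appear to be regenerated from scan output, so a regression in the pattern check would be absorbed silently on the next regeneration unless someone reviews the diff as closely as a hand-written assertion.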
@@ -3,18 +3,45 @@ "queryName": "Cloudwatch Security Group Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)} and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)} or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "d590d829bf02861923471f69cd98ec1b120451741f0eb0a98cdaf5b28dd02597", + "search_line": 1 }, { "queryName": "Cloudwatch Security Group Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)} and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { 
($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)} or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "7b871910139aca71b484e1f6e936cc4c6d861c598b8251fe2b58b9e498e767ee", + "search_line": 1 }, { "queryName": "Cloudwatch Security Group Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)} and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)} or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "c9a1772b9e3ac7635ae7885bae0488dc94589bcef3c72b3fa2d3f3311476d07c", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive_expected_result.json index a85b9cc9ec1..f2e8503c719 100644 
--- a/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "CloudWatch Unauthorized Access Alarm Missing", "severity": "CRITICAL", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "7d60e0bc7466d6943b37b8db51569b3bcaed0ba92456c47946bb9097532b73a1", + "search_line": 1 }, { "queryName": "CloudWatch Unauthorized Access Alarm Missing", "severity": "CRITICAL", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "414830b096564463853f5dce9d53dc2bbc97d88d2ed6e4adbb47058d5c905352", + "search_line": 1 }, { "queryName": "CloudWatch Unauthorized Access Alarm Missing", "severity": "CRITICAL", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": 
"aws_cloudwatch_log_metric_filter should have pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "ba5cea4a1e99e5902010ccd0e4c973457c7cc124c039d6fe1266c5fefb962aee", + "search_line": 1 }, { "queryName": "CloudWatch Unauthorized Access Alarm Missing", "severity": "CRITICAL", "line": 1, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { $.errorCode = *UnauthorizedOperation || $.errorCode = AccessDenied* } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "26da72708a74111f442b46a626ef5f1a0f888b9ae0b5f04a05fd31d9211de8a1", + "search_line": 1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive_expected_result.json index b13d90ce06d..28bdaa9cd52 100644 --- a/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "CloudWatch VPC Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "cbac7d64fef2ea707dab5fa636cea55279238976788e275019c8cd61226f3558", + "search_line": 1 }, { "queryName": "CloudWatch VPC Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName 
= ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": "aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "fec8e5fe984d98f19ae87ba87a304970d872992fa95ce566c1d9a42b80cc214b", + "search_line": 1 }, { "queryName": "CloudWatch VPC Changes Alarm Missing", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_cloudwatch_log_metric_filter", + "resourceName": "unknown", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "aws_cloudwatch_log_metric_filter should have pattern { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) } and be associated an aws_cloudwatch_metric_alarm", + "actualValue": 
"aws_cloudwatch_log_metric_filter not filtering pattern { ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) } or not associated with any aws_cloudwatch_metric_alarm", + "issueType": "MissingAttribute", + "similarityID": "1f78eededa4da1e6ee3aa8dfcf37033c7a9c7e4ae9cf9b1b544c9a066eac857c", + "search_line": 1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json b/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json index f2071da151f..5a3f876a104 100644 --- a/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified/test/positive_expected_result.json 
@@ -2,11 +2,31 @@
 {
 "queryName": "CloudWatch Without Retention Period Specified",
 "severity": "INFO",
- "line": 1
+ "line": 1,
+ "fileName": "positive.tf",
+ "resourceType": "aws_cloudwatch_log_group",
+ "resourceName": "Yada",
+ "searchKey": "aws_cloudwatch_log_group[positive1]",
+ "searchValue": "",
+ "expectedValue": "Attribute 'retention_in_days' should be set and valid",
+ "actualValue": "Attribute 'retention_in_days' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "fe7015e943acdbcd293b0fa0d83503534062f5621a4b77c831f4df4350f58542",
+ "search_line": 1
 },
 {
 "queryName": "CloudWatch Without Retention Period Specified",
 "severity": "INFO",
- "line": 18
+ "line": 18,
+ "fileName": "positive.tf",
+ "resourceType": "aws_cloudwatch_log_group",
+ "resourceName": "Yada",
+ "searchKey": "aws_cloudwatch_log_group[positive2].retention_in_days",
+ "searchValue": "",
+ "expectedValue": "Attribute 'retention_in_days' should be set and valid",
+ "actualValue": "Attribute 'retention_in_days' is set but invalid",
+ "issueType": "IncorrectValue",
+ "similarityID": "1bc52e2619e98ac1106541444d5d0067c9ab6ab7132dd7e39fe225d81364f5f6",
+ "search_line": 18
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/cmk_is_unusable/test/positive_expected_result.json b/assets/queries/terraform/aws/cmk_is_unusable/test/positive_expected_result.json
index d08e5c00762..8834fddc9d7 100644
--- a/assets/queries/terraform/aws/cmk_is_unusable/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cmk_is_unusable/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "CMK Is Unusable",
 "severity": "MEDIUM",
- "line": 3
+ "line": 3,
+ "fileName": "positive.tf",
+ "resourceType": "aws_kms_key",
+ "resourceName": "a",
+ "searchKey": "aws_kms_key[a].is_enabled",
+ "searchValue": "",
+ "expectedValue": "aws_kms_key[a].is_enabled should be set to true",
+ "actualValue": "aws_kms_key[a].is_enabled is set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "a31ad3862f3b3ab9773eff997553ec606cbae24b670b01197c215cd1702ce7cf",
+ "search_line": 3
 }
 ]
diff --git a/assets/queries/terraform/aws/cmk_rotation_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/cmk_rotation_disabled/test/positive_expected_result.json
index 09a15bd8446..8c30d8269b0 100644
--- a/assets/queries/terraform/aws/cmk_rotation_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cmk_rotation_disabled/test/positive_expected_result.json
@@ -3,30 +3,75 @@ "queryName": "CMK Rotation Disabled", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_kms_key", + "resourceName": "positive1", + "searchKey": "aws_kms_key[positive1]", + "searchValue": "", + "expectedValue": "aws_kms_key[positive1].enable_key_rotation should be set to true", + "actualValue": "aws_kms_key[positive1].enable_key_rotation is undefined", + "issueType": "MissingAttribute", + "similarityID": "855415f1b6dd39ab191b00787282c99c6a64c056d3e3a45ba32a95e66d56b242", + "search_line": -1 }, { "queryName": "CMK Rotation Disabled", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_kms_key", + "resourceName": "positive2", + "searchKey": "aws_kms_key[positive2]", + "searchValue": "", + "expectedValue": "aws_kms_key[positive2].enable_key_rotation should be set to true", + "actualValue": "aws_kms_key[positive2].enable_key_rotation is false", + "issueType": "IncorrectValue", + "similarityID": "c776df71513a6f5bcb04b63511c3efe16397b21bf4c1c0def2e505e2a0842247", + "search_line": -1 }, { "queryName": "CMK Rotation Disabled", "severity": "LOW", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_kms_key", + "resourceName": "positive3", + "searchKey": "aws_kms_key[positive3]", + "searchValue": "", + "expectedValue": "aws_kms_key[positive3].enable_key_rotation should be set to true", + "actualValue": "aws_kms_key[positive3].enable_key_rotation is false", + "issueType": "IncorrectValue", + "similarityID": "9cd62e95346b4d4f791226f3bb25253c509246af2549da8ffc90b5fa53b6b963", + "search_line": -1 }, { "queryName": "CMK Rotation Disabled", "severity": "LOW", "line": 1, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_kms_key", + "resourceName": "positive4", + "searchKey": "aws_kms_key[positive4]", + "searchValue": "", + "expectedValue": 
"aws_kms_key[positive4].enable_key_rotation should be set to true", + "actualValue": "aws_kms_key[positive4].enable_key_rotation is false", + "issueType": "IncorrectValue", + "similarityID": "1da61fc2b32bdc8085ffbd6884bc65959a0bc95e0c016641c492a30beea41c30", + "search_line": -1 }, { "queryName": "CMK Rotation Disabled", "severity": "LOW", "line": 1, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "aws_kms_key", + "resourceName": "positive5", + "searchKey": "aws_kms_key[positive5]", + "searchValue": "", + "expectedValue": "aws_kms_key[positive5].enable_key_rotation should be set to false", + "actualValue": "aws_kms_key[positive5].enable_key_rotation is true", + "issueType": "IncorrectValue", + "similarityID": "6bca89e21515c6d096ed9fd2c8ce486ce97a7607c9b09af9bf29dcf9d194d65a", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/positive_expected_result.json b/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/positive_expected_result.json index 7c4547c7354..c2cddb68c7c 100644 --- a/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key/test/positive_expected_result.json 
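Review bot: The positive5.tf entry pins `"expectedValue": "aws_kms_key[positive5].enable_key_rotation should be set to false"` with `"actualValue": "aws_kms_key[positive5].enable_key_rotation is true"`, the inverse of the other four entries, and nothing in this fixture explains why a query named "CMK Rotation Disabled" reports rotation being enabled as a finding. Since JSON carries no comments, a short comment at the top of positive5.tf naming the case it covers (presumably a key configuration where rotation is not applicable — confirm against the query) would stop the next reader from treating this as a wrong expectation or "fixing" it. Every entry here also has `"search_line": -1` while `"line"` is 1, unlike the neighbouring fixtures where search_line tracks line; if that is the generator's output for these resources it is fine, but it is worth confirming it is not a lookup miss being committed as expected. The hunk starts at its `@@` header on the previous line, so the whole file section is in view.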
@@ -2,6 +2,16 @@
 {
 "queryName": "CodeBuild Project Encrypted With AWS Managed Key",
 "severity": "LOW",
- "line": 35
+ "line": 35,
+ "fileName": "positive.tf",
+ "resourceType": "aws_codebuild_project",
+ "resourceName": "project-cloudrail-test",
+ "searchKey": "aws_codebuild_project[project-cloudrail-test].encryption_key",
+ "searchValue": "",
+ "expectedValue": "CodeBuild Project should not be encrypted with AWS managed key",
+ "actualValue": "CodeBuild Project is encrypted with AWS managed key",
+ "issueType": "IncorrectValue",
+ "similarityID": "d09b258100bca147b19b8b12f6a296541c814579c7a8a767fe7d1a6c2c62e63a",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/cognito_userpool_without_mfa/test/positive_expected_result.json b/assets/queries/terraform/aws/cognito_userpool_without_mfa/test/positive_expected_result.json
index 0942578b863..c1353c45b62 100644
--- a/assets/queries/terraform/aws/cognito_userpool_without_mfa/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/cognito_userpool_without_mfa/test/positive_expected_result.json
@@ -2,16 +2,46 @@ { "queryName": "Cognito UserPool Without MFA", "severity": "LOW", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_cognito_user_pool", + "resourceName": "positive1", + "searchKey": "aws_cognito_user_pool[positive1]", + "searchValue": "", + "expectedValue": "aws_cognito_user_pool[positive1].mfa_configuration should be set", + "actualValue": "aws_cognito_user_pool[positive1].mfa_configuration is undefined", + "issueType": "MissingAttribute", + "similarityID": "d395907f246f3495b7e041269c14ab1f0358280dda185ce1f9dcc3a1a368f8a6", + "search_line": -1 }, { "queryName": "Cognito UserPool Without MFA", "severity": "LOW", - "line": 16 + "line": 16, + "fileName": "positive.tf", + "resourceType": "aws_cognito_user_pool", + "resourceName": "positive2", + "searchKey": "aws_cognito_user_pool[positive2]", + "searchValue": "", + "expectedValue": "aws_cognito_user_pool[positive2].mfa_configuration should be set to 'ON' or 'OPTIONAL", + "actualValue": "aws_cognito_user_pool[positive2].mfa_configuration is set to 'OFF'", + "issueType": "IncorrectValue", + "similarityID": "3d41aba81b06e65cfb1d1f7af792645fcb28a267a973bdc76fe65de994918824", + "search_line": -1 }, { "queryName": "Cognito UserPool Without MFA", "severity": "LOW", - "line": 32 + "line": 32, + "fileName": "positive.tf", + "resourceType": "aws_cognito_user_pool", + "resourceName": "positive3", + "searchKey": "aws_cognito_user_pool[positive3]", + "searchValue": "", + "expectedValue": "aws_cognito_user_pool[positive3] should have 'sms_configuration' or 'software_token_mfa_configuration' defined", + "actualValue": "aws_cognito_user_pool[positive3] doesn't have 'sms_configuration' or 'software_token_mfa_configuration' defined", + "issueType": "MissingAttribute", + "similarityID": "056fded746da9805d47e17e34b9d270c705f584df7c8f940266c65af47290c32", + "search_line": -1 } -] \ No newline at end of file +] 
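Review bot: The positive2 entry pins an unbalanced quote in the query's message, `"expectedValue": "aws_cognito_user_pool[positive2].mfa_configuration should be set to 'ON' or 'OPTIONAL",` — the closing `'` after OPTIONAL is missing. Because this file is a golden fixture compared byte-for-byte by the test, committing it as-is makes the suite enforce the typo and turns the later fix into a fixture-regeneration chore. Since the fixture appears to be produced by the generator script added in this PR, the right place to fix it is the query that emits the string, followed by a regenerate; the committed line should read `... should be set to 'ON' or 'OPTIONAL'",`.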
diff --git a/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json index 66411526a70..bb1afaa2ee4 100644 --- a/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", "line": 4, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "aws_config_configuration_aggregator", + "resourceName": "example", + "searchKey": "aws_config_configuration_aggregator[positive1].account_aggregation_source", + "searchValue": "", + "expectedValue": "'aws_config_configuration_aggregator[positive1].account_aggregation_source.all_regions' should be set to true", + "actualValue": "'aws_config_configuration_aggregator[positive1].account_aggregation_source.all_regions' is undefined", + "issueType": "MissingAttribute", + "similarityID": "91e05b9e3f0e258bcedfef07a5d970b8b003dee0b5d90911bbd40ac4f3eee1d3", + "search_line": 4 }, { "queryName": "Configuration Aggregator to All Regions Disabled", "severity": "LOW", "line": 16, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "aws_config_configuration_aggregator", + "resourceName": "example", + "searchKey": "aws_config_configuration_aggregator[positive2].organization_aggregation_source.all_regions", + "searchValue": "", + "expectedValue": "'aws_config_configuration_aggregator[positive2].organization_aggregation_source.all_regions' should be set to true", + "actualValue": "'aws_config_configuration_aggregator[positive2].organization_aggregation_source.all_regions' is set to false", + "issueType": "IncorrectValue", + "similarityID": "7beefae3c54ad2820e01e0384b635cf8833a7237fe58012433a9968bfdecb32f", + "search_line": 16 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json index 2130cceed2f..7419532403f 100644 --- a/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json 
+++ b/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Config Rule For Encrypted Volumes Disabled", "severity": "HIGH", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_config_config_rule", + "resourceName": "unknown", + "searchKey": "aws_config_config_rule", + "searchValue": "", + "expectedValue": "There should be a 'aws_config_config_rule' resource with source id: 'ENCRYPTED_VOLUMES'", + "actualValue": "No 'aws_config_config_rule' resource has source id: 'ENCRYPTED_VOLUMES'", + "issueType": "MissingAttribute", + "similarityID": "f265ffc54b4c1647a94eca039f7f7309e712d43f54c3d41951db15443d654ec5", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json b/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json index ba8676020d4..ddfdde9d87f 100644 --- a/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 4, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "test_role", + "searchKey": "aws_iam_role[positive1].assume_role_policy", + "searchValue": "", + "expectedValue": "'assume_role_policy' requires external ID or MFA", + "actualValue": "'assume_role_policy' does not require external ID or MFA", + "issueType": "IncorrectValue", + "similarityID": "007ef04de604a58925efd25d90616c5ecf1426206270825015ce47697b8394bd", + "search_line": 4 }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 4, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_iam_role", + "resourceName": "test_role", + "searchKey": "aws_iam_role[positive2].assume_role_policy", + "searchValue": "", + "expectedValue": "'assume_role_policy' requires external ID or MFA", + "actualValue": "'assume_role_policy' does not require external ID or MFA", + "issueType": "IncorrectValue", + "similarityID": "ff60615e4047604b50e3e2c4af6c95b0d91fdbb7965185a2054e63d8df520da6", + "search_line": 4 }, { "queryName": "Cross-Account IAM Assume Role Policy Without ExternalId or MFA", "severity": "HIGH", "line": 4, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_iam_role", + "resourceName": "test_role", + "searchKey": "aws_iam_role[positive3].assume_role_policy", + "searchValue": "", + "expectedValue": "'assume_role_policy' requires external ID or MFA", + "actualValue": "'assume_role_policy' does not require external ID or MFA", + "issueType": "IncorrectValue", + "similarityID": "718cda70a43850062384f5a4e2566e22bbde646e8d066bb28f3d698b7432c2f3", + "search_line": 4 } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/aws/dax_cluster_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/dax_cluster_not_encrypted/test/positive_expected_result.json index d4de57a7a33..35ef44379ad 100644 --- a/assets/queries/terraform/aws/dax_cluster_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/dax_cluster_not_encrypted/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", "line": 1, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_dax_cluster", + "resourceName": "bar_1", + "searchKey": "aws_dax_cluster[{{bar_1}}]", + "searchValue": "", + "expectedValue": "aws_dax_cluster.server_side_encryption.enabled should be set to true", + "actualValue": "aws_dax_cluster.server_side_encryption is missing", + "issueType": "MissingAttribute", + "similarityID": "7bf8659f469ddf174301c3b4ce79fdcd00a0e319050446b0b1a63c65362094c9", + "search_line": -1 }, { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", "line": 14, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_dax_cluster", + "resourceName": "bar_2", + "searchKey": "aws_dax_cluster[{{bar_2}}].server_side_encryption", + "searchValue": "", + "expectedValue": "aws_dax_cluster.server_side_encryption.enabled should be set to true", + "actualValue": "aws_dax_cluster.server_side_encryption.enabled is missing", + "issueType": "MissingAttribute", + "similarityID": "ef5820dc200a32febe007783e5e94653a11db7616dae28127ac3f84809f04b39", + "search_line": -1 }, { "queryName": "DAX Cluster Not Encrypted", "severity": "HIGH", "line": 25, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_dax_cluster", + "resourceName": "bar_3", + "searchKey": "aws_dax_cluster[{{bar_3}}].server_side_encryption.enabled", + "searchValue": "", + "expectedValue": "aws_dax_cluster.server_side_encryption.enabled should be set to true", + "actualValue": "aws_dax_cluster.server_side_encryption.enabled is set to false", + "issueType": "IncorrectValue", + "similarityID": "68968a0912cb81bb042ea83a125e1090945c2aa0ca69db7168c87f55e695e6b3", + "search_line": 25 } ] 
diff --git a/assets/queries/terraform/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json index 9fc13b5371e..4cded578951 100644 --- a/assets/queries/terraform/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/db_instance_storage_not_encrypted/test/positive_expected_result.json 
@@ -1,26 +1,62 @@ [ - { - "queryName": "DB Instance Storage Not Encrypted", - "severity": "HIGH", - "line": 11, - "fileName": "positive1.tf" - }, - { - "queryName": "DB Instance Storage Not Encrypted", - "severity": "HIGH", - "line": 14, - "fileName": "positive1.tf" - }, - { - "queryName": "DB Instance Storage Not Encrypted", - "severity": "HIGH", - "line": 1, - "fileName": "positive2.tf" - }, - { - "queryName": "DB Instance Storage Not Encrypted", - "severity": "HIGH", - "line": 11, - "fileName": "positive3.tf" - } + { + "queryName": "DB Instance Storage Not Encrypted", + "severity": "HIGH", + "line": 11, + "fileName": "positive1.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive1].storage_encrypted", + "searchValue": "", + "expectedValue": "'storage_encrypted' should be set to true", + "actualValue": "'storage_encrypted' is set to false", + "issueType": "IncorrectValue", + "similarityID": "86a61899afc2919671dcd916c25a2900f0805dea36e86bec8bf2d393ae5db76b", + "search_line": 11 + }, + { + "queryName": "DB Instance Storage Not Encrypted", + "severity": "HIGH", + "line": 14, + "fileName": "positive1.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive2]", + "searchValue": "", + "expectedValue": "'storage_encrypted' should be set to true", + "actualValue": "'storage_encrypted' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "72f2a60f596e0f4b1e9fe07fd27e96c23efd0045dfe7af5d7e43c889cab8966e", + "search_line": 14 + }, + { + "queryName": "DB Instance Storage Not Encrypted", + "severity": "HIGH", + "line": 1, + "fileName": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[db]", + "searchValue": "", + "expectedValue": "'storage_encrypted' should be set to true", + "actualValue": "'storage_encrypted' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": 
"6f7ebc20055884591fc4b87a30c0587d91fc04bc0253c1b4c41d41de631328b7", + "search_line": 1 + }, + { + "queryName": "DB Instance Storage Not Encrypted", + "severity": "HIGH", + "line": 11, + "fileName": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[db].storage_encrypted", + "searchValue": "", + "expectedValue": "'storage_encrypted' should be set to true", + "actualValue": "'storage_encrypted' is set to false", + "issueType": "IncorrectValue", + "similarityID": "9fbe5b86671ee2fea9bf28da80d6b32a2d7e1bf2059f3e2ed245d81c024faf23", + "search_line": 11 + } ] diff --git a/assets/queries/terraform/aws/db_security_group_has_public_interface/test/positive_expected_result.json b/assets/queries/terraform/aws/db_security_group_has_public_interface/test/positive_expected_result.json index 3190fe513b0..38dab211555 100644 --- a/assets/queries/terraform/aws/db_security_group_has_public_interface/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/db_security_group_has_public_interface/test/positive_expected_result.json 
@@ -1,14 +1,32 @@ [ - { - "queryName": "DB Security Group Has Public Interface", - "severity": "HIGH", - "line": 5, - "fileName": "positive1.tf" - }, - { - "queryName": "DB Security Group Has Public Interface", - "severity": "HIGH", - "line": 9, - "fileName": "positive2.tf" - } + { + "queryName": "DB Security Group Has Public Interface", + "severity": "HIGH", + "line": 5, + "fileName": "positive1.tf", + "resourceType": "aws_db_security_group", + "resourceName": "rds_sg", + "searchKey": "aws_db_security_group[positive1].ingress.cidr", + "searchValue": "", + "expectedValue": "'aws_db_security_group[positive1].ingress.cidr' should not be '0.0.0.0/0' or '::/0'", + "actualValue": "'aws_db_security_group[positive1].ingress.cidr' is '0.0.0.0/0'", + "issueType": "IncorrectValue", + "similarityID": "bb5a028dbcc0681dad96bf6a3e18322927ff144fd940d543208e9276f504a444", + "search_line": 5 + }, + { + "queryName": "DB Security Group Has Public Interface", + "severity": "HIGH", + "line": 9, + "fileName": "positive2.tf", + "resourceType": "aws_db_security_group", + "resourceName": "rds_sg", + "searchKey": "aws_db_security_group[positive1].ingress.cidr", + "searchValue": "", + "expectedValue": "'aws_db_security_group[positive1].ingress[1].cidr' should not be '0.0.0.0/0' or '::/0'", + "actualValue": "'aws_db_security_group[positive1].ingress[1].cidr' is '0.0.0.0/0'", + "issueType": "IncorrectValue", + "similarityID": "8cc7cf133bb42872647ac40de8fc0064b385afba7dbb4def5af34803b7a0e658", + "search_line": 9 + } ] diff --git a/assets/queries/terraform/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json b/assets/queries/terraform/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json index a231edd750c..b0a959b8010 100644 --- a/assets/queries/terraform/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/db_security_group_open_to_large_scope/test/positive_expected_result.json 
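Review bot: The positive2.tf entry reports `"searchKey": "aws_db_security_group[positive1].ingress.cidr"` while its expected/actual messages refer to `ingress[1].cidr`, so the key that is meant to locate the finding drops the block index and would be identical to a finding on `ingress[0]` in the same resource. If positive2.tf labels its resource `positive2` (the convention every other fixture in this diff follows), the `positive1` label is also wrong, but I cannot confirm that from the diff alone — please check the test file. Either way this should be corrected in the query's result construction and the fixture regenerated, not edited by hand.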
@@ -2,6 +2,16 @@ { "queryName": "DB Security Group Open To Large Scope", "severity": "HIGH", - "line": 5 + "line": 5, + "fileName": "positive.tf", + "resourceType": "aws_db_security_group", + "resourceName": "positive1", + "searchKey": "aws_db_security_group[positive1].ingress.cidr", + "searchValue": "", + "expectedValue": "'aws_db_security_group.ingress.cidr' > 24", + "actualValue": "'aws_db_security_group.ingress.cidr' <= 24", + "issueType": "IncorrectValue", + "similarityID": "4ce3380e1525dabddbca152201bbb283345f1fcfb2cd177136add5a9a3070e55", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/db_security_group_with_public_scope/test/positive_expected_result.json b/assets/queries/terraform/aws/db_security_group_with_public_scope/test/positive_expected_result.json index 48e1b64a9c2..a98ee320010 100644 --- a/assets/queries/terraform/aws/db_security_group_with_public_scope/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/db_security_group_with_public_scope/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "DB Security Group With Public Scope", "severity": "CRITICAL", - "line": 5 + "line": 5, + "fileName": "positive.tf", + "resourceType": "aws_db_security_group", + "resourceName": "positive1", + "searchKey": "aws_db_security_group[positive1].ingress.cidr", + "searchValue": "", + "expectedValue": "'aws_db_security_group.ingress.cidr' != 0.0.0.0/0", + "actualValue": "'aws_db_security_group.ingress.cidr'= 0.0.0.0/0", + "issueType": "IncorrectValue", + "similarityID": "23b63035fa537a59e3b984928b29a03d6f2862972a95156370ab25ad658025ae", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json b/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json index 3cc3958c7b9..baaa8275980 100644 
--- a/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_db_security_group", + "resourceName": "positive1", + "searchKey": "aws_default_security_group[positive1]", + "searchValue": "", + "expectedValue": "ingress.cidr_blocks or egress.cidr_blocks diferent from '0.0.0.0/0' and '::/0'", + "actualValue": "ingress.cidr_blocks or egress.cidr_blocks are equal to '0.0.0.0/0' or '::/0'", + "issueType": "IncorrectValue", + "similarityID": "fc97d75ae30f483073718da877ef8a12ce6ab274142b46a5858bfd5a1880bd17", + "search_line": -1 }, { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", - "line": 13 + "line": 13, + "fileName": "positive.tf", + "resourceType": "aws_db_security_group", + "resourceName": "positive2", + "searchKey": "aws_default_security_group[positive2]", + "searchValue": "", + "expectedValue": "ingress.cidr_blocks or egress.cidr_blocks diferent from '0.0.0.0/0' and '::/0'", + "actualValue": "ingress.cidr_blocks or egress.cidr_blocks are equal to '0.0.0.0/0' or '::/0'", + "issueType": "IncorrectValue", + "similarityID": "1b527a262a319285207cd0cf0276fd1868195e53240cff6bd397eb707a57cac3", + "search_line": -1 }, { "queryName": "Default Security Groups With Unrestricted Traffic", "severity": "HIGH", - "line": 24 + "line": 24, + "fileName": "positive.tf", + "resourceType": "aws_db_security_group", + "resourceName": "positive3", + "searchKey": "aws_default_security_group[positive3]", + "searchValue": "", + "expectedValue": "ingress.cidr_blocks or egress.cidr_blocks diferent from '0.0.0.0/0' and '::/0'", + "actualValue": "ingress.cidr_blocks or egress.cidr_blocks are equal to '0.0.0.0/0' or '::/0'", + "issueType": "IncorrectValue", + "similarityID": "f65d96636040b9b31e232907574db6325b00afe8e710eee6a71c1b44d0812c8a", + "search_line": -1 } ] 
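Review bot: All three new entries pin `"resourceType": "aws_db_security_group"` while their `searchKey` is `aws_default_security_group[positiveN]` and the query is "Default Security Groups With Unrestricted Traffic", so the golden file now locks in a resource type that does not match the resource the query actually flags. Consumers that route or suppress findings by resourceType (per-resource baselines, dashboards) would mis-file these results, and the test suite would fail the moment the query is corrected. This looks like copy-paste metadata in the query rather than a fixture problem; fix it there and regenerate, with the expected line becoming `"resourceType": "aws_default_security_group",`. The `expectedValue` text in the same entries also misspells "diferent" and could be fixed in the same pass.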
diff --git a/assets/queries/terraform/aws/default_vpc_exists/test/positive_expected_result.json b/assets/queries/terraform/aws/default_vpc_exists/test/positive_expected_result.json index 67846e5982e..6fffc028e33 100644 --- a/assets/queries/terraform/aws/default_vpc_exists/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/default_vpc_exists/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "Default VPC Exists", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_default_vpc", + "resourceName": "Default VPC", + "searchKey": "aws_default_vpc[positive1]", + "searchValue": "", + "expectedValue": "'aws_default_vpc' should not exist", + "actualValue": "'aws_default_vpc' exists", + "issueType": "IncorrectValue", + "similarityID": "57089b35eb1038a73e3ba96cc84ac3fa4b54e6756ec58ecf94c237b7a92cf225", + "search_line": 1 }, { "queryName": "Default VPC Exists", "severity": "MEDIUM", "line": 14, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "vpc.default_vpc_name", + "searchValue": "", + "expectedValue": "'aws_default_vpc' should not exist", + "actualValue": "'aws_default_vpc' exists", + "issueType": "IncorrectValue", + "similarityID": "75c23bdd15a61f22b3e193a58023838dbfea3b3524ca888b575257f2bc89814f", + "search_line": 14 } ] diff --git a/assets/queries/terraform/aws/docdb_cluster_encrypted_with_aws_managed_key/test/positive_expected_result.json b/assets/queries/terraform/aws/docdb_cluster_encrypted_with_aws_managed_key/test/positive_expected_result.json index 8788d51d849..0bbf2946a8d 100644 --- a/assets/queries/terraform/aws/docdb_cluster_encrypted_with_aws_managed_key/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/docdb_cluster_encrypted_with_aws_managed_key/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "DOCDB Cluster Encrypted With AWS Managed Key", "severity": "LOW", - "line": 16 + "line": 16, + "fileName": "positive.tf", + "resourceType": "aws_docdb_cluster", + "resourceName": "test2", + "searchKey": "aws_docdb_cluster[test2].kms_key_id", + "searchValue": "", + "expectedValue": "DOCDB Cluster should not be encrypted with AWS managed key", + "actualValue": "DOCDB Cluster is encrypted with AWS managed key", + "issueType": "IncorrectValue", + "similarityID": "37d0cff321892bbd675d2f5d72c872bd332ce257a832519e031e3b8c3bf365f0", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/docdb_cluster_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/docdb_cluster_not_encrypted/test/positive_expected_result.json index bf3c7122305..2eb39e0a3de 100644 --- a/assets/queries/terraform/aws/docdb_cluster_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/docdb_cluster_not_encrypted/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "DOCDB Cluster Not Encrypted", "severity": "HIGH", "line": 1, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_docdb_cluster", + "resourceName": "docdb", + "searchKey": "aws_docdb_cluster[{{docdb}}]", + "searchValue": "", + "expectedValue": "aws_docdb_cluster.storage_encrypted should be set to true", + "actualValue": "aws_docdb_cluster.storage_encrypted is missing", + "issueType": "MissingAttribute", + "similarityID": "eff2882c2a00eb960a17131e77342bc3ef36cb2eebb0d01341a5ac4756370583", + "search_line": 1 }, { "queryName": "DOCDB Cluster Not Encrypted", "severity": "HIGH", "line": 19, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_docdb_cluster", + "resourceName": "docdb_2", + "searchKey": "aws_docdb_cluster[{{docdb_2}}].storage_encrypted", + "searchValue": "", + "expectedValue": "aws_docdb_cluster.storage_encrypted should be set to true", + "actualValue": "aws_docdb_cluster.storage_encrypted is set to false", + "issueType": "IncorrectValue", + "similarityID": "d50ce0ff1b5f34fed8b22c3e521315889d678dc4c943a27973c507e4dff9e044", + "search_line": 19 } ] diff --git a/assets/queries/terraform/aws/docdb_cluster_without_kms/test/positive_expected_result.json b/assets/queries/terraform/aws/docdb_cluster_without_kms/test/positive_expected_result.json index 6556e064692..adcacd03619 100644 --- a/assets/queries/terraform/aws/docdb_cluster_without_kms/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/docdb_cluster_without_kms/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "DOCDB Cluster Without KMS", "severity": "HIGH", "line": 1, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_docdb_cluster", + "resourceName": "docdb", + "searchKey": "aws_docdb_cluster[{{docdb}}]", + "searchValue": "", + "expectedValue": "aws_docdb_cluster.kms_key_id should be defined and not null", + "actualValue": "aws_docdb_cluster.kms_key_id is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "88ae60d5a7df8532b667539484011861699fc484a8d134a32ed9f657df8370ad", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/docdb_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/docdb_logging_disabled/test/positive_expected_result.json index 0c84ccf6804..e539b8c7534 100644 --- a/assets/queries/terraform/aws/docdb_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/docdb_logging_disabled/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_docdb_cluster", + "resourceName": "positive1", + "searchKey": "aws_docdb_cluster[{{positive1}}]", + "searchValue": "", + "expectedValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports should be defined", + "actualValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports is undefined", + "issueType": "MissingAttribute", + "similarityID": "8a9cc162eb262bed6b2267499c319ee64157fc39c1b61dea5f9d4b2f096e8585", + "search_line": -1 }, { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 10, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_docdb_cluster", + "resourceName": "positive2", + "searchKey": "aws_docdb_cluster[{{positive2}}].enabled_cloudwatch_logs_exports", + "searchValue": "", + "expectedValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports should have all following values: audit, profiler", + "actualValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports is empty", + "issueType": "IncorrectValue", + "similarityID": "6451e4eff5359ff8ebd5ab28b9682da5b740c933a87a32cba7f49304bda0406e", + "search_line": -1 }, { "queryName": "DocDB Logging Is Disabled", "severity": "MEDIUM", "line": 10, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_docdb_cluster", + "resourceName": "positive3", + "searchKey": "aws_docdb_cluster[{{positive3}}].enabled_cloudwatch_logs_exports", + "searchValue": "", + "expectedValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports should have all following values: audit, profiler", + "actualValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports has the following missing values: audit", + "issueType": "IncorrectValue", + "similarityID": "95971ccf3a4f88527e168cac0d0d49af73669482d328d544b23140fd354e30ff", + "search_line": -1 }, { "queryName": "DocDB Logging Is Disabled", 
"severity": "MEDIUM", "line": 10, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_docdb_cluster", + "resourceName": "positive4", + "searchKey": "aws_docdb_cluster[{{positive4}}].enabled_cloudwatch_logs_exports", + "searchValue": "", + "expectedValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports should have all following values: audit, profiler", + "actualValue": "aws_docdb_cluster.enabled_cloudwatch_logs_exports has the following missing values: profiler", + "issueType": "IncorrectValue", + "similarityID": "da824f68b7555321d87fd8fb171bf7b13cb583cdaa6e3589ab71e5d0a07224b0", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json index 4fe338ed241..3236e721c7c 100644 --- a/assets/queries/terraform/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/dynamodb_table_not_encrypted/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "DynamoDB Table Not Encrypted", "severity": "HIGH", "line": 1, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_dynamodb_table", + "resourceName": "example", + "searchKey": "aws_dynamodb_table[{{example}}]", + "searchValue": "", + "expectedValue": "aws_dynamodb_table.server_side_encryption.enabled should be set to true", + "actualValue": "aws_dynamodb_table.server_side_encryption is missing", + "issueType": "MissingAttribute", + "similarityID": "fee441a4532096aa7d827b33f80b8eb3dd9ddcb32eb626ad2c5fff5fc5b980a5", + "search_line": 1 }, { "queryName": "DynamoDB Table Not Encrypted", "severity": "HIGH", "line": 30, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_dynamodb_table", + "resourceName": "example", + "searchKey": "aws_dynamodb_table[{{example_2}}].server_side_encryption.enabled", + "searchValue": "", + "expectedValue": "aws_dynamodb_table.server_side_encryption.enabled should be set to true", + "actualValue": "aws_dynamodb_table.server_side_encryption.enabled is set to false", + "issueType": "IncorrectValue", + "similarityID": "8bec6928272dc95392c1b3bb223548688097c83548001fdf89cefefcd8d21905", + "search_line": 30 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json index bb0ed6d24e4..d3ddd709732 100644 --- a/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "DynamoDB Table Point In Time Recovery Disabled", "severity": "INFO", "line": 10, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_dynamodb_table", + "resourceName": "aws_dynamodb_table", + "searchKey": "aws_dynamodb_table[{{basic-dynamodb-table}}].point_in_time_recovery.enabled", + "searchValue": "", + "expectedValue": "aws_dynamodb_table.point_in_time_recovery.enabled should be set to true", + "actualValue": "aws_dynamodb_table.point_in_time_recovery.enabled is set to false", + "issueType": "IncorrectValue", + "similarityID": "0143bd0c94ba9b4cc921dbb167c0e5c0fe5c5489a0795f2c6d53202a47b4b3cd", + "search_line": -1 }, { "queryName": "DynamoDB Table Point In Time Recovery Disabled", "severity": "INFO", "line": 1, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_dynamodb_table", + "resourceName": "aws_dynamodb_table", + "searchKey": "aws_dynamodb_table[{{basic-dynamodb-table}}]", + "searchValue": "", + "expectedValue": "aws_dynamodb_table.point_in_time_recovery.enabled should be enabled", + "actualValue": "aws_dynamodb_table.point_in_time_recovery is missing", + "issueType": "MissingAttribute", + "similarityID": "80e2dccf1dda7942af780cf7615e353de7a515dc1c430bbfa25a15259b85500b", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/dynamodb_vpc_endpoint_without_route_table_association/test/positive_expected_result.json b/assets/queries/terraform/aws/dynamodb_vpc_endpoint_without_route_table_association/test/positive_expected_result.json index 2d63fdae815..3e6a030d6bd 100644 --- a/assets/queries/terraform/aws/dynamodb_vpc_endpoint_without_route_table_association/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/dynamodb_vpc_endpoint_without_route_table_association/test/positive_expected_result.json 
@@ -2,6 +2,16 @@
  {
  "queryName": "Dynamodb VPC Endpoint Without Route Table Association",
  "severity": "LOW",
- "line": 31
+ "line": 31,
+ "fileName": "positive.tf",
+ "resourceType": "aws_vpc_endpoint",
+ "resourceName": "dynamodb-vpce-gw",
+ "searchKey": "aws_vpc_endpoint[dynamodb-vpce-gw].vpc_id",
+ "searchValue": "",
+ "expectedValue": "Dynamodb VPC Endpoint should be associated with Route Table Association",
+ "actualValue": "Dynamodb VPC Endpoint is not associated with Route Table Association",
+ "issueType": "MissingAttribute",
+ "similarityID": "fe092c73c57cce460b10a7b521e53532b071a50b8fe723eea595e7fe4977d922",
+ "search_line": -1
  }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/ebs_default_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/ebs_default_encryption_disabled/test/positive_expected_result.json
index 65ef7abe96e..95346a6499c 100644
--- a/assets/queries/terraform/aws/ebs_default_encryption_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/ebs_default_encryption_disabled/test/positive_expected_result.json
@@ -2,6 +2,16 @@
  {
  "queryName": "EBS Default Encryption Disabled",
  "severity": "HIGH",
- "line": 2
+ "line": 2,
+ "fileName": "positive.tf",
+ "resourceType": "aws_ebs_encryption_by_default",
+ "resourceName": "positive1",
+ "searchKey": "aws_ebs_encryption_by_default[positive1].enabled",
+ "searchValue": "",
+ "expectedValue": "'aws_ebs_encryption_by_default.encrypted' should be true",
+ "actualValue": "'aws_ebs_encryption_by_default.encrypted' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "0a82d63ff601670505cdc2c012394a3c93dba19af5bdbc447f646348ddcd37fe",
+ "search_line": 2
  }
  ]
diff --git a/assets/queries/terraform/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json
index 8ba140c64e7..85a00f57320 100644
--- a/assets/queries/terraform/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/ebs_volume_encryption_disabled/test/positive_expected_result.json
@@ -3,12 +3,30 @@
  "queryName": "EBS Volume Encryption Disabled",
  "severity": "HIGH",
  "line": 4,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_ebs_volume",
+ "resourceName": "HelloWorld",
+ "searchKey": "aws_ebs_volume[positive1].encrypted",
+ "searchValue": "",
+ "expectedValue": "One of 'aws_ebs_volume.encrypted' should be 'true'",
+ "actualValue": "One of 'aws_ebs_volume.encrypted' is 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "da866a7215ee156847aeba712906fa9dcf930b6f54971511eb99f279300986d7",
+ "search_line": 4
  },
  {
  "queryName": "EBS Volume Encryption Disabled",
  "severity": "HIGH",
  "line": 1,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "aws_ebs_volume",
+ "resourceName": "HelloWorld",
+ "searchKey": "aws_ebs_volume[positive2]",
+ "searchValue": "",
+ "expectedValue": "One of 'aws_ebs_volume.encrypted' should be defined",
+ "actualValue": "One of 'aws_ebs_volume.encrypted' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "24f46d184ac1fc49ebe44d579b5ebcfd2eca0f09bac6680ffc1fe216b234cfbb",
+ "search_line": 1
  }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/test/positive_expected_result.json
index da1650285d8..b3828c8549c 100644
--- a/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted/test/positive_expected_result.json
@@ -3,12 +3,30 @@
  "queryName": "EBS Volume Snapshot Not Encrypted",
  "severity": "HIGH",
  "line": 4,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_ebs_volume",
+ "resourceName": "positive1",
+ "searchKey": "aws_ebs_volume[positive1].encrypted",
+ "searchValue": "",
+ "expectedValue": "'aws_ebs_volume[positive1].encrypted' associated with aws_ebs_snapshot[positive1] should be true",
+ "actualValue": "'aws_ebs_volume[positive1].encrypted' associated with aws_ebs_snapshot[positive1] is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "1456df18ac01939c2244863c847ebd2d186afcbab2981fd74e6194e58ec134f9",
+ "search_line": -1
  },
  {
  "queryName": "EBS Volume Snapshot Not Encrypted",
  "severity": "HIGH",
  "line": 10,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "aws_ebs_snapshot",
+ "resourceName": "positive2",
+ "searchKey": "aws_ebs_snapshot[positive2]",
+ "searchValue": "",
+ "expectedValue": "'aws_ebs_volume[positive2].encrypted' associated with aws_ebs_snapshot[positive2] should be set",
+ "actualValue": "'aws_ebs_volume[positive2].encrypted' associated with aws_ebs_snapshot[positive2] is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "00bb4b9c56693ac46f85733b066abdcb6aece8afb2651082ba45c3db14e1b72d",
+ "search_line": -1
  }
  ]
diff --git a/assets/queries/terraform/aws/ec2_instance_has_public_ip/test/positive_expected_result.json b/assets/queries/terraform/aws/ec2_instance_has_public_ip/test/positive_expected_result.json
index 71d37ca807f..734656520bf 100644
--- a/assets/queries/terraform/aws/ec2_instance_has_public_ip/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/ec2_instance_has_public_ip/test/positive_expected_result.json
@@ -3,24 +3,60 @@
  "queryName": "EC2 Instance Has Public IP",
  "severity": "MEDIUM",
  "line": 17,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_instance",
+ "resourceName": "HelloWorld",
+ "searchKey": "aws_instance.web2",
+ "searchValue": "",
+ "expectedValue": "'associate_public_ip_address' should be defined and not null",
+ "actualValue": "'associate_public_ip_address' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "193c0c4fc1eaa42951e69fd6413c52ced96d31029ef414be5fdafe05972cb586",
+ "search_line": 17
  },
  {
  "queryName": "EC2 Instance Has Public IP",
  "severity": "MEDIUM",
  "line": 28,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_instance",
+ "resourceName": "HelloWorld",
+ "searchKey": "aws_instance.web3.associate_public_ip_address",
+ "searchValue": "",
+ "expectedValue": "'associate_public_ip_address' should be set to false",
+ "actualValue": "'associate_public_ip_address' is true",
+ "issueType": "IncorrectValue",
+ "similarityID": "087080a66deb5ab597b6336ec62d32d5c3329f2e94661ab9c81b10a642b2f2b6",
+ "search_line": 28
  },
  {
  "queryName": "EC2 Instance Has Public IP",
  "severity": "MEDIUM",
  "line": 1,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[ec2_instance]",
+ "searchValue": "",
+ "expectedValue": "'associate_public_ip_address' should be defined and not null",
+ "actualValue": "'associate_public_ip_address' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "6936cfc66743a8ab7cedbdd632d4df03ad99c302343c84a4c9fc8e77753a42ca",
+ "search_line": 1
  },
  {
  "queryName": "EC2 Instance Has Public IP",
  "severity": "MEDIUM",
  "line": 13,
- "fileName": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[ec2_instance].associate_public_ip_address",
+ "searchValue": "",
+ "expectedValue": "'associate_public_ip_address' should be set to false",
+ "actualValue": "'associate_public_ip_address' is true",
+ "issueType": "IncorrectValue",
+ "similarityID": "97e9cedbb06c6070fc8ca0e11ad44c6f6dd867ccb6d1e4c76058ee1693dece71",
+ "search_line": 13
  }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json
index edc9aa0da27..43b6abbe3ed 100644
--- a/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/ec2_instance_monitoring_disabled/test/positive_expected_result.json
@@ -3,30 +3,75 @@
  "queryName": "EC2 Instance Monitoring Disabled",
  "severity": "MEDIUM",
  "line": 17,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_instance",
+ "resourceName": "HelloWorld",
+ "searchKey": "aws_instance.{{monitoring_positive1}}",
+ "searchValue": "",
+ "expectedValue": "'monitoring' should be defined and not null",
+ "actualValue": "'monitoring' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "c7857d5e5265dea8883a3442036b2f93201e6f2b79ee7c9f79c736656d77e649",
+ "search_line": 17
  },
  {
  "queryName": "EC2 Instance Monitoring Disabled",
  "severity": "MEDIUM",
  "line": 20,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "aws_instance",
+ "resourceName": "HelloWorld",
+ "searchKey": "aws_instance.{{monitoring_positive2}}.monitoring",
+ "searchValue": "",
+ "expectedValue": "monitoring_positive2.'monitoring' should be set to true",
+ "actualValue": "monitoring_positive2.'monitoring' is set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "472a37dbab4b890684b38244bf5a220feacbaf3f3ce43a2d9c8427e6daf5137e",
+ "search_line": 20
  },
  {
  "queryName": "EC2 Instance Monitoring Disabled",
  "severity": "MEDIUM",
  "line": 1,
- "fileName": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[ec2_instance]",
+ "searchValue": "",
+ "expectedValue": "'monitoring' should be defined and not null",
+ "actualValue": "'monitoring' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "cab62de2d9baca63e7eda82d6de956a403d59454907b27f5b6d60bafb92ec474",
+ "search_line": 1
  },
  {
  "queryName": "EC2 Instance Monitoring Disabled",
  "severity": "MEDIUM",
  "line": 10,
- "fileName": "positive4.tf"
+ "fileName": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[ec2_instance].monitoring",
+ "searchValue": "",
+ "expectedValue": "ec2_instance.'monitoring' should be set to true",
+ "actualValue": "ec2_instance.'monitoring' is set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "b04aff48eafcb6b2b1043bcf56aea0827a48a6ed3510e1c84116d44f4fec72a2",
+ "search_line": 10
  },
  {
  "queryName": "EC2 Instance Monitoring Disabled",
  "severity": "MEDIUM",
  "line": 28,
- "fileName": "positive5.json"
+ "fileName": "positive5.json",
+ "resourceType": "aws_instance",
+ "resourceName": "cdktf-test",
+ "searchKey": "aws_instance.{{cdktf-test}}.monitoring",
+ "searchValue": "",
+ "expectedValue": "cdktf-test.'monitoring' should be set to true",
+ "actualValue": "cdktf-test.'monitoring' is set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "5fb27bf671b9703a52e2851b07e8e56972b3af0463e35b1240e9b6affab3211e",
+ "search_line": 28
  }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/ec2_instance_using_api_keys/test/positive_expected_result.json b/assets/queries/terraform/aws/ec2_instance_using_api_keys/test/positive_expected_result.json
index 715b290c48f..500fbb70ee9 100644
--- a/assets/queries/terraform/aws/ec2_instance_using_api_keys/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/ec2_instance_using_api_keys/test/positive_expected_result.json
@@ -3,72 +3,180 @@
  "queryName": "EC2 Instance Using API Keys",
  "severity": "LOW",
  "line": 5,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_instance",
+ "resourceName": "test",
+ "searchKey": "aws_instance[positive1]",
+ "searchValue": "",
+ "expectedValue": "aws_instance[positive1] should be using iam_instance_profile to assign a role with permissions",
+ "actualValue": "aws_instance[positive1].user_data is being used to configure AWS API keys",
+ "issueType": "MissingAttribute",
+ "similarityID": "63c8acf05ee7a720d776c4e39c30caf1e2f8082242e9fcc2644e44a538e51c5b",
+ "search_line": -1
  },
  {
  "queryName": "EC2 Instance Using API Keys",
  "severity": "LOW",
  "line": 5,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "aws_instance",
+ "resourceName": "test",
+ "searchKey": "aws_instance[positive2]",
+ "searchValue": "",
+ "expectedValue": "aws_instance[positive2] should be using iam_instance_profile to assign a role with permissions",
+ "actualValue": "aws_instance[positive2].user_data is being used to configure AWS API keys",
+ "issueType": "MissingAttribute",
+ "similarityID": "d8aef5392f0d7d7440d87dd95c4f9f33371b70bb74724db2d0dd8a83b6055352",
+ "search_line": -1
  },
  {
  "queryName": "EC2 Instance Using API Keys",
  "severity": "LOW",
  "line": 5,
- "fileName": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "aws_instance",
+ "resourceName": "test",
+ "searchKey": "aws_instance[positive3]",
+ "searchValue": "",
+ "expectedValue": "aws_instance[positive3] should be using iam_instance_profile to assign a role with permissions",
+ "actualValue": "aws_instance[positive3].user_data is being used to configure AWS API keys",
+ "issueType": "MissingAttribute",
+ "similarityID": "e2608bc2689a238860dc781bf3392483c81507d7cbadb0c72b35ed766905a6fa",
+ "search_line": -1
  },
  {
  "queryName": "EC2 Instance Using API Keys",
  "severity": "LOW",
  "line": 5,
- "fileName": "positive4.tf"
+ "fileName": "positive4.tf",
+ "resourceType": "aws_instance",
+ "resourceName": "test",
+ "searchKey": "aws_instance[positive4]",
+ "searchValue": "",
+ "expectedValue": "aws_instance[positive4] should be using iam_instance_profile to assign a role with permissions",
+ "actualValue": "aws_instance[positive4].user_data is being used to configure AWS API keys",
+ "issueType": "MissingAttribute",
+ "similarityID": "0762fc962a07388ce7d4e59dcd70ff3af4f2539faf650faf404acd034482395b",
+ "search_line": -1
  },
  {
  "queryName": "EC2 Instance Using API Keys",
  "severity": "LOW",
  "line": 5,
- "fileName": "positive5.tf"
+ "fileName": "positive5.tf",
+ "resourceType": "aws_instance",
+ "resourceName": "test",
+ "searchKey": "aws_instance[positive5]",
+ "searchValue": "",
+ "expectedValue": "aws_instance[positive5] should be using iam_instance_profile to assign a role with permissions",
+ "actualValue": "aws_instance[positive5].user_data is being used to configure AWS API keys",
+ "issueType": "MissingAttribute",
+ "similarityID": "65a235a88f46225ff156bb086900958e85413678e5638db7271e6e9a64df2cb2",
+ "search_line": -1
  },
  {
  "queryName": "EC2 Instance Using API Keys",
  "severity": "LOW",
  "line": 5,
- "fileName": "positive6.tf"
+ "fileName": "positive6.tf",
+ "resourceType": "aws_instance",
+ "resourceName": "test",
+ "searchKey": "aws_instance[positive6]",
+ "searchValue": "",
+ "expectedValue": "aws_instance[positive6] should be using iam_instance_profile to assign a role with permissions",
+ "actualValue": "aws_instance[positive6].user_data is being used to configure AWS API keys",
+ "issueType": "MissingAttribute",
+ "similarityID": "b6cc53e02ce133d0bc3a640d14507bc41a336cef1e3047b9473fa7a9480ef8d1",
+ "search_line": -1
  },
  {
  "queryName": "EC2 Instance Using API Keys",
  "severity": "LOW",
  "line": 13,
- "fileName": "positive7.tf"
+ "fileName": "positive7.tf",
+ "resourceType": "aws_instance",
+ "resourceName": "test",
+ "searchKey": "aws_instance[positive7].provisioner",
+ "searchValue": "",
+ "expectedValue": "aws_instance[positive7].provisioner.remote-exec should be used to configure AWS API keys",
+ "actualValue": "aws_instance[positive7] should be using iam_instance_profile to assign a role with permissions",
+ "issueType": "IncorrectValue",
+ "similarityID": "7c548973d3c2ffc0213d216fd2ae7bde63b62f293c7ffbf06021d7bb2c0fc561",
+ "search_line": -1
  },
  {
  "queryName": "EC2 Instance Using API Keys",
  "severity": "LOW",
  "line": 13,
- "fileName": "positive8.tf"
+ "fileName": "positive8.tf",
+ "resourceType": "aws_instance",
+ "resourceName": "test",
+ "searchKey": "aws_instance[positive8].provisioner",
+ "searchValue": "",
+ "expectedValue": "aws_instance[positive8].provisioner.file should be used to configure AWS API keys",
+ "actualValue": "aws_instance[positive8] should be using iam_instance_profile to assign a role with permissions",
+ "issueType": "IncorrectValue",
+ "similarityID": "5eadadd639111238ed2eb3a7b94adc1266ff457078d42ebf7ac8b9996e5d6520",
+ "search_line": -1
  },
  {
  "queryName": "EC2 Instance Using API Keys",
  "severity": "LOW",
  "line": 13,
- "fileName": "positive9.tf"
+ "fileName": "positive9.tf",
+ "resourceType": "aws_instance",
+ "resourceName": "test",
+ "searchKey": "aws_instance[positive9].provisioner",
+ "searchValue": "",
+ "expectedValue": "aws_instance[positive9].provisioner.remote-exec should be used to configure AWS API keys",
+ "actualValue": "aws_instance[positive9] should be using iam_instance_profile to assign a role with permissions",
+ "issueType": "IncorrectValue",
+ "similarityID": "11a6fe245d82061da755d93b09bece83c4fd018f77e0b6c5b2511220de6552aa",
+ "search_line": -1
  },
  {
  "queryName": "EC2 Instance Using API Keys",
  "severity": "LOW",
  "line": 1,
- "fileName": "positive10.tf"
+ "fileName": "positive10.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[ec2_instance]",
+ "searchValue": "",
+ "expectedValue": "module[ec2_instance] should be using iam_instance_profile to assign a role with permissions",
+ "actualValue": "module[ec2_instance].user_data is being used to configure AWS API keys",
+ "issueType": "MissingAttribute",
+ "similarityID": "fa6724106fbb3e3474e7cc1fcba193bae25f948ef83fe21124c0a80c3e71adf2",
+ "search_line": 1
  },
  {
  "queryName": "EC2 Instance Using API Keys",
  "severity": "LOW",
  "line": 1,
- "fileName": "positive11.tf"
+ "fileName": "positive11.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[ec2_instance]",
+ "searchValue": "",
+ "expectedValue": "module[ec2_instance] should be using iam_instance_profile to assign a role with permissions",
+ "actualValue": "module[ec2_instance].user_data is being used to configure AWS API keys",
+ "issueType": "MissingAttribute",
+ "similarityID": "bffc4644fc510a7d8dc666a91d7d3f854c3dbf68411202127ac473d2d80ebd17",
+ "search_line": 1
  },
  {
  "queryName": "EC2 Instance Using API Keys",
  "severity": "LOW",
  "line": 1,
- "fileName": "positive12.tf"
+ "fileName": "positive12.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[ec2_instance]",
+ "searchValue": "",
+ "expectedValue": "module[ec2_instance] should be using iam_instance_profile to assign a role with permissions",
+ "actualValue": "module[ec2_instance].user_data is being used to configure AWS API keys",
+ "issueType": "MissingAttribute",
+ "similarityID": "07e0e01106bc24564daeaec18ca818721ded1614274c9dfe8b2d0357665ba995",
+ "search_line": 1
  }
  ]
diff --git a/assets/queries/terraform/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json b/assets/queries/terraform/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json
index 60974d84ff2..5ac3f0369e6 100644
--- a/assets/queries/terraform/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/ec2_instance_using_default_security_group/test/positive_expected_result.json
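Review bot: The regenerated entries for positive7, positive8 and positive9 in this hunk pin `expectedValue`/`actualValue` strings that read inverted relative to the other nine entries: the expected text is `aws_instance[positive7].provisioner.remote-exec should be used to configure AWS API keys` while the actual text carries the `should be using iam_instance_profile` recommendation. That wording comes from the query's Rego, not from the generator, but committing it as expected output turns the test into a guard for the swapped messages rather than a detector of them. The ecs_service_without_running_tasks hunk later in this diff shows the same pattern (`has at least 1 task running` as expected, `must have at least 1 task running` as actual). It would be worth correcting the message wiring in those queries and regenerating, or at least calling the entries out in the PR description so the fixture is not read as endorsing the text.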
@@ -3,12 +3,30 @@
  "queryName": "EC2 Instance Using Default Security Group",
  "severity": "MEDIUM",
  "line": 9,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_instance",
+ "resourceName": "HelloWorld",
+ "searchKey": "aws_instance[positive1].security_groups",
+ "searchValue": "",
+ "expectedValue": "aws_instance[positive1].security_groups should not be using default security group",
+ "actualValue": "aws_instance[positive1].security_groups is using at least one default security group",
+ "issueType": "IncorrectValue",
+ "similarityID": "8bb360e64e5d1fecf62a47aa78395d51ea94f9c8daa0ba216661f2577f0ad3f7",
+ "search_line": 9
  },
  {
  "queryName": "EC2 Instance Using Default Security Group",
  "severity": "MEDIUM",
  "line": 6,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "aws_instance",
+ "resourceName": "positive2",
+ "searchKey": "aws_instance[positive2].vpc_security_group_ids",
+ "searchValue": "",
+ "expectedValue": "aws_instance[positive2].vpc_security_group_ids should not be using default security group",
+ "actualValue": "aws_instance[positive2].vpc_security_group_ids is using at least one default security group",
+ "issueType": "IncorrectValue",
+ "similarityID": "a3bac31e31503391c514a942b1ff292de6bbd4555e4c151aa13db80594757335",
+ "search_line": 6
  }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json b/assets/queries/terraform/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json
index 9d70d60ac40..a7839990135 100644
--- a/assets/queries/terraform/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/ec2_instance_using_default_vpc/test/positive_expected_result.json
@@ -3,6 +3,15 @@
  "queryName": "EC2 Instance Using Default VPC",
  "severity": "LOW",
  "line": 6,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_instance",
+ "resourceName": "positive1",
+ "searchKey": "aws_instance[positive1].subnet_id",
+ "searchValue": "",
+ "expectedValue": "aws_instance[positive1].subnet_id should not be associated with a default VPC",
+ "actualValue": "aws_instance[positive1].subnet_id is associated with a default VPC",
+ "issueType": "IncorrectValue",
+ "similarityID": "5fa312676b2c55265a88fc327e7c5b713596ff1fc97bf7e623ef2cdc90b41ac7",
+ "search_line": 6
  }
  ]
diff --git a/assets/queries/terraform/aws/ec2_not_ebs_optimized/test/positive_expected_result.json b/assets/queries/terraform/aws/ec2_not_ebs_optimized/test/positive_expected_result.json
index 98335b48ae9..8c7ff88e2a8 100644
--- a/assets/queries/terraform/aws/ec2_not_ebs_optimized/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/ec2_not_ebs_optimized/test/positive_expected_result.json
@@ -3,24 +3,60 @@
  "queryName": "EC2 Not EBS Optimized",
  "severity": "INFO",
  "line": 17,
- "filename": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_instance",
+ "resourceName": "HelloWorld",
+ "searchKey": "aws_instance[{{web}}]",
+ "searchValue": "",
+ "expectedValue": "'ebs_optimized' should be set to true",
+ "actualValue": "'ebs_optimized' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "7da8a09356c76b035cacc69c037658aff89ccd49b12d298e7421f51abfaa3888",
+ "search_line": 17
  },
  {
  "queryName": "EC2 Not EBS Optimized",
  "severity": "INFO",
  "line": 20,
- "filename": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "aws_instance",
+ "resourceName": "HelloWorld",
+ "searchKey": "aws_instance[{{web}}].ebs_optimized",
+ "searchValue": "",
+ "expectedValue": "'ebs_optimized' should be set to true",
+ "actualValue": "'ebs_optimized' is set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "efcb90259294d7ed6f5197b2ceda411924c2a0c64392f5468bb504426604ff55",
+ "search_line": 20
  },
  {
  "queryName": "EC2 Not EBS Optimized",
  "severity": "INFO",
  "line": 1,
- "filename": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[ec2_instance]",
+ "searchValue": "",
+ "expectedValue": "'ebs_optimized' should be set to true",
+ "actualValue": "'ebs_optimized' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "e5fbf03016d3800b4e8a0fd12206816c34d70e59fc61dabb0281a42c0fff5f6a",
+ "search_line": 1
  },
  {
  "queryName": "EC2 Not EBS Optimized",
  "severity": "INFO",
  "line": 9,
- "filename": "positive4.tf"
+ "fileName": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[ec2_instance].ebs_optimized",
+ "searchValue": "",
+ "expectedValue": "'ebs_optimized' should be set to true",
+ "actualValue": "'ebs_optimized' is set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "cefc8594d51c772e25e5475f53170602e6f4e6914761a98adbb5be68187b58ef",
+ "search_line": 9
  }
  ]
diff --git a/assets/queries/terraform/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json b/assets/queries/terraform/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json
index 5f98584ec05..d2def634573 100644
--- a/assets/queries/terraform/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/ecr_image_tag_not_immutable/test/positive_expected_result.json
@@ -3,12 +3,30 @@
  "queryName": "ECR Image Tag Not Immutable",
  "severity": "MEDIUM",
  "line": 3,
- "fileName": "positive.tf"
+ "fileName": "positive.tf",
+ "resourceType": "aws_ecr_repository",
+ "resourceName": "bar",
+ "searchKey": "aws_ecr_repository.foo2.image_tag_mutability",
+ "searchValue": "",
+ "expectedValue": "aws_ecr_repository.foo2.image_tag_mutability should be 'IMMUTABLE'",
+ "actualValue": "aws_ecr_repository.foo2.image_tag_mutability is 'MUTABLE'",
+ "issueType": "IncorrectValue",
+ "similarityID": "2be5637a54bd0dc5b6f7f8426c4c2b7275745927ee26a7f951b4d916ec491896",
+ "search_line": 3
  },
  {
  "queryName": "ECR Image Tag Not Immutable",
  "severity": "MEDIUM",
  "line": 10,
- "fileName": "positive.tf"
+ "fileName": "positive.tf",
+ "resourceType": "aws_ecr_repository",
+ "resourceName": "bar",
+ "searchKey": "aws_ecr_repository.foo3",
+ "searchValue": "",
+ "expectedValue": "aws_ecr_repository.foo3.image_tag_mutability should be defined and not null",
+ "actualValue": "aws_ecr_repository.foo3.image_tag_mutability is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "bc13210a5cf0ec1a14be24fce473bab198194621382265bc5bd27e6b2624b9b9",
+ "search_line": 10
  }
  ]
diff --git a/assets/queries/terraform/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json
index 6a419b1981b..292484bbbf8 100644
--- a/assets/queries/terraform/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/ecr_repository_is_publicly_accessible/test/positive_expected_result.json
@@ -2,6 +2,16 @@
  {
  "queryName": "ECR Repository Is Publicly Accessible",
  "severity": "CRITICAL",
- "line": 8
+ "line": 8,
+ "fileName": "positive.tf",
+ "resourceType": "aws_ecr_repository_policy",
+ "resourceName": "positive2",
+ "searchKey": "aws_ecr_repository_policy[positive2].policy",
+ "searchValue": "",
+ "expectedValue": "'Statement.Principal' shouldn't contain '*'",
+ "actualValue": "'Statement.Principal' contains '*'",
+ "issueType": "IncorrectValue",
+ "similarityID": "3c30985462d930ca29310dc0e8534ff2a279f46252c3fcf7d514a3983a58e2db",
+ "search_line": 8
  }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/ecr_repository_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/ecr_repository_not_encrypted/test/positive_expected_result.json
index ff2bfc9644f..74af5b29416 100644
--- a/assets/queries/terraform/aws/ecr_repository_not_encrypted/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/ecr_repository_not_encrypted/test/positive_expected_result.json
@@ -2,11 +2,31 @@
  {
  "queryName": "ECR Repository Not Encrypted With CMK",
  "severity": "LOW",
- "line": 1
+ "line": 1,
+ "fileName": "positive.tf",
+ "resourceType": "aws_ecr_repository",
+ "resourceName": "bar",
+ "searchKey": "aws_ecr_repository[foo]",
+ "searchValue": "",
+ "expectedValue": "'encryption_configuration' should be defined with 'KMS' as encryption type and a KMS key ARN",
+ "actualValue": "'encryption_configuration' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "043326c7e129803c495fbcf6d4d7085dc29f4f8cca29ee1a330fa8fc1651697f",
+ "search_line": -1
  },
  {
  "queryName": "ECR Repository Not Encrypted With CMK",
  "severity": "LOW",
- "line": 18
+ "line": 18,
+ "fileName": "positive.tf",
+ "resourceType": "aws_ecr_repository",
+ "resourceName": "barX",
+ "searchKey": "aws_ecr_repository[fooX].encryption_configuration",
+ "searchValue": "",
+ "expectedValue": "'encryption_configuration.encryption_type' should be set to 'KMS' and 'encryption_configuration.kms_key' specifies a KMS key ARN",
+ "actualValue": "'encryption_configuration.encryption_type' is not set to 'KMS' and/or 'encryption_configuration.kms_key' does not specify a KMS key ARN",
+ "issueType": "IncorrectValue",
+ "similarityID": "18d519beebc43b9ba66d11802cfd8a1c88c3fa80f87f49e7c6334698294ebc13",
+ "search_line": -1
  }
  ]
diff --git a/assets/queries/terraform/aws/ecr_repository_without_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/ecr_repository_without_policy/test/positive_expected_result.json
index 8733ccfe1b0..54e98fc50e0 100644
--- a/assets/queries/terraform/aws/ecr_repository_without_policy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/ecr_repository_without_policy/test/positive_expected_result.json
@@ -3,12 +3,30 @@
  "queryName": "ECR Repository Without Policy",
  "severity": "LOW",
  "line": 1,
- "filename": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_ecr_repository",
+ "resourceName": "foo",
+ "searchKey": "aws_ecr_repository[foo]",
+ "searchValue": "",
+ "expectedValue": "aws_ecr_repository[foo] has policies attached",
+ "actualValue": "aws_ecr_repository[foo] doesn't have policies attached",
+ "issueType": "MissingAttribute",
+ "similarityID": "a90c5e834c076ebd57017b169000f2e536a10c0fd7f262871f1a6317b7ca75f9",
+ "search_line": -1
  },
  {
  "queryName": "ECR Repository Without Policy",
  "severity": "LOW",
  "line": 1,
- "filename": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "aws_ecr_repository",
+ "resourceName": "foo2",
+ "searchKey": "aws_ecr_repository[foo2]",
+ "searchValue": "",
+ "expectedValue": "aws_ecr_repository[foo2] has policies attached",
+ "actualValue": "aws_ecr_repository[foo2] doesn't have policies attached",
+ "issueType": "MissingAttribute",
+ "similarityID": "2ad0d7d3813a9ea699fdf443a6e225e7afac9a4f86135042853446dd73a92f5a",
+ "search_line": -1
  }
  ]
diff --git a/assets/queries/terraform/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json
index 14338d961fd..a1929bcb6af 100644
--- a/assets/queries/terraform/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/ecs_cluster_container_insights_disabled/test/positive_expected_result.json
@@ -2,6 +2,16 @@ { "queryName": "ECS Cluster with Container Insights Disabled", "severity": "LOW", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_ecs_cluster", + "resourceName": "white-hart", + "searchKey": "aws_ecs_cluster[foo]", + "searchValue": "", + "expectedValue": "'aws_ecs_cluster[foo].setting.name' should be set to 'containerInsights' and 'aws_ecs_cluster[foo].setting.value' should be set to 'enabled'", + "actualValue": "'aws_ecs_cluster[foo].setting.name' is not set to 'containerInsights' and/or 'aws_ecs_cluster[foo].setting.value' is not set to 'enabled'", + "issueType": "IncorrectValue", + "similarityID": "1c969081093b3aac33b217a9c778d2ee8a5fdde6249647c04a59fdb1d22b6a32", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json b/assets/queries/terraform/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json index c472ceefe5b..ea4c5d04655 100644 --- a/assets/queries/terraform/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ecs_service_admin_role_is_present/test/positive_expected_result.json @@ -1,7 +1,17 @@ [ - { - "queryName": "ECS Service Admin Role Is Present", - "severity": "HIGH", - "line": 7 - } + { + "queryName": "ECS Service Admin Role Is Present", + "severity": "HIGH", + "line": 7, + "fileName": "positive.tf", + "resourceType": "aws_ecs_service", + "resourceName": "mongodb", + "searchKey": "aws_ecs_service[positive1].iam_role", + "searchValue": "", + "expectedValue": "'aws_ecs_service[positive1].iam_role' should not equal to 'admin'", + "actualValue": "'aws_ecs_service[positive1].iam_role' is equal to 'admin'", + "issueType": "IncorrectValue", + "similarityID": "cb3b10cbf6ba554618c345120598175692bff02052fd2c11d3e0c66d91de5d6a", + "search_line": -1 + } ] 
diff --git a/assets/queries/terraform/aws/ecs_service_without_running_tasks/test/positive_expected_result.json b/assets/queries/terraform/aws/ecs_service_without_running_tasks/test/positive_expected_result.json index 038245c2cee..455f8a654de 100644 --- a/assets/queries/terraform/aws/ecs_service_without_running_tasks/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ecs_service_without_running_tasks/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "ECS Service Without Running Tasks", "severity": "LOW", "line": 1, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "aws_ecs_service", + "resourceName": "positive1", + "searchKey": "aws_ecs_service[positive1]", + "searchValue": "", + "expectedValue": "'aws_ecs_service[positive1]' has at least 1 task running", + "actualValue": "'aws_ecs_service[positive1]' must have at least 1 task running", + "issueType": "IncorrectValue", + "similarityID": "fc9998edc42ae08dfd1bb00f164958eb73e2cfecc063cde665be5a9ec5a23875", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json b/assets/queries/terraform/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json index 18ccc7a1c7e..c12f72d37ce 100644 --- a/assets/queries/terraform/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ecs_services_assigned_with_public_ip_address/test/positive_expected_result.json 
@@ -1,14 +1,32 @@ [ { + "queryName": "ECS Services assigned with public IP address", "severity": "MEDIUM", "line": 15, - "queryName": "ECS Services assigned with public IP address", - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_ecs_service", + "resourceName": "example_service_dev", + "searchKey": "aws_ecs_service[example_ecs_service].network_configuration.assign_public_ip", + "searchValue": "", + "expectedValue": "'aws_ecs_service[example_ecs_service].network_configuration.assign_public_ip' should be set to 'false'(default value is 'false')", + "actualValue": "'aws_ecs_service[example_ecs_service].network_configuration.assign_public_ip' is set to true", + "issueType": "IncorrectValue", + "similarityID": "87b4ef8a134908da73d677465fc0f85a9e0a9446f08a598436498385fc0ba33e", + "search_line": 15 }, { + "queryName": "ECS Services assigned with public IP address", "severity": "MEDIUM", "line": 17, - "queryName": "ECS Services assigned with public IP address", - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ecs].services.frontend.assign_public_ip", + "searchValue": "", + "expectedValue": "'module[ecs].services.frontend.assign_public_ip' should be set to 'false'(default value is 'false')", + "actualValue": "'module[ecs].services.frontend.assign_public_ip' is set to true", + "issueType": "IncorrectValue", + "similarityID": "29ebe55741ae625add24cc3ff050f343476e58a185acf67e0970bddd10f9d0e3", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json b/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json index be1f04a0a99..022cbfe20d3 100644 --- a/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json 
+++ b/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "ECS Task Definition Network Mode Not Recommended", "severity": "MEDIUM", - "line": 3 + "line": 3, + "fileName": "positive.tf", + "resourceType": "aws_ecs_task_definition", + "resourceName": "positive1", + "searchKey": "aws_ecs_task_definition[positive1].network_mode", + "searchValue": "", + "expectedValue": "'network_mode' should equal to 'awsvpc'", + "actualValue": "'network_mode' is equal to 'none'", + "issueType": "IncorrectValue", + "similarityID": "39f39fb38fcd27c3b956b487c553cdea3be31a424bfbea4d9a249a420b4228e8", + "search_line": 3 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/efs_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/efs_not_encrypted/test/positive_expected_result.json index 2eaa672c30d..af01a21890a 100644 --- a/assets/queries/terraform/aws/efs_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/efs_not_encrypted/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_efs_file_system", + "resourceName": "MyProduct", + "searchKey": "aws_efs_file_system[positive1]", + "searchValue": "", + "expectedValue": "aws_efs_file_system[positive1].encrypted' should be defined and not null", + "actualValue": "aws_efs_file_system[positive1].encrypted' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "9220ddd50c6a30a739db0cfced0cdfeb54783dad8fc28fac94e233585c1fcf19", + "search_line": -1 }, { "queryName": "EFS Not Encrypted", "severity": "HIGH", - "line": 11 + "line": 11, + "fileName": "positive.tf", + "resourceType": "aws_efs_file_system", + "resourceName": "MyProduct", + "searchKey": "aws_efs_file_system[positive2].encrypted", + "searchValue": "", + "expectedValue": "aws_efs_file_system[positive2].encrypted' should be true", + "actualValue": "aws_efs_file_system[positive2].encrypted' is false", + "issueType": "IncorrectValue", + "similarityID": "af301a2d051356a8f6400454289be4206830f49f057432fc4323994f101f9cd0", + "search_line": 11 } ] diff --git a/assets/queries/terraform/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json b/assets/queries/terraform/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json index 562e3a327a2..2747ec5c760 100644 --- a/assets/queries/terraform/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/efs_volume_with_disabled_transit_encryption/test/positive_expected_result.json 
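Review bot: The new expectedValue and actualValue strings in both entries carry an unbalanced quote (`aws_efs_file_system[positive1].encrypted' should be defined and not null`, `aws_efs_file_system[positive2].encrypted' is false`), and this fixture now pins that text verbatim. If the stray apostrophe is a typo in the query's message rather than intended, it would be better to correct the message before regenerating, since fixing it later means re-running the generator against this file. The same pattern appears in the efs_without_kms hunk (`aws_efs_file_system[positive1].kms_key_id' should be defined'`, which also closes with a dangling quote). The query source is not visible here, so whether these quotes are deliberate is inferred from the strings alone.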
@@ -3,60 +3,150 @@ "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 11, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_ecs_task_definition", + "resourceName": "service", + "searchKey": "aws_ecs_task_definition[{{service}}].volume.efs_volume_configuration.transit_encryption", + "searchValue": "", + "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value should be 'ENABLED'", + "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value is 'DISABLED'", + "issueType": "IncorrectValue", + "similarityID": "7ad1f8b9e8787d33047adab15edd402808acd71b82002c2ac50031b2786fefd0", + "search_line": 11 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 8, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_ecs_task_definition", + "resourceName": "service_2", + "searchKey": "aws_ecs_task_definition[{{service_2}}].volume.efs_volume_configuration", + "searchValue": "", + "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value should be 'ENABLED'", + "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption is missing", + "issueType": "MissingAttribute", + "similarityID": "ddd2ccad8fd11c8ad115b4ab0d6d6bb375c5d003109979c6b64a280555b91cc3", + "search_line": 8 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 5, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_ecs_task_definition", + "resourceName": "service_2", + "searchKey": "aws_ecs_task_definition[{{service_2}}].volume", + "searchValue": "", + "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration value should be defined", + "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration is not set", + "issueType": 
"MissingAttribute", + "similarityID": "911114eaac26793ea9bc6a7a0b8cd0baeb9d8feebde264f77e60494bdd668c29", + "search_line": 5 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 11, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_ecs_task_definition", + "resourceName": "service_4", + "searchKey": "aws_ecs_task_definition[{{service_4}}].volume[0].efs_volume_configuration.transit_encryption", + "searchValue": "", + "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value should be 'ENABLED'", + "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value is 'DISABLED'", + "issueType": "IncorrectValue", + "similarityID": "a9fc0e20ba8996a811c80ee4b2e92d7ff68537729d2e9f96723469892e4b880f", + "search_line": 11 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 26, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_ecs_task_definition", + "resourceName": "service_4", + "searchKey": "aws_ecs_task_definition[{{service_4}}].volume[1].efs_volume_configuration.transit_encryption", + "searchValue": "", + "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value should be 'ENABLED'", + "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value is 'DISABLED'", + "issueType": "IncorrectValue", + "similarityID": "c30f5479b02894ba0a5f0b84e5309590441cc72a1682dbcff9e8e80820affb2c", + "search_line": 26 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 8, - "filename": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "aws_ecs_task_definition", + "resourceName": "service_5", + "searchKey": "aws_ecs_task_definition[{{service_5}}].volume[0].efs_volume_configuration", + "searchValue": "", + "expectedValue": 
"aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value should be 'ENABLED'", + "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption is missing", + "issueType": "MissingAttribute", + "similarityID": "2dc5a17df819fb52050e6d80d13530596fdf6f798bb3f705961fd3b28c9c2d94", + "search_line": 8 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 22, - "filename": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "aws_ecs_task_definition", + "resourceName": "service_5", + "searchKey": "aws_ecs_task_definition[{{service_5}}].volume[1].efs_volume_configuration", + "searchValue": "", + "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value should be 'ENABLED'", + "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption is missing", + "issueType": "MissingAttribute", + "similarityID": "44b0da56fa838b4fe781d26361e11d8c94d2d51ee2b1ca253dda02d5d3c5730b", + "search_line": 22 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 5, - "filename": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "aws_ecs_task_definition", + "resourceName": "service_6", + "searchKey": "aws_ecs_task_definition[{{service_6}}].volume[0]", + "searchValue": "", + "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration value should be defined", + "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration is not set", + "issueType": "MissingAttribute", + "similarityID": "edd1fe3f83a0df51accac608291769fac823860f16ffe630941d468eff4d3dba", + "search_line": 5 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 9, - "filename": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "aws_ecs_task_definition", + "resourceName": "service_6", + "searchKey": 
"aws_ecs_task_definition[{{service_6}}].volume[1]", + "searchValue": "", + "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration value should be defined", + "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration is not set", + "issueType": "MissingAttribute", + "similarityID": "3d186d5be20a7c7955e214794ee4fa49d357495e194980bec216b6daaf56b2cd", + "search_line": 9 }, { "queryName": "EFS Volume With Disabled Transit Encryption", "severity": "MEDIUM", "line": 26, - "filename": "positive7.tf" + "fileName": "positive7.tf", + "resourceType": "aws_ecs_task_definition", + "resourceName": "service_7", + "searchKey": "aws_ecs_task_definition[{{service_7}}].volume[1].efs_volume_configuration.transit_encryption", + "searchValue": "", + "expectedValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value should be 'ENABLED'", + "actualValue": "aws_ecs_task_definition.volume.efs_volume_configuration.transit_encryption value is 'DISABLED'", + "issueType": "IncorrectValue", + "similarityID": "c739dec12d9a9f92929eb5e14d32f5f8200c5f89decb152cec774df6e86705b4", + "search_line": 26 } ] diff --git a/assets/queries/terraform/aws/efs_with_vulnerable_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/efs_with_vulnerable_policy/test/positive_expected_result.json index c8af7a301f9..62a9e924cb6 100644 --- a/assets/queries/terraform/aws/efs_with_vulnerable_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/efs_with_vulnerable_policy/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "EFS With Vulnerable Policy", "severity": "MEDIUM", "line": 16, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "aws_efs_file_system_policy", + "resourceName": "not_secure_policy", + "searchKey": "aws_efs_file_system_policy[not_secure_policy].policy", + "searchValue": "", + "expectedValue": "aws_efs_file_system_policy[not_secure_policy].policy should not have wildcard in 'Action' and 'Principal'", + "actualValue": "aws_efs_file_system_policy[not_secure_policy].policy has wildcard in 'Action' or 'Principal'", + "issueType": "IncorrectValue", + "similarityID": "ecc214468c6acb515f2a35aa664e39eeb5f1e5397bc63408d02dd2b16f82f9d4", + "search_line": 16 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/efs_without_kms/test/positive_expected_result.json b/assets/queries/terraform/aws/efs_without_kms/test/positive_expected_result.json index ba63f84dca0..1c886647df8 100644 --- a/assets/queries/terraform/aws/efs_without_kms/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/efs_without_kms/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "EFS Without KMS", "severity": "LOW", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_efs_file_system", + "resourceName": "MyProduct", + "searchKey": "aws_efs_file_system[positive1]", + "searchValue": "", + "expectedValue": "aws_efs_file_system[positive1].kms_key_id' should be defined'", + "actualValue": "aws_efs_file_system[positive1].kms_key_id' is undefined", + "issueType": "MissingAttribute", + "similarityID": "884bbccdff8fc052e48036ae7562fded9722769e4b37de8736c48755c80060f3", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json index 1dc99e33f29..ac4e721cc47 100644 
--- a/assets/queries/terraform/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/eks_cluster_encryption_disabled/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "EKS Cluster Encryption Disabled", "severity": "HIGH", "line": 6, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_eks_cluster", + "resourceName": "example", + "searchKey": "aws_eks_cluster[positive1]", + "searchValue": "", + "expectedValue": "'encryption_config' should be defined and not null", + "actualValue": "'encryption_config' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "c8d77c5cf662d1bf04f0793617265cdc71e0f36d9c7ae2de3d4d64d89b463688", + "search_line": 6 }, { "queryName": "EKS Cluster Encryption Disabled", "severity": "HIGH", "line": 11, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_eks_cluster", + "resourceName": "example", + "searchKey": "aws_eks_cluster[positive2].encryption_config.resources", + "searchValue": "", + "expectedValue": "'secrets' should be defined", + "actualValue": "'secrets' is undefined", + "issueType": "IncorrectValue", + "similarityID": "2bfa2cf55b85175d1fb4cb417b025196361a1dc34934b8598fcbf8ed0e2d0303", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/eks_cluster_has_public_access/test/positive_expected_result.json b/assets/queries/terraform/aws/eks_cluster_has_public_access/test/positive_expected_result.json index d8b401a6a00..7651950067d 100644 --- a/assets/queries/terraform/aws/eks_cluster_has_public_access/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/eks_cluster_has_public_access/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "EKS Cluster Has Public Access", "severity": "MEDIUM", - "line": 7 + "line": 7, + "fileName": "positive.tf", + "resourceType": "aws_eks_cluster", + "resourceName": "example", + "searchKey": "aws_eks_cluster[positive1].vpc_config.endpoint_public_access", + "searchValue": "", + "expectedValue": "'vpc_config.endpoint_public_access' should equal 'false'", + "actualValue": "'vpc_config.endpoint_public_access' is equal 'true'", + "issueType": "IncorrectValue", + "similarityID": "344679a9754df503aa0ef7261ed4d85f39f5707afae37590f0d27b66ad208968", + "search_line": 7 } ] diff --git a/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/test/positive_expected_result.json b/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/test/positive_expected_result.json index fc8b1649bfe..a2fd216f042 100644 --- a/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "EKS Cluster Has Public Access CIDRs", "severity": "MEDIUM", - "line": 8 + "line": 8, + "fileName": "positive.tf", + "resourceType": "aws_eks_cluster", + "resourceName": "example", + "searchKey": "aws_eks_cluster[positive1].vpc_config.public_access_cidrs", + "searchValue": "", + "expectedValue": "One of 'vpc_config.public_access_cidrs' not equal '0.0.0.0/0'", + "actualValue": "One of 'vpc_config.public_access_cidrs' is equal '0.0.0.0/0'", + "issueType": "IncorrectValue", + "similarityID": "687590a8ffdae58b27062318a834447a7f55e921c5f8a13ab6b8f3fd50c022df", + "search_line": -1 }, { "queryName": "EKS Cluster Has Public Access CIDRs", "severity": "MEDIUM", - "line": 30 + "line": 30, + "fileName": "positive.tf", + "resourceType": "aws_eks_cluster", + "resourceName": "without_example", + "searchKey": "aws_eks_cluster[positive2].vpc_config.public_access_cidrs", + "searchValue": "", + "expectedValue": "'vpc_config.public_access_cidrs' should exist", + "actualValue": "'vpc_config.public_access_cidrs' is missing", + "issueType": "MissingAttribute", + "similarityID": "b83ce23e4cfa68bb13f3a75f40f9edc13a2dd19f5af673ad3bfd5df16f001782", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/eks_cluster_log_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/eks_cluster_log_disabled/test/positive_expected_result.json index 5f09bd406dd..0d7d293aaa1 100644 --- a/assets/queries/terraform/aws/eks_cluster_log_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/eks_cluster_log_disabled/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "EKS cluster logging is not enabled", "severity": "MEDIUM", "line": 6, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_eks_cluster", + "resourceName": "example", + "searchKey": "aws_eks_cluster[positive1]", + "searchValue": "", + "expectedValue": "'enabled_cluster_log_types' should be defined and not null", + "actualValue": "'enabled_cluster_log_types' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "df4281cd28a9ff67ac491492a3fec9dba1865a13b2e36b7fd300b650e6ee237d", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/eks_node_group_remote_access_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/eks_node_group_remote_access_disabled/test/positive_expected_result.json index 56ceeded77b..78c8224ceaf 100644 --- a/assets/queries/terraform/aws/eks_node_group_remote_access_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/eks_node_group_remote_access_disabled/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "EKS node group remote access disabled", "severity": "MEDIUM", "line": 13, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "aws_eks_node_group", + "resourceName": "positive", + "searchKey": "aws_eks_node_group[positive].remote_access", + "searchValue": "", + "expectedValue": "'aws_eks_node_group[positive].remote_access.source_security_groups_ids' should be defined and not null", + "actualValue": "'aws_eks_node_group[positive].remote_access.source_security_groups_ids' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "cb898c045bfc522c314092a47097cdb73078fd6827e1fec7b0a05731d96d96b7", + "search_line": -1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json index 21916a4ecf0..39c4e0f0b25 100644 --- a/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az/test/positive_expected_result.json @@ -2,11 +2,31 @@ { "queryName": "ElastiCache Nodes Not Created Across Multi AZ", "severity": "MEDIUM", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_elasticache_cluster", + "resourceName": "cluster-example", + "searchKey": "aws_elasticache_cluster[positive1]", + "searchValue": "", + "expectedValue": "'az_mode' should be set and must be 'cross-az' in multi nodes cluster", + "actualValue": "'az_mode' is undefined", + "issueType": "MissingAttribute", + "similarityID": "d6399b3503d592fdaea7a37df8046afba7070c4cab038304a0ded1c6f7191f20", + "search_line": 1 }, { "queryName": "ElastiCache Nodes Not Created Across Multi AZ", "severity": "MEDIUM", - "line": 12 + "line": 12, + "fileName": "positive.tf", + "resourceType": "aws_elasticache_cluster", + "resourceName": "cluster-example", + "searchKey": "aws_elasticache_cluster[positive2].az_mode", + "searchValue": "", + "expectedValue": "'az_mode' should be 'cross-az' in multi nodes cluster", + "actualValue": "'az_mode' is 'single-az'", + "issueType": "IncorrectValue", + "similarityID": "974728ec6c9029b6759e5952ad6e6e3e00073d6187e96ae1cc6ed271317c614e", + "search_line": 12 } ] diff --git a/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json index e6c9f8ed3cc..87f05a2030c 100644 
--- a/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup/test/positive_expected_result.json @@ -2,11 +2,31 @@ { "queryName": "ElastiCache Redis Cluster Without Backup", "severity": "MEDIUM", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_elasticache_cluster", + "resourceName": "cluster", + "searchKey": "aws_elasticache_cluster[positive1]", + "searchValue": "", + "expectedValue": "'snapshot_retention_limit' should be higher than 0", + "actualValue": "'snapshot_retention_limit' is undefined", + "issueType": "MissingAttribute", + "similarityID": "ff1a4070de1df0e55ce3086c0393c72afeba5b05a7e3799f12fd778e39a67642", + "search_line": 1 }, { "queryName": "ElastiCache Redis Cluster Without Backup", "severity": "MEDIUM", - "line": 16 + "line": 16, + "fileName": "positive.tf", + "resourceType": "aws_elasticache_cluster", + "resourceName": "cluster", + "searchKey": "aws_elasticache_cluster[positive2].snapshot_retention_limit", + "searchValue": "", + "expectedValue": "'snapshot_retention_limit' should be higher than 0", + "actualValue": "'snapshot_retention_limit' is 0", + "issueType": "IncorrectValue", + "similarityID": "63db53491d18c5136df8267c98d62607bda372dc3389cf2321026339ca95edf8", + "search_line": 16 } ] diff --git a/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/test/positive_expected_result.json index 97de094b1b1..70d436d4a90 100644 --- a/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "ElastiCache Replication Group Not Encrypted At Rest", "severity": "HIGH", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_elasticache_replication_group", + "resourceName": "example", + "searchKey": "aws_elasticache_replication_group[example]", + "searchValue": "", + "expectedValue": "The attribute 'at_rest_encryption_enabled' should be set to true", + "actualValue": "The attribute 'at_rest_encryption_enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "dddf27bfb7165f78dc071ad9b7b07ef6995447eb575087f585d95da45923804f", + "search_line": 1 }, { "queryName": "ElastiCache Replication Group Not Encrypted At Rest", "severity": "HIGH", "line": 9, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_elasticache_replication_group", + "resourceName": "example2", + "searchKey": "aws_elasticache_replication_group[example2].at_rest_encryption_enabled", + "searchValue": "", + "expectedValue": "The attribute 'at_rest_encryption_enabled' should be set to true", + "actualValue": "The attribute 'at_rest_encryption_enabled' is not set to true", + "issueType": "IncorrectValue", + "similarityID": "7f9b706cf6be574a894ec67e7702b797571b602283aa601b284dc9e46694b412", + "search_line": 9 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/test/positive_expected_result.json index f12eb88b6db..c4f07e1386e 100644 --- a/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "ElastiCache Replication Group Not Encrypted At Transit", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_elasticache_replication_group", + "resourceName": "example", + "searchKey": "aws_elasticache_replication_group[example]", + "searchValue": "", + "expectedValue": "The attribute 'transit_encryption_enabled' should be set to true", + "actualValue": "The attribute 'transit_encryption_enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "68480c2644bf51f9b905415e01016f8b60088c28d7283cacf1048e8c6450c00c", + "search_line": -1 }, { "queryName": "ElastiCache Replication Group Not Encrypted At Transit", "severity": "MEDIUM", "line": 9, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_elasticache_replication_group", + "resourceName": "example", + "searchKey": "aws_elasticache_replication_group[example].transit_encryption_enabled", + "searchValue": "", + "expectedValue": "The attribute 'transit_encryption_enabled' should be set to true", + "actualValue": "The attribute 'transit_encryption_enabled' is not set to true", + "issueType": "IncorrectValue", + "similarityID": "a8d53ac8d8e22e36e4c00886b9fbbacf117385802751fa76b9369d10c020e650", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/elasticache_using_default_port/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticache_using_default_port/test/positive_expected_result.json index c99229d5c61..91e3fbb7f87 100644 --- a/assets/queries/terraform/aws/elasticache_using_default_port/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticache_using_default_port/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "ElastiCache Using Default Port", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_elasticache_cluster", + "resourceName": "cluster", + "searchKey": "aws_elasticache_cluster[positive1]", + "searchValue": "", + "expectedValue": "aws_elasticache_cluster.port should be defined and not null", + "actualValue": "aws_elasticache_cluster.port is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "ba28ab54716ed2b230606a502ba9b3c73871f29238d2757a51dc1e9465794978", + "search_line": 1 }, { "queryName": "ElastiCache Using Default Port", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_elasticache_cluster", + "resourceName": "cluster", + "searchKey": "aws_elasticache_cluster[positive2]", + "searchValue": "", + "expectedValue": "aws_elasticache_cluster.port should be defined and not null", + "actualValue": "aws_elasticache_cluster.port is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "f8bc5f6649e01944301f517edcb541306008b3599379e615d030fd681bd13c1a", + "search_line": 1 }, { "queryName": "ElastiCache Using Default Port", "severity": "LOW", "line": 7, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_elasticache_cluster", + "resourceName": "cluster", + "searchKey": "aws_elasticache_cluster[positive3].port", + "searchValue": "", + "expectedValue": "'port' should not be set to 6379", + "actualValue": "'port' is set to 6379", + "issueType": "IncorrectValue", + "similarityID": "1acf9a731f71dfc9cfba5a2e3f767f1f7452b604b76fd1c828b88f082de5b5e6", + "search_line": 7 }, { "queryName": "ElastiCache Using Default Port", "severity": "LOW", "line": 7, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_elasticache_cluster", + "resourceName": "cluster", + "searchKey": "aws_elasticache_cluster[positive2].port", + "searchValue": "", + 
"expectedValue": "'port' should not be set to 11211", + "actualValue": "'port' is set to 11211", + "issueType": "IncorrectValue", + "similarityID": "6813904e4f1688b435017179a9e62706d1b6160a54987d68d39a88720ea369ac", + "search_line": 7 } ] diff --git a/assets/queries/terraform/aws/elasticache_without_vpc/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticache_without_vpc/test/positive_expected_result.json index a1992dd7bdd..43f466c6e60 100644 --- a/assets/queries/terraform/aws/elasticache_without_vpc/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticache_without_vpc/test/positive_expected_result.json @@ -1,8 +1,17 @@ [ - { - "queryName": "ElastiCache Without VPC", - "severity": "LOW", - "line": 1, - "fileName": "positive.tf" - } + { + "queryName": "ElastiCache Without VPC", + "severity": "LOW", + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_elasticache_cluster", + "resourceName": "cluster-example", + "searchKey": "aws_elasticache_cluster[positive1]", + "searchValue": "", + "expectedValue": "'aws_elasticache_cluster[positive1].subnet_group_name' should be defined and not null'", + "actualValue": "'aws_elasticache_cluster[positive1].subnet_group_name' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "43f0c49dbce33870a775bb490e63fd1f36cd52c8bed775a9786624e7292dca4f", + "search_line": 1 + } ] diff --git a/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json index 97643939504..a40cb5804ae 100644 --- a/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node/test/positive_expected_result.json 
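Review bot: The new `expectedValue` for elasticache_without_vpc/positive.tf carries an unbalanced trailing quote, `... should be defined and not null'`, which the generator has copied verbatim into the fixture. Because these files are compared against scanner output, the stray `'` presumably originates in the query's Rego `keyExpectedValue` string; fixing it there and regenerating is preferable to hand-editing this JSON, otherwise the fixture drifts again the next time the script runs. The corrected line would read `"expectedValue": "'aws_elasticache_cluster[positive1].subnet_group_name' should be defined and not null",`.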
@@ -3,12 +3,30 @@ "queryName": "Elasticsearch Domain Not Encrypted Node To Node", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_elasticsearch_domain", + "resourceName": "positive1", + "searchKey": "aws_elasticsearch_domain[{{positive1}}]", + "searchValue": "", + "expectedValue": "The attribute 'node_to_node_encryption' should be set to true", + "actualValue": "The attribute 'node_to_node_encryption' is undefined", + "issueType": "MissingAttribute", + "similarityID": "8edc6f87cc795101d420af9f5c908ccdd369ed61d944c0a28a45f94aba500103", + "search_line": 1 }, { "queryName": "Elasticsearch Domain Not Encrypted Node To Node", "severity": "MEDIUM", "line": 14, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_elasticsearch_domain", + "resourceName": "positive1", + "searchKey": "aws_elasticsearch_domain[{{positive1}}].node_to_node_encryption.enabled", + "searchValue": "", + "expectedValue": "The attribute 'node_to_node_encryption' should be set to true", + "actualValue": "The attribute 'node_to_node_encryption' is not set to true", + "issueType": "IncorrectValue", + "similarityID": "7c1db9300a5dd315c90cd35ffd05969b07918324ed636739aaaad5d87a086ddf", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/elasticsearch_domain_with_vulnerable_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_domain_with_vulnerable_policy/test/positive_expected_result.json index 2b1845daf6d..c9211840589 100644 --- a/assets/queries/terraform/aws/elasticsearch_domain_with_vulnerable_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticsearch_domain_with_vulnerable_policy/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Elasticsearch Domain With Vulnerable Policy", "severity": "MEDIUM", "line": 18, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "aws_elasticsearch_domain_policy", + "resourceName": "main", + "searchKey": "aws_elasticsearch_domain_policy[main].access_policies", + "searchValue": "", + "expectedValue": "aws_elasticsearch_domain_policy[main].access_policies should not have wildcard in 'Action' and 'Principal'", + "actualValue": "aws_elasticsearch_domain_policy[main].access_policies has wildcard in 'Action' or 'Principal'", + "issueType": "IncorrectValue", + "similarityID": "9b6928f0059b7de227fe3b54acef45bdf4fa0223d908027991821cc166236c48", + "search_line": 18 } ] diff --git a/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/test/positive_expected_result.json index 35a08640780..5233558118c 100644 --- a/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "ElasticSearch Encryption With KMS Disabled", "severity": "HIGH", - "line": 5 + "line": 5, + "fileName": "positive.tf", + "resourceType": "aws_elasticsearch_domain", + "resourceName": "positive1", + "searchKey": "aws_elasticsearch_domain[positive1].encrypt_at_rest", + "searchValue": "", + "expectedValue": "'aws_elasticsearch_domain[positive1].encrypt_at_rest.kms_key_id' should be set with encryption at rest", + "actualValue": "'aws_elasticsearch_domain[positive1].encrypt_at_rest.kms_key_id' is undefined", + "issueType": "MissingAttribute", + "similarityID": "0c7750524064e21e5f226ae0be612857f6820fdfae57a966226391ac8c2ffb5f", + "search_line": -1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/aws/elasticsearch_logs_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_logs_disabled/test/positive_expected_result.json index a22034a740d..fe31a517429 100644 --- a/assets/queries/terraform/aws/elasticsearch_logs_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticsearch_logs_disabled/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "Elasticsearch Log Disabled", "severity": "MEDIUM", "line": 6, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_elasticsearch_domain", + "resourceName": "positive1", + "searchKey": "aws_elasticsearch_domain[{{positive1}}].log_publishing_options.enabled", + "searchValue": "", + "expectedValue": "'log_publishing_options.enabled' should be true", + "actualValue": "'log_publishing_options.enabled' is false", + "issueType": "IncorrectValue", + "similarityID": "055e9a6e5743c7bc6b1e73cf8462f074d24695ad09012e24fbefc86014b6535b", + "search_line": 6 }, { "queryName": "Elasticsearch Log Disabled", "severity": "MEDIUM", "line": 1, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_elasticsearch_domain", + "resourceName": "positive2", + "searchKey": "aws_elasticsearch_domain[{{positive2}}]", + "searchValue": "", + "expectedValue": "'log_publishing_options' should be defined and not null", + "actualValue": "'log_publishing_options' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "c8677cd129c390f99d9f7e6dcec06485c5fa816f7af33e0c2889ea3ecc6029fc", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json index 7a0f9115878..a94d39936d8 100644 --- a/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json 
+++ b/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest/test/positive_expected_result.json @@ -2,11 +2,31 @@ { "queryName": "ElasticSearch Not Encrypted At Rest", "severity": "HIGH", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_elasticsearch_domain", + "resourceName": "positive1", + "searchKey": "aws_elasticsearch_domain[positive1]", + "searchValue": "", + "expectedValue": "'encrypt_at_rest' should be set and enabled", + "actualValue": "'encrypt_at_rest' is undefined", + "issueType": "MissingAttribute", + "similarityID": "415a1912ca61cd7b7703c784d2ed3854cce0d7255209fd7e631a7d5ddd969788", + "search_line": 1 }, { "queryName": "ElasticSearch Not Encrypted At Rest", "severity": "HIGH", - "line": 11 + "line": 11, + "fileName": "positive.tf", + "resourceType": "aws_elasticsearch_domain", + "resourceName": "positive2", + "searchKey": "aws_elasticsearch_domain[positive2].encrypt_at_rest.enabled", + "searchValue": "", + "expectedValue": "'encrypt_at_rest.enabled' should be true", + "actualValue": "'encrypt_at_rest.enabled' is false", + "issueType": "IncorrectValue", + "similarityID": "f99dac270ff415284034af822e03bb64cf61943693aaa91ba281721ae8d39765", + "search_line": 11 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json index 982f13b43ec..e8d4c3b7a5c 100644 --- a/assets/queries/terraform/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticsearch_with_https_disabled/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Elasticsearch with HTTPS disabled", "severity": "MEDIUM", "line": 27, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_elasticsearch_domain", + "resourceName": "my-elasticsearch-domain", + "searchKey": "aws_elasticsearch_domain[{{example}}]", + "searchValue": "", + "expectedValue": "The attribute 'enforce_https' should be set to 'true'", + "actualValue": "The attribute 'enforce_https' is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "e72f636310cd2554346795fb3a8715c43ffebf1884a05d9829500e13cff2117c", + "search_line": 27 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json index dd2e7e151b2..1ea3369ac73 100644 --- a/assets/queries/terraform/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticsearch_without_iam_authentication/test/positive_expected_result.json 
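Review bot: The entry reports an `IncorrectValue` on `enforce_https` at line 27 but its `searchKey` is the resource block itself, `aws_elasticsearch_domain[{{example}}]`, not the attribute that holds the wrong value. If `searchKey` is meant to locate the offending attribute (as the other `IncorrectValue` entries in this change do), the query should emit something like `aws_elasticsearch_domain[{{example}}].domain_endpoint_options.enforce_https` before this is locked into the expected results, since the similarityID is presumably derived from it. Also note the `resourceName` is `my-elasticsearch-domain` while the label in `searchKey` is `example`; that is consistent with a `domain_name` attribute in positive1.tf, but worth a glance.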
@@ -3,12 +3,30 @@ "queryName": "Elasticsearch Without IAM Authentication", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_elasticsearch_domain", + "resourceName": "example", + "searchKey": "aws_elasticsearch_domain[example]", + "searchValue": "", + "expectedValue": "Elasticsearch Domain ensure IAM Authentication", + "actualValue": "Elasticsearch Domain does not ensure IAM Authentication", + "issueType": "IncorrectValue", + "similarityID": "1b5e23235b839762174e5046dbbc88640835a42561ff69f5a7149281f3c1d6b4", + "search_line": 1 }, { "queryName": "Elasticsearch Without IAM Authentication", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_elasticsearch_domain", + "resourceName": "example2", + "searchKey": "aws_elasticsearch_domain[example2]", + "searchValue": "", + "expectedValue": "Elasticsearch Domain ensure IAM Authentication", + "actualValue": "Elasticsearch Domain does not ensure IAM Authentication", + "issueType": "IncorrectValue", + "similarityID": "422d370c177dd5ee1ad604a29ebb37ebd18d7951158f3fa5d1e5deea84faa318", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json b/assets/queries/terraform/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json index 023e30233ed..425c561c840 100644 --- a/assets/queries/terraform/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elasticsearch_without_slow_logs/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "ElasticSearch Without Slow Logs", "severity": "LOW", "line": 4, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_elasticsearch_domain", + "resourceName": "positive1", + "searchKey": "aws_elasticsearch_domain[{{positive1}}].log_publishing_options.log_type", + "searchValue": "", + "expectedValue": "'log_publishing_options.log_type' should not be INDEX_SLOW_LOGS or SEARCH_SLOW_LOGS ", + "actualValue": "'log_publishing_options.enabled' is ES_APPLICATION_LOGS or AUDIT_LOGS", + "issueType": "IncorrectValue", + "similarityID": "317548539323f9b19f1fbd55eeb623a65c275bb57fd65160156f42a00ea87621", + "search_line": 4 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/elb_access_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/elb_access_logging_disabled/test/positive_expected_result.json index 6c46eb0bbaf..911c1f9cd82 100644 --- a/assets/queries/terraform/aws/elb_access_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elb_access_logging_disabled/test/positive_expected_result.json 
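Review bot: The `actualValue` string names the wrong attribute — `'log_publishing_options.enabled' is ES_APPLICATION_LOGS or AUDIT_LOGS` — while `searchKey` and `expectedValue` refer to `log_publishing_options.log_type`, and `expectedValue` ends with a trailing space (`SEARCH_SLOW_LOGS "`). Both strings come from the query's message templates, so they should be corrected in the Rego and the fixture regenerated rather than patched here. The expected/actual wording also reads inverted for a query named "Without Slow Logs" (asserting `log_type` "should not be" a slow-log type when the finding is that slow logs are absent); that may be a quirk of how the query iterates the blocks, but it is worth confirming against the query's intent before freezing it in the test.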
@@ -3,24 +3,60 @@ "queryName": "ELB Access Log Disabled", "severity": "MEDIUM", "line": 9, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_elb", + "resourceName": "foobar-terraform-elb", + "searchKey": "aws_elb[{{postive1}}].access_logs.enabled", + "searchValue": "", + "expectedValue": "'aws_elb[{{postive1}}].access_logs.enabled' should be true", + "actualValue": "'aws_elb[{{postive1}}].access_logs.enabled' is false", + "issueType": "IncorrectValue", + "similarityID": "ddc9ff966762ffe636e707675db9d0127458f683443d96a43097900dceee186b", + "search_line": 9 }, { "queryName": "ELB Access Log Disabled", "severity": "MEDIUM", "line": 1, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_elb", + "resourceName": "foobar-terraform-elb", + "searchKey": "aws_elb[{{postive2}}]", + "searchValue": "", + "expectedValue": "'aws_elb[{{postive2}}].access_logs' should be defined and not null", + "actualValue": "'aws_elb[{{postive2}}].access_logs' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "32c9fcc00fe5147d0ad5254c24d3d0b994aac836257e44b160a49f380df65137", + "search_line": 1 }, { "queryName": "ELB Access Log Disabled", "severity": "MEDIUM", - "line": 39, - "filename": "positive4.tf" + "line": 1, + "fileName": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[elb_http]", + "searchValue": "", + "expectedValue": "'access_logs' should be defined and not null", + "actualValue": "'access_logs' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "ca683ce6ea2ec2b949e09bf8146009583d6a0fce6934ddc88539d8b80670ab27", + "search_line": 1 }, { "queryName": "ELB Access Log Disabled", "severity": "MEDIUM", - "line": 1, - "filename": "positive3.tf" + "line": 39, + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[elb_http].access_logs.enabled", + "searchValue": "", + "expectedValue": 
"'access_logs.enabled' should be true", + "actualValue": "'access_logs.enabled' is false", + "issueType": "IncorrectValue", + "similarityID": "e8f0a0b412ae7116a96c24c3409e742a0f2947ad44e80f25f6b8a74463b95960", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/elb_using_insecure_protocols/test/positive_expected_result.json b/assets/queries/terraform/aws/elb_using_insecure_protocols/test/positive_expected_result.json index d3475be6d2a..148fc87cabb 100644 --- a/assets/queries/terraform/aws/elb_using_insecure_protocols/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elb_using_insecure_protocols/test/positive_expected_result.json 
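Review bot: The resource labels in `searchKey`, `expectedValue` and `actualValue` for positive1.tf and positive2.tf are spelled `postive1`/`postive2`. The fixture is presumably faithful to the resource names in those .tf files, so the scan will match, but the typo should be fixed in the test files (and the fixture regenerated) now, before the similarityIDs derived from these keys have to be preserved for compatibility. Separately, the positive4.tf entry has `"line": 39` but `"search_line": -1` while the other three entries carry a resolved `search_line`; if the test runner asserts on that field, -1 here encodes the query's unresolved search line for module attributes rather than a genuine expectation.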
@@ -2,11 +2,31 @@ { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", - "line": 41 + "line": 30, + "fileName": "positive.tf", + "resourceType": "aws_load_balancer_policy", + "resourceName": "positive4", + "searchKey": "aws_load_balancer_policy[positive4].policy_attribute[1].name", + "searchValue": "", + "expectedValue": "'aws_load_balancer_policy[positive4].policy_attribute[Protocol-TLSv1]' should not be an insecure protocol", + "actualValue": "'aws_load_balancer_policy[positive4].policy_attribute[Protocol-TLSv1]' is an insecure protocol", + "issueType": "IncorrectValue", + "similarityID": "7cd8c19629be3b781907f04edea5c502735f7be03b1b613274252c364b59bdbe", + "search_line": 30 }, { "queryName": "ELB Using Insecure Protocols", "severity": "MEDIUM", - "line": 30 + "line": 41, + "fileName": "positive.tf", + "resourceType": "aws_load_balancer_policy", + "resourceName": "positive5", + "searchKey": "aws_load_balancer_policy[positive5].policy_attribute.name", + "searchValue": "", + "expectedValue": "'aws_load_balancer_policy[positive5].policy_attribute[Protocol-SSLv3]' should not be an insecure protocol", + "actualValue": "'aws_load_balancer_policy[positive5].policy_attribute[Protocol-SSLv3]' is an insecure protocol", + "issueType": "IncorrectValue", + "similarityID": "f69a436fb47d803a5c4e8e3f37aaacf3882def98a9ef97da80cf815f5f04cfb2", + "search_line": 41 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/elb_using_weak_ciphers/test/positive_expected_result.json b/assets/queries/terraform/aws/elb_using_weak_ciphers/test/positive_expected_result.json index 7e31718727b..6c3d48fc84f 100644 --- a/assets/queries/terraform/aws/elb_using_weak_ciphers/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elb_using_weak_ciphers/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", - "line": 41 + "line": 41, + "fileName": "positive.tf", + "resourceType": "aws_load_balancer_policy", + "resourceName": "positive4", + "searchKey": "aws_load_balancer_policy[positive4]", + "searchValue": "", + "expectedValue": "'aws_load_balancer_policy[positive4].policy_attribute[TLS_RSA_ARCFOUR_128_SHA1].name' should not be a weak cipher", + "actualValue": "'aws_load_balancer_policy[positive4].policy_attribute[TLS_RSA_ARCFOUR_128_SHA1].name' is a weak cipher", + "issueType": "IncorrectValue", + "similarityID": "a7cab99baf972fcffb259d69f5e73d9e472ce35687c0f8e78f961e81c49d6f0e", + "search_line": -1 }, { "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", - "line": 63 + "line": 63, + "fileName": "positive.tf", + "resourceType": "aws_load_balancer_policy", + "resourceName": "positive5", + "searchKey": "aws_load_balancer_policy[positive5].policy_attribute.name", + "searchValue": "", + "expectedValue": "'aws_load_balancer_policy[positive5].policy_attribute[DES-CBC3-SHA].name' should not be a weak cipher", + "actualValue": "'aws_load_balancer_policy[positive5].policy_attribute[DES-CBC3-SHA].name' is a weak cipher", + "issueType": "IncorrectValue", + "similarityID": "4924947c01da7899adbfe44f26e478f75dded599c4fe76574c894cb640f46be5", + "search_line": -1 }, { "queryName": "ELB Using Weak Ciphers", "severity": "HIGH", - "line": 74 + "line": 74, + "fileName": "positive.tf", + "resourceType": "aws_load_balancer_policy", + "resourceName": "positive6", + "searchKey": "aws_load_balancer_policy[positive6].policy_attribute.name", + "searchValue": "", + "expectedValue": "'aws_load_balancer_policy[positive6].policy_attribute[TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384].name' should not be a weak cipher", + "actualValue": "'aws_load_balancer_policy[positive6].policy_attribute[TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384].name' is a weak cipher", + "issueType": "IncorrectValue", + "similarityID": 
"44a3591bd1149bfd0dbbe304e8a44902db2dda4feffed852e7364ebff4b66f13", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/elb_v2_lb_access_log_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/elb_v2_lb_access_log_disabled/test/positive_expected_result.json index 585f9f8c48e..0425cb157e6 100644 --- a/assets/queries/terraform/aws/elb_v2_lb_access_log_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/elb_v2_lb_access_log_disabled/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "ELBv2 LB Access Log Disabled", "severity": "MEDIUM", "line": 13, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_lb", + "resourceName": "test-lb-tf", + "searchKey": "aws_lb[test].access_logs.enabled", + "searchValue": "", + "expectedValue": "'access_logs.enabled' should be defined and set to true", + "actualValue": "'access_logs.enabled' is not set to true", + "issueType": "IncorrectValue", + "similarityID": "6cb1a0d6d618f67fa0281a6542643777da281bdc6a838e746a498db6e6ce5d54", + "search_line": 13 }, { "queryName": "ELBv2 LB Access Log Disabled", "severity": "MEDIUM", "line": 10, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_lb", + "resourceName": "test-lb-tf", + "searchKey": "aws_lb[test].access_logs", + "searchValue": "", + "expectedValue": "'access_logs.enabled' should be defined and set to true", + "actualValue": "'access_logs.enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "73243539202493cd1b9975b95e573d93f2d0e219807529aedbf0d521fd6491a0", + "search_line": 10 }, { "queryName": "ELBv2 LB Access Log Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_lb", + "resourceName": "test-lb-tf", + "searchKey": "aws_lb[test]", + "searchValue": "", + "expectedValue": "'access_logs.enabled' should be defined and set to true", + "actualValue": "'access_logs' is undefined", + "issueType": "MissingAttribute", + "similarityID": "95e419b52a3ee5640a46c515afda8880899688b23d1cdaac30ebc520fc01f0ba", + "search_line": 1 }, { "queryName": "ELBv2 LB Access Log Disabled", "severity": "MEDIUM", "line": 14, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_alb", + "resourceName": "test-lb-tf", + "searchKey": "aws_alb[test].access_logs.enabled", + "searchValue": "", + "expectedValue": "'access_logs.enabled' should be defined and set to true", + "actualValue": 
"'access_logs.enabled' is not set to true", + "issueType": "IncorrectValue", + "similarityID": "a0e45c930674df6801494b90c99e4cc988d4c3c1a7701b7af81a00722489e974", + "search_line": 14 }, { "queryName": "ELBv2 LB Access Log Disabled", "severity": "MEDIUM", "line": 11, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "aws_alb", + "resourceName": "test-lb-tf", + "searchKey": "aws_alb[test].access_logs", + "searchValue": "", + "expectedValue": "'access_logs.enabled' should be defined and set to true", + "actualValue": "'access_logs.enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "b3fa6fef0a6c221cc8effed4b24bc186ad0ab95b08daf9ccd234194fd75a158c", + "search_line": 11 }, { "queryName": "ELBv2 LB Access Log Disabled", "severity": "MEDIUM", "line": 2, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "aws_alb", + "resourceName": "test-lb-tf", + "searchKey": "aws_alb[test]", + "searchValue": "", + "expectedValue": "'access_logs.enabled' should be defined and set to true", + "actualValue": "'access_logs' is undefined", + "issueType": "MissingAttribute", + "similarityID": "15dbfef179cd44c747d6d5f749122b8f5574275a991c7293a0bcfe35fedbe013", + "search_line": 2 } ] diff --git a/assets/queries/terraform/aws/emr_without_vpc/test/positive_expected_result.json b/assets/queries/terraform/aws/emr_without_vpc/test/positive_expected_result.json index c1fd09e9e54..27641fd5aa1 100644 --- a/assets/queries/terraform/aws/emr_without_vpc/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/emr_without_vpc/test/positive_expected_result.json 
@@ -1,8 +1,17 @@ [ - { - "queryName": "EMR Without VPC", - "severity": "LOW", - "line": 1, - "fileName": "positive.tf" - } + { + "queryName": "EMR Without VPC", + "severity": "LOW", + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_emr_cluster", + "resourceName": "emr-test-arn", + "searchKey": "aws_emr_cluster[positive1]", + "searchValue": "", + "expectedValue": "'aws_emr_cluster[positive1].subnet_id' or 'aws_emr_cluster[positive1].subnet_ids' should be defined and not null'", + "actualValue": "'aws_emr_cluster[positive1].subnet_id' or 'aws_emr_cluster[positive1].subnet_ids' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "56b139e27fef8546b0be51da19892eb8a304f9a52f5471dba9fd57e6b6595739", + "search_line": 1 + } ] diff --git a/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/test/positive_expected_result.json index 660a6a6953f..c9faf23d79e 100644 --- a/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled/test/positive_expected_result.json 
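Review bot: `expectedValue` has an unbalanced closing quote: `... 'aws_emr_cluster[positive1].subnet_ids' should be defined and not null'`. The string is copied from scanner output, so the stray `'` presumably lives in the query's Rego `keyExpectedValue`; fix it at the source and regenerate so this fixture does not drift on the next run. Corrected: `"expectedValue": "'aws_emr_cluster[positive1].subnet_id' or 'aws_emr_cluster[positive1].subnet_ids' should be defined and not null",`.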
@@ -3,18 +3,45 @@ "queryName": "Global Accelerator Flow Logs Disabled", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_globalaccelerator_accelerator", + "resourceName": "Example", + "searchKey": "aws_globalaccelerator_accelerator[{{positive1}}]", + "searchValue": "", + "expectedValue": "aws_globalaccelerator_accelerator[{{positive1}}].flow_logs_enabled should be defined and not null", + "actualValue": "aws_globalaccelerator_accelerator[{{positive1}}].flow_logs_enabled is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "3e0e7ddee8436957270a5d5561e6f905d09126400d953e4a09c77141f1a75420", + "search_line": 1 }, { "queryName": "Global Accelerator Flow Logs Disabled", "severity": "MEDIUM", "line": 6, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_globalaccelerator_accelerator", + "resourceName": "Example", + "searchKey": "aws_globalaccelerator_accelerator[{{positive2}}].attributes", + "searchValue": "", + "expectedValue": "aws_globalaccelerator_accelerator[{{positive2}}].flow_logs_enabled should be defined and not null", + "actualValue": "aws_globalaccelerator_accelerator[{{positive2}}].flow_logs_enabled is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "0728b7081b4a6e0de7e86a8b02c49da658f2c821909661bae3b8d469c6b245a6", + "search_line": 6 }, { "queryName": "Global Accelerator Flow Logs Disabled", "severity": "MEDIUM", "line": 7, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_globalaccelerator_accelerator", + "resourceName": "Example", + "searchKey": "aws_globalaccelerator_accelerator[{{positive3}}].attributes.flow_logs_enabled", + "searchValue": "", + "expectedValue": "aws_globalaccelerator_accelerator[{{positive3}}].flow_logs_enabled should be true", + "actualValue": "aws_globalaccelerator_accelerator[{{positive3}}].flow_logs_enabled is false", + "issueType": "IncorrectValue", + 
"similarityID": "5f4df54e35a9b6e759b8ee7c6611993478fa77052b320fa7944749635b4c94f4", + "search_line": 7 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/test/positive_expected_result.json index 053cddb8eb5..bff066b119e 100644 --- a/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Glue Data Catalog Encryption Disabled", "severity": "HIGH", "line": 5, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_glue_data_catalog_encryption_settings", + "resourceName": "positive1", + "searchKey": "aws_glue_data_catalog_encryption_settings[positive1].data_catalog_encryption_settings.connection_password_encryption.return_connection_password_encrypted", + "searchValue": "", + "expectedValue": "'return_connection_password_encrypted' should be set to true", + "actualValue": "'return_connection_password_encrypted' is not set to true", + "issueType": "IncorrectValue", + "similarityID": "3a8b27fe319be06dfdd8d90979f53d8d03bf818f609cb11c094ad95178b04fa3", + "search_line": 5 }, { "queryName": "Glue Data Catalog Encryption Disabled", "severity": "HIGH", "line": 3, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_glue_data_catalog_encryption_settings", + "resourceName": "positive2", + "searchKey": "aws_glue_data_catalog_encryption_settings[positive2].data_catalog_encryption_settings.connection_password_encryption", + "searchValue": "", + "expectedValue": "'aws_kms_key_id' should be defined and not null", + "actualValue": "'aws_kms_key_id' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "b329b3df1447a9672749afe9d19c826a73badeb9e69b1e683a858be22be6fe6d", + "search_line": 3 }, { "queryName": "Glue Data Catalog Encryption Disabled", "severity": "HIGH", "line": 9, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_glue_data_catalog_encryption_settings", + "resourceName": "positive3", + "searchKey": "aws_glue_data_catalog_encryption_settings[positive3].data_catalog_encryption_settings.encryption_at_rest.catalog_encryption_mode", + "searchValue": "", + "expectedValue": "'catalog_encryption_mode' should be set to 'SSE-KMS'", + "actualValue": "'catalog_encryption_mode' is not set to 'SSE-KMS'", + "issueType": 
"IncorrectValue", + "similarityID": "3fb9ed9df11a4229b56e2654e0acb54b6975464e427745e3f8caad4cdb9a03f9", + "search_line": 9 }, { "queryName": "Glue Data Catalog Encryption Disabled", "severity": "HIGH", "line": 8, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_glue_data_catalog_encryption_settings", + "resourceName": "positive4", + "searchKey": "aws_glue_data_catalog_encryption_settings[positive4].data_catalog_encryption_settings.encryption_at_rest", + "searchValue": "", + "expectedValue": "'sse_aws_kms_key_id' should be defined and not null", + "actualValue": "'sse_aws_kms_key_id' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "08c1d380b1e4ae48bc981d39c6ce514c9e2a257961ca5f437b8d19639d5a0f03", + "search_line": 8 } ] diff --git a/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/test/positive_expected_result.json index 99f94932214..1b9cac84cc3 100644 --- a/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "Glue Security Configuration Encryption Disabled", "severity": "HIGH", "line": 5, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_glue_security_configuration", + "resourceName": "example", + "searchKey": "aws_glue_security_configuration[positive1].encryption_configuration.cloudwatch_encryption", + "searchValue": "", + "expectedValue": "aws_glue_security_configuration[positive1].encryption_configuration.cloudwatch_encryption has 'kms_key_arn' defined and not null", + "actualValue": "aws_glue_security_configuration[positive1].encryption_configuration.cloudwatch_encryption has 'kms_key_arn' undefined or null", + "issueType": "MissingAttribute", + "similarityID": "bc1a7aa53739880a967c0528dd854c5fc488adc603b55f6ff8b4bdd271208dc3", + "search_line": 5 }, { "queryName": "Glue Security Configuration Encryption Disabled", "severity": "HIGH", "line": 11, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_glue_security_configuration", + "resourceName": "example", + "searchKey": "aws_glue_security_configuration[positive2].encryption_configuration.job_bookmarks_encryption.job_bookmarks_encryption_mode", + "searchValue": "", + "expectedValue": "'job_bookmarks_encryption_mode' should be set to 'CSE-KMS'", + "actualValue": "'job_bookmarks_encryption_mode' is not set to 'CSE-KMS'", + "issueType": "IncorrectValue", + "similarityID": "f5568afb77fb95f8ef4ffd30d56fbc45453e6c01d91c18a539d149f360c9f664", + "search_line": -1 }, { "queryName": "Glue Security Configuration Encryption Disabled", "severity": "HIGH", "line": 10, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_glue_security_configuration", + "resourceName": "example", + "searchKey": "aws_glue_security_configuration[positive2].job_bookmarks_encryption", + "searchValue": "", + "expectedValue": "aws_glue_security_configuration[positive2].job_bookmarks_encryption has 'job_bookmarks_encryption_mode' 
defined and not null", + "actualValue": "aws_glue_security_configKeyiguration[positive2].job_bookmarks_encryption has 'job_bookmarks_encryption_mode' undefined or null", + "issueType": "MissingAttribute", + "similarityID": "1ce618c25f7c9549f6b24c325fa4d58432031dfc3e9e68f1b1bd078aa97ca788", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/glue_with_vulnerable_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/glue_with_vulnerable_policy/test/positive_expected_result.json index 60c40b691d5..8b53e272464 100644 --- a/assets/queries/terraform/aws/glue_with_vulnerable_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/glue_with_vulnerable_policy/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Glue With Vulnerable Policy", "severity": "MEDIUM", "line": 15, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "aws_glue_resource_policy", + "resourceName": "example", + "searchKey": "aws_glue_resource_policy[example].policy", + "searchValue": "", + "expectedValue": "aws_glue_resource_policy[example].policy should not have wildcard in 'principals' and 'actions'", + "actualValue": "aws_glue_resource_policy[example].policy has wildcard in 'principals' or 'actions'", + "issueType": "IncorrectValue", + "similarityID": "b5d8a40fb1b357c2fa0d2f8d2789b15be7362d4151d0b10c85756b76246101db", + "search_line": 15 } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json index 767d9dbbb2a..e9afca2b1bd 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json 
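Review bot: The third entry's `actualValue` pins the misspelling `aws_glue_security_configKeyiguration[positive2]...` into the expected result, so a typo in the query's finding message (presumably produced by the Rego that builds this result) is now enforced by the test instead of being caught by it; the message should be fixed at its source and the fixture regenerated rather than committing this value. The same entry is reported for `positive3.tf` while its `searchKey` is `aws_glue_security_configuration[positive2].job_bookmarks_encryption`, which suggests the resource label in positive3.tf was copied from positive2.tf and is worth renaming so the fixture is self-describing. Entries 2 and 3 also record `"search_line": -1` while `line` is 11 and 10, and both entries in the hardcoded_aws_access_key_in_lambda hunk do the same; if -1 means the search key could not be resolved to a source line, these regenerated fixtures freeze a location failure that the old `line`-only format never asserted, so it should be confirmed as intended before being accepted as expected behaviour.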
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "5268d10fe6546653fa882389bc14936770dbe2e7e8526a08c2d5642ec57f1b98", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json index dca2ecc1114..a2099e1f740 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json 
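Review bot: The newly pinned `expectedValue` for this query says `group cosmic shouldn't be associated with a policy ...` while the sibling group_with_privilege_escalation hunks for iam_AddUserToGroup, iam_AttachRolePolicy, iam_CreateAccessKey, iam_PutRolePolicy and iam_PutUserPolicy pin `should not`, so the fixtures now lock in inconsistent wording across an otherwise identical family of queries. Because these files are generated from scanner output, the wording belongs to each query's message; aligning the messages on one form (e.g. `should not`) before regenerating would keep the expected results uniform and make future diffs across this family easier to review.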
@@ -3,6 +3,15 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:AddUserToGroup'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic should not be associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "640d10b7f53b3c7a50ce88a7dfa107d10c8a5237faaeab97e5b41bfa83936ecb", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json index 3c3fd030c44..628691d3175 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "edd0d0160737ce8a99cad94cf2b086859cf839f0ce29d96ec75352c102d9d7a2", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json index 1e87698084e..14ce49ff6da 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic should not be associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "532da87283c1a19101d366e48e6c80ae0150a6ef54e54ecd92329f910f549cbd", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json index 528dfaa32ea..ff8ac7de790 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "990879bda7d4ae65c2fa6425e9d64dc8b063c88f24b3cc6ec0e646afe6226c7e", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json index 96eba745bcc..ab696ccc58b 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:CreateAccessKey'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic should not be associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "254afde9f580ba6df3f0bd32601e1773402d7cbfbed5c191f005ce12ac58a001", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json index 423c580bd76..d6be10f5adf 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "d4fc65a47fc218631f8ff4e3cca768a2b366de75d6007c83e01d3e9e435ca297", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json index b08389ad245..c87d0d7354c 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "ad181769b525048692e7a1359f9a0da05e6fb4abcb3514a57386e23212e7529d", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json index e012e5db9e4..62b0c078cb8 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "c2057ab9cbe60474f1edddd18dd38685d5014b7553be5ab924ddd2aeefa8bc26", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json index e269c9d79e7..1122af4f1d7 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "609e1c4e15377b792a34f8469a76e39f431bd552d4c6a7f512cc00bfcc9567f9", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json index 03396830fe3..a740cc1de65 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "e3ce48c680be414071962764d8723758d977e37254580437fb6ede35c48e4069", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json index 3a5cbe039fe..f8c30afd880 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "5f2b5ea6c0c97df2658e155ad994f745cb91f39b7dc65c93851cfe32a0b8a647", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json index e9e97ad162b..840ecb5427e 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "51e2da04f8c3168ef51c29e1f350cc6d35021e34bd385b742369cfe47671ea1f", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json index a989eecfd2a..2646987de69 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:PutRolePolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic should not be associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "6b48a6b3662fd536cd6578ec2dd1d34e95aeaea33be7803850e90f5a33c02c2e", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json index 490028dfcbc..7c99058964b 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:PutUserPolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic should not be associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "d6930b600aa9ce8b498c330a65f7b4b49aad6252f086140dc57a5aa903b51783", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json index 891da8391d0..32091eff0a2 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "236f2c1b8fc4bf94462e402f16c5d6cae78c15eac39edd4f535fe02b4febc5e0", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json index d94146558e8..b2ca32eb826 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "0887ff5d37479c0924ad3443da5f5ab4e735c0d4f3ce155616efa19ffead9b99", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json index 550cd399885..b659f8c47ac 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "e8ba7d941091b509f8d4a21952b7b043533d4020110cc82fe8f07834adeb224b", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json index 87b739574ab..6783349f620 100644 --- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_group", + "resourceName": "cosmic", + "searchKey": "aws_iam_group[cosmic]", + "searchValue": "", + "expectedValue": "group cosmic shouldn't be associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", + "actualValue": "group cosmic is associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "7dd791dae37979365a092bc6b93c4fc2400ec841c08d24e64fd69b70d2c88f1b", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/guardduty_detector_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/guardduty_detector_disabled/test/positive_expected_result.json index 2908de223bb..288571ff3d8 100644 --- a/assets/queries/terraform/aws/guardduty_detector_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/guardduty_detector_disabled/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "GuardDuty Detector Disabled", "severity": "MEDIUM", - "line": 2 + "line": 2, + "fileName": "positive.tf", + "resourceType": "aws_guardduty_detector", + "resourceName": "positive1", + "searchKey": "aws_guardduty_detector[positive1].enable", + "searchValue": "", + "expectedValue": "GuardDuty Detector should be Enabled", + "actualValue": "GuardDuty Detector is not Enabled", + "issueType": "IncorrectValue", + "similarityID": "5a1360e416dc2b96202d44cc62a309fbd159f47c4231dda39408c76464799e5a", + "search_line": 2 } ] diff --git a/assets/queries/terraform/aws/hardcoded_aws_access_key/test/positive_expected_result.json b/assets/queries/terraform/aws/hardcoded_aws_access_key/test/positive_expected_result.json index 7cfc634073e..d175d688f0b 100644 
--- a/assets/queries/terraform/aws/hardcoded_aws_access_key/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/hardcoded_aws_access_key/test/positive_expected_result.json @@ -2,13 +2,31 @@ { "queryName": "Hardcoded AWS Access Key", "severity": "HIGH", - "line": 5, - "fileName": "positive2.tf" + "line": 13, + "fileName": "positive1.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance].user_data", + "searchValue": "", + "expectedValue": "'user_data' shouldn't contain hardcoded access key", + "actualValue": "'user_data' contains hardcoded access key", + "issueType": "IncorrectValue", + "similarityID": "d7cc008fa4baacae58089b9527be9f49e980fbd7e7ea7cae805d5faf1692922d", + "search_line": 13 }, { "queryName": "Hardcoded AWS Access Key", "severity": "HIGH", - "line": 13, - "fileName": "positive1.tf" + "line": 5, + "fileName": "positive2.tf", + "resourceType": "aws_instance", + "resourceName": "HelloWorld", + "searchKey": "aws_instance[positive1].user_data", + "searchValue": "", + "expectedValue": "'user_data' shouldn't contain hardcoded access key", + "actualValue": "'user_data' contains hardcoded access key", + "issueType": "IncorrectValue", + "similarityID": "16645680508968c8278362b729442b36f1ecfb88476098442f102e7e9e696ff0", + "search_line": 5 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json b/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json index f633fc224fd..1a453d59f4c 100644 --- a/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda/test/positive_expected_result.json 
@@ -2,13 +2,31 @@ { "queryName": "Hardcoded AWS Access Key In Lambda", "severity": "HIGH", - "line": 57, - "fileName": "positive.tf" + "line": 36, + "fileName": "positive.tf", + "resourceType": "aws_lambda_function", + "resourceName": "positive2", + "searchKey": "aws_lambda_function[positive2].environment.variables.foo", + "searchValue": "", + "expectedValue": "'environment.variables' shouldn't contain AWS Access Key", + "actualValue": "'environment.variables' contains AWS Access Key", + "issueType": "IncorrectValue", + "similarityID": "153ad22bbb5d6dd9b8fb498372643b64336e04da3176eef88bd2baa2b428047d", + "search_line": -1 }, { "queryName": "Hardcoded AWS Access Key In Lambda", "severity": "HIGH", - "line": 36, - "fileName": "positive.tf" + "line": 57, + "fileName": "positive.tf", + "resourceType": "aws_lambda_function", + "resourceName": "positive3", + "searchKey": "aws_lambda_function[positive3].environment.variables.foo", + "searchValue": "", + "expectedValue": "'environment.variables' shouldn't contain AWS Access Key", + "actualValue": "'environment.variables' contains AWS Access Key", + "issueType": "IncorrectValue", + "similarityID": "dc44a8a51e26497e96d4a32eb262c269ecb2ad3851c2d5c609fbc128edc446dc", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/http_port_open/test/positive_expected_result.json b/assets/queries/terraform/aws/http_port_open/test/positive_expected_result.json index 2fcdca8b230..b8a9096d903 100644 --- a/assets/queries/terraform/aws/http_port_open/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/http_port_open/test/positive_expected_result.json 
@@ -3,102 +3,255 @@ "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-1].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-1].ingress should not open the HTTP port (80)", + "actualValue": "aws_security_group[positive1-1].ingress opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "d065f7afe253469618512257d8293335294e6b4db0e1ec4b506e0df43f87584e", + "search_line": 5 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 26, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-2].ingress[1]", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-2].ingress[1] should not open the HTTP port (80)", + "actualValue": "aws_security_group[positive1-2].ingress[1] opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "3000487145795185e1aad437644dbd025825a0dada9f4b495f0b257eec8f3b4b", + "search_line": 26 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 39, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-3].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-3].ingress should not open the HTTP port (80)", + "actualValue": "aws_security_group[positive1-3].ingress opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "e7aebb3cd08dd5eceb137c04eca9bb9b7ced27cc02e1c045db7016021912c078", + "search_line": 39 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 60, - "fileName": "positive1.tf" + "fileName": "positive1.tf", 
+ "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-4].ingress[1]", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-4].ingress[1] should not open the HTTP port (80)", + "actualValue": "aws_security_group[positive1-4].ingress[1] opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "5036249f20c7b9b0503f6f99c448eb331027376c1690c04297e56d708a3453ca", + "search_line": 60 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 73, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-5].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-5].ingress should not open the HTTP port (80)", + "actualValue": "aws_security_group[positive1-5].ingress opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "d53b891c71b0bbfa862e16830e68013dc3cb15cf4f35c3179bda0ec8e66332b2", + "search_line": 73 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 87, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-6].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-6].ingress should not open the HTTP port (80)", + "actualValue": "aws_security_group[positive1-6].ingress opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "417636f98ef8d83a1aeed9052db85d8ecf1651991d27b7ecc22c6d158ac78cfc", + "search_line": 87 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 101, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-7].ingress", + "searchValue": "", + 
"expectedValue": "aws_security_group[positive1-7].ingress should not open the HTTP port (80)", + "actualValue": "aws_security_group[positive1-7].ingress opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "42cd4f4334d8a2441dc29af51a26b4a16b4892ec250e17ff5abb5e326ae1587d", + "search_line": 101 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 7, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-1]", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-1] should not open the HTTP port (80)", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-1] opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "1dd9d962aed42f6398a70a11b5b7cc598cd94789a21fae1fa5aca46826170271", + "search_line": 7 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 17, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-2]", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-2] should not open the HTTP port (80)", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-2] opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "c9627412d03a4003f98c434285b2746e4f530294c386f86284b80d3c50d930a9", + "search_line": 17 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 7, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-1", + "searchKey": "aws_security_group_rule[positive3-1]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-1] should not 
open the HTTP port (80)", + "actualValue": "aws_security_group_rule[positive3-1] opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "569e04d4e3a70ed11dbf843f56afa945bf85c2baa004a4eb884b8ab737b49903", + "search_line": 7 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 17, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-2", + "searchKey": "aws_security_group_rule[positive3-2]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-2] should not open the HTTP port (80)", + "actualValue": "aws_security_group_rule[positive3-2] opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "a0421601e0fc225b1683faee790d122a9a4514368c69c0fa5386b6d81c185c7b", + "search_line": 17 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 11, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 should not open the HTTP port (80)", + "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "16f7cac56b2ab440339f78719c1aa8560d4af920b2171691914b55e17afcb2ca", + "search_line": 11 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 30, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 should not open the HTTP port (80)", + "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 opens the HTTP 
port (80)", + "issueType": "IncorrectValue", + "similarityID": "36c51aa104e4c878ac9cefecff0f1e9d401237dc661b1187446c40ad261fe139", + "search_line": 30 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 49, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 should not open the HTTP port (80)", + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "a082cd2b2307b1d9ede02f67ba0c61a17bb55126be13c05c60c0a16bea967d0e", + "search_line": 49 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 63, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 should not open the HTTP port (80)", + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "74361fac89b21c5987b636671897b7b32f6c44dbe32c8df1e244df365d314264", + "search_line": 63 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 82, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 should not open the HTTP port (80)", + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 opens the HTTP port (80)", + 
"issueType": "IncorrectValue", + "similarityID": "c213c7f9a2141042d05f2b694ba7e0452a6336b731997b0193e805f2d71365ae", + "search_line": 82 }, { "queryName": "HTTP Port Open To Internet", "severity": "MEDIUM", "line": 96, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 should not open the HTTP port (80)", + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 opens the HTTP port (80)", + "issueType": "IncorrectValue", + "similarityID": "9060bc96a1b6945ab712624e0c3f98e6f81e16ac5151efb08cdb05cbe03156fa", + "search_line": 96 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json index 9ffd7769e25..bbd35a4f393 100644 --- a/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "IAM Access Analyzer Not Enabled", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "'aws_accessanalyzer_analyzer' should be set", + "actualValue": "'aws_accessanalyzer_analyzer' is undefined", + "issueType": "MissingAttribute", + "similarityID": "f34520655676d457c206e3568b0d0231b554f4affb429f0fe1523a8b0fc05e98", + "search_line": 1 }, { "queryName": "IAM Access Analyzer Not Enabled", "severity": "LOW", "line": 6, - "fileName": "positive2.json" + "fileName": "positive2.json", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "resource", + "searchValue": "", + "expectedValue": "'aws_accessanalyzer_analyzer' should be set", + "actualValue": "'aws_accessanalyzer_analyzer' is undefined", + "issueType": "MissingAttribute", + "similarityID": "c87f9823a6940baf3c7c6aff6599ead520969ef8108a673624353352018f4f47", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/iam_access_key_is_exposed/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_access_key_is_exposed/test/positive_expected_result.json index 5cd10b3b788..dc317a5ed7b 100644 --- a/assets/queries/terraform/aws/iam_access_key_is_exposed/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_access_key_is_exposed/test/positive_expected_result.json 
@@ -1,12 +1,32 @@ [ - { - "queryName": "IAM Access Key Is Exposed", - "severity": "MEDIUM", - "line": 2 - }, - { - "queryName": "IAM Access Key Is Exposed", - "severity": "MEDIUM", - "line": 7 - } + { + "queryName": "IAM Access Key Is Exposed", + "severity": "MEDIUM", + "line": 2, + "fileName": "positive.tf", + "resourceType": "aws_iam_access_key", + "resourceName": "positive1", + "searchKey": "aws_iam_access_key[positive1].user", + "searchValue": "", + "expectedValue": "'aws_iam_access_key[positive1].user' should not be 'root' for an active access key", + "actualValue": "'aws_iam_access_key[positive1].user' is 'root' for an active access key", + "issueType": "IncorrectValue", + "similarityID": "f0befacc003c12b7f430e75c031115320fa221b2e77ec88f5885d03b0cdf4439", + "search_line": -1 + }, + { + "queryName": "IAM Access Key Is Exposed", + "severity": "MEDIUM", + "line": 7, + "fileName": "positive.tf", + "resourceType": "aws_iam_access_key", + "resourceName": "positive2", + "searchKey": "aws_iam_access_key[positive2].user", + "searchValue": "", + "expectedValue": "'aws_iam_access_key[positive2].user' should not be 'root' for an active access key", + "actualValue": "'aws_iam_access_key[positive2].user' is 'root' for an active access key", + "issueType": "IncorrectValue", + "similarityID": "904f1ae9ace03bf30527565da9707dad040cf3853dedacbd3cf0f756d80b11ef", + "search_line": -1 + } ] diff --git a/assets/queries/terraform/aws/iam_database_auth_not_enabled/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_database_auth_not_enabled/test/positive_expected_result.json index be5ed3840b6..d67451b36e6 100644 --- a/assets/queries/terraform/aws/iam_database_auth_not_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_database_auth_not_enabled/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "IAM Database Auth Not Enabled", "severity": "MEDIUM", "line": 10, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive1].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is set to false", + "issueType": "IncorrectValue", + "similarityID": "d9c28d9736e0abcf1a4aaaf34a3769f52a7334079747a28fff154537e73d74e6", + "search_line": 10 }, { "queryName": "IAM Database Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive1]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "f203394628604489c39b0ffd79cbc3befe720f738b95039da9cdb9b809bd3e27", + "search_line": 1 }, { "queryName": "IAM Database Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[db]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "0f6495292348074ef7b7333f71be5dd1926769bb233d50b8b1818732baf935a0", + "search_line": 1 }, { "queryName": "IAM Database Auth Not Enabled", "severity": "MEDIUM", "line": 17, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[db].iam_database_authentication_enabled", + 
"searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is set to false", + "issueType": "IncorrectValue", + "similarityID": "b34a95ffa93898546ae96d653099854591e389901c9550b5d48224b4f31f5b01", + "search_line": 17 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json index 9e6e6fe4df8..0655d3ed406 100644 --- a/assets/queries/terraform/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_db_cluster_auth_not_enabled/test/positive_expected_result.json 
@@ -3,120 +3,300 @@ "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 10, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "positive1", + "searchKey": "aws_rds_cluster[positive1].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is defined to false", + "issueType": "MissingAttribute", + "similarityID": "e57b44036f7e0cd66f6125b6f70cc584263c8a68509404bbf979feacaae78f1b", + "search_line": 10 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "positive2", + "searchKey": "aws_rds_cluster[positive2]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "1f5fc5a33d1ae68a560e431c0a6d175320abb0f8ace6cc58695067c9ff72e0a5", + "search_line": 1 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "positive3", + "searchKey": "aws_rds_cluster[positive3]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "736329302d4bc225cefb8974aad99733bd404d14119d95fbe2ae12d4f5aff7b1", + "search_line": 1 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "positive4", + 
"searchKey": "aws_rds_cluster[positive4].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is defined to false", + "issueType": "MissingAttribute", + "similarityID": "11d42bde2c056b1b55e6574f569edbf598c1a917f6c5386782c026f4997cedb9", + "search_line": 8 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "positive5", + "searchKey": "aws_rds_cluster[positive5].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is defined to false", + "issueType": "MissingAttribute", + "similarityID": "8475a866d0f4dbf7ef227bf35487fcb03253b6dcf46618c16e3731878605f2a7", + "search_line": 9 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "positive6", + "searchKey": "aws_rds_cluster[positive6]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "a77fd2b0bec11fdca6cd65c7f93e73b557694f713c67777fc8aa81c7d65a82db", + "search_line": 1 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 10, - "fileName": "positive7.tf" + "fileName": "positive7.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "example_postgres", + "searchKey": "aws_rds_cluster[example_postgres].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", 
+ "actualValue": "'iam_database_authentication_enabled' is defined to false", + "issueType": "MissingAttribute", + "similarityID": "df8849b76192614bfcd5489203c12a38e6a5f0e17852f7fe000300b963044070", + "search_line": 10 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive8.tf" + "fileName": "positive8.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "example_postgres", + "searchKey": "aws_rds_cluster[example_postgres]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "3a938c04a5e9761b0894038254a73f9b3ff5745522bab66f8cf16bc261c2873a", + "search_line": 1 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive9.tf" + "fileName": "positive9.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "example_postgres", + "searchKey": "aws_rds_cluster[example_postgres].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is defined to false", + "issueType": "MissingAttribute", + "similarityID": "678268eaf1e48a29b0dc0e770e3d4493c609233da4346fa556c1635334aa82a5", + "search_line": 9 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive10.tf" + "fileName": "positive10.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "example_postgres", + "searchKey": "aws_rds_cluster[example_postgres]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": 
"376d1a54cffeebda1365847a4eafb7713c4a1d181f2ebbc39b9c7413adca5059", + "search_line": 1 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 10, - "fileName": "positive11.tf" + "fileName": "positive11.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[aurora_cluster].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is defined to false", + "issueType": "MissingAttribute", + "similarityID": "8a61360585578e69fa5f773034c4c03a397c5e61b28eea44630885b52376e9a2", + "search_line": 10 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive12.tf" + "fileName": "positive12.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[aurora_cluster]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "1dc366abe592302e02cd1d602a350a327d4765b1b6dce4e53ef775c857f53880", + "search_line": 1 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive13.tf" + "fileName": "positive13.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[aurora_cluster]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "55df7905bb732c79a737bded0afc1703ef880af3b451c813dd431c7e4821d71f", + "search_line": 1 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive14.tf" + "fileName": "positive14.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": 
"module[aurora_cluster].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is defined to false", + "issueType": "MissingAttribute", + "similarityID": "49f01c234f1f4a2beda34490d14d28c7a5d4cbd3e4611c10d6e50df242fbbc0c", + "search_line": 8 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 10, - "fileName": "positive15.tf" + "fileName": "positive15.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[aurora_cluster].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is defined to false", + "issueType": "MissingAttribute", + "similarityID": "c1c68d8c48b59b3578a269508e93b08ae8993ffcf8466d819770564dc67eb809", + "search_line": 10 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive16.tf" + "fileName": "positive16.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[aurora_cluster]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "d30fb956a283bf8c9f30452c9105ee397ff320ae094016f719da22afb1a02153", + "search_line": 1 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 10, - "fileName": "positive17.tf" + "fileName": "positive17.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[aurora_cluster].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is defined to false", + 
"issueType": "MissingAttribute", + "similarityID": "abca721991034a77c3c29d0173fbfdafc2b99d4a97181c8fb095001ed527c481", + "search_line": 10 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive18.tf" + "fileName": "positive18.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[aurora_cluster]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "b9c91b7396e5a9302e071e0fa976cdca23bf2ae67e0fbfaae23091c301ed5297", + "search_line": 1 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive19.tf" + "fileName": "positive19.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[aurora_cluster].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is defined to false", + "issueType": "MissingAttribute", + "similarityID": "ff51a61d855012fc433815ed61c28256b294f475cd693f038f260520dc1ed268", + "search_line": 9 }, { "queryName": "IAM DB Cluster Auth Not Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive20.tf" + "fileName": "positive20.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[aurora_cluster]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "a4fece82966add883b72c765dd6bceb9bc7eb3d6d9654ba0aa8d568e9d7f1480", + "search_line": 1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/aws/iam_group_without_users/test/positive2/positive_expected_result.json b/assets/queries/terraform/aws/iam_group_without_users/test/positive2/positive_expected_result.json index 9694db417c6..cc2b6ffd206 100644 --- a/assets/queries/terraform/aws/iam_group_without_users/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_group_without_users/test/positive2/positive_expected_result.json @@ -2,13 +2,31 @@ { "queryName": "IAM Group Without Users", "severity": "MEDIUM", + "line": 1, "fileName": "positive2_1.tf", - "line": 1 + "resourceType": "aws_iam_group", + "resourceName": "test-group", + "searchKey": "aws_iam_group[group2]", + "searchValue": "", + "expectedValue": "aws_iam_group[group2] should be associated with an aws_iam_group_membership that has at least one user set", + "actualValue": "aws_iam_group[group2] is not associated with an aws_iam_group_membership that has at least one user set", + "issueType": "MissingAttribute", + "similarityID": "e5f84e4e5faaa58244860280fc17f6a7a740eb8432f9a748d222d75b1b38f9fe", + "search_line": 1 }, { "queryName": "IAM Group Without Users", "severity": "MEDIUM", + "line": 5, "fileName": "positive2_1.tf", - "line": 5 + "resourceType": "aws_iam_group", + "resourceName": "test-group", + "searchKey": "aws_iam_group[group3]", + "searchValue": "", + "expectedValue": "aws_iam_group[group3] should be associated with an aws_iam_group_membership that has at least one user set", + "actualValue": "aws_iam_group[group3] is not associated with an aws_iam_group_membership that has at least one user set", + "issueType": "MissingAttribute", + "similarityID": "d89c6846023c0cf79dac5ef5220429ce6c152c23486d708e40a99fdf9381792c", + "search_line": 5 } ] diff --git a/assets/queries/terraform/aws/iam_group_without_users/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_group_without_users/test/positive_expected_result.json index 88912a3df2c..ca19de9020b 100644 
--- a/assets/queries/terraform/aws/iam_group_without_users/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_group_without_users/test/positive_expected_result.json @@ -2,13 +2,31 @@ { "queryName": "IAM Group Without Users", "severity": "MEDIUM", + "line": 12, "fileName": "positive1.tf", - "line": 12 + "resourceType": "aws_iam_group", + "resourceName": "test-group", + "searchKey": "aws_iam_group[group2]", + "searchValue": "", + "expectedValue": "aws_iam_group[group2] should be associated with an aws_iam_group_membership that has at least one user set", + "actualValue": "aws_iam_group[group2] is not associated with an aws_iam_group_membership that has at least one user set", + "issueType": "MissingAttribute", + "similarityID": "7084ae70a8adf6772099d00a303edb6f62ec9ee40396c18b70b30f65cef0633d", + "search_line": 12 }, { "queryName": "IAM Group Without Users", "severity": "MEDIUM", + "line": 33, "fileName": "positive1.tf", - "line": 33 + "resourceType": "aws_iam_group", + "resourceName": "test-group", + "searchKey": "aws_iam_group[group3]", + "searchValue": "", + "expectedValue": "aws_iam_group[group3] should be associated with an aws_iam_group_membership that has at least one user set", + "actualValue": "aws_iam_group[group3] is not associated with an aws_iam_group_membership that has at least one user set", + "issueType": "MissingAttribute", + "similarityID": "1dbe2a8c5de9f97f381661d49bc406f639d3254842d1c415f56a4dc6ff35b4db", + "search_line": 33 } ] diff --git a/assets/queries/terraform/aws/iam_password_without_minimum_length/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_password_without_minimum_length/test/positive_expected_result.json index fe66c904973..e2d4e3611e7 100644 --- a/assets/queries/terraform/aws/iam_password_without_minimum_length/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_password_without_minimum_length/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "IAM Password Without Minimum Length", "severity": "LOW", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_iam_account_password_policy", + "resourceName": "positive1", + "searchKey": "aws_iam_account_password_policy[positive1]", + "searchValue": "", + "expectedValue": "'minimum_password_length' should be set and no less than 14", + "actualValue": "'minimum_password_length' is undefined", + "issueType": "MissingAttribute", + "similarityID": "dfa2870019b84502e3b1a120a7c3112a8b6800387e1177cac8b6df4cafa9d73b", + "search_line": 1 }, { "queryName": "IAM Password Without Minimum Length", "severity": "LOW", - "line": 10 + "line": 10, + "fileName": "positive.tf", + "resourceType": "aws_iam_account_password_policy", + "resourceName": "positive2", + "searchKey": "aws_iam_account_password_policy[positive2].minimum_password_length", + "searchValue": "", + "expectedValue": "'minimum_password_length' should be set and no less than 14", + "actualValue": "'minimum_password_length' is less than 14", + "issueType": "IncorrectValue", + "similarityID": "2fc1f7da3d462653d7d9b65941c2f56cda3c5206e84976c8454b0f91b906524a", + "search_line": 10 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_policies_attached_to_user/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_policies_attached_to_user/test/positive_expected_result.json index 4d1f265f81a..bc4ab093c8a 100755 --- a/assets/queries/terraform/aws/iam_policies_attached_to_user/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_policies_attached_to_user/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "IAM Policies Attached To User", "severity": "MEDIUM", "line": 18, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_policy_attachment", + "resourceName": "excess_policy", + "searchKey": "aws_iam_policy_attachment[{{positive1_3}}].users", + "searchValue": "", + "expectedValue": "'users' is redundant", + "actualValue": "'users' exists", + "issueType": "RedundantAttribute", + "similarityID": "05e99bd2d4d483edd29a08d2f4d97639558c1b9c78ee95e68415432e580bae67", + "search_line": -1 }, { "queryName": "IAM Policies Attached To User", "severity": "MEDIUM", "line": 18, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_iam_user_policy", + "resourceName": "excess_policy", + "searchKey": "aws_iam_user_policy[{{positive2_3}}].user", + "searchValue": "", + "expectedValue": "'user' is redundant", + "actualValue": "'user' exists", + "issueType": "RedundantAttribute", + "similarityID": "60239549bf82e006353275e32c4e2413d5fe852818ade9417c92c5838bd9c4c3", + "search_line": -1 }, { "queryName": "IAM Policies Attached To User", "severity": "MEDIUM", "line": 27, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_iam_user_policy_attachment", + "resourceName": "test-attach", + "searchKey": "aws_iam_user_policy_attachment[{{test-attach}}].user", + "searchValue": "", + "expectedValue": "'user' is redundant", + "actualValue": "'user' exists", + "issueType": "RedundantAttribute", + "similarityID": "f260469ac90b1bf29c54ef848971d48e70a189696ac409d7cf4d667463817351", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/iam_policies_with_full_privileges/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_policies_with_full_privileges/test/positive_expected_result.json index 3c68baf6f98..b44955fd25a 100644 --- a/assets/queries/terraform/aws/iam_policies_with_full_privileges/test/positive_expected_result.json 
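Review bot: All three entries in this hunk pin `"search_line": -1` while `"line"` is 18, 18 and 27, so the fixture now asserts that the scanner could not resolve a search line for these `{{…}}`-bracketed searchKeys (`aws_iam_policy_attachment[{{positive1_3}}].users` and the two `.user` keys). If unresolved search lines are a known limitation for this key shape, a one-line remark in the PR description would stop reviewers from reading the `-1` as a regression; if it is not intended, the generator has baked a lookup failure into the expected output and any later fix to line resolution will fail these tests until the fixtures are regenerated. The same `"search_line": -1` is pinned in the hunks for iam_role_allows_all_principals_to_assume, iam_user_too_many_access_keys and iam_user_with_access_to_console, where the key shape differs (`aws_iam_role[positive2].assume_role_policy.Principal.AWS`, `aws_iam_access_key[positive1].user`, `aws_iam_user.example.name`), so the cause is presumably not only the `{{…}}` marker.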
+++ b/assets/queries/terraform/aws/iam_policies_with_full_privileges/test/positive_expected_result.json 
@@ -3,72 +3,180 @@ "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_role_policy", + "resourceName": "apigateway-cloudwatch-logging", + "searchKey": "aws_iam_role_policy[positive1].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'", + "issueType": "IncorrectValue", + "similarityID": "f253b6f864a89b357bf77afe1769ac17848448d4e7cf938fb550dceaaeb251e4", + "search_line": 5 }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 20, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_policy_document", + "resourceName": "example", + "searchKey": "aws_iam_policy_document[example].statement", + "searchValue": "", + "expectedValue": "'statement.actions' shouldn't contain '*' or 'iam:*'", + "actualValue": "'statement.actions' contains '*' or 'iam:*'", + "issueType": "IncorrectValue", + "similarityID": "85fc492d2daba51fe679f08daa0573379a5445201d2517c1f333fd8d5635d8ce", + "search_line": 20 }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 13, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_iam_policy_document", + "resourceName": "example", + "searchKey": "aws_iam_policy_document[example].statement[1]", + "searchValue": "", + "expectedValue": "'statement.actions' shouldn't contain '*' or 'iam:*'", + "actualValue": "'statement.actions' contains '*' or 'iam:*'", + "issueType": "IncorrectValue", + "similarityID": "1e8f07153635712ffb03e362dd9a7794db12313746323729eb2fa9f28c41d3bb", + "search_line": 13 }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 24, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_iam_policy_document", + "resourceName": 
"example", + "searchKey": "aws_iam_policy_document[example].statement[2]", + "searchValue": "", + "expectedValue": "'statement.actions' shouldn't contain '*' or 'iam:*'", + "actualValue": "'statement.actions' contains '*' or 'iam:*'", + "issueType": "IncorrectValue", + "similarityID": "2fdb12e1caffe47b60d010b64687653c8120b065b672f5e303f66b68326ee05f", + "search_line": 24 }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 5, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_iam_role_policy", + "resourceName": "apigateway-cloudwatch-logging", + "searchKey": "aws_iam_role_policy[positive3].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'", + "issueType": "IncorrectValue", + "similarityID": "8faf12f7064e2170a04c3794096fef163f6662a581c045d7e321858a7d17125b", + "search_line": 5 }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 20, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_iam_policy_document", + "resourceName": "example", + "searchKey": "aws_iam_policy_document[example].statement", + "searchValue": "", + "expectedValue": "'statement.actions' shouldn't contain '*' or 'iam:*'", + "actualValue": "'statement.actions' contains '*' or 'iam:*'", + "issueType": "IncorrectValue", + "similarityID": "39eb326bb84d2439d237a5304750556308a7e44003369fb4773fdbbaeabf9427", + "search_line": 20 }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 4, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_iam_user_policy", + "resourceName": "test", + "searchKey": "aws_iam_user_policy[positive4-1].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", + "actualValue": "'policy.Statement.Action' contains '*' or 
'iam:*'", + "issueType": "IncorrectValue", + "similarityID": "7aa65d03fef434ecef4781933c944cc75b8baab8793503664c1d599ddbc3518e", + "search_line": 4 }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 21, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_iam_user_policy", + "resourceName": "test", + "searchKey": "aws_iam_user_policy[positive4-2].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'", + "issueType": "IncorrectValue", + "similarityID": "d5726c45e3cf2afba83a72ac98ad6f9d5bf031d506291e98abcfb65bcdf615bf", + "search_line": 21 }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 4, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "aws_iam_group_policy", + "resourceName": "my_developer_policy", + "searchKey": "aws_iam_group_policy[positive5-1].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'", + "issueType": "IncorrectValue", + "similarityID": "91668317b711e40d92eeba1f192048ccb71236701b3e060662ea60eef470aa41", + "search_line": 4 }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 21, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "aws_iam_group_policy", + "resourceName": "my_developer_policy", + "searchKey": "aws_iam_group_policy[positive5-2].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'", + "issueType": "IncorrectValue", + "similarityID": "3950abe495ba37f57640fe80559538bf4a40a5943ee8cebd59d4e91280a86c81", + "search_line": 21 }, { "queryName": "IAM Policies With Full Privileges", "severity": 
"MEDIUM", "line": 2, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "aws_iam_policy", + "resourceName": "positive6-1", + "searchKey": "aws_iam_policy[positive6-1].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'", + "issueType": "IncorrectValue", + "similarityID": "1b1eacbe0b1140bc943a4702f9ddbb5cce1a3ad6caa7ce8f8446f819f4a0beb9", + "search_line": 2 }, { "queryName": "IAM Policies With Full Privileges", "severity": "MEDIUM", "line": 17, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "aws_iam_policy", + "resourceName": "positive6-2", + "searchKey": "aws_iam_policy[positive6-2].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' shouldn't contain '*' or 'iam:*'", + "actualValue": "'policy.Statement.Action' contains '*' or 'iam:*'", + "issueType": "IncorrectValue", + "similarityID": "6403ea62736160f8658e77c77b5ac7643833287dbd8cc862b173b98593fbdc2b", + "search_line": 17 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json index 15320368fd3..59f4572ae1b 100644 --- a/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive_expected_result.json 
@@ -3,78 +3,195 @@ "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_policy", + "resourceName": "positive1_${var.environment}", + "searchKey": "aws_iam_policy[positive1].policy", + "searchValue": "secretsmanager:GetSecretValue", + "expectedValue": "'positive1.policy.Statement.Action[0]' shouldn't contain illegal actions", + "actualValue": "'positive1.policy.Statement.Action[0]' contains [secretsmanager:GetSecretValue]", + "issueType": "IncorrectValue", + "similarityID": "3d52412d0f9e68d6bc3d85ffcc8debd4a5780d8599cc34b12142f405f1ce2f3d", + "search_line": 5 }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_policy", + "resourceName": "positive1_${var.environment}", + "searchKey": "aws_iam_policy[positive1].policy", + "searchValue": "ssm:GetParameters, ssm:GetParameter, s3:GetObject, ssm:GetParametersByPath, secretsmanager:GetSecretValue", + "expectedValue": "'positive1.policy.Statement.Action[1]' shouldn't contain illegal actions", + "actualValue": "'positive1.policy.Statement.Action[1]' contains [ssm:GetParameters, ssm:GetParameter, s3:GetObject, ssm:GetParametersByPath, secretsmanager:GetSecretValue]", + "issueType": "IncorrectValue", + "similarityID": "cc8af380cf36c22fdd947692161ea879f51fb180684617b510530c32503a1f0c", + "search_line": 5 }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 4, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_iam_policy", + "resourceName": "positive2", + "searchKey": "aws_iam_policy[positive2].policy", + "searchValue": "*", + "expectedValue": "'positive2.policy.Statement.Action[0]' shouldn't contain illegal actions", + "actualValue": "'positive2.policy.Statement.Action[0]' contains [*]", + "issueType": 
"IncorrectValue", + "similarityID": "78cc8874c372d7876245afd1b72ec0dc7f647c0a9b7c24a61542eb60016fb5e7", + "search_line": 4 }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 5, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_iam_group_policy", + "resourceName": "positive3_${var.environment}", + "searchKey": "aws_iam_group_policy[positive3].policy", + "searchValue": "*", + "expectedValue": "'positive3.policy.Statement.Action[0]' shouldn't contain illegal actions", + "actualValue": "'positive3.policy.Statement.Action[0]' contains [*]", + "issueType": "IncorrectValue", + "similarityID": "e26a399cc27105a0fabc399063aa5134f7ece99c6cf6fc45159f9724d3af5b8b", + "search_line": 5 }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 5, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_iam_group_policy", + "resourceName": "positive3_${var.environment}", + "searchKey": "aws_iam_group_policy[positive3].policy", + "searchValue": "*", + "expectedValue": "'positive3.policy.Statement.Action[1]' shouldn't contain illegal actions", + "actualValue": "'positive3.policy.Statement.Action[1]' contains [*]", + "issueType": "IncorrectValue", + "similarityID": "e26a399cc27105a0fabc399063aa5134f7ece99c6cf6fc45159f9724d3af5b8b", + "search_line": 5 }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 5, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_iam_user_policy", + "resourceName": "positive4_${var.environment}", + "searchKey": "aws_iam_user_policy[positive4].policy", + "searchValue": "s3:GetObject", + "expectedValue": "'positive4.policy.Statement.Action[0]' shouldn't contain illegal actions", + "actualValue": "'positive4.policy.Statement.Action[0]' contains [s3:GetObject]", + "issueType": "IncorrectValue", + "similarityID": 
"10063bfa54e91647b030682c3306d9849336d490c6564cd8a82e2dae602ce4cd", + "search_line": 5 }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 5, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_iam_user_policy", + "resourceName": "positive4_${var.environment}", + "searchKey": "aws_iam_user_policy[positive4].policy", + "searchValue": "s3:GetObject", + "expectedValue": "'positive4.policy.Statement.Action[1]' shouldn't contain illegal actions", + "actualValue": "'positive4.policy.Statement.Action[1]' contains [s3:GetObject]", + "issueType": "IncorrectValue", + "similarityID": "10063bfa54e91647b030682c3306d9849336d490c6564cd8a82e2dae602ce4cd", + "search_line": 5 }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 5, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "aws_iam_role_policy", + "resourceName": "positive5_${var.environment}", + "searchKey": "aws_iam_role_policy[positive5].policy", + "searchValue": "ssm:GetParameters", + "expectedValue": "'positive5.policy.Statement.Action[0]' shouldn't contain illegal actions", + "actualValue": "'positive5.policy.Statement.Action[0]' contains [ssm:GetParameters]", + "issueType": "IncorrectValue", + "similarityID": "3ebf9cdcfc4f05cbe189b467497c440fd261960da902152fa11325ee76bc16c6", + "search_line": 5 }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 5, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "aws_iam_role_policy", + "resourceName": "positive5_${var.environment}", + "searchKey": "aws_iam_role_policy[positive5].policy", + "searchValue": "ssm:GetParameters", + "expectedValue": "'positive5.policy.Statement.Action[1]' shouldn't contain illegal actions", + "actualValue": "'positive5.policy.Statement.Action[1]' contains [ssm:GetParameters]", + "issueType": "IncorrectValue", + "similarityID": 
"3ebf9cdcfc4f05cbe189b467497c440fd261960da902152fa11325ee76bc16c6", + "search_line": 5 }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 5, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "aws_iam_policy_document", + "resourceName": "positive6", + "searchKey": "aws_iam_policy_document[positive6].statement.actions", + "searchValue": "s3:GetObject, ssm:GetParameter, ssm:GetParameters, ssm:GetParametersByPath, secretsmanager:GetSecretValue, *, s3:*", + "expectedValue": "'aws_iam_policy_document[positive6].statement.actions' shouldn't contain illegal actions", + "actualValue": "'aws_iam_policy_document[positive6].statement.actions' contains [s3:GetObject, ssm:GetParameter, ssm:GetParameters, ssm:GetParametersByPath, secretsmanager:GetSecretValue, *, s3:*]", + "issueType": "IncorrectValue", + "similarityID": "822fb50ccf067b70a3ca5737f8b6c416f9d4502fcb8cfb39155860342e7d6e59", + "search_line": 5 }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 22, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "aws_iam_policy_document", + "resourceName": "positive6_array", + "searchKey": "aws_iam_policy_document[positive6_array].statement[0].actions", + "searchValue": "s3:GetObject", + "expectedValue": "'aws_iam_policy_document[positive6_array].statement[0].actions' shouldn't contain illegal actions", + "actualValue": "'aws_iam_policy_document[positive6_array].statement[0].actions' contains [s3:GetObject]", + "issueType": "IncorrectValue", + "similarityID": "6c9250f1ccf82514ef22a809c09526456b241c70104d8d08bc161e86de05b3c1", + "search_line": 22 }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 30, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "aws_iam_policy_document", + "resourceName": "positive6_array", + "searchKey": 
"aws_iam_policy_document[positive6_array].statement[1].actions", + "searchValue": "*", + "expectedValue": "'aws_iam_policy_document[positive6_array].statement[1].actions' shouldn't contain illegal actions", + "actualValue": "'aws_iam_policy_document[positive6_array].statement[1].actions' contains [*]", + "issueType": "IncorrectValue", + "similarityID": "b80e056d34f3b4e3d0b80d25b7152212eb6157b7d0c6a810099e75ead36ec434", + "search_line": 30 }, { "queryName": "IAM policy allows for data exfiltration", "severity": "MEDIUM", "line": 8, - "fileName": "positive7.tf" + "fileName": "positive7.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "iam_policy.policy", + "searchValue": "secretsmanager:GetSecretValue", + "expectedValue": "'iam_policy.policy.Statement.Action[0]' shouldn't contain illegal actions", + "actualValue": "'iam_policy.policy.Statement.Action[0]' contains [secretsmanager:GetSecretValue]", + "issueType": "IncorrectValue", + "similarityID": "b43e384f9185d66d18f8f6cd950f2160627ad469610179e266f759b9b670735d", + "search_line": 8 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json index ceff30e7ae2..50927627b95 100644 --- a/assets/queries/terraform/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_policy_grants_assumerole_permission_across_all_services/test/positive_expected_result.json 
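Review bot: Three pairs of entries in this hunk share an identical `similarityID` although they describe distinct findings: the positive3 `Action[0]` and `Action[1]` entries both carry `e26a399c…`, the positive4 pair both carry `10063bfa…`, and the positive5 pair both carry `3ebf9cdc…`. In the positive1 pair, where `searchValue` differs, the IDs differ, which suggests the ID input includes fileName, searchKey and searchValue but not the statement index that only appears in `expectedValue`/`actualValue`; any consumer that deduplicates or suppresses results by similarityID would therefore collapse two separate over-privileged statements into one. If this is the intended ID semantics the fixture is correct as generated, but it is worth a comment in the PR description so the duplicates are not later "fixed" in the fixture rather than in the query's searchKey. The positive7 entry with `"resourceType": "n/a"` and `"resourceName": "n/a"` is likewise worth a sentence on why a non-resource block produces sentinel strings rather than an omitted field.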
@@ -2,11 +2,31 @@ { "queryName": "IAM Policy Grants 'AssumeRole' Permission Across All Services", "severity": "MEDIUM", - "line": 7 + "line": 7, + "fileName": "positive.tf", + "resourceType": "aws_iam_role", + "resourceName": "${var.name_tag_prefix}-openshift-instance-role", + "searchKey": "aws_iam_role[positive1].assume_role_policy", + "searchValue": "", + "expectedValue": "'assume_role_policy.Statement.Principal' shouldn't contain '*'", + "actualValue": "'assume_role_policy.Statement.Principal' contains '*'", + "issueType": "IncorrectValue", + "similarityID": "4f1967df5cc16fe581ccfeeb8fe248672266d10d638beccf2839e53ab5ae61e0", + "search_line": 7 }, { "queryName": "IAM Policy Grants 'AssumeRole' Permission Across All Services", "severity": "MEDIUM", - "line": 70 + "line": 70, + "fileName": "positive.tf", + "resourceType": "aws_iam_role", + "resourceName": "${var.name_tag_prefix}-openshift-instance-role", + "searchKey": "aws_iam_role[positive2].assume_role_policy", + "searchValue": "", + "expectedValue": "'assume_role_policy.Statement.Principal' shouldn't contain '*'", + "actualValue": "'assume_role_policy.Statement.Principal' contains '*'", + "issueType": "IncorrectValue", + "similarityID": "f89fbc199d7e88f1555b7b180fe9afe3552ba9fe6feaf551896a6383c92a519a", + "search_line": 70 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json index 8a981228a0e..578c7f68bf8 100644 --- a/assets/queries/terraform/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_policy_grants_full_permissions/test/positive_expected_result.json 
@@ -3,30 +3,75 @@ "queryName": "IAM Policy Grants Full Permissions", "severity": "HIGH", "line": 20, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_user_policy", + "resourceName": "excess_policy", + "searchKey": "aws_iam_user_policy[positive3].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Resource' and 'policy.Statement.Action' should not equal '*'", + "actualValue": "'policy.Statement.Resource' and 'policy.Statement.Action' are equal to '*'", + "issueType": "IncorrectValue", + "similarityID": "e58fac367dc10286b5668baefd86ff2452e8a9127ff7b1ca724b6cef87bfc72f", + "search_line": 20 }, { "queryName": "IAM Policy Grants Full Permissions", "severity": "HIGH", "line": 3, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_iam_policy", + "resourceName": "s3-permission", + "searchKey": "aws_iam_policy[s3-permission].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Resource' and 'policy.Statement.Action' should not equal '*'", + "actualValue": "'policy.Statement.Resource' and 'policy.Statement.Action' are equal to '*'", + "issueType": "IncorrectValue", + "similarityID": "a8464d5e4c49030bd4f4cda351e7641d07d8261fa5e4af1a52a585ac28880c70", + "search_line": 3 }, { "queryName": "IAM Policy Grants Full Permissions", "severity": "HIGH", "line": 12, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_iam_policy_document", + "resourceName": "example-0", + "searchKey": "aws_iam_policy_document[example-0]", + "searchValue": "", + "expectedValue": "'statement.resources' and 'statement.actions' should not contain '*'", + "actualValue": "'statement.resources' and 'statement.actions' contain '*'", + "issueType": "IncorrectValue", + "similarityID": "fd6836a02eadfbc0e63703a6293a341bae9fc34c7f39d61f7aaaaf41a8474ba8", + "search_line": 12 }, { "queryName": "IAM Policy Grants Full Permissions", "severity": "HIGH", "line": 38, - "fileName": "positive3.tf" + 
"fileName": "positive3.tf", + "resourceType": "aws_iam_policy_document", + "resourceName": "example-1", + "searchKey": "aws_iam_policy_document[example-1]", + "searchValue": "", + "expectedValue": "'statement.resources' and 'statement.actions' should not contain '*'", + "actualValue": "'statement.resources' and 'statement.actions' contain '*'", + "issueType": "IncorrectValue", + "similarityID": "108af488b1a0887be2adf3dfd046ae98188b0e46f618d61f1769f220415aa552", + "search_line": 38 }, { "queryName": "IAM Policy Grants Full Permissions", "severity": "HIGH", "line": 64, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_iam_policy_document", + "resourceName": "example-2", + "searchKey": "aws_iam_policy_document[example-2]", + "searchValue": "", + "expectedValue": "'statement.resources' and 'statement.actions' should not contain '*'", + "actualValue": "'statement.resources' and 'statement.actions' contain '*'", + "issueType": "IncorrectValue", + "similarityID": "332a1ce1d5b504ab119dff1de8cbd980168129de4f7f80926221d8a8385ededa", + "search_line": 64 } ] diff --git a/assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json index cd0a7ead479..05287125b5e 100644 --- a/assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "IAM Role Allows All Principals To Assume", "severity": "MEDIUM", - "line": 37 + "line": 37, + "fileName": "positive.tf", + "resourceType": "aws_iam_role", + "resourceName": "${var.name_tag_prefix}-openshift-instance-forward-logs", + "searchKey": "aws_iam_role[positive2].assume_role_policy.Principal.AWS", + "searchValue": "", + "expectedValue": "'assume_role_policy.Statement.Principal.AWS' should not contain ':root'", + "actualValue": "'assume_role_policy.Statement.Principal.AWS' contains ':root'", + "issueType": "IncorrectValue", + "similarityID": "a252fecaaeb0d722dc24be334f5a00ac8c1faa2e25129656194fe84e717fb2ac", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_role_policy_passrole_allows_all/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_role_policy_passrole_allows_all/test/positive_expected_result.json index 08ff9253edb..e48914b7b56 100644 --- a/assets/queries/terraform/aws/iam_role_policy_passrole_allows_all/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_role_policy_passrole_allows_all/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "IAM Role Policy passRole Allows All", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_role_policy", + "resourceName": "test_policy", + "searchKey": "aws_iam_role_policy[test_policy].policy", + "searchValue": "", + "expectedValue": "'aws_iam_role_policy.policy.Statement.Action' iam:passrole shouldn't have Resource '*'", + "actualValue": "'aws_iam_role_policy.policy.Statement.Action' iam:passrole has Resource '*'", + "issueType": "IncorrectValue", + "similarityID": "402675e657828d1b40721672d17f87a3d06262698b3b85505fbd3c5b17820e2a", + "search_line": 5 } ] 
diff --git a/assets/queries/terraform/aws/iam_role_with_full_privileges/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_role_with_full_privileges/test/positive_expected_result.json index 9382f8cea04..b93b0782f5c 100644 --- a/assets/queries/terraform/aws/iam_role_with_full_privileges/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_role_with_full_privileges/test/positive_expected_result.json @@ -2,11 +2,31 @@ { "queryName": "IAM Role With Full Privileges", "severity": "HIGH", - "line": 4 + "line": 4, + "fileName": "positive.tf", + "resourceType": "aws_iam_role", + "resourceName": "test_role", + "searchKey": "aws_iam_role[positive1].assume_role_policy", + "searchValue": "", + "expectedValue": "assume_role_policy.Statement.Action should not equal to, nor contain '*'", + "actualValue": "assume_role_policy.Statement.Action is equal to or contains '*'", + "issueType": "IncorrectValue", + "similarityID": "9cc1af4313a0deb6f32e88f8e09a2f435f413e6408b70d9f47ba0a5142de95ff", + "search_line": 4 }, { "queryName": "IAM Role With Full Privileges", "severity": "HIGH", - "line": 29 + "line": 29, + "fileName": "positive.tf", + "resourceType": "aws_iam_role", + "resourceName": "test_role2", + "searchKey": "aws_iam_role[positive2].assume_role_policy", + "searchValue": "", + "expectedValue": "assume_role_policy.Statement.Action should not equal to, nor contain '*'", + "actualValue": "assume_role_policy.Statement.Action is equal to or contains '*'", + "issueType": "IncorrectValue", + "similarityID": "0e7d3e367f5fd58867a2b7980bbd55283a8154f86b1d59c08826799a5b68ba06", + "search_line": 29 } ] diff --git a/assets/queries/terraform/aws/iam_user_policy_without_mfa/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_user_policy_without_mfa/test/positive_expected_result.json index 9aeb404ff39..9d9ed2437b7 100644 --- a/assets/queries/terraform/aws/iam_user_policy_without_mfa/test/positive_expected_result.json 
+++ b/assets/queries/terraform/aws/iam_user_policy_without_mfa/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "IAM User Policy Without MFA", "severity": "LOW", - "line": 18 + "line": 18, + "fileName": "positive.tf", + "resourceType": "aws_iam_user_policy", + "resourceName": "test", + "searchKey": "aws_iam_user_policy[positive3].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Principal.AWS' should contain ':mfa/' or 'policy.Statement.Condition.BoolIfExists.aws:MultiFactorAuthPresent' should be set to true", + "actualValue": "'policy.Statement.Principal.AWS' doesn't contain ':mfa/' or 'policy.Statement.Condition.BoolIfExists.aws:MultiFactorAuthPresent' is set to false", + "issueType": "IncorrectValue", + "similarityID": "9af1a712978b374a638c34db8fa8385dc5209ebd2aa75a04157898e0374d58c0", + "search_line": 18 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/iam_user_too_many_access_keys/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_user_too_many_access_keys/test/positive_expected_result.json index ff82e6a3810..185622db231 100644 --- a/assets/queries/terraform/aws/iam_user_too_many_access_keys/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_user_too_many_access_keys/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "IAM User Has Too Many Access Keys", "severity": "MEDIUM", - "line": 2 + "line": 2, + "fileName": "positive.tf", + "resourceType": "aws_iam_access_key", + "resourceName": "positive1", + "searchKey": "aws_iam_access_key[positive1].user", + "searchValue": "", + "expectedValue": "One Access Key associated with the same IAM User", + "actualValue": "More than one Access Key associated with the same IAM User", + "issueType": "IncorrectValue", + "similarityID": "be2120d0d20ba417ba6ae417dad444578ee4cff2fa70e948b60666a42f1ea7f2", + "search_line": -1 }, { "queryName": "IAM User Has Too Many Access Keys", "severity": "MEDIUM", - "line": 7 + "line": 7, + "fileName": "positive.tf", + "resourceType": "aws_iam_access_key", + "resourceName": "positive2", + "searchKey": "aws_iam_access_key[positive2].user", + "searchValue": "", + "expectedValue": "One Access Key associated with the same IAM User", + "actualValue": "More than one Access Key associated with the same IAM User", + "issueType": "IncorrectValue", + "similarityID": "9b7128dcf939866a878759da16c2b77d8abd809d71268f46d05ff60c20845536", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/iam_user_with_access_to_console/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_user_with_access_to_console/test/positive_expected_result.json index 80c7bbe8b3e..c9c95f7c098 100644 --- a/assets/queries/terraform/aws/iam_user_with_access_to_console/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/iam_user_with_access_to_console/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "IAM User With Access To Console", "severity": "MEDIUM", "line": 2, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_user_login_profile", + "resourceName": "example_login", + "searchKey": "aws_iam_user.example.name", + "searchValue": "", + "expectedValue": "aws_iam_user.example.name shouldn't have aws_iam_user_login_profile", + "actualValue": "aws_iam_user.example.name has aws_iam_user_login_profile", + "issueType": "IncorrectValue", + "similarityID": "c1b4550c848a33e1754bc43d6bfad03ff0be2d59078ba314bec4091fb80358db", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json b/assets/queries/terraform/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json index 43fdf288455..6df97a071fc 100644 --- a/assets/queries/terraform/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/instance_uses_metadata_service_IMDSv1/test/positive_expected_result.json 
@@ -1,152 +1,377 @@ [ - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 10, - "fileName": "positive1.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 19, - "fileName": "positive1.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 28, - "fileName": "positive1.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 11, - "fileName": "positive2.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 21, - "fileName": "positive2.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 31, - "fileName": "positive2.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 9, - "fileName": "positive3.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 18, - "fileName": "positive3.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 27, - "fileName": "positive3.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 5, - "fileName": "positive4.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 10, - "fileName": "positive4.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 15, - "fileName": "positive4.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 9, - "fileName": "positive5.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 18, - "fileName": "positive5.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 27, - "fileName": "positive5.tf" - }, - { - "queryName": "Instance Uses Metadata 
Service IMDSv1", - "severity": "LOW", - "line": 10, - "fileName": "positive6.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 19, - "fileName": "positive6.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 11, - "fileName": "positive7.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 21, - "fileName": "positive7.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 9, - "fileName": "positive8.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 18, - "fileName": "positive8.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 5, - "fileName": "positive9.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 13, - "fileName": "positive9.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 9, - "fileName": "positive10.tf" - }, - { - "queryName": "Instance Uses Metadata Service IMDSv1", - "severity": "LOW", - "line": 18, - "fileName": "positive10.tf" - } + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 10, + "fileName": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "positive1_1", + "searchKey": "aws_instance[positive1_1].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'aws_instance[positive1_1].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_instance[positive1_1].metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue", + "similarityID": "acc6b57bb29f346f56b1f15e6ecdea91b48cb6d803a6ddf85a13893327772fdd", + "search_line": 10 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 19, + 
"fileName": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "positive1_2", + "searchKey": "aws_launch_configuration[positive1_2].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'aws_launch_configuration[positive1_2].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_launch_configuration[positive1_2].metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue", + "similarityID": "97aed452212d326ebcdf701adaf7eb2aebea5c3dcfc72ac3cda25d07c6015ccf", + "search_line": 19 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 28, + "fileName": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "positive1_3", + "searchKey": "aws_launch_template[positive1_3].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'aws_launch_template[positive1_3].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_launch_template[positive1_3].metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue", + "similarityID": "8b86bbb44946391a9747a15f5a7ddf04bd1290c0e08303a93156495ebfbb6e19", + "search_line": 28 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 11, + "fileName": "positive2.tf", + "resourceType": "aws_instance", + "resourceName": "positive2_1", + "searchKey": "aws_instance[positive2_1].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'aws_instance[positive2_1].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_instance[positive2_1].metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue", + "similarityID": "d141de68b7c8f26461339067e7715320ea4f5b63d442a0e339dde85e4cdd61ed", + "search_line": 11 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 21, + 
"fileName": "positive2.tf", + "resourceType": "aws_instance", + "resourceName": "positive2_2", + "searchKey": "aws_launch_configuration[positive2_2].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'aws_launch_configuration[positive2_2].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_launch_configuration[positive2_2].metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue", + "similarityID": "6438cade595f4ab22f9da61b6d6ffa17555d92e69abdfa85255c2ca99521d61b", + "search_line": 21 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 31, + "fileName": "positive2.tf", + "resourceType": "aws_instance", + "resourceName": "positive2_3", + "searchKey": "aws_launch_template[positive2_3].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'aws_launch_template[positive2_3].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_launch_template[positive2_3].metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue", + "similarityID": "6ef3900aac2dd5e155e005a6b46072cfd0b1de7dbc92e499f9caad4b99d973eb", + "search_line": 31 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 9, + "fileName": "positive3.tf", + "resourceType": "aws_instance", + "resourceName": "positive3_1", + "searchKey": "aws_instance[positive3_1].metadata_options", + "searchValue": "", + "expectedValue": "'aws_instance[positive3_1].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_instance[positive3_1].metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute", + "similarityID": "038a246c42cf330c9ef79fe929218e6d801ef6282dea3544f05e6774ce929825", + "search_line": 9 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 18, + "fileName": "positive3.tf", 
+ "resourceType": "aws_instance", + "resourceName": "positive3_2", + "searchKey": "aws_launch_configuration[positive3_2].metadata_options", + "searchValue": "", + "expectedValue": "'aws_launch_configuration[positive3_2].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_launch_configuration[positive3_2].metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute", + "similarityID": "9e9bfb0a352872b04651954983bf590078148eeda748f2267129dd206bda0c26", + "search_line": 18 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 27, + "fileName": "positive3.tf", + "resourceType": "aws_instance", + "resourceName": "positive3_3", + "searchKey": "aws_launch_template[positive3_3].metadata_options", + "searchValue": "", + "expectedValue": "'aws_launch_template[positive3_3].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_launch_template[positive3_3].metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute", + "similarityID": "a741d1bb463cf07cb780b1f272fcef493b49e61fff70987214b3e2dfbecb0b08", + "search_line": 27 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 5, + "fileName": "positive4.tf", + "resourceType": "aws_instance", + "resourceName": "positive4_1", + "searchKey": "aws_instance[positive4_1]", + "searchValue": "", + "expectedValue": "'aws_instance[positive4_1].metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'aws_instance[positive4_1].metadata_options' is not defined", + "issueType": "MissingAttribute", + "similarityID": "67d5fb29b87420a01820a75c49ec00898302d5a70870a60af7c188284bceccec", + "search_line": 5 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 10, + "fileName": "positive4.tf", + "resourceType": "aws_instance", + "resourceName": "positive4_2", + "searchKey": 
"aws_launch_configuration[positive4_2]", + "searchValue": "", + "expectedValue": "'aws_launch_configuration[positive4_2].metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'aws_launch_configuration[positive4_2].metadata_options' is not defined", + "issueType": "MissingAttribute", + "similarityID": "8707e9655dbf194ae1f5c0338181879a94113cc133d23409f354eca172d0c41a", + "search_line": 10 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 15, + "fileName": "positive4.tf", + "resourceType": "aws_instance", + "resourceName": "positive4_3", + "searchKey": "aws_launch_template[positive4_3]", + "searchValue": "", + "expectedValue": "'aws_launch_template[positive4_3].metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'aws_launch_template[positive4_3].metadata_options' is not defined", + "issueType": "MissingAttribute", + "similarityID": "f051fbc3e2ca2384d5e50b0e4df02f5448534221677253a291ad233be3c3deb7", + "search_line": 15 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 9, + "fileName": "positive5.tf", + "resourceType": "aws_instance", + "resourceName": "positive5_1", + "searchKey": "aws_instance[positive5_1].metadata_options", + "searchValue": "", + "expectedValue": "'aws_instance[positive5_1].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_instance[positive5_1].metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute", + "similarityID": "d2aae6533c086d790471e4f5b69c743073c1d914d77535bce1c8cc5f6c883e98", + "search_line": 9 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 18, + "fileName": "positive5.tf", + "resourceType": "aws_instance", + "resourceName": "positive5_2", + "searchKey": "aws_launch_configuration[positive5_2].metadata_options", + "searchValue": "", + "expectedValue": 
"'aws_launch_configuration[positive5_2].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_launch_configuration[positive5_2].metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute", + "similarityID": "21fb08d2717dd3726cb62d505d441314918b03cd12001bb3040041f39501f371", + "search_line": 18 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 27, + "fileName": "positive5.tf", + "resourceType": "aws_instance", + "resourceName": "positive5_3", + "searchKey": "aws_launch_template[positive5_3].metadata_options", + "searchValue": "", + "expectedValue": "'aws_launch_template[positive5_3].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'aws_launch_template[positive5_3].metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute", + "similarityID": "9fd5d6d3a6620061974a1b36586cc8eb90265f4e65b7c0fc942ab5a79ed1bb29", + "search_line": 27 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 10, + "fileName": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive6_instance].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'module[positive6_instance].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'module[positive6_instance].metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue", + "similarityID": "2285f3b1157b5477fc53410b48264b3d81857b40d0b6505aefe92987df58fe87", + "search_line": 10 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 19, + "fileName": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive6_launch_config].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'module[positive6_launch_config].metadata_options.http_tokens' should be 
defined to 'required'", + "actualValue": "'module[positive6_launch_config].metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue", + "similarityID": "ed51f3abce36e17aa8894da473213c4127f5babed97724d8e97e7435ea3a3c67", + "search_line": 19 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 11, + "fileName": "positive7.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive7_instance].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'module[positive7_instance].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'module[positive7_instance].metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue", + "similarityID": "d896645139c49664620c995f7178d85f433f74ba64291ab0873c53fb646c9978", + "search_line": 11 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 21, + "fileName": "positive7.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive7_launch_config].metadata_options.http_tokens", + "searchValue": "", + "expectedValue": "'module[positive7_launch_config].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'module[positive7_launch_config].metadata_options.http_tokens' is not defined to 'required'", + "issueType": "IncorrectValue", + "similarityID": "5ee2111f255f7d43d4180f065266effd095d19c059c9ee08aa36e24ccbdcfdc3", + "search_line": 21 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 9, + "fileName": "positive8.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive8_instance].metadata_options", + "searchValue": "", + "expectedValue": "'module[positive8_instance].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": 
"'module[positive8_instance].metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute", + "similarityID": "71e18b01b98195bcf59e3e85252d168b3d4a4fc7ec7bc52bb72cb39b9e64e453", + "search_line": 9 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 18, + "fileName": "positive8.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive8_launch_config].metadata_options", + "searchValue": "", + "expectedValue": "'module[positive8_launch_config].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'module[positive8_launch_config].metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute", + "similarityID": "08b7a3c5be5ca53081809a96054897fd1ab6e24e485d054d77d2ec98f3729d54", + "search_line": 18 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 5, + "fileName": "positive9.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive9_instance]", + "searchValue": "", + "expectedValue": "'module[positive9_instance].metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'module[positive9_instance].metadata_options' is not defined", + "issueType": "MissingAttribute", + "similarityID": "09aa11fcdde959f75955d32188eaa32ccde7e13ecaf1ece4a740aa5afc440690", + "search_line": 5 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 13, + "fileName": "positive9.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive9_launch_config]", + "searchValue": "", + "expectedValue": "'module[positive9_launch_config].metadata_options' should be defined with 'http_tokens' field set to 'required'", + "actualValue": "'module[positive9_launch_config].metadata_options' is not defined", + "issueType": "MissingAttribute", + "similarityID": 
"85014796ba5160f7e0b53e68d447495c7aaf71c3e292277e1ba2fbb0eed9dc67", + "search_line": 13 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 9, + "fileName": "positive10.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive10_instance].metadata_options", + "searchValue": "", + "expectedValue": "'module[positive10_instance].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'module[positive10_instance].metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute", + "similarityID": "b88a0160d74f8fb9a752f1676df853afeb491b12ff896cc0500a0925f24b7055", + "search_line": 9 + }, + { + "queryName": "Instance Uses Metadata Service IMDSv1", + "severity": "LOW", + "line": 18, + "fileName": "positive10.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive10_launch_config].metadata_options", + "searchValue": "", + "expectedValue": "'module[positive10_launch_config].metadata_options.http_tokens' should be defined to 'required'", + "actualValue": "'module[positive10_launch_config].metadata_options.http_tokens' is not defined", + "issueType": "MissingAttribute", + "similarityID": "40e2d6633a05df4752fecf197a5ec2df69b69b0b629a93c4bd8858b08f467d20", + "search_line": 18 + } ] diff --git a/assets/queries/terraform/aws/instance_with_no_vpc/test/positive_expected_result.json b/assets/queries/terraform/aws/instance_with_no_vpc/test/positive_expected_result.json index 83a88cc559d..1a1bfc1f89e 100644 --- a/assets/queries/terraform/aws/instance_with_no_vpc/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/instance_with_no_vpc/test/positive_expected_result.json 
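Review bot: Ten of the new entries in this fixture pin `"resourceType": "aws_instance"` for findings whose searchKey is an `aws_launch_configuration[...]` or `aws_launch_template[...]` block (positive1_2/positive1_3 through positive5_2/positive5_3), so the expected result now asserts a resource type that does not match the resource the finding is actually about. Because this file is produced from the scanner's own output, the mismatch most likely originates in the query's resourceType assignment rather than in the fixture, and committing it as-is locks the wrong type into the test suite where later fixes would then break the test. Before merging, confirm the query sets the type per resource kind; the correct expectations for those entries would read `"resourceType": "aws_launch_configuration"` and `"resourceType": "aws_launch_template"` respectively. The module-based entries (positive6–positive10) report `n/a` for both type and name and are unaffected by this point.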
@@ -3,12 +3,30 @@ "queryName": "Instance With No VPC", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "positive1", + "searchKey": "aws_instance[positive1]", + "searchValue": "", + "expectedValue": "Attribute 'vpc_security_group_ids' should be defined and not null", + "actualValue": "Attribute 'vpc_security_group_ids' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "20e5be65d10dda3cf1ae8afe532112f60000dcdb4ceabbb7485f83667c689964", + "search_line": 1 }, { "queryName": "Instance With No VPC", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_instance]", + "searchValue": "", + "expectedValue": "Attribute 'vpc_security_group_ids' should be defined and not null", + "actualValue": "Attribute 'vpc_security_group_ids' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "1bca73d41de2026923dcd1aeacdbc67877aae9d792bcb1d44a2ccab13c5a43e1", + "search_line": 1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json b/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json index 96de2c7e663..61e0d425b5b 100644 --- a/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "Kinesis Not Encrypted With KMS", "severity": "HIGH", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_kinesis_stream", + "resourceName": "terraform-kinesis-test", + "searchKey": "aws_kinesis_stream[positive1]", + "searchValue": "", + "expectedValue": "aws_kinesis_stream[positive1].encryption_type should be set", + "actualValue": "aws_kinesis_stream[positive1].encryption_type is undefined", + "issueType": "MissingAttribute", + "similarityID": "fbe88529a8fd1060f45a6f59d0a653583764dce1815ee410eda667a664bb9d00", + "search_line": -1 }, { "queryName": "Kinesis Not Encrypted With KMS", "severity": "HIGH", - "line": 34 + "line": 34, + "fileName": "positive.tf", + "resourceType": "aws_kinesis_stream", + "resourceName": "terraform-kinesis-test", + "searchKey": "aws_kinesis_stream[positive2].encryption_type", + "searchValue": "", + "expectedValue": "aws_kinesis_stream[positive2].encryption_type should be set and not NONE", + "actualValue": "aws_kinesis_stream[positive2].encryption_type is set but NONE", + "issueType": "IncorrectValue", + "similarityID": "43ec41aa40492e0de63e3741df6c47311dcae88ad4da6e58640b188b6dbb9b1e", + "search_line": -1 }, { "queryName": "Kinesis Not Encrypted With KMS", "severity": "HIGH", - "line": 41 + "line": 41, + "fileName": "positive.tf", + "resourceType": "aws_kinesis_stream", + "resourceName": "terraform-kinesis-test", + "searchKey": "aws_kinesis_stream[positive3]", + "searchValue": "", + "expectedValue": "aws_kinesis_stream[positive3].kms_key_id should be set", + "actualValue": "aws_kinesis_stream[positive3].kms_key_id is undefined", + "issueType": "MissingAttribute", + "similarityID": "dd55b927bd9a0916a6cd61ac2eb03ebdc9c31e9a234cdc44d2c437498d7ce62e", + "search_line": -1 } ] 
diff --git a/assets/queries/terraform/aws/kinesis_sse_not_configured/test/positive_expected_result.json b/assets/queries/terraform/aws/kinesis_sse_not_configured/test/positive_expected_result.json index abc47c8bd1f..d824c006325 100644 --- a/assets/queries/terraform/aws/kinesis_sse_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/kinesis_sse_not_configured/test/positive_expected_result.json 
@@ -2,21 +2,61 @@ { "queryName": "Kinesis SSE Not Configured", "severity": "HIGH", - "line": 12 + "line": 12, + "fileName": "positive.tf", + "resourceType": "aws_kinesis_firehose_delivery_stream", + "resourceName": "${aws_s3_bucket.logs.bucket}-firehose", + "searchKey": "aws_kinesis_firehose_delivery_stream[positive2]", + "searchValue": "", + "expectedValue": "Attribute 'server_side_encryption' should be set", + "actualValue": "Attribute 'server_side_encryption' is undefined", + "issueType": "MissingAttribute", + "similarityID": "f521cbff597be147bc4bca0f49458cca5b6314ba1fb4b59cdd2f99c7530776a0", + "search_line": -1 }, { "queryName": "Kinesis SSE Not Configured", "severity": "HIGH", - "line": 23 + "line": 23, + "fileName": "positive.tf", + "resourceType": "aws_kinesis_firehose_delivery_stream", + "resourceName": "${aws_s3_bucket.logs.bucket}-firehose", + "searchKey": "aws_kinesis_firehose_delivery_stream[positive3].server_side_encryption.enabled", + "searchValue": "", + "expectedValue": "Attribute 'server_side_encryption' should be enabled", + "actualValue": "Attribute 'server_side_encryption' is not enabled", + "issueType": "IncorrectValue", + "similarityID": "f7dc8589c41d9032f525cfe85945918a8962ddc62bfec9d752bc8ba3bcb92ee8", + "search_line": -1 }, { "queryName": "Kinesis SSE Not Configured", "severity": "HIGH", - "line": 34 + "line": 34, + "fileName": "positive.tf", + "resourceType": "aws_kinesis_firehose_delivery_stream", + "resourceName": "${aws_s3_bucket.logs.bucket}-firehose", + "searchKey": "aws_kinesis_firehose_delivery_stream[positive4].server_side_encryption.key_type", + "searchValue": "", + "expectedValue": "Attribute 'key_type' should be valid", + "actualValue": "Attribute 'key_type' is invalid", + "issueType": "IncorrectValue", + "similarityID": "b58b537173a617b690061c53eb22a069399053010ee2a7ccb7de66a2590a9c7e", + "search_line": -1 }, { "queryName": "Kinesis SSE Not Configured", "severity": "HIGH", - "line": 42 + "line": 42, + "fileName": "positive.tf", 
+ "resourceType": "aws_kinesis_firehose_delivery_stream", + "resourceName": "${aws_s3_bucket.logs.bucket}-firehose", + "searchKey": "aws_kinesis_firehose_delivery_stream[positive5].server_side_encryption", + "searchValue": "", + "expectedValue": "Attribute 'key_type' should be CUSTOMER_MANAGED_CMK and attribute 'key_arn' should be set", + "actualValue": "Attribute 'key_type' is CUSTOMER_MANAGED_CMK and attribute 'key_arn' is undefined", + "issueType": "MissingAttribute", + "similarityID": "7b13cecf3b901433a59554d3d6edf2d98e1fbfa0f56cd815f4732e3610728738", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/kms_key_with_full_permissions/test/positive_expected_result.json b/assets/queries/terraform/aws/kms_key_with_full_permissions/test/positive_expected_result.json index ecd69b65494..bb100f587d5 100644 --- a/assets/queries/terraform/aws/kms_key_with_full_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/kms_key_with_full_permissions/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "KMS Key With Vulnerable Policy", "severity": "HIGH", "line": 5, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_kms_key", + "resourceName": "positive1", + "searchKey": "aws_kms_key[positive1].policy", + "searchValue": "", + "expectedValue": "aws_kms_key[positive1].policy should not have wildcard in 'Action' and 'Principal'", + "actualValue": "aws_kms_key[positive1].policy has wildcard in 'Action' or 'Principal'", + "issueType": "IncorrectValue", + "similarityID": "b814622c3974c61491b93b15259efa5ce179a23d7b7c741f1801f1fda7643948", + "search_line": 5 }, { "queryName": "KMS Key With Vulnerable Policy", "severity": "HIGH", "line": 5, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_kms_key", + "resourceName": "positive1", + "searchKey": "aws_kms_key[positive1].policy", + "searchValue": "", + "expectedValue": "aws_kms_key[positive1].policy should not have wildcard in 'Action' and 'Principal'", + "actualValue": "aws_kms_key[positive1].policy has wildcard in 'Action' or 'Principal'", + "issueType": "IncorrectValue", + "similarityID": "485e6a3f0c29a8b38fcbeef7fc96bbe91755343a709c2da83149c79e73530e2f", + "search_line": 5 }, { "queryName": "KMS Key With Vulnerable Policy", "severity": "HIGH", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_kms_key", + "resourceName": "positive3", + "searchKey": "aws_kms_key[positive3]", + "searchValue": "", + "expectedValue": "aws_kms_key[positive3].policy should be defined and not null", + "actualValue": "aws_kms_key[positive3].policy is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "f9ed4491c19505c5b51d839ce4f221a64eeebf19424845e7fcc10a1c4a512b37", + "search_line": 1 } ] 
diff --git a/assets/queries/terraform/aws/kms_key_with_no_deletion_window/test/positive_expected_result.json b/assets/queries/terraform/aws/kms_key_with_no_deletion_window/test/positive_expected_result.json index 086ae05195e..11dd2bb0d76 100644 --- a/assets/queries/terraform/aws/kms_key_with_no_deletion_window/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/kms_key_with_no_deletion_window/test/positive_expected_result.json @@ -2,11 +2,31 @@ { "queryName": "KMS Key With No Deletion Window", "severity": "LOW", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_kms_key", + "resourceName": "positive1", + "searchKey": "aws_kms_key[positive1]", + "searchValue": "", + "expectedValue": "aws_kms_key[positive1].deletion_window_in_days should be set and valid", + "actualValue": "aws_kms_key[positive1].deletion_window_in_days is undefined", + "issueType": "MissingAttribute", + "similarityID": "2a6c3811dccd6726d4158bcc8b17651fa463d2de9e6fac286acffa7726df4175", + "search_line": 1 }, { "queryName": "KMS Key With No Deletion Window", "severity": "LOW", - "line": 18 + "line": 18, + "fileName": "positive.tf", + "resourceType": "aws_kms_key", + "resourceName": "positive2", + "searchKey": "aws_kms_key[positive2].deletion_window_in_days", + "searchValue": "", + "expectedValue": "aws_kms_key[positive2].deletion_window_in_days should be set and valid", + "actualValue": "aws_kms_key[positive2].deletion_window_in_days is set but invalid", + "issueType": "IncorrectValue", + "similarityID": "fff7459d623f66fdcff1004b94c15e3a67899a891a8ed68c4fdd88f7a658f9b5", + "search_line": 18 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/lambda_function_with_privileged_role/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_function_with_privileged_role/test/positive_expected_result.json index 526c7c5a52c..4be389f9c79 100644 
--- a/assets/queries/terraform/aws/lambda_function_with_privileged_role/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/lambda_function_with_privileged_role/test/positive_expected_result.json 
@@ -3,30 +3,75 @@ "queryName": "Lambda Function With Privileged Role", "severity": "HIGH", "line": 4, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "aws_lambda_function", + "resourceName": "lambda", + "searchKey": "aws_lambda_function[positivefunction1].role", + "searchValue": "positiverole1/aws_iam_policy_attachment[positivedirectpolicyattachment1]/positivecustomermanagedpolicy2/0", + "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached managed policy", + "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy2'. Provided privileged permissions: 'sts:AssumeRole'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'", + "issueType": "IncorrectValue", + "similarityID": "2f746a027f5271f2c40053feb619d5c813667d34dd743ded8d076bf0efd60139", + "search_line": 4 }, { "queryName": "Lambda Function With Privileged Role", "severity": "HIGH", "line": 4, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "aws_lambda_function", + "resourceName": "lambda", + "searchKey": "aws_lambda_function[positivefunction1].role", + "searchValue": "positiverole1/aws_iam_role_policy_attachment[positiverolepolicyattachment1]/positivecustomermanagedpolicy1/0", + "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached managed policy", + "actualValue": "aws_lambda_function[positivefunction1].role has been 
provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy1'. Provided privileged permissions: 'sts:AssumeRole'. List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'", + "issueType": "IncorrectValue", + "similarityID": "e92b81f243a6c954ebf736654bcc1ca74761dcf0c1f0f8cd4dcb2b69cbbccbb2", + "search_line": 4 }, { "queryName": "Lambda Function With Privileged Role", "severity": "HIGH", "line": 4, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "aws_lambda_function", + "resourceName": "lambda", + "searchKey": "aws_lambda_function[positivefunction1].role", + "searchValue": "positiverole1/aws_iam_role_policy_attachment[positiverolepolicyattachment1]/positivecustomermanagedpolicy1/1", + "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached managed policy", + "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached managed policy 'positivecustomermanagedpolicy1'. Provided privileged permissions: 'iam:CreateLoginProfile'. 
List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'", + "issueType": "IncorrectValue", + "similarityID": "94b052422a9ceb4f68426adf040348727c8d58eb3b37360db4212f6a1543b544", + "search_line": 4 }, { "queryName": "Lambda Function With Privileged Role", "severity": "HIGH", "line": 4, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "aws_lambda_function", + "resourceName": "lambda", + "searchKey": "aws_lambda_function[positivefunction1].role", + "searchValue": "positiverole1/positiveinlinepolicy1/0", + "expectedValue": "aws_lambda_function[positivefunction1].role shouldn't have privileged permissions through attached inline policy.", + "actualValue": "aws_lambda_function[positivefunction1].role has been provided privileged permissions through attached inline policy. Provided privileged permissions: 'iam:*'. 
List of privileged permissions '[\"iam:CreatePolicyVersion\", \"iam:SetDefaultPolicyVersion\", \"iam:CreateAccessKey\", \"iam:CreateLoginProfile\", \"iam:UpdateLoginProfile\", \"iam:AttachUserPolicy\", \"iam:AttachGroupPolicy\", \"iam:AttachRolePolicy\", \"iam:PutUserPolicy\", \"iam:PutGroupPolicy\", \"iam:PutRolePolicy\", \"iam:AddUserToGroup\", \"iam:UpdateAssumeRolePolicy\", \"iam:PassRole\", \"iam:CreateServiceLinkedRole\", \"sts:AssumeRole\", \"iam:*\", \"sts:*\"]'", + "issueType": "IncorrectValue", + "similarityID": "34a3b509ad9600b0d691e8abaeb59ae1bdcc7a6b5cc27f462cdcd74cc74d3287", + "search_line": 4 }, { "queryName": "Lambda Function With Privileged Role", "severity": "HIGH", "line": 23, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "aws_lambda_function", + "resourceName": "lambda", + "searchKey": "aws_lambda_function[positivefunction2].role", + "searchValue": "positiverole2/aws_iam_policy_attachment[positivedirectpolicyattachment2]", + "expectedValue": "aws_lambda_function[positivefunction2].role shouldn't have privileged permissions", + "actualValue": "aws_lambda_function[positivefunction2].role has been provided privileged permissions through attached pre-existing managed policy 'arn:aws:iam::policy/AmazonPersonalizeFullAccess'.", + "issueType": "IncorrectValue", + "similarityID": "c945ef20dbdd1eb0aecc20b20ec118f4b3bfa959951550efa41aed052e49d4b9", + "search_line": 23 } ] diff --git a/assets/queries/terraform/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json index 11ef1ad0bc3..fd7baa01cca 100644 --- a/assets/queries/terraform/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/lambda_function_without_dead_letter_queue/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Lambda Function Without Dead Letter Queue", "severity": "LOW", "line": 16, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_lambda_function", + "resourceName": "lambda_without_dlq", + "searchKey": "aws_lambda_function[lambda_without_dlq]", + "searchValue": "", + "expectedValue": "'aws_lambda_function[lambda_without_dlq].dead_letter_config' should be defined and not null", + "actualValue": "'aws_lambda_function[lambda_without_dlq].dead_letter_config' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "1a06ad2d793906385851a49538cccdfa1ef5647c5db0759ee2b95721da0d4b43", + "search_line": 16 }, { "queryName": "Lambda Function Without Dead Letter Queue", "severity": "LOW", "line": 24, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_lambda_function", + "resourceName": "lambda_with_incomplete_dlq", + "searchKey": "aws_lambda_function[lambda_with_incomplete_dlq].dead_letter_config.target_arn", + "searchValue": "", + "expectedValue": "'aws_lambda_function[lambda_with_incomplete_dlq].dead_letter_config.target_arn' should be defined and not empty", + "actualValue": "'aws_lambda_function[lambda_with_incomplete_dlq].dead_letter_config.target_arn' is empty", + "issueType": "MissingAttribute", + "similarityID": "f653dbd3c33b6a31003730b317fb7f4ec8b5a882c4e77c9cc3304efc4ee5edd5", + "search_line": 24 }, { "queryName": "Lambda Function Without Dead Letter Queue", "severity": "LOW", "line": 16, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[lambda_with_incomplete_dlq]", + "searchValue": "", + "expectedValue": "'module[lambda_with_incomplete_dlq].dead_letter_target_arn' should be defined and not null", + "actualValue": "'module[lambda_with_incomplete_dlq].dead_letter_target_arn' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": 
"a530b627f536e7fb44c26658626f640f7fb35ac3f46698df1f8e60f51fadc55b", + "search_line": 16 }, { "queryName": "Lambda Function Without Dead Letter Queue", "severity": "LOW", "line": 26, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[lambda_with_incomplete_dlq].dead_letter_target_arn", + "searchValue": "", + "expectedValue": "'module[lambda_with_incomplete_dlq].dead_letter_target_arn' should be defined and not empty", + "actualValue": "'module[lambda_with_incomplete_dlq].dead_letter_target_arn' is empty", + "issueType": "MissingAttribute", + "similarityID": "28228e3174387e4a8e25bbdef7396a072adf039c47a8439c8903581574338dc0", + "search_line": 26 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json index 806f660a9a0..215f17c4a52 100644 --- a/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing/test/positive_expected_result.json 
@@ -1,12 +1,32 @@ [ { - "line": 28, "queryName": "Lambda Functions Without X-Ray Tracing", - "severity": "LOW" + "severity": "LOW", + "line": 28, + "fileName": "positive.tf", + "resourceType": "aws_lambda_function", + "resourceName": "test_lambda2", + "searchKey": "aws_lambda_function[test_lambda2].tracing_config.mode", + "searchValue": "", + "expectedValue": "aws_lambda_function[test_lambda2].tracing_config.mode should be set to 'Active'", + "actualValue": "aws_lambda_function[test_lambda2].tracing_config.mode is set to 'PassThrough'", + "issueType": "IncorrectValue", + "similarityID": "2c4824e39084c04cd1f7dbec33243a9d95998c080598796e6bd037162bbbc0c3", + "search_line": 28 }, { "queryName": "Lambda Functions Without X-Ray Tracing", "severity": "LOW", - "line": 45 + "line": 45, + "fileName": "positive.tf", + "resourceType": "aws_lambda_function", + "resourceName": "test_lambda3", + "searchKey": "aws_lambda_function[test_lambda3]", + "searchValue": "", + "expectedValue": "aws_lambda_function[test_lambda3].tracing_config should be defined and not null", + "actualValue": "aws_lambda_function[test_lambda3].tracing_config is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "746ddcb7318416d277f5b9a06be4b6073bb2e4439c060630a289d42b0357f7a0", + "search_line": 45 } ] diff --git a/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/test/positive_expected_result.json index 7951f5675f9..ed3d78cd101 100644 --- a/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/test/positive_expected_result.json 
@@ -1,38 +1,92 @@ [ - { - "queryName": "Lambda IAM InvokeFunction Misconfigured", - "severity": "LOW", - "line": 8, - "filename": "positive1.tf" - }, - { - "queryName": "Lambda IAM InvokeFunction Misconfigured", - "severity": "LOW", - "line": 8, - "filename": "positive2.tf" - }, - { - "queryName": "Lambda IAM InvokeFunction Misconfigured", - "severity": "LOW", - "line": 8, - "filename": "positive3.tf" - }, - { - "queryName": "Lambda IAM InvokeFunction Misconfigured", - "severity": "LOW", - "line": 5, - "filename": "positive4.tf" - }, - { - "queryName": "Lambda IAM InvokeFunction Misconfigured", - "severity": "LOW", - "line": 8, - "filename": "positive5.tf" - }, - { - "queryName": "Lambda IAM InvokeFunction Misconfigured", - "severity": "LOW", - "line": 8, - "filename": "positive6.tf" - } + { + "queryName": "Lambda IAM InvokeFunction Misconfigured", + "severity": "LOW", + "line": 8, + "fileName": "positive1.tf", + "resourceType": "aws_iam_policy", + "resourceName": "positive1policy", + "searchKey": "aws_iam_policy[positive1policy].policy", + "searchValue": "", + "expectedValue": "[positive1policy].policy should be misconfigured", + "actualValue": "[positive1policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name", + "issueType": "IncorrectValue", + "similarityID": "a0ba36953c9836056c21a95a71b60a5b0cc559b659b94c48fe077879bd25b044", + "search_line": -1 + }, + { + "queryName": "Lambda IAM InvokeFunction Misconfigured", + "severity": "LOW", + "line": 8, + "fileName": "positive2.tf", + "resourceType": "aws_iam_policy", + "resourceName": "positive2policy", + "searchKey": "aws_iam_policy[positive2policy].policy", + "searchValue": "", + "expectedValue": "[positive2policy].policy should be misconfigured", + "actualValue": "[positive2policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name", + "issueType": "IncorrectValue", + 
"similarityID": "3779e20958e132a63d17fe864587434a32b5cf644ae331ad78430bbd4934d73f", + "search_line": -1 + }, + { + "queryName": "Lambda IAM InvokeFunction Misconfigured", + "severity": "LOW", + "line": 8, + "fileName": "positive3.tf", + "resourceType": "aws_iam_policy", + "resourceName": "positive3policy", + "searchKey": "aws_iam_policy[positive3policy].policy", + "searchValue": "", + "expectedValue": "[positive3policy].policy should be misconfigured", + "actualValue": "[positive3policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name", + "issueType": "IncorrectValue", + "similarityID": "866270da9775226c6d60eefeeb382905cf065201c4d8488a6f180f553478d947", + "search_line": -1 + }, + { + "queryName": "Lambda IAM InvokeFunction Misconfigured", + "severity": "LOW", + "line": 5, + "fileName": "positive4.tf", + "resourceType": "aws_iam_policy", + "resourceName": "positive4policy", + "searchKey": "aws_iam_policy[positive4policy].policy", + "searchValue": "", + "expectedValue": "[positive4policy].policy should be misconfigured", + "actualValue": "[positive4policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name", + "issueType": "IncorrectValue", + "similarityID": "86b0f67e3349f362d9929c1ee302f594924255fc451b174da7371ac724ed3caa", + "search_line": -1 + }, + { + "queryName": "Lambda IAM InvokeFunction Misconfigured", + "severity": "LOW", + "line": 8, + "fileName": "positive5.tf", + "resourceType": "aws_iam_policy", + "resourceName": "positive5policy", + "searchKey": "aws_iam_policy[positive5policy].policy", + "searchValue": "", + "expectedValue": "[positive5policy].policy should be misconfigured", + "actualValue": "[positive5policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name", + "issueType": "IncorrectValue", + "similarityID": 
"a5b1363280c9289ebf0993f07684307aa902ac1c5c2840b8c8392b24877a626d", + "search_line": -1 + }, + { + "queryName": "Lambda IAM InvokeFunction Misconfigured", + "severity": "LOW", + "line": 8, + "fileName": "positive6.tf", + "resourceType": "aws_iam_policy", + "resourceName": "positive6policy", + "searchKey": "aws_iam_policy[positive6policy].policy", + "searchValue": "", + "expectedValue": "[positive6policy].policy should be misconfigured", + "actualValue": "[positive6policy].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name", + "issueType": "IncorrectValue", + "similarityID": "cf42107e12ffc8b17f7d295b46287c1433f8bc4386197a15af82c39dae7c809b", + "search_line": -1 + } ] diff --git a/assets/queries/terraform/aws/lambda_permission_misconfigured/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_permission_misconfigured/test/positive_expected_result.json index 4d4185aebc6..86a80c73bdb 100644 --- a/assets/queries/terraform/aws/lambda_permission_misconfigured/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/lambda_permission_misconfigured/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Lambda Permission Misconfigured", "severity": "LOW", - "line": 2 + "line": 2, + "fileName": "positive.tf", + "resourceType": "aws_lambda_permission", + "resourceName": "positive1", + "searchKey": "aws_lambda_permission[positive1].action", + "searchValue": "", + "expectedValue": "aws_lambda_permission[name].action should be 'lambda:InvokeFunction'%!(EXTRA string=positive1)", + "actualValue": "aws_lambda_permission[name].action is positive1%!(EXTRA string=lambda:DeleteFunction)", + "issueType": "IncorrectValue", + "similarityID": "893a591e640cc1873874f7ce28a0b2013391cd6d7e17b5b5939a753270962eb2", + "search_line": 2 } ] 
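Review bot: Every one of the six regenerated entries records `"expectedValue": "[positiveNpolicy].policy should be misconfigured"`, which states the finding rather than the compliant state the query expects, so the fixture now pins an inverted message. The text is presumably a faithful copy of what the query emits, which means the wording defect lives in the query's expectedValue template and will be reproduced by every future regeneration until it is corrected there. I would fix the query so expectedValue describes the required configuration (along the lines of `[positive1policy].policy should restrict lambda:InvokeFunction to the qualified function ARN`) and then regenerate, rather than freezing the current text; the same inverted phrasing is not present in the neighbouring lambda_permission_* fixtures. Note also that these entries switch from the old `filename` key to `fileName` - worth confirming that the comparison harness treats the key as case-sensitive so the old files were not silently matching on nothing.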
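Review bot: The single entry for aws_lambda_permission[positive1] records `%!(EXTRA string=positive1)` and `%!(EXTRA string=lambda:DeleteFunction)` inside expectedValue and actualValue; that suffix is Go's fmt diagnostic for surplus sprintf arguments, and the literal `[name]` left in both messages suggests the query's format strings have one placeholder fewer than the values passed. Committing this output as the expected result locks the formatting bug into the test suite, so a later fix to the query will fail this test rather than the other way round. I would repair the query's sprintf calls first so the messages read `aws_lambda_permission[positive1].action should be 'lambda:InvokeFunction'` and `aws_lambda_permission[positive1].action is 'lambda:DeleteFunction'`, then regenerate this file; if that cannot land in the same change, keep this hunk at the old four-field form until it does.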
diff --git a/assets/queries/terraform/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json index bfc56e78a38..08c138090cd 100644 --- a/assets/queries/terraform/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/lambda_permission_principal_is_wildcard/test/positive_expected_result.json @@ -1,7 +1,17 @@ [ { - "line": 5, "queryName": "Lambda Permission Principal Is Wildcard", - "severity": "MEDIUM" + "severity": "MEDIUM", + "line": 5, + "fileName": "positive.tf", + "resourceType": "aws_lambda_permission", + "resourceName": "positive1", + "searchKey": "aws_lambda_permission[positive1].principal", + "searchValue": "", + "expectedValue": "aws_lambda_permission[positive1].principal shouldn't contain a wildcard", + "actualValue": "aws_lambda_permission[positive1].principal contains a wildcard", + "issueType": "IncorrectValue", + "similarityID": "fe778075549628e73a6c907a8e1b46e83d09d4f9c76c0d4b5b74dcbe70573d76", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/lambda_with_vulnerable_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/lambda_with_vulnerable_policy/test/positive_expected_result.json index 971cd176054..22b0a65be7a 100644 --- a/assets/queries/terraform/aws/lambda_with_vulnerable_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/lambda_with_vulnerable_policy/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Lambda With Vulnerable Policy", "severity": "HIGH", "line": 35, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "aws_lambda_permission", + "resourceName": "all", + "searchKey": "aws_lambda_permission[all].action", + "searchValue": "", + "expectedValue": "aws_lambda_permission[all].action should not have wildcard", + "actualValue": "aws_lambda_permission[all].action has wildcard", + "issueType": "IncorrectValue", + "similarityID": "7407677c5289cdf7a8c339406ac9984e0c78d6e11a61a1d946ec0db2a6209159", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json b/assets/queries/terraform/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json index 94deefb61b9..0160f41a3db 100644 --- a/assets/queries/terraform/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/misconfigured_password_policy_expiration/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Misconfigured Password Policy Expiration", "severity": "LOW", - "line": 12 + "line": 8, + "fileName": "positive.tf", + "resourceType": "aws_iam_account_password_policy", + "resourceName": "positive1", + "searchKey": "aws_iam_account_password_policy[positive1].max_password_age", + "searchValue": "", + "expectedValue": "'max_password_age' should be lower than 90", + "actualValue": "'max_password_age' is higher than 90", + "issueType": "IncorrectValue", + "similarityID": "ae5236c8fd393098c2b87cf6e203135ce6fb3b64085dce28a8f5efb3db4c243d", + "search_line": 8 }, { "queryName": "Misconfigured Password Policy Expiration", "severity": "LOW", - "line": 8 + "line": 12, + "fileName": "positive.tf", + "resourceType": "aws_iam_account_password_policy", + "resourceName": "positive2", + "searchKey": "aws_iam_account_password_policy[positive2]", + "searchValue": "", + "expectedValue": "'max_password_age' should exist", + "actualValue": "'max_password_age' is missing", + "issueType": "MissingAttribute", + "similarityID": "2916155480237f0520be7ae42d925dc3601056cd74c0c5a7a7ef28056a632dea", + "search_line": 12 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/missing_cluster_log_types/test/positive_expected_result.json b/assets/queries/terraform/aws/missing_cluster_log_types/test/positive_expected_result.json index 137f7b0ae88..84546089b6a 100755 --- a/assets/queries/terraform/aws/missing_cluster_log_types/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/missing_cluster_log_types/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "Missing Cluster Log Types", "severity": "MEDIUM", - "line": 9 + "line": 9, + "fileName": "positive.tf", + "resourceType": "aws_eks_cluster", + "resourceName": "example", + "searchKey": "aws_eks_cluster[positive1].enabled_cluster_log_types", + "searchValue": "", + "expectedValue": "'enabled_cluster_log_types' has all log types", + "actualValue": "'enabled_cluster_log_types' has missing log types", + "issueType": "IncorrectValue", + "similarityID": "586c5fe9c45c09def412bad722619a656ee4518cdff439fc210db647db7991d0", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json index 144dcfe9c92..a96ddf748a2 100644 --- a/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/mq_broker_is_publicly_accessible/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "MQ Broker Is Publicly Accessible", "severity": "HIGH", - "line": 19 + "line": 19, + "fileName": "positive.tf", + "resourceType": "aws_mq_broker", + "resourceName": "example", + "searchKey": "aws_mq_broker[positive1].publicly_accessible", + "searchValue": "", + "expectedValue": "'publicly_accessible' should be undefined or set to false", + "actualValue": "'publicly_accessible' is set to true", + "issueType": "IncorrectValue", + "similarityID": "9736e1c4513e18ea99876ec8a527a2594c5a15ac3bbc8e15e703d9325aebe0a4", + "search_line": 19 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/mq_broker_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/mq_broker_logging_disabled/test/positive_expected_result.json index 3aa5e012477..9695c7dd3b2 100644 --- a/assets/queries/terraform/aws/mq_broker_logging_disabled/test/positive_expected_result.json 
+++ b/assets/queries/terraform/aws/mq_broker_logging_disabled/test/positive_expected_result.json @@ -1,17 +1,47 @@ [ - { - "queryName": "MQ Broker Logging Disabled", - "severity": "MEDIUM", - "line": 1 - }, - { - "queryName": "MQ Broker Logging Disabled", - "severity": "MEDIUM", - "line": 8 - }, - { - "queryName": "MQ Broker Logging Disabled", - "severity": "MEDIUM", - "line": 17 - } + { + "queryName": "MQ Broker Logging Disabled", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_mq_broker", + "resourceName": "no-logging", + "searchKey": "aws_mq_broker[positive1]", + "searchValue": "", + "expectedValue": "'logs' should be set and enabling general AND audit logging", + "actualValue": "'logs' is undefined", + "issueType": "MissingAttribute", + "similarityID": "b95395b11a38b1da4260fe5535bacb4f1e6cf27e326d2780b4f231c988104cce", + "search_line": -1 + }, + { + "queryName": "MQ Broker Logging Disabled", + "severity": "MEDIUM", + "line": 8, + "fileName": "positive.tf", + "resourceType": "aws_mq_broker", + "resourceName": "partial-logging", + "searchKey": "aws_mq_broker[positive2].logs", + "searchValue": "", + "expectedValue": "'general' and 'audit' logging should be set to true", + "actualValue": "'general' and/or 'audit' is undefined", + "issueType": "MissingAttribute", + "similarityID": "287a87753eb3eec58f3038eddab8973621baaa41120f455f577884880ef5e03e", + "search_line": -1 + }, + { + "queryName": "MQ Broker Logging Disabled", + "severity": "MEDIUM", + "line": 17, + "fileName": "positive.tf", + "resourceType": "aws_mq_broker", + "resourceName": "disabled-logging", + "searchKey": "aws_mq_broker[positive3].logs.general", + "searchValue": "", + "expectedValue": "'general' and 'audit' logging should be set to true", + "actualValue": "'general' is set to false", + "issueType": "IncorrectValue", + "similarityID": "2ccc16e21b009cbb359662560960b397c90a34ea6ce4d0065238cd88e2a9536e", + "search_line": -1 + } ] 
diff --git a/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json index ff0007ac59d..6e63ca13dfc 100644 --- a/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/msk_broker_is_publicly_accessible/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "MSK Broker Is Publicly Accessible", "severity": "HIGH", "line": 9, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_msk_cluster", + "resourceName": "example", + "searchKey": "aws_msk_cluster[positive1].broker_node_group_info.connectivity_info.public_access.type", + "searchValue": "", + "expectedValue": "aws_msk_cluster[positive1].broker_node_group_info.connectivity_info.public_access.type should be set to 'DISABLED' or undefined", + "actualValue": "aws_msk_cluster[positive1].broker_node_group_info.connectivity_info.public_access.type is set to 'SERVICE_PROVIDED_EIPS'", + "issueType": "IncorrectValue", + "similarityID": "38bcdf83fafb78377b7da42efc4d247d76e406bf1564c31beafc425f6b2a218e", + "search_line": 9 } ] diff --git a/assets/queries/terraform/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json index 87cb85d9130..43f2ff9dd99 100644 --- a/assets/queries/terraform/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/msk_cluster_encryption_disabled/test/positive_expected_result.json 
@@ -2,21 +2,61 @@ { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_msk_cluster", + "resourceName": "example", + "searchKey": "msk_cluster[positive1]", + "searchValue": "", + "expectedValue": "Should have 'rule.encryption_info' and, if 'rule.encryption_info.encryption_in_transit' is assigned, 'in_cluster' should be 'true' and 'client_broker' should be TLS", + "actualValue": "'rule.encryption_info' is unassigned or property 'in_cluster' is 'false' or property 'client_broker' is not 'TLS'", + "issueType": "MissingAttribute", + "similarityID": "09f9449f81375f45a319c63470c9f246137ded45fbb3387939f095296ff213d5", + "search_line": -1 }, { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", - "line": 14 + "line": 14, + "fileName": "positive.tf", + "resourceType": "aws_msk_cluster", + "resourceName": "example", + "searchKey": "msk_cluster[positive2].encryption_info.encryption_in_transit.client_broker", + "searchValue": "", + "expectedValue": "Should have 'rule.encryption_info' and, if 'rule.encryption_info.encryption_in_transit' is assigned, 'in_cluster' should be 'true' and 'client_broker' should be TLS", + "actualValue": "'rule.encryption_info' is unassigned or property 'in_cluster' is 'false' or property 'client_broker' is not 'TLS'", + "issueType": "IncorrectValue", + "similarityID": "f9231c201c260442bdebea27ec23c5ec87a495a852a8f284d9e76fe38baae004", + "search_line": -1 }, { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", - "line": 26 + "line": 26, + "fileName": "positive.tf", + "resourceType": "aws_msk_cluster", + "resourceName": "example", + "searchKey": "msk_cluster[positive3].encryption_info.encryption_in_transit.in_cluster", + "searchValue": "", + "expectedValue": "Should have 'rule.encryption_info' and, if 'rule.encryption_info.encryption_in_transit' is assigned, 'in_cluster' should be 'true' and 'client_broker' should be TLS", + 
"actualValue": "'rule.encryption_info' is unassigned or property 'in_cluster' is 'false' or property 'client_broker' is not 'TLS'", + "issueType": "IncorrectValue", + "similarityID": "2dc1f8feead0215839e61a84829c3b785fe06fc1e90e108c153806f7f72cad4b", + "search_line": -1 }, { "queryName": "MSK Cluster Encryption Disabled", "severity": "HIGH", - "line": 37 + "line": 37, + "fileName": "positive.tf", + "resourceType": "aws_msk_cluster", + "resourceName": "example", + "searchKey": "msk_cluster[positive4].encryption_info.encryption_in_transit.in_cluster and msk_cluster[positive4].encryption_infoencryption_in_transit.client_broker", + "searchValue": "", + "expectedValue": "Should have 'rule.encryption_info' and, if 'rule.encryption_info.encryption_in_transit' is assigned, 'in_cluster' should be 'true' and 'client_broker' should be TLS", + "actualValue": "'rule.encryption_info' is unassigned or property 'in_cluster' is 'false' or property 'client_broker' is not 'TLS'", + "issueType": "IncorrectValue", + "similarityID": "b740f0cc999483d2eacda41502d47fe93f73cc08173f299c29f77345c6dbe035", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/msk_cluster_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/msk_cluster_logging_disabled/test/positive_expected_result.json index 77aee52c4db..47893b92850 100644 --- a/assets/queries/terraform/aws/msk_cluster_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/msk_cluster_logging_disabled/test/positive_expected_result.json 
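Review bot: The fourth entry (line 37) records a searchKey of `msk_cluster[positive4].encryption_info.encryption_in_transit.in_cluster and msk_cluster[positive4].encryption_infoencryption_in_transit.client_broker`, where the second path is missing the dot between `encryption_info` and `encryption_in_transit`. All four entries also use the `msk_cluster[...]` prefix while the resourceType is `aws_msk_cluster` and the sibling msk_cluster_logging_disabled fixture uses `aws_msk_cluster[...]` in its searchKey, so consumers that parse searchKey to locate the attribute will not find it. Both look like defects in the query's searchKey template rather than in the generator, and regenerating after the query is corrected is preferable to pinning the malformed key here; the similarityID values would need to be regenerated at the same time if they derive from these strings - TODO confirm.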
@@ -2,16 +2,46 @@ { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", - "line": 5 + "line": 5, + "fileName": "positive.tf", + "resourceType": "aws_msk_cluster", + "resourceName": "positive1", + "searchKey": "aws_msk_cluster[positive1].logging_info.broker_logs.cloudwatch_logs.enabled", + "searchValue": "", + "expectedValue": "'rule.logging_info.broker_logs.enabled' should be 'true' in every entry", + "actualValue": "msk_cluster[positive1].logging_info.broker_logs.cloudwatch_logs.enabled is false", + "issueType": "IncorrectValue", + "similarityID": "eaa9ef12ede4868f337a87b330ba2c84390c3d505b56cccd6afeae27a3cacbaf", + "search_line": -1 }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", - "line": 8 + "line": 8, + "fileName": "positive.tf", + "resourceType": "aws_msk_cluster", + "resourceName": "positive1", + "searchKey": "aws_msk_cluster[positive1].logging_info.broker_logs.firehose", + "searchValue": "", + "expectedValue": "'rule.logging_info.broker_logs.enabled' should be 'true' in every entry", + "actualValue": "msk_cluster[positive1].logging_info.broker_logs.firehose.enabled is missing", + "issueType": "MissingAttribute", + "similarityID": "f55201ea9486c9615623a3619e9054ba784da846abaeccd387380a805d12fc4c", + "search_line": -1 }, { "queryName": "MSK Cluster Logging Disabled", "severity": "MEDIUM", - "line": 15 + "line": 15, + "fileName": "positive.tf", + "resourceType": "aws_msk_cluster", + "resourceName": "positive2", + "searchKey": "aws_msk_cluster[positive2]", + "searchValue": "", + "expectedValue": "'rule.logging_info' should exist", + "actualValue": "'rule.logging_info' does not exist", + "issueType": "MissingAttribute", + "similarityID": "29f1906cd31f80338ce31b8ac4aa0274e8fab03229959ea290a89da27545be29", + "search_line": -1 } ] 
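Review bot: The first two entries name the resource inconsistently within the same finding: `searchKey` uses `aws_msk_cluster[positive1]...` while `actualValue` uses `msk_cluster[positive1]...`, so the fixture now pins two spellings of one path. The preceding MSK Cluster Encryption Disabled hunk goes the other way and uses the unprefixed `msk_cluster[...]` form in every searchKey. Since these strings appear to be copied verbatim from the query output, the consistent fix is in the query's result messages, followed by regenerating the fixture, rather than editing the JSON by hand.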
diff --git a/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/test/positive_expected_result.json index 5ff36a69dda..fbc4f9bc8c9 100644 --- a/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Neptune Cluster Instance is Publicly Accessible", "severity": "HIGH", "line": 7, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "aws_neptune_cluster_instance", + "resourceName": "example", + "searchKey": "aws_neptune_cluster_instance[example].publicly_accessible", + "searchValue": "", + "expectedValue": "aws_neptune_cluster_instance[example].publicly_accessible should be set to false", + "actualValue": "aws_neptune_cluster_instance[example].publicly_accessible is set to true", + "issueType": "IncorrectValue", + "similarityID": "ff9dc058c096dad4bc82850f8a52569462d893c262e28d78864f69cd9052118f", + "search_line": 7 } ] diff --git a/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json index b659dde30dd..645c26fa13f 100644 --- a/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Neptune Cluster With IAM Database Authentication Disabled", "severity": "HIGH", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_neptune_cluster", + "resourceName": "positive1", + "searchKey": "aws_neptune_cluster[positive1]", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "f11f915fd8e3706dddb9b9e1ea37daa47e55a1e95042acd3b0426d6d2dcd56cd", + "search_line": 1 }, { "queryName": "Neptune Cluster With IAM Database Authentication Disabled", "severity": "HIGH", - "line": 17 + "line": 17, + "fileName": "positive.tf", + "resourceType": "aws_neptune_cluster", + "resourceName": "positive2", + "searchKey": "aws_neptune_cluster[positive2].iam_database_authentication_enabled", + "searchValue": "", + "expectedValue": "'iam_database_authentication_enabled' should be set to true", + "actualValue": "'iam_database_authentication_enabled' is set to false", + "issueType": "IncorrectValue", + "similarityID": "67cb1deafa9f3ebdf97af16aff22efb8d0d4f4bbece4df55ba9d7a591c2d5477", + "search_line": 17 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json index 9847f928c55..c166966cae4 100644 --- a/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Neptune Database Cluster Encryption Disabled", "severity": "HIGH", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_neptune_cluster", + "resourceName": "positive1", + "searchKey": "aws_neptune_cluster[positive1]", + "searchValue": "", + "expectedValue": "'storage_encrypted' should be set with value true", + "actualValue": "'storage_encrypted' is undefined", + "issueType": "MissingAttribute", + "similarityID": "d9a71cffae1a611b3d234ce656c76a91f1d788be99bd809909aa3da58b55d9f0", + "search_line": 1 }, { "queryName": "Neptune Database Cluster Encryption Disabled", "severity": "HIGH", - "line": 19 + "line": 19, + "fileName": "positive.tf", + "resourceType": "aws_neptune_cluster", + "resourceName": "positive2", + "searchKey": "aws_neptune_cluster[positive2].storage_encrypted", + "searchValue": "", + "expectedValue": "'storage_encrypted' should be true", + "actualValue": "'storage_encrypted' is false", + "issueType": "IncorrectValue", + "similarityID": "d662f0a8643e9debfeb78be2e2e994c31bbbc07481508db47e93612e22f8bafc", + "search_line": 19 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/neptune_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/neptune_logging_disabled/test/positive_expected_result.json index 0b3cecc98a8..f594db7006d 100644 --- a/assets/queries/terraform/aws/neptune_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/neptune_logging_disabled/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_neptune_cluster", + "resourceName": "postive1", + "searchKey": "aws_neptune_cluster[{{postive1}}]", + "searchValue": "", + "expectedValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports should be defined", + "actualValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports is undefined", + "issueType": "MissingAttribute", + "similarityID": "d733bbd3b8647fa3efb8b707fdc17a40417495234ef1909c0e2d339bd7b15a9e", + "search_line": -1 }, { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", "line": 9, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_neptune_cluster", + "resourceName": "postive2", + "searchKey": "aws_neptune_cluster[{{postive2}}].enable_cloudwatch_logs_exports", + "searchValue": "", + "expectedValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports should have all following values: audit", + "actualValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports is empty", + "issueType": "IncorrectValue", + "similarityID": "ec3112c8ec7278a1b6db16e66fe5cc6f4c733a2966253c57a69c70c909ae03fe", + "search_line": -1 }, { "queryName": "Neptune Logging Is Disabled", "severity": "MEDIUM", "line": 9, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_neptune_cluster", + "resourceName": "postive3", + "searchKey": "aws_neptune_cluster[{{postive3}}].enable_cloudwatch_logs_exports", + "searchValue": "", + "expectedValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports should have all following values: audit", + "actualValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports has the following missing values: audit", + "issueType": "IncorrectValue", + "similarityID": "78f6f42de9784c6415e433085b21a274e7c4488438f71ac5e84fa7dfea496468", + "search_line": -1 }, { "queryName": "Neptune Logging Is Disabled", 
"severity": "MEDIUM", "line": 9, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_neptune_cluster", + "resourceName": "postive3", + "searchKey": "aws_neptune_cluster[{{postive3}}].enable_cloudwatch_logs_exports", + "searchValue": "", + "expectedValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports should have all following values: audit", + "actualValue": "aws_neptune_cluster.enable_cloudwatch_logs_exports has the following missing values: audit", + "issueType": "IncorrectValue", + "similarityID": "7e9b25c3aed0d9e44e6b663663f42a62071f8f7b2d1fbc9dca9fb95f3c1dafa4", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/test/positive_expected_result.json b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/test/positive_expected_result.json index 37fe8ca81bf..e29f71a4cdc 100644 --- a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Network ACL With Unrestricted Access To RDP", "severity": "HIGH", "line": 30, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_network_acl", + "resourceName": "main", + "searchKey": "aws_network_acl[positive1].ingress", + "searchValue": "", + "expectedValue": "aws_network_acl[positive1].ingress[0] 'RDP' (TCP:3389) should not be public", + "actualValue": "aws_network_acl[positive1].ingress[0] 'RDP' (TCP:3389) is public", + "issueType": "IncorrectValue", + "similarityID": "b52a2c5fadfa12605890034025c7a84c7cdea20a73237e30d77ad6faacf42d48", + "search_line": 30 }, { "queryName": "Network ACL With Unrestricted Access To RDP", "severity": "HIGH", "line": 22, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_network_acl_rule", + "resourceName": "postive2", + "searchKey": "aws_network_acl_rule[postive2]", + "searchValue": "", + "expectedValue": "aws_network_acl[postive2] 'RDP' (TCP:3389) should not be public", + "actualValue": "aws_network_acl[postive2] 'RDP' (TCP:3389) is public", + "issueType": "IncorrectValue", + "similarityID": "f9b5fe0666cba080777fa8cf45d9c28d7e0012ab20ed5f27b8c206d0cdfbeb49", + "search_line": 22 }, { "queryName": "Network ACL With Unrestricted Access To RDP", "severity": "HIGH", "line": 26, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_network_acl", + "resourceName": "main", + "searchKey": "aws_network_acl[positive3].ingress", + "searchValue": "", + "expectedValue": "aws_network_acl[positive3].ingress 'RDP' (TCP:3389) should not be public", + "actualValue": "aws_network_acl[positive3].ingress 'RDP' (TCP:3389) is public", + "issueType": "IncorrectValue", + "similarityID": "ac1d510655b1330ed3530b9441e94f13f0ab6603b7a0cb8f1d125ffd38587bbb", + "search_line": 26 }, { "queryName": "Network ACL With Unrestricted Access To RDP", "severity": "HIGH", "line": 14, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + 
"resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vpc].default_network_acl_ingress", + "searchValue": "", + "expectedValue": "module[vpc].default_network_acl_ingress[0] 'RDP' (TCP:3389) should not be public", + "actualValue": "module[vpc].default_network_acl_ingress[0] 'RDP' (TCP:3389) is public", + "issueType": "IncorrectValue", + "similarityID": "2c63fc67d478e24707f2962fd4cc62f2cd0f62774ac7951dc42df0af68623500", + "search_line": 14 } ] diff --git a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/positive_expected_result.json b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/positive_expected_result.json index ffe49a69896..c0b1213acd1 100644 --- a/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Network ACL With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 30, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_network_acl", + "resourceName": "main", + "searchKey": "aws_network_acl[positive1].ingress", + "searchValue": "", + "expectedValue": "aws_network_acl[positive1].ingress[0] 'SSH' (Port:22) should not be public", + "actualValue": "aws_network_acl[positive1].ingress[0] 'SSH' (Port:22) is public", + "issueType": "IncorrectValue", + "similarityID": "b164b0ae57fb72acd9ff3dc5aeb03f9cbca8edf3971ee691afd32c923f1f37ff", + "search_line": 30 }, { "queryName": "Network ACL With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 22, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aaws_network_acl_rule", + "resourceName": "postive2", + "searchKey": "aws_network_acl_rule[postive2]", + "searchValue": "", + "expectedValue": "aws_network_acl[postive2] 'SSH' (TCP:22) should not be public", + "actualValue": "aws_network_acl[postive2] 'SSH' (TCP:22) is public", + "issueType": "IncorrectValue", + "similarityID": "92ff56c8d27129a18e96e9a32b0c1bf55f8aae728f08ad854f1c489c2e9f2e5e", + "search_line": 22 }, { "queryName": "Network ACL With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 26, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_network_acl", + "resourceName": "main", + "searchKey": "aws_network_acl[positive3].ingress", + "searchValue": "", + "expectedValue": "aws_network_acl[positive3].ingress 'SSH' (TCP:22) should not be public", + "actualValue": "aws_network_acl[positive3].ingress 'SSH' (TCP:22) is public", + "issueType": "IncorrectValue", + "similarityID": "a664f46d53fa538763ba12ba76c5088451eeda72479db0fa79e849870213d625", + "search_line": 26 }, { "queryName": "Network ACL With Unrestricted Access To SSH", "severity": "MEDIUM", "line": 14, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + 
"resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vpc].default_network_acl_ingress", + "searchValue": "", + "expectedValue": "aws_network_acl[vpc].ingress[0] 'SSH' (Port:22) should not be public", + "actualValue": "aws_network_acl[vpc].ingress[0] 'SSH' (Port:22) is public", + "issueType": "IncorrectValue", + "similarityID": "ecb1c3a83a1eecc0195d92117a7522480b6a20077403d13fb3c9d71cdcd9f389", + "search_line": 14 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/no_password_policy_enabled/test/positive_expected_result.json b/assets/queries/terraform/aws/no_password_policy_enabled/test/positive_expected_result.json index 1c1519b011a..e31c73a4d6f 100644 --- a/assets/queries/terraform/aws/no_password_policy_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/no_password_policy_enabled/test/positive_expected_result.json 
@@ -2,26 +2,76 @@ { "queryName": "No Password Policy Enabled", "severity": "MEDIUM", - "line": 5 + "line": 5, + "fileName": "positive.tf", + "resourceType": "aws_iam_user_login_profile", + "resourceName": "positive2", + "searchKey": "aws_iam_user_login_profile[positive2].password_reset_required", + "searchValue": "", + "expectedValue": "Attribute 'password_reset_required' should be true", + "actualValue": "Attribute 'password_reset_required' is false", + "issueType": "IncorrectValue", + "similarityID": "f50299a4cc8e3d86d63ce93c29843b479384c786f469b5f67c31b8209a2afa62", + "search_line": -1 }, { "queryName": "No Password Policy Enabled", "severity": "MEDIUM", - "line": 16 + "line": 16, + "fileName": "positive.tf", + "resourceType": "aws_iam_user_login_profile", + "resourceName": "positive3", + "searchKey": "aws_iam_user_login_profile[positive3].password_length", + "searchValue": "", + "expectedValue": "Attribute 'password_length' should be 14 or greater", + "actualValue": "Attribute 'password_length' is smaller than 14", + "issueType": "IncorrectValue", + "similarityID": "08bb3a0fde898844af29c3e717fe7350ab8ae2a6d8437d02f145d76498019e4b", + "search_line": -1 }, { "queryName": "No Password Policy Enabled", "severity": "MEDIUM", - "line": 23 + "line": 23, + "fileName": "positive.tf", + "resourceType": "aws_iam_user_login_profile", + "resourceName": "positive6", + "searchKey": "aws_iam_user_login_profile[positive6].password_length", + "searchValue": "", + "expectedValue": "Attribute 'password_length' should be 14 or greater", + "actualValue": "Attribute 'password_length' is smaller than 14", + "issueType": "IncorrectValue", + "similarityID": "f033d84bdb025c36625e86f20a29f90cb72959531bf861a65e59824f984f64c6", + "search_line": -1 }, { "queryName": "No Password Policy Enabled", "severity": "MEDIUM", - "line": 30 + "line": 30, + "fileName": "positive.tf", + "resourceType": "aws_iam_user_login_profile", + "resourceName": "positive7", + "searchKey": 
"aws_iam_user_login_profile[positive7].password_reset_required", + "searchValue": "", + "expectedValue": "Attribute 'password_reset_required' should be true", + "actualValue": "Attribute 'password_reset_required' is false", + "issueType": "IncorrectValue", + "similarityID": "c7f17616c70a3ce627bb6ee693e325a6f900b6f2a15df8abc8213476bfb99bc3", + "search_line": -1 }, { "queryName": "No Password Policy Enabled", "severity": "MEDIUM", - "line": 31 + "line": 31, + "fileName": "positive.tf", + "resourceType": "aws_iam_user_login_profile", + "resourceName": "positive7", + "searchKey": "aws_iam_user_login_profile[positive7].password_length", + "searchValue": "", + "expectedValue": "Attribute 'password_length' should be 14 or greater", + "actualValue": "Attribute 'password_length' is smaller than 14", + "issueType": "IncorrectValue", + "similarityID": "54d5112b9f0db7dfaf7b336e4b66360f6293d5e51cbc196a5e1b65ca0cff35f7", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/no_stack_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/no_stack_policy/test/positive_expected_result.json index cc22479597c..80a12da2bf3 100644 --- a/assets/queries/terraform/aws/no_stack_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/no_stack_policy/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "No Stack Policy", "severity": "MEDIUM", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_cloudformation_stack", + "resourceName": "networking-stack", + "searchKey": "aws_cloudformation_stack[positive1]", + "searchValue": "", + "expectedValue": "Attribute 'policy_body' or Attribute 'policy_url' should be set", + "actualValue": "Both Attribute 'policy_body' and Attribute 'policy_url' are undefined", + "issueType": "MissingAttribute", + "similarityID": "bec8e2487c6e6661214767f91fed9c5e2b1109a64c54e79cd078877f9635e07f", + "search_line": -1 } ] 
diff --git a/assets/queries/terraform/aws/password_without_reuse_prevention/test/positive_expected_result.json b/assets/queries/terraform/aws/password_without_reuse_prevention/test/positive_expected_result.json index 14744faebfc..a45457ccd4b 100644 --- a/assets/queries/terraform/aws/password_without_reuse_prevention/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/password_without_reuse_prevention/test/positive_expected_result.json @@ -2,11 +2,31 @@ { "queryName": "Password Without Reuse Prevention", "severity": "LOW", - "line": 7 + "line": 7, + "fileName": "positive.tf", + "resourceType": "aws_iam_account_password_policy", + "resourceName": "positive1", + "searchKey": "aws_iam_account_password_policy[positive1].password_reuse_prevention", + "searchValue": "", + "expectedValue": "'password_reuse_prevention' should be 24", + "actualValue": "'password_reuse_prevention' is lower than 24", + "issueType": "IncorrectValue", + "similarityID": "d1dba111178e8377ef4dd2428437cba39fa7d6856d5776e195b981e8378332df", + "search_line": 7 }, { "queryName": "Password Without Reuse Prevention", "severity": "LOW", - "line": 10 + "line": 10, + "fileName": "positive.tf", + "resourceType": "aws_iam_account_password_policy", + "resourceName": "positive2", + "searchKey": "aws_iam_account_password_policy[positive2]", + "searchValue": "", + "expectedValue": "'password_reuse_prevention' should be set with value 24", + "actualValue": "'password_reuse_prevention' is undefined", + "issueType": "MissingAttribute", + "similarityID": "403b498455a4cdde1300135d3d0dc85bf251aed8cd1477b1386a2707fb0c5778", + "search_line": 10 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/policy_without_principal/test/positive_expected_result.json b/assets/queries/terraform/aws/policy_without_principal/test/positive_expected_result.json index 47916ac2a8f..dd4ec8934f1 100644 --- a/assets/queries/terraform/aws/policy_without_principal/test/positive_expected_result.json 
+++ b/assets/queries/terraform/aws/policy_without_principal/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Policy Without Principal", "severity": "MEDIUM", "line": 9, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "aws_kms_key", + "resourceName": "secure_policy", + "searchKey": "aws_kms_key[secure_policy].policy", + "searchValue": "", + "expectedValue": "'Principal' should be defined", + "actualValue": "'Principal' is undefined", + "issueType": "MissingAttribute", + "similarityID": "54e55b0269b6b4a341373068af5e9dbd0fb5434a1d822d8d246184310b0c9aca", + "search_line": 9 } ] diff --git a/assets/queries/terraform/aws/postgres_rds_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/postgres_rds_logging_disabled/test/positive_expected_result.json index 945f584ea83..a9e75d4eacc 100644 --- a/assets/queries/terraform/aws/postgres_rds_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/postgres_rds_logging_disabled/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "Postgres RDS logging disabled", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_db_parameter_group", + "resourceName": "postgres-logging", + "searchKey": "aws_db_parameter_group.postgres_logging", + "searchValue": "", + "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be set to 'all' and '1'", + "actualValue": "aws_db_parameter_group's log_statement and log_min_duration_statement are not set or both have the wrong value", + "issueType": "IncorrectValue", + "similarityID": "6f5caae3f17d042b3a696b202d74891bfed227b610fa1056107cc97335e2d8ef", + "search_line": 1 }, { "queryName": "Postgres RDS logging disabled", "severity": "LOW", "line": 6, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_db_parameter_group", + "resourceName": "postgres-logging", + "searchKey": "aws_db_parameter_group.postgres_logging", + "searchValue": "", + "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be set to 'all' and '1'", + "actualValue": "aws_db_parameter_group's log_statement has the wrong value", + "issueType": "IncorrectValue", + "similarityID": "09d152449d0fda100038e3e29f7ab44fa8a1de5ccb0932bff037d825c574de14", + "search_line": 6 }, { "queryName": "Postgres RDS logging disabled", "severity": "LOW", "line": 10, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_db_parameter_group", + "resourceName": "postgres-logging", + "searchKey": "aws_db_parameter_group.postgres_logging", + "searchValue": "", + "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be set to 'all' and '1'", + "actualValue": "aws_db_parameter_group's log_min_duration_statement has the wrong value", + "issueType": "IncorrectValue", + "similarityID": "f57bd01856de98838095da5769c99253f4dbcc068e0e96e605e22a8d26c5cb6a", + "search_line": 
10 }, { "queryName": "Postgres RDS logging disabled", "severity": "LOW", "line": 1, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_db_parameter_group", + "resourceName": "postgres-logging", + "searchKey": "aws_db_parameter_group.postgres_logging", + "searchValue": "", + "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be defined", + "actualValue": "aws_db_parameter_group's log_statement and log_min_duration_statement are undefined", + "issueType": "MissingAttribute", + "similarityID": "bc9240d162ea2b53edd09b5006b5eab405f452834c72487536c43eee5b2ad0e7", + "search_line": 1 }, { "queryName": "Postgres RDS logging disabled", "severity": "LOW", "line": 1, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "aws_db_parameter_group", + "resourceName": "postgres-logging", + "searchKey": "aws_db_parameter_group.example", + "searchValue": "", + "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be defined", + "actualValue": "aws_db_parameter_group's log_statement and log_min_duration_statement are undefined", + "issueType": "MissingAttribute", + "similarityID": "43dabdd7c9482c89778f91d370d974b41acca530e47f16f3434bf92dd6faabed", + "search_line": 1 }, { "queryName": "Postgres RDS logging disabled", "severity": "LOW", "line": 1, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "aws_db_parameter_group", + "resourceName": "postgres-logging", + "searchKey": "aws_db_parameter_group.example", + "searchValue": "", + "expectedValue": "aws_db_parameter_group's log_statement and log_min_duration_statement should be defined", + "actualValue": "aws_db_parameter_group's log_statement and log_min_duration_statement are undefined", + "issueType": "MissingAttribute", + "similarityID": "d51be2a0f8ccf9f3ab770f73d0d64d7b63c3b8904ebaaede66a4a9bed8fd93d3", + "search_line": 1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/aws/public_and_private_ec2_share_role/test/positive_expected_result.json b/assets/queries/terraform/aws/public_and_private_ec2_share_role/test/positive_expected_result.json index b398ade46bc..9c15a4c4f8d 100644 --- a/assets/queries/terraform/aws/public_and_private_ec2_share_role/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/public_and_private_ec2_share_role/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "Public and Private EC2 Share Role", "severity": "MEDIUM", "line": 103, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_instance", + "resourceName": "pub_ins", + "searchKey": "aws_instance[pub_ins].iam_instance_profile", + "searchValue": "", + "expectedValue": "Public and private instances should not share the same role", + "actualValue": "Public and private instances share the same role", + "issueType": "IncorrectValue", + "similarityID": "b298ec946bd77f7e2face0090d3fb9abf563fd943ecaa0aeac10ddf96f3b5a27", + "search_line": 103 }, { "queryName": "Public and Private EC2 Share Role", "severity": "MEDIUM", "line": 38, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[ec2_public_instance].iam_instance_profile", + "searchValue": "", + "expectedValue": "Public and private instances should not share the same role", + "actualValue": "Public and private instances share the same role", + "issueType": "IncorrectValue", + "similarityID": "7ec00828620a4b8768092259084f7923419adc967693765ac61bfa863aa50635", + "search_line": 38 } ] diff --git a/assets/queries/terraform/aws/public_lambda_via_api_gateway/test/positive_expected_result.json b/assets/queries/terraform/aws/public_lambda_via_api_gateway/test/positive_expected_result.json index 8452e076a79..3a750914e41 100755 --- a/assets/queries/terraform/aws/public_lambda_via_api_gateway/test/positive_expected_result.json 
+++ b/assets/queries/terraform/aws/public_lambda_via_api_gateway/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Public Lambda via API Gateway", "severity": "MEDIUM", - "line": 9 + "line": 9, + "fileName": "positive.tf", + "resourceType": "aws_lambda_permission", + "resourceName": "example", + "searchKey": "aws_lambda_permission[apigw].source_arn", + "searchValue": "", + "expectedValue": "'source_arn' should not equal '/*/*'", + "actualValue": "'source_arn' is equal '/*/*'", + "issueType": "IncorrectValue", + "similarityID": "b49cb5d9e42ed314d4affd3ff57f70ef331a0340bea2e2ee50a8da4ba8fe2dc5", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/rds_associated_with_public_subnet/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_associated_with_public_subnet/test/positive_expected_result.json index 3acfce4737d..b0feacdf338 100644 --- a/assets/queries/terraform/aws/rds_associated_with_public_subnet/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_associated_with_public_subnet/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "RDS Associated with Public Subnet", "severity": "CRITICAL", "line": 11, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive1].db_subnet_group_name", + "searchValue": "", + "expectedValue": "RDS should not be running in a public subnet", + "actualValue": "RDS is running in a public subnet", + "issueType": "IncorrectValue", + "similarityID": "a4f2fb29d67f2d86912de970224f63a29655e72d9ba9132a0f44b5b127e9d087", + "search_line": 11 }, { "queryName": "RDS Associated with Public Subnet", "severity": "CRITICAL", "line": 11, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive2].db_subnet_group_name", + "searchValue": "", + "expectedValue": "RDS should not be running in a public subnet", + "actualValue": "RDS is running in a public subnet", + "issueType": "IncorrectValue", + "similarityID": "988743d0b20c07a0d0f40a5b674a0926afdd76da7b6b6242f7e020ef8a182001", + "search_line": 11 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/rds_cluster_with_backup_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_cluster_with_backup_disabled/test/positive_expected_result.json index ea9389945c2..2e404d78e92 100644 --- a/assets/queries/terraform/aws/rds_cluster_with_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_cluster_with_backup_disabled/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "RDS Cluster With Backup Disabled", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "postgresql", + "searchKey": "aws_rds_cluster[{{postgresql}}]", + "searchValue": "", + "expectedValue": "aws_rds_cluster.backup_retention_period should be defined and not null", + "actualValue": "aws_rds_cluster.backup_retention_period is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "2232a05bf2e4ef95e2869948fb9672ebb1912dc17c9378fff13834a79c9ddbb2", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/rds_database_cluster_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_database_cluster_not_encrypted/test/positive_expected_result.json index 187a78096da..6bb271805be 100644 --- a/assets/queries/terraform/aws/rds_database_cluster_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_database_cluster_not_encrypted/test/positive_expected_result.json 
@@ -3,12 +3,30 @@
 "queryName": "RDS Database Cluster not Encrypted",
 "severity": "HIGH",
 "line": 1,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_db_cluster_snapshot",
+ "resourceName": "positive1",
+ "searchKey": "aws_db_cluster_snapshot[positive1]",
+ "searchValue": "",
+ "expectedValue": "aws_db_cluster_snapshot.db_cluster_identifier' should be encrypted",
+ "actualValue": "aws_db_cluster_snapshot.db_cluster_identifier' is not encrypted",
+ "issueType": "IncorrectValue",
+ "similarityID": "5cad8b64d74706d44a28730322f5d966073b7c5ad06ac72e710d367551f4fe4e",
+ "search_line": 1
 },
 {
 "queryName": "RDS Database Cluster not Encrypted",
 "severity": "HIGH",
 "line": 1,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "aws_db_cluster_snapshot",
+ "resourceName": "positive2",
+ "searchKey": "aws_db_cluster_snapshot[positive2]",
+ "searchValue": "",
+ "expectedValue": "aws_db_cluster_snapshot.db_cluster_identifier' should be encrypted",
+ "actualValue": "aws_db_cluster_snapshot.db_cluster_identifier' is not encrypted",
+ "issueType": "IncorrectValue",
+ "similarityID": "de80b59af224d0281dacee071f1a3d3c934b8999ec20fc8a670957c840cd50c6",
+ "search_line": 1
 }
 ]
diff --git a/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json
index a79d457a603..b053fa274b7 100644
--- a/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/rds_db_instance_publicly_accessible/test/positive_expected_result.json
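Review bot: Both entries in this hunk freeze an unbalanced quote into the expected messages — `aws_db_cluster_snapshot.db_cluster_identifier' should be encrypted` and `aws_db_cluster_snapshot.db_cluster_identifier' is not encrypted` each carry a closing `'` with no opening one. The fixture appears to be regenerated from the scanner's current output, so the typo originates in the query's strings, but committing it here makes the broken text the test's definition of correct and a later fix to the query will fail this test. I'd correct the query to `'aws_db_cluster_snapshot.db_cluster_identifier' should be encrypted` / `'aws_db_cluster_snapshot.db_cluster_identifier' is not encrypted` (or drop the quote entirely) and regenerate this file in the same change.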
@@ -3,12 +3,30 @@
 "queryName": "RDS DB Instance Publicly Accessible",
 "severity": "CRITICAL",
 "line": 10,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_db_instance",
+ "resourceName": "mydb",
+ "searchKey": "aws_db_instance[positive1].publicly_accessible",
+ "searchValue": "",
+ "expectedValue": "'publicly_accessible' should be set to false or undefined",
+ "actualValue": "'publicly_accessible' is set to true",
+ "issueType": "IncorrectValue",
+ "similarityID": "b202c2e7d437c4a2aee789abcdafbde0dfec1cb97809910c8b76db11650b57b6",
+ "search_line": -1
 },
 {
 "queryName": "RDS DB Instance Publicly Accessible",
 "severity": "CRITICAL",
 "line": 11,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[db].publicly_accessible",
+ "searchValue": "",
+ "expectedValue": "'publicly_accessible' should be set to false or undefined",
+ "actualValue": "'publicly_accessible' is set to true",
+ "issueType": "IncorrectValue",
+ "similarityID": "fe028aa7de2723b4e89f77fb5a3a010acb9a2ca243da80cd21fcb7e8e5197df5",
+ "search_line": 11
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/rds_storage_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_storage_not_encrypted/test/positive_expected_result.json
index 2869dacdeb1..a60461159e5 100644
--- a/assets/queries/terraform/aws/rds_storage_not_encrypted/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/rds_storage_not_encrypted/test/positive_expected_result.json
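Review bot: The two entries disagree on `search_line` for what is the same finding shape: positive1 (`line: 10`, searchKey `aws_db_instance[positive1].publicly_accessible`) pins `"search_line": -1`, while positive2 (`line: 11`, searchKey `module[db].publicly_accessible`) pins `"search_line": 11`. If `-1` is the "not set" sentinel, as the other fixtures in this diff suggest, the resource branch of the query is not populating searchLine where the module branch is, and the fixture now locks that gap in. I'd have the resource branch emit the attribute's line too and regenerate, so the expected value for positive1 becomes `"search_line": 10` — unless the -1 is deliberate, in which case a short comment in the query explaining why would help the next reader.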
@@ -3,12 +3,30 @@ "queryName": "RDS Storage Not Encrypted", "severity": "HIGH", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "positive1", + "searchKey": "aws_rds_cluster[positive1]", + "searchValue": "", + "expectedValue": "aws_rds_cluster.storage_encrypted should be set to true", + "actualValue": "aws_rds_cluster.storage_encrypted is undefined", + "issueType": "MissingAttribute", + "similarityID": "223dd21b966a389a8c91a9c14230f63e549ff8047e80963f1afb9c73cc089dc1", + "search_line": 1 }, { "queryName": "RDS Storage Not Encrypted", "severity": "HIGH", "line": 10, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "positive3", + "searchKey": "aws_rds_cluster[positive3].storage_encrypted", + "searchValue": "", + "expectedValue": "aws_rds_cluster.storage_encrypted should be set to true", + "actualValue": "aws_rds_cluster.storage_encrypted is set to false", + "issueType": "IncorrectValue", + "similarityID": "15c814be92da6266eb196371fffade27d3ca6ce35ccdac53f9df59e67807619b", + "search_line": 10 } ] diff --git a/assets/queries/terraform/aws/rds_using_default_port/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_using_default_port/test/positive_expected_result.json index b82590880cb..d83068a0e61 100644 --- a/assets/queries/terraform/aws/rds_using_default_port/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_using_default_port/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "RDS Using Default Port", "severity": "LOW", "line": 11, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive1].port", + "searchValue": "", + "expectedValue": "aws_db_instance[positive1].port should not be set to 3306", + "actualValue": "aws_db_instance[positive1].port is set to 3306", + "issueType": "IncorrectValue", + "similarityID": "0023c397899205051b446eb37ed10bbbbad2631ea7d8efb52a73fcaf385da517", + "search_line": 11 }, { "queryName": "RDS Using Default Port", "severity": "LOW", "line": 10, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive2].port", + "searchValue": "", + "expectedValue": "aws_db_instance[positive2].port should not be set to 5432", + "actualValue": "aws_db_instance[positive2].port is set to 5432", + "issueType": "IncorrectValue", + "similarityID": "c876a87bc99ecead23da907951cea456cba01a2fd99cd0cca837adbe30b520a5", + "search_line": 10 }, { "queryName": "RDS Using Default Port", "severity": "LOW", "line": 10, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive3].port", + "searchValue": "", + "expectedValue": "aws_db_instance[positive3].port should not be set to 1521", + "actualValue": "aws_db_instance[positive3].port is set to 1521", + "issueType": "IncorrectValue", + "similarityID": "bfd11ee735f26327c5cd5178aa4aeea17f22044270f9129210785e352181c28e", + "search_line": 10 }, { "queryName": "RDS Using Default Port", "severity": "LOW", "line": 10, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_db_instance", + "resourceName": "mydb", + "searchKey": "aws_db_instance[positive4].port", + "searchValue": "", + "expectedValue": "aws_db_instance[positive4].port 
should not be set to 1433", + "actualValue": "aws_db_instance[positive4].port is set to 1433", + "issueType": "IncorrectValue", + "similarityID": "42910f31b199e4eeac0325e74fed7e6a206021dac957a5e81c0d09480c71cdb3", + "search_line": 10 } ] diff --git a/assets/queries/terraform/aws/rds_with_backup_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_with_backup_disabled/test/positive_expected_result.json index 0d3fdfe8f93..594f350d4ff 100644 --- a/assets/queries/terraform/aws/rds_with_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rds_with_backup_disabled/test/positive_expected_result.json 
@@ -3,24 +3,60 @@
 "queryName": "RDS With Backup Disabled",
 "severity": "MEDIUM",
 "line": 12,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_db_instance",
+ "resourceName": "mydb",
+ "searchKey": "aws_db_instance[positive1].backup_retention_period",
+ "searchValue": "",
+ "expectedValue": "'backup_retention_period' should not equal '0'",
+ "actualValue": "'backup_retention_period' is equal '0'",
+ "issueType": "IncorrectValue",
+ "similarityID": "27cfff3a7ec5b83601084ac4df47c79f814610ad4bc2745c70e127331a5d2f1f",
+ "search_line": 12
 },
 {
 "queryName": "RDS With Backup Disabled",
 "severity": "MEDIUM",
 "line": 12,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[db].backup_retention_period",
+ "searchValue": "",
+ "expectedValue": "'backup_retention_period' should not equal '0'",
+ "actualValue": "'backup_retention_period' is equal '0'",
+ "issueType": "IncorrectValue",
+ "similarityID": "f0be24f4a45feebe263249256bb49d3e474defb051e650eff39370bfbfdb0171",
+ "search_line": 12
 },
 {
 "queryName": "RDS With Backup Disabled",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "aws_db_instance",
+ "resourceName": "mydb",
+ "searchKey": "aws_db_instance[positive1]",
+ "searchValue": "",
+ "expectedValue": "'backup_retention_period' should be defined, and bigger than '0'",
+ "actualValue": "'backup_retention_period' is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "65b372eee533a2130f146f6df54999bf79200719b67dfa6bcc8d237544d11f65",
+ "search_line": 1
 },
 {
 "queryName": "RDS With Backup Disabled",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive4.tf"
+ "fileName": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[db]",
+ "searchValue": "",
+ "expectedValue": "'backup_retention_period' should be defined, and bigger than '0'",
+ "actualValue": "'backup_retention_period' is not defined",
+ "issueType": "IncorrectValue",
+ "similarityID": "eeb9b295164943c33e3e4be22edd1ed9475f596c0129b04791cdfce6390f5daf",
+ "search_line": 1
 }
 ]
diff --git a/assets/queries/terraform/aws/rds_without_logging/test/positive_expected_result.json b/assets/queries/terraform/aws/rds_without_logging/test/positive_expected_result.json
index 9454580d871..7ee21382711 100644
--- a/assets/queries/terraform/aws/rds_without_logging/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/rds_without_logging/test/positive_expected_result.json
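Review bot: The positive4 entry reports `'backup_retention_period' is not defined` with `"issueType": "IncorrectValue"`, while positive3 reports the identical condition with `"issueType": "MissingAttribute"`; the only difference between the two is that positive4 goes through the `module[db]` path. The fixture presumably mirrors what the query emits today, so the inconsistency lives in the module branch of the query, but pinning it here as expected output takes it out of reach of the test suite. I'd align the module branch on `"issueType": "MissingAttribute"` and regenerate, unless the divergence is intentional and documented in the query. One more thing to eyeball: positive3's searchKey is `aws_db_instance[positive1]` although it is the positive3.tf entry — fine if that file really names its resource positive1, but it reads like a stale key.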
@@ -3,24 +3,60 @@ "queryName": "RDS Without Logging", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_db_instance", + "resourceName": "positive1", + "searchKey": "aws_db_instance[positive1]", + "searchValue": "", + "expectedValue": "'enabled_cloudwatch_logs_exports' should be defined", + "actualValue": "'enabled_cloudwatch_logs_exports' is undefined", + "issueType": "MissingAttribute", + "similarityID": "6afb50b039516e2199fadd88c51d2b7202ca2350613ffffedd18540f6dfb0b1d", + "search_line": 1 }, { "queryName": "RDS Without Logging", "severity": "MEDIUM", "line": 7, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_db_instance", + "resourceName": "positive2", + "searchKey": "aws_db_instance[positive2].enabled_cloudwatch_logs_exports", + "searchValue": "", + "expectedValue": "'enabled_cloudwatch_logs_exports' has one or more values", + "actualValue": "'enabled_cloudwatch_logs_exports' is empty", + "issueType": "IncorrectValue", + "similarityID": "486515aca15b2ce6c484502fe118bf3bf7b8e881c8cacb2b9b68fde4a26bc37d", + "search_line": 7 }, { "queryName": "RDS Without Logging", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[db]", + "searchValue": "", + "expectedValue": "'enabled_cloudwatch_logs_exports' should be defined", + "actualValue": "'enabled_cloudwatch_logs_exports' is undefined", + "issueType": "MissingAttribute", + "similarityID": "68e20a03b605535ea24a346c762894cc68e19840011753208374c95622ee39a2", + "search_line": 1 }, { "queryName": "RDS Without Logging", "severity": "MEDIUM", "line": 11, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[db].enabled_cloudwatch_logs_exports", + "searchValue": "", + "expectedValue": "'enabled_cloudwatch_logs_exports' has one or more values", 
+ "actualValue": "'enabled_cloudwatch_logs_exports' is empty", + "issueType": "IncorrectValue", + "similarityID": "d24956106a485a4a14553d5774dd738704d7caba18adcf35d626b7714c096ea0", + "search_line": 11 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/redis_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/redis_disabled/test/positive_expected_result.json index 39222e69fa7..f432b4bd8c3 100644 --- a/assets/queries/terraform/aws/redis_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/redis_disabled/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Redis Disabled", "severity": "LOW", "line": 4, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "aws_elasticache_cluster", + "resourceName": "cluster-example", + "searchKey": "resource.aws_elasticache_cluster[positive1].engine", + "searchValue": "", + "expectedValue": "resource.aws_elasticache_cluster[positive1].engine should have Redis enabled", + "actualValue": "resource.aws_elasticache_cluster[positive1].engine doesn't enable Redis", + "issueType": "IncorrectValue", + "similarityID": "22f055851807d5ed15970eba299eea95a22a5a857cbe8b27d8f8c91117adefe8", + "search_line": 4 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/redis_not_compliant/test/positive_expected_result.json b/assets/queries/terraform/aws/redis_not_compliant/test/positive_expected_result.json index 2563388f8fa..44fd31fa312 100644 --- a/assets/queries/terraform/aws/redis_not_compliant/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/redis_not_compliant/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "Redis Not Compliant", "severity": "HIGH", - "line": 7 + "line": 7, + "fileName": "positive.tf", + "resourceType": "aws_elasticache_cluster", + "resourceName": "cluster-example", + "searchKey": "aws_elasticache_cluster[positive1].engine_version", + "searchValue": "", + "expectedValue": "aws_elasticache_cluster[positive1].engine_version should be compliant with the requirements", + "actualValue": "aws_elasticache_cluster[positive1].engine_version isn't compliant with the requirements", + "issueType": "IncorrectValue", + "similarityID": "3d747327caff865ee661c76312dfad61cce0a6dda4776302c522bdc621932ca4", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json index 40533ee61d3..1b2891716aa 100644 --- a/assets/queries/terraform/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/redshift_cluster_logging_disabled/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Redshift Cluster Logging Disabled", "severity": "MEDIUM", - "line": 9 + "line": 9, + "fileName": "positive.tf", + "resourceType": "aws_redshift_cluster", + "resourceName": "positive1", + "searchKey": "aws_redshift_cluster[positive1].logging.enable", + "searchValue": "", + "expectedValue": "'aws_redshift_cluster.logging' should be true", + "actualValue": "'aws_redshift_cluster.logging' is false", + "issueType": "IncorrectValue", + "similarityID": "2ef2058c287d3e56e358b5f55801a74014dc0d0aeb68eccf25f24257d7988682", + "search_line": 9 }, { "queryName": "Redshift Cluster Logging Disabled", "severity": "MEDIUM", - "line": 13 + "line": 13, + "fileName": "positive.tf", + "resourceType": "aws_redshift_cluster", + "resourceName": "positive2", + "searchKey": "aws_redshift_cluster[positive2]", + "searchValue": "", + "expectedValue": "'aws_redshift_cluster.logging' should be true", + "actualValue": "'aws_redshift_cluster.logging' is undefined", + "issueType": "MissingAttribute", + "similarityID": "0d865259fdb2cdebe18bff2532ddf06f8c8a0d736687cb5a5bf9d887b6979273", + "search_line": 13 } ] diff --git a/assets/queries/terraform/aws/redshift_cluster_without_vpc/test/positive_expected_result.json b/assets/queries/terraform/aws/redshift_cluster_without_vpc/test/positive_expected_result.json index 25d75271b2d..dfd9a29887a 100644 --- a/assets/queries/terraform/aws/redshift_cluster_without_vpc/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/redshift_cluster_without_vpc/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_redshift_cluster", + "resourceName": "positive1", + "searchKey": "aws_redshift_cluster[positive1]", + "searchValue": "cluster_subnet_group_name", + "expectedValue": "aws_redshift_cluster[positive1].cluster_subnet_group_name should be set", + "actualValue": "aws_redshift_cluster[positive1].cluster_subnet_group_name is undefined", + "issueType": "MissingAttribute", + "similarityID": "ff9cd85f05020f79b48927d3273581da974d864b403b7df1f1740b7505534c2b", + "search_line": -1 }, { "queryName": "Redshift Cluster Without VPC", "severity": "LOW", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_redshift_cluster", + "resourceName": "positive1", + "searchKey": "aws_redshift_cluster[positive1]", + "searchValue": "vpc_security_group_ids", + "expectedValue": "aws_redshift_cluster[positive1].vpc_security_group_ids should be set", + "actualValue": "aws_redshift_cluster[positive1].vpc_security_group_ids is undefined", + "issueType": "MissingAttribute", + "similarityID": "4a2cac6a007d392a409812e1227009c5d1188b4912c586af5d3d45b391ecc4fc", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/redshift_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/redshift_not_encrypted/test/positive_expected_result.json index 5b4ce2d77c9..9886a81bfef 100644 --- a/assets/queries/terraform/aws/redshift_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/redshift_not_encrypted/test/positive_expected_result.json 
@@ -1,12 +1,32 @@
 [
- {
- "queryName": "Redshift Not Encrypted",
- "severity": "HIGH",
- "line": 1
- },
- {
- "queryName": "Redshift Not Encrypted",
- "severity": "HIGH",
- "line": 17
- }
+ {
+ "queryName": "Redshift Not Encrypted",
+ "severity": "HIGH",
+ "line": 1,
+ "fileName": "positive.tf",
+ "resourceType": "aws_redshift_cluster",
+ "resourceName": "positive1",
+ "searchKey": "aws_redshift_cluster[positive1]",
+ "searchValue": "",
+ "expectedValue": "aws_redshift_cluster.encrypted should be defined and not null",
+ "actualValue": "aws_redshift_cluster.encrypted is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "8b251b091035a8bd6eda099bb70b7419a0cb659d7ac0fc0d2a31cd6bd15a4831",
+ "search_line": 1
+ },
+ {
+ "queryName": "Redshift Not Encrypted",
+ "severity": "HIGH",
+ "line": 17,
+ "fileName": "positive.tf",
+ "resourceType": "aws_redshift_cluster",
+ "resourceName": "positive2",
+ "searchKey": "aws_redshift_cluster[positive2].encrypted",
+ "searchValue": "",
+ "expectedValue": "aws_redshift_cluster.encrypted should be set to false",
+ "actualValue": "aws_redshift_cluster.encrypted is true",
+ "issueType": "IncorrectValue",
+ "similarityID": "adff59fba363f12b3be8a56b25c3d2c18ba2e4f3e974e4850605d7d88f1503c3",
+ "search_line": 17
+ }
 ]
diff --git a/assets/queries/terraform/aws/redshift_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/redshift_publicly_accessible/test/positive_expected_result.json
index 548637b2980..61c021690f0 100644
--- a/assets/queries/terraform/aws/redshift_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/redshift_publicly_accessible/test/positive_expected_result.json
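Review bot: The positive2 entry (`line: 17`) pins a message that says the opposite of what this query checks: `expectedValue` is `aws_redshift_cluster.encrypted should be set to false` and `actualValue` is `aws_redshift_cluster.encrypted is true`, yet the query is "Redshift Not Encrypted" and positive1 in the same hunk expects `encrypted` to be defined. The file appears to be regenerated from the scanner's current output, so this records a defect in the query's strings rather than introducing one, but committing it makes the inverted text the expected behaviour and a later correction will show up as a test failure. I'd change the query's two strings to `aws_redshift_cluster.encrypted should be set to true` and `aws_redshift_cluster.encrypted is false` and regenerate this file before merging, since a finding whose message tells the user to turn encryption off is worse than no message at all.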
@@ -2,11 +2,31 @@ { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_redshift_cluster", + "resourceName": "positive1", + "searchKey": "aws_redshift_cluster[positive1]", + "searchValue": "", + "expectedValue": "aws_redshift_cluster.publicly_accessible should be defined and not null", + "actualValue": "aws_redshift_cluster.publicly_accessible is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "5d891e06add3825e102f943d47d2c8dcb0c4d1579228d83b984a0e48c0bb6f5d", + "search_line": -1 }, { "queryName": "Redshift Publicly Accessible", "severity": "HIGH", - "line": 17 + "line": 17, + "fileName": "positive.tf", + "resourceType": "aws_redshift_cluster", + "resourceName": "positive2", + "searchKey": "aws_redshift_cluster[positive2].publicly_accessible", + "searchValue": "", + "expectedValue": "aws_redshift_cluster.publicly_accessible should be set to false", + "actualValue": "aws_redshift_cluster.publicly_accessible is true", + "issueType": "IncorrectValue", + "similarityID": "8142d56535d2c3e5fbcd1e1f19eb856870dd3f2ce7bd42e8cd650257360a7a3f", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/redshift_using_default_port/test/positive_expected_result.json b/assets/queries/terraform/aws/redshift_using_default_port/test/positive_expected_result.json index e8e8737ce7a..5eaba97d094 100644 --- a/assets/queries/terraform/aws/redshift_using_default_port/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/redshift_using_default_port/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Redshift Using Default Port", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_redshift_cluster", + "resourceName": "positive1", + "searchKey": "aws_redshift_cluster[positive1]", + "searchValue": "", + "expectedValue": "aws_redshift_cluster.port should be defined and not null", + "actualValue": "aws_redshift_cluster.port is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "1064291b9a80aad25c95151b0ed8765c147110704725eb6e85d23f08c3968a1b", + "search_line": 1 }, { "queryName": "Redshift Using Default Port", "severity": "LOW", "line": 9, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_redshift_cluster", + "resourceName": "positive2", + "searchKey": "aws_redshift_cluster[positive2].port", + "searchValue": "", + "expectedValue": "aws_redshift_cluster.port should not be set to 5439", + "actualValue": "aws_redshift_cluster.port is set to 5439", + "issueType": "IncorrectValue", + "similarityID": "a6b17ce635b83074481371e2ece44f165e1455a14e3a8038a5b5976c0424fe3f", + "search_line": 9 } ] diff --git a/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json b/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json index 8ea304c9c6f..1a6128e3a3b 100644 --- a/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/remote_desktop_port_open_to_internet/test/positive_expected_result.json 
@@ -3,102 +3,255 @@ "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 5, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-1].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-1].ingress shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group[positive1-1].ingress opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "a79627090c3a18dd3e7e726483550cb1364164ec2b663355fcf50e9aff4b2748", + "search_line": 5 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 26, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-2].ingress[1]", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-2].ingress[1] shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group[positive1-2].ingress[1] opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "8b7522eb56af6ecdb4efa40679420512d47dc48503e386bf694e360238337907", + "search_line": 26 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 39, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-3].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-3].ingress shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group[positive1-3].ingress opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "d955dcdce3ca86dbb18da30545e9f88bbcc842ad64ebe31346515ff01fb7690f", + "search_line": 39 }, { "queryName": "Remote Desktop Port Open To 
Internet", "severity": "HIGH", "line": 60, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-4].ingress[1]", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-4].ingress[1] shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group[positive1-4].ingress[1] opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "804d63b9126e385d61073f3a26543e87eca0ad9a1f0e848a0d2d7d166092a38b", + "search_line": 60 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 73, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-5].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-5].ingress shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group[positive1-5].ingress opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "2e983cdb0d85bffadad5debf1201bd38d8acfadea5694d5a36d50f41863495d7", + "search_line": 73 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 87, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-6].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-6].ingress shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group[positive1-6].ingress opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "c5b765348574a3cf433e3b56e8c614be992100ecebeb96733448bf3724b20005", + "search_line": 87 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 101, - "fileName": 
"positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-7].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-7].ingress shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group[positive1-7].ingress opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "a7cca2e6fcc6712415cad28e652089cf286bfbb3e4b5d423c281bbbb9d3dc416", + "search_line": 101 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 7, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-1]", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-1] shouldn't open the remote desktop port (3389)", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-1] opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "2d8496e366cd47bcb3f351aed6d8ea1404518d20731633e97a62b1deb5a2cd9a", + "search_line": 7 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 17, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-2]", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-2] shouldn't open the remote desktop port (3389)", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-2] opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "37d0c8dc06aeac7fa82590b3d163db213527d66b3d504d0b1db2d6bab103243c", + "search_line": 17 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", 
"line": 7, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-1", + "searchKey": "aws_security_group_rule[positive3-1]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-1] shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group_rule[positive3-1] opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "7ebdc80c87657b152fc1bca1796e98b1dedba47ef80b62cea3aef455a7c4cde3", + "search_line": 7 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 17, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-2", + "searchKey": "aws_security_group_rule[positive3-2]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-2] shouldn't open the remote desktop port (3389)", + "actualValue": "aws_security_group_rule[positive3-2] opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "c8a97b4e7cf317890befc0fdf196d99dd4f1fecdb3250cdabaaef7c02c3073f4", + "search_line": 17 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 11, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 shouldn't open the remote desktop port (3389)", + "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "b6a2875d4890032fbea83cf87e66ee450d1cbc7afdb3a5fefafb4ddcea9ee3f8", + "search_line": 11 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 30, - "fileName": "positive4.tf" + 
"fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 shouldn't open the remote desktop port (3389)", + "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "8337a41a8dc862739eee6acc6177826095ce248113098e5a5545f790fe7157b3", + "search_line": 30 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 49, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 shouldn't open the remote desktop port (3389)", + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "a6dec9e10cde623b6a7fc3c0e103118967a8cdf9205281d629d24488452ee678", + "search_line": 49 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 63, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 shouldn't open the remote desktop port (3389)", + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "bed5e7c420ef720fd14399386c1a2a75f8dddf4cb55634f10a2254f64d5c19b4", + "search_line": 63 }, { "queryName": "Remote Desktop Port Open To Internet", 
"severity": "HIGH", "line": 82, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 shouldn't open the remote desktop port (3389)", + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "40542eedf7c2b41a155f88968e46151fa63484b25ecd2512d29c124dce889f60", + "search_line": 82 }, { "queryName": "Remote Desktop Port Open To Internet", "severity": "HIGH", "line": 96, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 shouldn't open the remote desktop port (3389)", + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 opens the remote desktop port (3389)", + "issueType": "IncorrectValue", + "similarityID": "e762e57ef877efa51165c1db24152ebb49db29e996f75fb81f5230e38957367f", + "search_line": 96 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/resource_not_using_tags/test/positive_expected_result.json b/assets/queries/terraform/aws/resource_not_using_tags/test/positive_expected_result.json index 337633981da..6e4f35aed07 100644 --- a/assets/queries/terraform/aws/resource_not_using_tags/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/resource_not_using_tags/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Resource Not Using Tags", "severity": "INFO", "line": 1, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_acm_certificate", + "resourceName": "cert", + "searchKey": "aws_acm_certificate[{{cert}}]", + "searchValue": "", + "expectedValue": "aws_acm_certificate[{{cert}}].tags should be defined and not null", + "actualValue": "aws_acm_certificate[{{cert}}].tags is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "e0a09c54386ce7210267c7e67d1df83a66c17d3aa63bacdf181c729819f0b139", + "search_line": -1 }, { "queryName": "Resource Not Using Tags", "severity": "INFO", "line": 14, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_acm_certificate", + "resourceName": "test", + "searchKey": "aws_acm_certificate[{{cert_2}}].tags", + "searchValue": "", + "expectedValue": "aws_acm_certificate[{{cert_2}}].tags has additional tags defined other than 'Name'", + "actualValue": "aws_acm_certificate[{{cert_2}}].tags does not have additional tags defined other than 'Name'", + "issueType": "MissingAttribute", + "similarityID": "3babc833d0df5400b7d19e88163f2f8abcb94dc3f5876cdf432b179e29b29361", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/rest_api_with_vulnerable_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/rest_api_with_vulnerable_policy/test/positive_expected_result.json index 33e55eeedda..eb0a7d97c3c 100644 --- a/assets/queries/terraform/aws/rest_api_with_vulnerable_policy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/rest_api_with_vulnerable_policy/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "REST API With Vulnerable Policy", "severity": "MEDIUM", "line": 15, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "aws_api_gateway_rest_api_policy", + "resourceName": "test", + "searchKey": "aws_api_gateway_rest_api_policy[test].policy", + "searchValue": "", + "expectedValue": "aws_api_gateway_rest_api_policy[test].policy should not have wildcard in 'Action' and 'Principal'", + "actualValue": "aws_api_gateway_rest_api_policy[test].policy has wildcard in 'Action' or 'Principal'", + "issueType": "IncorrectValue", + "similarityID": "e404fa00b7b5f1bc19864e7ae11418fe843707b9843dbd5b826cb6a044dd4bbe", + "search_line": 15 } ] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json index b9701be2aa2..58b61337ab7 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "73ba99a21b218c2922bb96d05409c1309f70ac26fd342b11d6edeb824c800de5", + "search_line": 1 } ] 
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json index 87e158ac96f..66f0944678f 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Role With Privilege Escalation By Actions 'iam:AddUserToGroup'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "4766cbaccf4705dfee23c739ba1c10aab8a381339838d089a23680ca7ad86878", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json index a5ef5c51455..876879e6b6a 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "71414104c70e7bb443e013272f18790263a7f7f7031a145b2ea504a36212c09d", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json index 778b7cad94f..2419361197b 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "80bae8da667b55f8120f6b002a22c3f31a53e0b6b5cc77adcae54f3e54405c90", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json index 235e2957902..ce5b93e60bd 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "f27046286c8e05a5da6d1c58e8c0912965df3761e441eb2716331ab635073b4b", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json index 26052310d14..dc18f244955 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Role With Privilege Escalation By Actions 'iam:CreateAccessKey'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "3a97ac32386bce32c6cfa958dfda6e7503cd0c7ea38257f736f7d0c6aa79016f", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json index b95a680f239..401292b7281 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "2b36391dfb8c23c3abd826a6d4d430db2b3cddb51efbe36d951d1a31e6efb0fd", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json index ed344d9f4b6..1400675d45d 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "2621bfdc803d9eb5bd63313e3b90c76984b82f3ad608fdf3f6def71b86a32bbc", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json index 525fe5c1c92..76275c8369f 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "b8277fe6901ae07d393f4e3c9e3bc2a13c8100e0205e89fa320f38189fba9bb1", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json index 832085a4c0e..52d2b4a6ab5 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "0b1062f2eb65bdb961fab15f41aa0168b1bb06bc6d83e5963edcf4b698b9cedc", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json index ab36af18cc2..5d94ec11dde 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "e645d3046256014e806ef88eaa547c941db75c7a4efbc9839499a69f2f835782", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json index 15cbd75d72d..eebd1f772bf 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "4c478a1ed9a7ea4c4756561a25edd065d74038015380355aa3e301220a515c98", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json index fd4e74f0462..f58ce098ca1 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "3f7e244cf5f79f21897cd6816ae570d319a7b60a14ad76bb5129eedfc8c5b88a", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json index 6d0b68ceaa4..d323df2a863 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Role With Privilege Escalation By Actions 'iam:PutRolePolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic should not be associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "da97eb0477d18fee8d19bcb96933a12497e8020446e39a34fc79bab0cd93d948", + "search_line": 1 } ] 
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json index f69e886cad1..f50145e93c5 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Role With Privilege Escalation By Actions 'iam:PutUserPolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic should not be associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "67a32292852e306440cd16945a8305c1e15686427a2e8334ec60e4920663ea46", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json index 4c3ee4591ee..9db3eac9adb 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "fc7c33f0b52abf485e0724a9920ba04b646cc9cdfeecc31768113342adc3934b", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json index eff25985df7..ec103fd0910 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "3071c50cb39f178f84a9f7aaaf34dc129e2455473f82101cbcb5715b84e6f52f", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json index d8772c4e53d..6d341630d9d 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "0e6b13a3828dc10c5f6dd0333f46c5410c540280d77b453c8c8dbc814fe5f01c", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json index c0d1c5dc6c7..c3467476722 100644 --- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_role", + "resourceName": "cosmic", + "searchKey": "aws_iam_role[cosmic]", + "searchValue": "", + "expectedValue": "role cosmic shouldn't be associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", + "actualValue": "role cosmic is associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "82e47520323e832670b5ee109c04e1fb840a386fa417869a6a9e8b46593ccc7d", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/root_account_has_active_access_keys/test/positive_expected_result.json b/assets/queries/terraform/aws/root_account_has_active_access_keys/test/positive_expected_result.json index 8ba4d93171e..9c65eb53a84 100644 --- a/assets/queries/terraform/aws/root_account_has_active_access_keys/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/root_account_has_active_access_keys/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Root Account Has Active Access Keys", "severity": "HIGH", "line": 2, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_access_key", + "resourceName": "positive1", + "searchKey": "aws_iam_access_key[positive1]", + "searchValue": "", + "expectedValue": "'aws_iam_access_key[positive1].status' should be defined and set to 'Inactive'", + "actualValue": "'aws_iam_access_key[positive1].status' is undefined, that defaults to 'Active'", + "issueType": "MissingAttribute", + "similarityID": "a0944e450bb63638a06446f201e9b6774af828c66c5a65088b1af24b478bcef0", + "search_line": -1 }, { "queryName": "Root Account Has Active Access Keys", "severity": "HIGH", "line": 4, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_iam_access_key", + "resourceName": "positive2", + "searchKey": "aws_iam_access_key[positive2].status", + "searchValue": "", + "expectedValue": "'aws_iam_access_key[positive2].status' should be defined and set to 'Inactive'", + "actualValue": "'aws_iam_access_key[positive2].status' is set to 'Active'", + "issueType": "IncorrectValue", + "similarityID": "9f16c88061d4db8ed049cc3d00c5db28d2dc67dcec50baa36294e3dd9aaf4006", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/route53_record_undefined/test/positive_expected_result.json b/assets/queries/terraform/aws/route53_record_undefined/test/positive_expected_result.json index 77946d4c1b8..e3dba10aa66 100644 --- a/assets/queries/terraform/aws/route53_record_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/route53_record_undefined/test/positive_expected_result.json 
@@ -1,7 +1,17 @@
 [
- {
- "queryName": "Route53 Record Undefined",
- "severity": "HIGH",
- "line": 8
- }
+ {
+ "queryName": "Route53 Record Undefined",
+ "severity": "HIGH",
+ "line": 8,
+ "fileName": "positive.tf",
+ "resourceType": "aws_route53_record",
+ "resourceName": "test.example.com",
+ "searchKey": "aws_route53_record[example].records",
+ "searchValue": "",
+ "expectedValue": "aws_route53_record.records should be defined",
+ "actualValue": "aws_route53_record.records is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "d0a37d30adc8f7cd040cbd3b27c8c684447c6e64495f237b59eec9ff9277c39b",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/terraform/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json
index 6bbb854489c..bd6e57a02ea 100644
--- a/assets/queries/terraform/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/s3_bucket_access_to_any_principal/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "S3 Bucket Access to Any Principal",
 "severity": "CRITICAL",
 "line": 4,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_s3_bucket_policy",
+ "resourceName": "${aws_s3_bucket.b.id}",
+ "searchKey": "aws_s3_bucket_policy[positive1].policy",
+ "searchValue": "",
+ "expectedValue": "aws_s3_bucket_policy[positive1].policy.Principal should not equal to, nor contain '*'",
+ "actualValue": "aws_s3_bucket_policy[positive1].policy.Principal is equal to or contains '*'",
+ "issueType": "IncorrectValue",
+ "similarityID": "34f30494bdad1f92fb293165f9e5db0522187c832489e1e6d0f42ad674050a5e",
+ "search_line": 4
 },
 {
 "queryName": "S3 Bucket Access to Any Principal",
 "severity": "CRITICAL",
 "line": 12,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[s3_bucket].policy",
+ "searchValue": "",
+ "expectedValue": "'policy.Principal' should not equal to, nor contain '*'",
+ "actualValue": "'policy.Principal' is equal to or contains '*'",
+ "issueType": "IncorrectValue",
+ "similarityID": "143e6e7b34b6bb0a6855abcc8de381a7604eca3903d9819ecc60e3920e8df96a",
+ "search_line": 12
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json
index 67dc0436485..4a336863cc4 100644
--- a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users/test/positive_expected_result.json
@@ -3,36 +3,90 @@ "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", "line": 15, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive1].acl=public-read", + "searchValue": "", + "expectedValue": "'acl' should equal to 'private'", + "actualValue": "'acl' is equal 'public-read'", + "issueType": "IncorrectValue", + "similarityID": "e11ca8d3feaee8224e8d1493dcf9b5d3d9d087935d57e2163e68ac7232812122", + "search_line": 15 }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", "line": 16, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive2].acl=public-read-write", + "searchValue": "", + "expectedValue": "'acl' should equal to 'private'", + "actualValue": "'acl' is equal 'public-read-write'", + "issueType": "IncorrectValue", + "similarityID": "fdcaa992f7092fe7dcd1d54876d33becd71b87f22775f201e2ac07841ff957a4", + "search_line": 16 }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", "line": 6, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].acl", + "searchValue": "", + "expectedValue": "'acl' should equal to 'private'", + "actualValue": "'acl' is equal 'public-read'", + "issueType": "IncorrectValue", + "similarityID": "4f74e85577b38317cb3c92fbcd3dbb2b33b191396cd81be8c41d96fa62e83a0b", + "search_line": 6 }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", "line": 6, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].acl", + "searchValue": "", + "expectedValue": "'acl' should equal to 'private'", + 
"actualValue": "'acl' is equal 'public-read-write'", + "issueType": "IncorrectValue", + "similarityID": "ed8888cdfb3a908b7fb336a084689ccbadcdf1a3341b020cfb9cc02f0adec0ac", + "search_line": 6 }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", "line": 20, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "aws_s3_bucket_acl", + "resourceName": "example_bucket_acl", + "searchKey": "aws_s3_bucket_acl[example_bucket_acl].acl", + "searchValue": "", + "expectedValue": "aws_s3_bucket_acl[example_bucket_acl].acl should be private", + "actualValue": "aws_s3_bucket_acl[public-read].acl is %!s(MISSING)", + "issueType": "IncorrectValue", + "similarityID": "1266e396d1f2d0e841c099b1c2bb7d8a21a35940d98ec971bbc88d897cd1e703", + "search_line": 20 }, { "queryName": "S3 Bucket ACL Allows Read Or Write to All Users", "severity": "CRITICAL", "line": 20, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "aws_s3_bucket_acl", + "resourceName": "example_bucket_acl", + "searchKey": "aws_s3_bucket_acl[example_bucket_acl].acl", + "searchValue": "", + "expectedValue": "aws_s3_bucket_acl[example_bucket_acl].acl should be private", + "actualValue": "aws_s3_bucket_acl[public-read-write].acl is %!s(MISSING)", + "issueType": "IncorrectValue", + "similarityID": "0611862ab606ac02476d81363bd794e4a685b122b595b45521ef5c36978c9fb2", + "search_line": 20 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json index 61a32dc2ac8..7e73a174764 100644 --- a/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/test/positive_expected_result.json 
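Review bot: The positive5 and positive6 entries in this hunk pin `"actualValue": "aws_s3_bucket_acl[public-read].acl is %!s(MISSING)"`, and `%!s(MISSING)` is Go's fmt marker for a format verb with no matching argument, so the regenerated fixture is recording broken query output as the expected result. The bracketed segment also carries the ACL value (`public-read`) where the sibling entries carry the resource name, which suggests the query's actualValue is assembled with one argument too few and the remaining ones shifted — to be confirmed in the query's Rego, which is outside this diff. Committing this as-is makes the unit test pass on a malformed message, so the query should be corrected and this file regenerated, or the entry at least marked with a follow-up so the generator's verbatim capture is not mistaken for an intentional expectation. The generator script is faithful here; the point is only that freshly captured output still needs a human read before it becomes the oracle.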
@@ -3,18 +3,45 @@ "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 16, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive1].acl", + "searchValue": "", + "expectedValue": "aws_s3_bucket[positive1].acl should be private", + "actualValue": "aws_s3_bucket[positive1].acl is authenticated-read", + "issueType": "IncorrectValue", + "similarityID": "dbb85405b43a2dae36ebf28a2046a3f2934cc8092c8a52dcd077247d134a752f", + "search_line": 16 }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 6, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].acl", + "searchValue": "", + "expectedValue": "'acl' should be private", + "actualValue": "'acl' is authenticated-read", + "issueType": "IncorrectValue", + "similarityID": "fab7aaa65f9a184521081f4086e0262c65aaa22090d09106a2995326b7938c3c", + "search_line": 6 }, { "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User", "severity": "HIGH", "line": 20, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_s3_bucket_acl", + "resourceName": "example_bucket_acl", + "searchKey": "aws_s3_bucket_acl[example_bucket_acl].acl", + "searchValue": "", + "expectedValue": "aws_s3_bucket_acl[example_bucket_acl].acl should be private", + "actualValue": "aws_s3_bucket_acl[example_bucket_acl].acl is authenticated-read", + "issueType": "IncorrectValue", + "similarityID": "b9c29d2cef8cba916b3060c6fb3604319a15c2de8e507caa218e2b24e169a9fb", + "search_line": 20 } ] 
diff --git a/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/test/positive_expected_result.json index 856b0ebf754..9b166ab436c 100644 --- a/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "S3 Bucket ACL Grants WRITE_ACP Permission", "severity": "CRITICAL", "line": 16, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_s3_bucket_acl", + "resourceName": "example", + "searchKey": "aws_s3_bucket_acl[example].access_control_policy.grant.permission", + "searchValue": "", + "expectedValue": "Should not be granted Write_ACP permission to the aws_s3_bucket_acl", + "actualValue": "Write_ACP permission is granted to the aws_s3_bucket_acl", + "issueType": "IncorrectValue", + "similarityID": "75ad9caf2e2e3b4571fff5ddadc3285f6ca9657148ca2d6b770bfa6ac3af7e87", + "search_line": 16 }, { "queryName": "S3 Bucket ACL Grants WRITE_ACP Permission", "severity": "CRITICAL", "line": 23, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_s3_bucket_acl", + "resourceName": "example", + "searchKey": "aws_s3_bucket_acl[example].access_control_policy.grant[1].permission", + "searchValue": "", + "expectedValue": "Should not be granted Write_ACP permission to the aws_s3_bucket_acl", + "actualValue": "Write_ACP permission is granted to the aws_s3_bucket_acl", + "issueType": "IncorrectValue", + "similarityID": "040d9b13dd937e099c92707a594df59772bcacf587aef30d2736360bd77497ff", + "search_line": 23 } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json index 41c4374ceb8..327d542d64e 100644 --- a/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "S3 Bucket Allows Delete Action From All Principals", "severity": "CRITICAL", "line": 4, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_s3_bucket_policy", + "resourceName": "${aws_s3_bucket.b.id}", + "searchKey": "aws_s3_bucket_policy[positive1].policy", + "searchValue": "", + "expectedValue": "aws_s3_bucket_policy[positive1].policy.Action should not be a 'Delete' action", + "actualValue": "aws_s3_bucket_policy[positive1].policy.Action is a 'Delete' action", + "issueType": "IncorrectValue", + "similarityID": "12c9a0ba10edb786ed5f1bc19d8c8bee77d98455ec2872319ed7a46a1af75e83", + "search_line": 4 }, { "queryName": "S3 Bucket Allows Delete Action From All Principals", "severity": "CRITICAL", "line": 4, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_s3_bucket_policy", + "resourceName": "${aws_s3_bucket.b.id}", + "searchKey": "aws_s3_bucket_policy[positive2].policy", + "searchValue": "", + "expectedValue": "aws_s3_bucket_policy[positive2].policy.Action should not be a 'Delete' action", + "actualValue": "aws_s3_bucket_policy[positive2].policy.Action is a 'Delete' action", + "issueType": "IncorrectValue", + "similarityID": "b56cb7953ce2fe19fa04552b2c7b2f872e296d6a39583958a29d710e2084d17e", + "search_line": 4 }, { "queryName": "S3 Bucket Allows Delete Action From All Principals", "severity": "CRITICAL", "line": 12, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' should not be a 'Delete' action", + "actualValue": "'policy.Statement.Action' is a 'Delete' action", + "issueType": "IncorrectValue", + "similarityID": "08e5156c4822569653dc190c041dd1b8e5844e68e9ee46b4202303fc5a1a21d0", + "search_line": 12 }, { "queryName": "S3 Bucket Allows Delete Action From All Principals", "severity": "CRITICAL", "line": 37, - 
"fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_s3_bucket_policy", + "resourceName": "${var.positive4}", + "searchKey": "aws_s3_bucket_policy[positive4].policy", + "searchValue": "", + "expectedValue": "aws_s3_bucket_policy[positive4].policy.Action should not be a 'Delete' action", + "actualValue": "aws_s3_bucket_policy[positive4].policy.Action is a 'Delete' action", + "issueType": "IncorrectValue", + "similarityID": "cbc96cef609bfb467f0324dd64c2410761c4d25b218d45f803767780d72c9172", + "search_line": 37 }, { "queryName": "S3 Bucket Allows Delete Action From All Principals", "severity": "CRITICAL", "line": 37, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "aws_s3_bucket_policy", + "resourceName": "${var.positive5}", + "searchKey": "aws_s3_bucket_policy[positive5].policy", + "searchValue": "", + "expectedValue": "aws_s3_bucket_policy[positive5].policy.Action should not be a 'Delete' action", + "actualValue": "aws_s3_bucket_policy[positive5].policy.Action is a 'Delete' action", + "issueType": "IncorrectValue", + "similarityID": "90c104ec5c7ff1e2e15500cae45cf0689d54f63c2a3b3f1f58a92b4458b6f9f5", + "search_line": 37 }, { "queryName": "S3 Bucket Allows Delete Action From All Principals", "severity": "CRITICAL", "line": 37, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "aws_s3_bucket_policy", + "resourceName": "${var.positive6}", + "searchKey": "aws_s3_bucket_policy[positive6].policy", + "searchValue": "", + "expectedValue": "aws_s3_bucket_policy[positive6].policy.Action should not be a 'Delete' action", + "actualValue": "aws_s3_bucket_policy[positive6].policy.Action is a 'Delete' action", + "issueType": "IncorrectValue", + "similarityID": "f9b1d86f722dda882e4aa14b0f2b6693088ee532e0a24bfb2af787e64e5c7457", + "search_line": 37 } ] 
diff --git a/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json index 7981794f047..66f0f3971b3 100644 --- a/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "S3 Bucket Allows Get Action From All Principals", "severity": "HIGH", "line": 17, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_s3_bucket_policy", + "resourceName": "${aws_s3_bucket.b.id}", + "searchKey": "aws_s3_bucket_policy[positive2].policy.Action", + "searchValue": "", + "expectedValue": "aws_s3_bucket_policy[positive2].policy.Action should not be a 'Get' action", + "actualValue": "aws_s3_bucket_policy[positive2].policy.Action is a 'Get' action", + "issueType": "IncorrectValue", + "similarityID": "0968989b05ee62d1c41c3e388e097f87df570579e2e29c88c9716105770db7c6", + "search_line": -1 }, { "queryName": "S3 Bucket Allows Get Action From All Principals", "severity": "HIGH", "line": 42, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_s3_bucket_policy", + "resourceName": "${aws_s3_bucket.b.id}", + "searchKey": "aws_s3_bucket_policy[positive3].policy.Action", + "searchValue": "", + "expectedValue": "aws_s3_bucket_policy[positive3].policy.Action should not be a 'Get' action", + "actualValue": "aws_s3_bucket_policy[positive3].policy.Action is a 'Get' action", + "issueType": "IncorrectValue", + "similarityID": "f5c6decad240116ed60566c7dcd953736d97880cb7768b4bd24b8caab4633214", + "search_line": -1 }, { "queryName": "S3 Bucket Allows Get Action From All Principals", "severity": "HIGH", "line": 23, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].policy.Action", + "searchValue": "", + "expectedValue": "module[s3_bucket].policy.Action should not be a 'Get' action", + "actualValue": "module[s3_bucket].policy.Action is a 'Get' action", + "issueType": "IncorrectValue", + "similarityID": "efa9f36bbfd0f12a76346fc316dab471a3770c5c5c74bf6244703811c371a2c9", + "search_line": -1 } ] 
diff --git a/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json index 1e69808740d..f47675a005c 100644 --- a/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "S3 Bucket Allows List Action From All Principals", "severity": "HIGH", "line": 4, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_s3_bucket_policy", + "resourceName": "${aws_s3_bucket.b.id}", + "searchKey": "aws_s3_bucket_policy[positive1].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' should not be a 'List' action when 'policy.Statement.Principal' contains '*'", + "actualValue": "'policy.Statement.Action' is a 'List' action when 'policy.Statement.Principal' contains '*'", + "issueType": "IncorrectValue", + "similarityID": "64008ee65b8949de857e301e03f7898ef50759eacccfcc8705df0ff49c39a23a", + "search_line": 4 }, { "queryName": "S3 Bucket Allows List Action From All Principals", "severity": "HIGH", "line": 4, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_s3_bucket_policy", + "resourceName": "${aws_s3_bucket.b.id}", + "searchKey": "aws_s3_bucket_policy[positive2].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' should not be a 'List' action when 'policy.Statement.Principal' contains '*'", + "actualValue": "'policy.Statement.Action' is a 'List' action when 'policy.Statement.Principal' contains '*'", + "issueType": "IncorrectValue", + "similarityID": "95253dd82765a9ec55c0067f18291de1e9ce82af6df873940c2acac8d9fc31f6", + "search_line": 4 }, { "queryName": "S3 Bucket Allows List Action From All Principals", "severity": "HIGH", "line": 12, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' should not be a 'List' action when 'policy.Statement.Principal' contains '*'", + "actualValue": "'policy.Statement.Action' is a 'List' action when 'policy.Statement.Principal' contains '*'", + "issueType": "IncorrectValue", + "similarityID": 
"4c65a85b6fd9fdf7241e795a1b2c66def114bdb5eb68d46ee51012298206d17a", + "search_line": 12 } ] diff --git a/assets/queries/terraform/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json index dfa66d99198..c7b407b4bf1 100644 --- a/assets/queries/terraform/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_allows_public_acl/test/positive_expected_result.json 
@@ -2,25 +2,61 @@ { "queryName": "S3 Bucket Allows Public ACL", "severity": "MEDIUM", - "line": 18, - "filename": "positive1.tf" + "line": 8, + "fileName": "positive1.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "positive2", + "searchKey": "aws_s3_bucket_public_access_block[positive2].block_public_acls", + "searchValue": "", + "expectedValue": "'block_public_acls' should equal 'true'", + "actualValue": "'block_public_acls' is equal 'false'", + "issueType": "IncorrectValue", + "similarityID": "99449a950ebe3a156dc6a179627a9271719bbcc1c16f249f17bbe9042e0c8275", + "search_line": 8 }, { "queryName": "S3 Bucket Allows Public ACL", "severity": "MEDIUM", - "line": 8, - "filename": "positive1.tf" + "line": 18, + "fileName": "positive1.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "positive3", + "searchKey": "aws_s3_bucket_public_access_block[positive3]", + "searchValue": "", + "expectedValue": "'block_public_acls' should equal 'true'", + "actualValue": "'block_public_acls' is missing", + "issueType": "MissingAttribute", + "similarityID": "9c3e76e62c2da31d1d7c3cf68541ca99df94e3ab48187c1b6e42f06458aec1df", + "search_line": 18 }, { "queryName": "S3 Bucket Allows Public ACL", "severity": "MEDIUM", - "line": 1, - "filename": "positive3.tf" + "line": 8, + "fileName": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].block_public_acls", + "searchValue": "", + "expectedValue": "'block_public_acls' should equal 'true'", + "actualValue": "'block_public_acls' is equal 'false'", + "issueType": "IncorrectValue", + "similarityID": "66e66de1a4490061467de957cd42229c5efa51865fae479d3741a16f803ca4c7", + "search_line": 8 }, { "queryName": "S3 Bucket Allows Public ACL", "severity": "MEDIUM", - "line": 8, - "filename": "positive2.tf" + "line": 1, + "fileName": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket]", + "searchValue": "", 
+ "expectedValue": "'block_public_acls' should equal 'true'", + "actualValue": "'block_public_acls' is missing", + "issueType": "MissingAttribute", + "similarityID": "979463ce91a9d15b97fd93bba8aa03329bb75c9f2202e12d1e4151042ed37b87", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json index 0e3bc74d02b..d8a8623c437 100644 --- a/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "S3 Bucket Allows Put Action From All Principals", "severity": "CRITICAL", "line": 4, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_s3_bucket_policy", + "resourceName": "${aws_s3_bucket.b.id}", + "searchKey": "aws_s3_bucket_policy[positive1].policy", + "searchValue": "", + "expectedValue": "aws_s3_bucket_policy[positive1].policy.Statement.Action should not be a 'Put' action", + "actualValue": "aws_s3_bucket_policy[positive1].policy.Statement.Action is a 'Put' action", + "issueType": "IncorrectValue", + "similarityID": "52128128ad8a85bb10dd521772c5f8b2af9e6a898e7ce2063da125cfc089538d", + "search_line": 4 }, { "queryName": "S3 Bucket Allows Put Action From All Principals", "severity": "CRITICAL", "line": 5, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_s3_bucket_policy", + "resourceName": "${aws_s3_bucket.b.id}", + "searchKey": "aws_s3_bucket_policy[positive2].policy", + "searchValue": "", + "expectedValue": "aws_s3_bucket_policy[positive2].policy.Statement.Action should not be a 'Put' action", + "actualValue": "aws_s3_bucket_policy[positive2].policy.Statement.Action is a 'Put' action", + "issueType": "IncorrectValue", + "similarityID": "63394e035fa1f40cda95cb9b16b99f9b044a9112ab6e51a423c1c4053de5ee4e", + "search_line": 5 }, { "queryName": "S3 Bucket Allows Put Action From All Principals", "severity": "CRITICAL", "line": 12, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' should not be a 'Put' action", + "actualValue": "'policy.Statement.Action' is a 'Put' action", + "issueType": "IncorrectValue", + "similarityID": "05bc13108c0a6f60d3808975001550af2ca7d04cdf26ba71d7d94a4f44762ddf", + "search_line": 12 } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/aws/s3_bucket_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_logging_disabled/test/positive_expected_result.json index 7bfe21c6235..fa4d3024231 100644 --- a/assets/queries/terraform/aws/s3_bucket_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_logging_disabled/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "S3 Bucket Logging Disabled", "severity": "MEDIUM", "line": 14, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive1]", + "searchValue": "", + "expectedValue": "'logging' should be defined and not null", + "actualValue": "'logging' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "c5bfbfcfbeb892b33511a79a6bffd823bb9b9b490a7d11925bcd1e59209181c2", + "search_line": 14 }, { "queryName": "S3 Bucket Logging Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket]", + "searchValue": "", + "expectedValue": "'logging' should be defined and not null", + "actualValue": "'logging' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "c7d2bb1acaea85f3a4af934dce4b08f3020e233c6908b238458204c872d15acc", + "search_line": 1 }, { "queryName": "S3 Bucket Logging Disabled", "severity": "MEDIUM", "line": 14, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-example-bucket", + "searchKey": "aws_s3_bucket[examplee]", + "searchValue": "", + "expectedValue": "'logging' should be defined and not null", + "actualValue": "'logging' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "f8a13afed64df0b67eedf5b80a23c7a84a345552e9ca92d87a7eee46f39839dc", + "search_line": 14 } ] diff --git a/assets/queries/terraform/aws/s3_bucket_notifications_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_notifications_disabled/test/positive_expected_result.json index d2ca784af21..04e9e00cacf 100644 --- a/assets/queries/terraform/aws/s3_bucket_notifications_disabled/test/positive_expected_result.json 
+++ b/assets/queries/terraform/aws/s3_bucket_notifications_disabled/test/positive_expected_result.json 
@@ -3,72 +3,180 @@ "queryName": "S3 bucket notifications disabled", "severity": "LOW", "line": 6, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_sns_topic", + "resourceName": "s3-event-notification-topic", + "searchKey": "aws_sns_topic[topic2]", + "searchValue": "", + "expectedValue": "aws_sns_topic.topic2 should be evoked in aws_s3_bucket_notification ", + "actualValue": "aws_sns_topic.topic2 is not properly evoked in aws_s3_bucket_notification ", + "issueType": "MissingAttribute", + "similarityID": "83d7a77a5152f76974453de1eb2fe64714d7d6985cfce07c37ef4fd925108b90", + "search_line": 6 }, { "queryName": "S3 bucket notifications disabled", "severity": "LOW", "line": 6, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_sqs_queue", + "resourceName": "s3-event-notification-queue", + "searchKey": "aws_sqs_queue[queue2]", + "searchValue": "", + "expectedValue": "aws_sqs_queue.queue2 should be evoked in aws_s3_bucket_notification ", + "actualValue": "aws_sqs_queue.queue2 is not properly evoked in aws_s3_bucket_notification ", + "issueType": "MissingAttribute", + "similarityID": "88564c1492b6694fd2e43b23e9c4b76cb5b0aea8cbd793a912cd0211a45f7c1a", + "search_line": 6 }, { "queryName": "S3 bucket notifications disabled", "severity": "LOW", "line": 14, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_lambda_function", + "resourceName": "func2", + "searchKey": "aws_lambda_function[func2]", + "searchValue": "", + "expectedValue": "aws_lambda_function.func2 should be evoked in aws_s3_bucket_notification ", + "actualValue": "aws_lambda_function.func2 is not properly evoked in aws_s3_bucket_notification ", + "issueType": "MissingAttribute", + "similarityID": "c689bc0a1890a296149396e112ee06a669c6d773f7bddb9ebf59f040dea1ef55", + "search_line": 14 }, { "queryName": "S3 bucket notifications disabled", "severity": "LOW", "line": 1, - "fileName": "positive4.tf" + "fileName": "positive4.tf", 
+ "resourceType": "aws_sns_topic", + "resourceName": "s3-event-notification-topic", + "searchKey": "aws_sns_topic[topic]", + "searchValue": "", + "expectedValue": "aws_sns_topic.topic should be evoked in aws_s3_bucket_notification ", + "actualValue": "aws_sns_topic.topic is not properly evoked in aws_s3_bucket_notification ", + "issueType": "MissingAttribute", + "similarityID": "ab958919b66b1b34857c70cf672aa5b10f1ea4c14b757b0d55fff9bb3775da8b", + "search_line": 1 }, { "queryName": "S3 bucket notifications disabled", "severity": "LOW", "line": 1, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "aws_sqs_queue", + "resourceName": "s3-event-notification-queue", + "searchKey": "aws_sqs_queue[queue]", + "searchValue": "", + "expectedValue": "aws_sqs_queue.queue should be evoked in aws_s3_bucket_notification ", + "actualValue": "aws_sqs_queue.queue is not properly evoked in aws_s3_bucket_notification ", + "issueType": "MissingAttribute", + "similarityID": "a104cf121ccf63d2be832b3eeba5217998668b596e85bbac6fb54790eb4a9ac0", + "search_line": 1 }, { "queryName": "S3 bucket notifications disabled", "severity": "LOW", "line": 6, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "aws_lambda_function", + "resourceName": "func", + "searchKey": "aws_lambda_function[func]", + "searchValue": "", + "expectedValue": "aws_lambda_function.func should be evoked in aws_s3_bucket_notification ", + "actualValue": "aws_lambda_function.func is not properly evoked in aws_s3_bucket_notification ", + "issueType": "MissingAttribute", + "similarityID": "31c36cda599616cd4967c6d5e7616b3e65deee93e778c01cb744d7ff655a0414", + "search_line": 6 }, { "queryName": "S3 bucket notifications disabled", "severity": "LOW", "line": 1, - "fileName": "positive7.tf" + "fileName": "positive7.tf", + "resourceType": "aws_sns_topic", + "resourceName": "s3-event-notification-topic", + "searchKey": "aws_sns_topic[topic]", + "searchValue": "", + "expectedValue": 
"aws_sns_topic.topic should be evoked in aws_s3_bucket_notification ", + "actualValue": "aws_sns_topic.topic is not properly evoked in aws_s3_bucket_notification ", + "issueType": "MissingAttribute", + "similarityID": "5aed46a5a9ca2617fa14b07ed30affe603bd72d86a81fe7730a409df1dbee97d", + "search_line": 1 }, { "queryName": "S3 bucket notifications disabled", "severity": "LOW", "line": 1, - "fileName": "positive8.tf" + "fileName": "positive8.tf", + "resourceType": "aws_sqs_queue", + "resourceName": "s3-event-notification-queue", + "searchKey": "aws_sqs_queue[queue]", + "searchValue": "", + "expectedValue": "aws_sqs_queue.queue should be evoked in aws_s3_bucket_notification ", + "actualValue": "aws_sqs_queue.queue is not properly evoked in aws_s3_bucket_notification ", + "issueType": "MissingAttribute", + "similarityID": "efc10e5c89bc414520cf00e566cb4e5ec56f640ebf3b71e8bc8f47ab86d6fd15", + "search_line": 1 }, { "queryName": "S3 bucket notifications disabled", "severity": "LOW", "line": 6, - "fileName": "positive9.tf" + "fileName": "positive9.tf", + "resourceType": "aws_lambda_function", + "resourceName": "func", + "searchKey": "aws_lambda_function[func]", + "searchValue": "", + "expectedValue": "aws_lambda_function.func should be evoked in aws_s3_bucket_notification ", + "actualValue": "aws_lambda_function.func is not properly evoked in aws_s3_bucket_notification ", + "issueType": "MissingAttribute", + "similarityID": "2b12764a14954a1b8620f035fdc4401257685afce196bdb09c437041e8f54911", + "search_line": 6 }, { "queryName": "S3 bucket notifications disabled", "severity": "LOW", "line": 1, - "fileName": "positive10.tf" + "fileName": "positive10.tf", + "resourceType": "aws_sns_topic", + "resourceName": "s3-event-notification-topic", + "searchKey": "aws_sns_topic[topic1]", + "searchValue": "", + "expectedValue": "'aws_s3_bucket_notification' should be defined and not null", + "actualValue": "'aws_s3_bucket_notification' is undefined or null", + "issueType": 
"MissingAttribute", + "similarityID": "eee78c0b491e0bf0c07666b19d41ecd7e023aebd107ac7c52a3fe23eabe72f19", + "search_line": 1 }, { "queryName": "S3 bucket notifications disabled", "severity": "LOW", "line": 1, - "fileName": "positive11.tf" + "fileName": "positive11.tf", + "resourceType": "aws_sqs_queue", + "resourceName": "s3-event-notification-queue", + "searchKey": "aws_sqs_queue[queue]", + "searchValue": "", + "expectedValue": "'aws_s3_bucket_notification' should be defined and not null", + "actualValue": "'aws_s3_bucket_notification' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "3e97ff166048ae26e0c2ebc26c47ffd713f74efc8ec0380e96c4b3a0b1a85c74", + "search_line": 1 }, { "queryName": "S3 bucket notifications disabled", "severity": "LOW", "line": 1, - "fileName": "positive12.tf" + "fileName": "positive12.tf", + "resourceType": "aws_lambda_function", + "resourceName": "aws_lambda_function", + "searchKey": "aws_lambda_function[func]", + "searchValue": "", + "expectedValue": "'aws_s3_bucket_notification' should be defined and not null", + "actualValue": "'aws_s3_bucket_notification' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "c8e8a062f338c558f26173b1c32c611693aa4fba32b33d1cbb0cdd7b9d89abae", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/s3_bucket_object_level_cloudtrail_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_object_level_cloudtrail_logging_disabled/test/positive_expected_result.json index 63d60edca4a..33df4b11f1f 100644 --- a/assets/queries/terraform/aws/s3_bucket_object_level_cloudtrail_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_object_level_cloudtrail_logging_disabled/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "S3 Bucket Object Level CloudTrail Logging Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_cloudtrail", + "resourceName": "tf-trail-foobar", + "searchKey": "aws_cloudtrail[example].event_selector", + "searchValue": "", + "expectedValue": "'read_write_type' should be defined and not null", + "actualValue": "'read_write_type' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "1266c4e335363c9dae4898d18bcf45aecc1f661f84f24b6bf89f4d5482f79a23", + "search_line": -1 }, { "queryName": "S3 Bucket Object Level CloudTrail Logging Disabled", "severity": "MEDIUM", "line": 10, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_cloudtrail", + "resourceName": "tf-trail-foobar", + "searchKey": "aws_cloudtrail[example2].event_selector.read_write_type", + "searchValue": "", + "expectedValue": "'read_write_type' should be set to 'All'", + "actualValue": "'read_write_type' is not set to 'All'", + "issueType": "IncorrectValue", + "similarityID": "e7da09921011fa5271df3e31640139733dc17e148ed85717675566d9fe7332ea", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/s3_bucket_object_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_object_not_encrypted/test/positive_expected_result.json index 56dd83eff00..33f9044ce57 100644 --- a/assets/queries/terraform/aws/s3_bucket_object_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_object_not_encrypted/test/positive_expected_result.json 
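Review bot: Both entries in this hunk freeze `"search_line": -1` while `"line"` is 9 and 10, so if -1 is the engine's value for a search line it could not resolve, the fixture is pinning a lookup failure as the expected result rather than a located finding. The same -1 appears in the single s3_bucket_object_not_encrypted entry (`"line": 14`) and in the positive4 entry of the s3_bucket_without_versioning hunk further down, whereas every other entry in this chunk carries a positive search_line equal to its `line`. If -1 is the intended output for nested-block keys such as `aws_cloudtrail[example].event_selector`, a sentence in the PR description saying so would spare the next reviewer the question; otherwise the searchKey or the line finder should be checked before these values become the baseline that later scans are compared against.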
@@ -3,6 +3,15 @@ "queryName": "S3 Bucket Object Not Encrypted", "severity": "HIGH", "line": 14, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_s3_bucket_object", + "resourceName": "${aws_s3_bucket.examplebucket.id}", + "searchKey": "aws_s3_bucket_object[{{examplebucket_object}}]", + "searchValue": "", + "expectedValue": "aws_s3_bucket_object.server_side_encryption should be defined and not null", + "actualValue": "aws_s3_bucket_object.server_side_encryption is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "2981fbe41c815e5d6d5dbfe1e1d38ade5bed8d88d4335d1b85309c200edb5f13", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/test/positive_expected_result.json index 8aeb9a50521..78077adc758 100644 --- a/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/test/positive_expected_result.json 
@@ -3,30 +3,75 @@ "queryName": "S3 Bucket Policy Accepts HTTP Requests", "severity": "MEDIUM", "line": 8, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_s3_bucket_policy", + "resourceName": "${aws_s3_bucket.b.id}", + "searchKey": "aws_s3_bucket_policy[b].policy", + "searchValue": "", + "expectedValue": "aws_s3_bucket_policy[b].policy should not accept HTTP Requests", + "actualValue": "aws_s3_bucket_policy[b].policy accepts HTTP Requests", + "issueType": "IncorrectValue", + "similarityID": "dc4faddf76ec4a9ff296e1cec93eb02d00f59c4915fb93d03ea33be0ba52d2b1", + "search_line": 8 }, { "queryName": "S3 Bucket Policy Accepts HTTP Requests", "severity": "MEDIUM", "line": 4, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[b2].policy", + "searchValue": "", + "expectedValue": "aws_s3_bucket[b2].policy should not accept HTTP Requests", + "actualValue": "aws_s3_bucket[b2].policy accepts HTTP Requests", + "issueType": "IncorrectValue", + "similarityID": "6684724e69fde4713afd9615ceb1e055c4a8c2f8f572e462274083c57d2cedd6", + "search_line": 4 }, { "queryName": "S3 Bucket Policy Accepts HTTP Requests", "severity": "MEDIUM", "line": 12, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].policy", + "searchValue": "", + "expectedValue": "'policy' should not accept HTTP Requests", + "actualValue": "'policy' accepts HTTP Requests", + "issueType": "IncorrectValue", + "similarityID": "97c537f2c2b95ff08f095130b01ae5d4a5160dcf23b49a8b81802e62643ef9d1", + "search_line": 12 }, { "queryName": "S3 Bucket Policy Accepts HTTP Requests", "severity": "MEDIUM", "line": 32, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "a", + "searchKey": "aws_s3_bucket[pos4].policy", + "searchValue": "", + 
"expectedValue": "aws_s3_bucket[pos4].policy should not accept HTTP Requests", + "actualValue": "aws_s3_bucket[pos4].policy accepts HTTP Requests", + "issueType": "IncorrectValue", + "similarityID": "1870e438fb40cf93e2a40989a2086801e9ee7f8ba17f5f4ce87e4bf1729388ba", + "search_line": 32 }, { "queryName": "S3 Bucket Policy Accepts HTTP Requests", "severity": "MEDIUM", "line": 32, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "a", + "searchKey": "aws_s3_bucket[pos5].policy", + "searchValue": "", + "expectedValue": "aws_s3_bucket[pos5].policy should not accept HTTP Requests", + "actualValue": "aws_s3_bucket[pos5].policy accepts HTTP Requests", + "issueType": "IncorrectValue", + "similarityID": "4922ae95868316cdb4c656fc05791bc11a4c4536e44ff1a6a360ae41d30c882a", + "search_line": 32 } ] diff --git a/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/test/positive_expected_result.json index ad88c555262..c3aecc6d53b 100644 --- a/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "S3 Bucket Public ACL Overridden By Public Access Block", "severity": "HIGH", "line": 16, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "bucket-with-public-acl-3", + "searchKey": "aws_s3_bucket[public-bucket].acl", + "searchValue": "", + "expectedValue": "S3 Bucket public ACL to not be overridden by S3 bucket Public Access Block", + "actualValue": "S3 Bucket public ACL is overridden by S3 bucket Public Access Block", + "issueType": "IncorrectValue", + "similarityID": "c85d14b73aaf1412a898721d41ac09028ed148806cdb92ba963e18cb65421921", + "search_line": 16 }, { "queryName": "S3 Bucket Public ACL Overridden By Public Access Block", "severity": "HIGH", "line": 7, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].acl", + "searchValue": "", + "expectedValue": "S3 Bucket public ACL to not be overridden by public access block", + "actualValue": "S3 Bucket public ACL is overridden by public access block", + "issueType": "IncorrectValue", + "similarityID": "308300e0223f5983f09bbc50bc5a337a314e8112416418c9499a748ab323bc55", + "search_line": 7 }, { "queryName": "S3 Bucket Public ACL Overridden By Public Access Block", "severity": "HIGH", "line": 20, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_s3_bucket_acl", + "resourceName": "example_bucket_acl", + "searchKey": "aws_s3_bucket_acl[example_bucket_acl].acl", + "searchValue": "", + "expectedValue": "S3 Bucket public ACL to not be overridden by S3 bucket Public Access Block", + "actualValue": "S3 Bucket public ACL is overridden by S3 bucket Public Access Block", + "issueType": "IncorrectValue", + "similarityID": "34713cc0137b5858667fd676d3d0c43374fe5f54d907b6413ac320deea2ba89b", + "search_line": 20 } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json index 8d782699d0b..1a016755420 100644 --- a/assets/queries/terraform/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_with_all_permissions/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "S3 Bucket With All Permissions", "severity": "CRITICAL", "line": 5, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "S3B_181355", + "searchKey": "aws_s3_bucket[positive1].policy", + "searchValue": "", + "expectedValue": "'policy.Statement' should not allow all actions to all principal", + "actualValue": "'policy.Statement' allows all actions to all principal", + "issueType": "IncorrectValue", + "similarityID": "029a88e69190b8476b2930a495bfe57dda3f13fabf01ec1f15cc6a47836ad30a", + "search_line": 5 }, { "queryName": "S3 Bucket With All Permissions", "severity": "CRITICAL", "line": 12, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].policy", + "searchValue": "", + "expectedValue": "'policy.Statement' should not allow all actions to all principal", + "actualValue": "'policy.Statement' allows all actions to all principal", + "issueType": "IncorrectValue", + "similarityID": "3692cf1f5fb3f83f9f07eaf4de6390003d50a05e03099826750311181c3ff2d1", + "search_line": 12 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/s3_bucket_with_public_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_with_public_policy/test/positive_expected_result.json index 8eb282dc0e2..97db932f832 100644 --- a/assets/queries/terraform/aws/s3_bucket_with_public_policy/test/positive_expected_result.json 
+++ b/assets/queries/terraform/aws/s3_bucket_with_public_policy/test/positive_expected_result.json 
@@ -3,60 +3,150 @@ "queryName": "S3 Bucket Allows Public Policy", "severity": "MEDIUM", "line": 11, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "allow_public", + "searchKey": "aws_s3_bucket_public_access_block[allow_public].block_public_policy", + "searchValue": "", + "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true", + "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is defined to false", + "issueType": "IncorrectValue", + "similarityID": "64d93d7de3ca7705f99de0db62c0e6406b48323beb013310e8f7d72cc21632b2", + "search_line": 11 }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "MEDIUM", "line": 12, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "allow_public", + "searchKey": "aws_s3_bucket_public_access_block[allow_public].block_public_policy", + "searchValue": "", + "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true", + "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is defined to false", + "issueType": "IncorrectValue", + "similarityID": "a2b86db2604c2350c0b4e6144aad100a6900750a3461b18c84e54afde6aa3e49", + "search_line": 12 }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "MEDIUM", "line": 9, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "allow_public", + "searchKey": "aws_s3_bucket_public_access_block[allow_public]", + "searchValue": "", + "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true", + "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is not defined (defaults to false)", + 
"issueType": "MissingAttribute", + "similarityID": "108d801a299bcf97818f05ecf4f0b214b7f6b2db409ff1602f1ac272f7f4d788", + "search_line": 9 }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "MEDIUM", "line": 9, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "allow_public", + "searchKey": "aws_s3_bucket_public_access_block[allow_public]", + "searchValue": "", + "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true", + "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is not defined (defaults to false)", + "issueType": "MissingAttribute", + "similarityID": "2ee6e08a100b9dc74f213cc6d99838833131554fbb802e99166862710c26b90b", + "search_line": 9 }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "MEDIUM", "line": 11, - "filename": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "allow_public", + "searchKey": "aws_s3_bucket_public_access_block[allow_public].block_public_policy", + "searchValue": "", + "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true", + "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is defined to false", + "issueType": "IncorrectValue", + "similarityID": "2e34478ac3a331d0194537dbc50108664f126f073467f21c1ea59b1902d08fe8", + "search_line": 11 }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "MEDIUM", "line": 5, - "filename": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "allow_public", + "searchKey": "aws_s3_bucket_public_access_block[allow_public]", + "searchValue": "", + "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true", + 
"actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is not defined (defaults to false)", + "issueType": "MissingAttribute", + "similarityID": "c82c458d53346dba17a08634dd2524cba0142a2443eaa93d245af258b15a0e0b", + "search_line": 5 }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "MEDIUM", "line": 7, - "filename": "positive7.tf" + "fileName": "positive7.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "allow_public", + "searchKey": "aws_s3_bucket_public_access_block[allow_public].block_public_policy", + "searchValue": "", + "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true", + "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is defined to false", + "issueType": "IncorrectValue", + "similarityID": "9e935a352f6ed201698677981f5bd685faa6abf750c7635eef08cfb680616f01", + "search_line": 7 }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "MEDIUM", "line": 11, - "filename": "positive8.tf" + "fileName": "positive8.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "allow_public", + "searchKey": "aws_s3_bucket_public_access_block[allow_public].block_public_policy", + "searchValue": "", + "expectedValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' should be defined to true", + "actualValue": "'aws_s3_bucket_public_access_block[allow_public].block_public_policy' is defined to false", + "issueType": "IncorrectValue", + "similarityID": "f8f70b116bfa5d03497bbe0e5695f754dd40e79471a0fd864068288142fa28ba", + "search_line": 11 }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "MEDIUM", "line": 2, - "filename": "positive9.tf" + "fileName": "positive9.tf", + "resourceType": "aws_s3_account_public_access_block", + "resourceName": "allow_public_acc", + "searchKey": 
"aws_s3_account_public_access_block[allow_public_acc].block_public_policy", + "searchValue": "", + "expectedValue": "'aws_s3_account_public_access_block[allow_public_acc].block_public_policy' should be defined to true", + "actualValue": "'aws_s3_account_public_access_block[allow_public_acc].block_public_policy' is defined to false", + "issueType": "IncorrectValue", + "similarityID": "7d6a022d1554b5a793068d4767643e5e701785ce3567a00d023e24792ca83a1f", + "search_line": 2 }, { "queryName": "S3 Bucket Allows Public Policy", "severity": "MEDIUM", "line": 1, - "filename": "positive10.tf" + "fileName": "positive10.tf", + "resourceType": "aws_s3_account_public_access_block", + "resourceName": "allow_public_acc", + "searchKey": "aws_s3_account_public_access_block[allow_public_acc]", + "searchValue": "", + "expectedValue": "'aws_s3_account_public_access_block[allow_public_acc].block_public_policy' should be defined to true", + "actualValue": "'aws_s3_account_public_access_block[allow_public_acc].block_public_policy' is not defined (defaults to false)", + "issueType": "MissingAttribute", + "similarityID": "15caea81ff4d009c12662d30fd5e52b88a755cd42110ef8803b41b1aefbc06b5", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json index 77bc3176924..76f3b470855 100644 --- a/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule/test/positive_expected_result.json 
@@ -3,30 +3,75 @@ "queryName": "S3 Bucket with Unsecured CORS Rule", "severity": "MEDIUM", "line": 27, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive1].cors_rule", + "searchValue": "", + "expectedValue": "'cors_rule' to not allow all methods, all headers or several origins", + "actualValue": "'cors_rule' allows all methods, all headers or several origins", + "issueType": "IncorrectValue", + "similarityID": "32cfb31234e9c8e7cda9cd126e1045af6f46f240a05a65262294c4ae9235ba20", + "search_line": 27 }, { "queryName": "S3 Bucket with Unsecured CORS Rule", "severity": "MEDIUM", "line": 27, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive2].cors_rule", + "searchValue": "", + "expectedValue": "'cors_rule' to not allow all methods, all headers or several origins", + "actualValue": "'cors_rule' allows all methods, all headers or several origins", + "issueType": "IncorrectValue", + "similarityID": "66399dbcb7ed08edbc724900391646d4e451ac7a75903c81a54ea776a436176d", + "search_line": 27 }, { "queryName": "S3 Bucket with Unsecured CORS Rule", "severity": "MEDIUM", "line": 16, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].cors_rule", + "searchValue": "", + "expectedValue": "'cors_rule' to not allow all methods, all headers or several origins", + "actualValue": "'cors_rule' allows all methods, all headers or several origins", + "issueType": "IncorrectValue", + "similarityID": "7935f5b4f176fe573d15a81076453fa1273742aaccdd7c887dfa5a435ed860ce", + "search_line": 16 }, { "queryName": "S3 Bucket with Unsecured CORS Rule", "severity": "MEDIUM", "line": 16, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + 
"resourceName": "n/a", + "searchKey": "module[s3_bucket].cors_rule", + "searchValue": "", + "expectedValue": "'cors_rule' to not allow all methods, all headers or several origins", + "actualValue": "'cors_rule' allows all methods, all headers or several origins", + "issueType": "IncorrectValue", + "similarityID": "13db4e20cdab81dbb59286314b7b95d01f95c944bc475626c16a1ca90eedce69", + "search_line": 16 }, { "queryName": "S3 Bucket with Unsecured CORS Rule", "severity": "MEDIUM", "line": 26, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "aws_s3_bucket_cors_configuration", + "resourceName": "example", + "searchKey": "aws_s3_bucket_cors_configuration[example].cors_rule", + "searchValue": "", + "expectedValue": "'cors_rule' to not allow all methods, all headers or several origins", + "actualValue": "'cors_rule' allows all methods, all headers or several origins", + "issueType": "IncorrectValue", + "similarityID": "cbd08b99b9f975c059d86ab99055ea6e2849c26866018e0a2141c493cd67726d", + "search_line": 26 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json index 63c2be9e202..6a27c96d6c8 100755 --- a/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete/test/positive_expected_result.json 
@@ -3,60 +3,150 @@ "queryName": "S3 Bucket Without Enabled MFA Delete", "severity": "LOW", "line": 23, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive1].versioning", + "searchValue": "mfa_delete", + "expectedValue": "'mfa_delete' should be set to true", + "actualValue": "'mfa_delete' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "719c52e4706ea454d85d771e9e8d1efe5dea7eb31aa3487aed885e3f9954719b", + "search_line": 23 }, { "queryName": "S3 Bucket Without Enabled MFA Delete", "severity": "LOW", "line": 25, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive2].versioning.mfa_delete", + "searchValue": "", + "expectedValue": "'mfa_delete' should be set to true", + "actualValue": "'mfa_delete' is set to false", + "issueType": "IncorrectValue", + "similarityID": "4076573afd078bc0ef09cfdebac5aabe43bc5db291326aef66518491dbff8009", + "search_line": 25 }, { "queryName": "S3 Bucket Without Enabled MFA Delete", "severity": "LOW", - "line": 24, - "fileName": "positive3.tf" + "line": 23, + "fileName": "positive3.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive3].versioning", + "searchValue": "mfa_delete", + "expectedValue": "'mfa_delete' should be set to true", + "actualValue": "'mfa_delete' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "35a835fc7e376e00c4ad7cec9b7ab901da659d0d8081dbf69ba8fa906f7ec9c6", + "search_line": 23 }, { "queryName": "S3 Bucket Without Enabled MFA Delete", "severity": "LOW", - "line": 23, - "fileName": "positive3.tf" + "line": 24, + "fileName": "positive3.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": 
"aws_s3_bucket[positive3].versioning.enabled", + "searchValue": "", + "expectedValue": "'enabled' should be set to true", + "actualValue": "'enabled' is set to false", + "issueType": "IncorrectValue", + "similarityID": "8d41fa8b1832f56958c0b99fe97d539ee30c4dbac4c60e32f6044990304a5350", + "search_line": 24 }, { "queryName": "S3 Bucket Without Enabled MFA Delete", "severity": "LOW", "line": 8, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].versioning", + "searchValue": "mfa_delete", + "expectedValue": "'mfa_delete' should be set to true", + "actualValue": "'mfa_delete' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "d3588b5603b38f03cff3ddefcf83314e321605af98628f4fa60f4565172e2ad8", + "search_line": 8 }, { "queryName": "S3 Bucket Without Enabled MFA Delete", "severity": "LOW", "line": 10, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].versioning.mfa_delete", + "searchValue": "", + "expectedValue": "'mfa_delete' should be set to true", + "actualValue": "'mfa_delete' is set to false", + "issueType": "IncorrectValue", + "similarityID": "3a08983d73b2256c635a41c27bbca59d0b66cc302e266768d2d806a6424763f3", + "search_line": 10 }, { "queryName": "S3 Bucket Without Enabled MFA Delete", "severity": "LOW", "line": 8, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].versioning", + "searchValue": "mfa_delete", + "expectedValue": "'mfa_delete' should be set to true", + "actualValue": "'mfa_delete' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "47ac51036c392670f500ccf5d70f0076fe3e207ffb28968958c1c466f23923e9", + "search_line": 8 }, { "queryName": "S3 Bucket Without Enabled MFA Delete", "severity": "LOW", "line": 9, - "fileName": "positive6.tf" + 
"fileName": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].versioning.enabled", + "searchValue": "", + "expectedValue": "'enabled' should be set to true", + "actualValue": "'enabled' is set to false", + "issueType": "IncorrectValue", + "similarityID": "6835fc2e4136365668b1c357809f614a982642d1e8f61aff531b06134c9d9fd2", + "search_line": 9 }, { "queryName": "S3 Bucket Without Enabled MFA Delete", "severity": "LOW", "line": 28, - "fileName": "positive7.tf" + "fileName": "positive7.tf", + "resourceType": "aws_s3_bucket_versioning", + "resourceName": "example2", + "searchKey": "aws_s3_bucket_versioning[example2].versioning_configuration.mfa_delete", + "searchValue": "", + "expectedValue": "'versioning_configuration.mfa_delete' should be set to 'Enabled'", + "actualValue": "'versioning_configuration.mfa_delete' is set to 'Disabled'", + "issueType": "IncorrectValue", + "similarityID": "29c41e9081fda8c24325940fdae505a5b818babe9119562372ee5f089bde449c", + "search_line": 28 }, { "queryName": "S3 Bucket Without Enabled MFA Delete", "severity": "LOW", "line": 27, - "fileName": "positive8.tf" + "fileName": "positive8.tf", + "resourceType": "aws_s3_bucket_versioning", + "resourceName": "example", + "searchKey": "aws_s3_bucket_versioning[example].versioning_configuration.status", + "searchValue": "", + "expectedValue": "'versioning_configuration.status' should be set to 'Enabled'", + "actualValue": "'versioning_configuration.status' is set to 'Disabled'", + "issueType": "IncorrectValue", + "similarityID": "c065d470e7e1cd2a88b979969509298d45dc02f178729689f93d6c522dad9d52", + "search_line": 27 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json index 1eaad588316..1bb88ef7028 100755 
--- a/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "S3 Bucket Without Ignore Public ACL", "severity": "MEDIUM", "line": 10, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "positive2", + "searchKey": "aws_s3_bucket_public_access_block[positive2].ignore_public_acls", + "searchValue": "", + "expectedValue": "'ignore_public_acls' should equal 'true'", + "actualValue": "'ignore_public_acls' is equal 'false'", + "issueType": "IncorrectValue", + "similarityID": "1edbf8d94b2f8de41206d30074f378887c261ce4ce0c99a0028fa0a6933b963a", + "search_line": 10 }, { "queryName": "S3 Bucket Without Ignore Public ACL", "severity": "MEDIUM", "line": 7, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].ignore_public_acls", + "searchValue": "", + "expectedValue": "'ignore_public_acls' should equal 'true'", + "actualValue": "'ignore_public_acls' is equal 'false'", + "issueType": "IncorrectValue", + "similarityID": "154eacbc10b1a4f7cf26332a7f2ca325fc829ca5a37afb78ed44e3d3092fb24b", + "search_line": 7 }, { "queryName": "S3 Bucket Without Ignore Public ACL", "severity": "MEDIUM", "line": 1, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].ignore_public_acls", + "searchValue": "", + "expectedValue": "'ignore_public_acls' should equal 'true'", + "actualValue": "'ignore_public_acls' is missing", + "issueType": "MissingAttribute", + "similarityID": "cf6f2a7cc14ad30e2aea1e8f4b20cc996584e5700da88fc3c7785cf8ff0af346", + "search_line": 1 }, { "queryName": "S3 Bucket Without Ignore Public ACL", "severity": "MEDIUM", "line": 5, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "positive2", + "searchKey": "aws_s3_bucket_public_access_block[positive2]", + "searchValue": "", + 
"expectedValue": "'ignore_public_acls' should equal 'true'", + "actualValue": "'ignore_public_acls' is missing", + "issueType": "MissingAttribute", + "similarityID": "e760b446a46b1658375245fd5b7bde7f85b5545e2e4c0d73d5125bc049a601a9", + "search_line": 5 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json index e50007430c7..c641c6ad9fc 100755 --- a/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "S3 Bucket Without Restriction Of Public Bucket", "severity": "MEDIUM", "line": 13, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "restrict_public", + "searchKey": "aws_s3_bucket_public_access_block[restrict_public].restrict_public_buckets", + "searchValue": "", + "expectedValue": "'restrict_public_buckets' should equal 'true'", + "actualValue": "'restrict_public_buckets' is equal to 'false'", + "issueType": "IncorrectValue", + "similarityID": "2f09d1eb68af9fd31c48e47aca9baef3ac5c8ea21792d097253e3bf4c1307bc4", + "search_line": 13 }, { "queryName": "S3 Bucket Without Restriction Of Public Bucket", "severity": "MEDIUM", "line": 14, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_s3_bucket_public_access_block", + "resourceName": "restrict_public", + "searchKey": "aws_s3_bucket_public_access_block[restrict_public].restrict_public_buckets", + "searchValue": "", + "expectedValue": "'restrict_public_buckets' should equal 'true'", + "actualValue": "'restrict_public_buckets' is equal to 'false'", + "issueType": "IncorrectValue", + "similarityID": "41b5dd408718de9e00c1332be900917750c914adf07130ff5c24ab62b78d96e5", + "search_line": 14 } ] diff --git a/assets/queries/terraform/aws/s3_bucket_without_versioning/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_bucket_without_versioning/test/positive_expected_result.json index 4676cedc78b..2ebda126a63 100755 --- a/assets/queries/terraform/aws/s3_bucket_without_versioning/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_bucket_without_versioning/test/positive_expected_result.json 
@@ -3,48 +3,120 @@ "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", "line": 24, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive1].versioning.enabled", + "searchValue": "", + "expectedValue": "'versioning.enabled' should be true", + "actualValue": "'versioning.enabled' is set to false", + "issueType": "IncorrectValue", + "similarityID": "7df833e82e942f16d8323de4178e6c54eb9148044bf31cc18e80c3286e767967", + "search_line": 24 }, { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", "line": 14, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive2]", + "searchValue": "", + "expectedValue": "'versioning' should be true", + "actualValue": "'versioning' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "d0d57725de7d1114b97cfb3d8a5ada694213dd9f2eef9ddfd96caa1e2addc16e", + "search_line": 14 }, { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", "line": 23, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_s3_bucket", + "resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[positive3].versioning", + "searchValue": "", + "expectedValue": "'versioning.enabled' should be true", + "actualValue": "'versioning.enabled' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "397a364154ae58058d836a2c967d800524dd0436bad501e7153ad19142b593e5", + "search_line": 23 }, { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", "line": 10, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].versioning.enabled", + "searchValue": "", + "expectedValue": "'versioning.enabled' should be true", + "actualValue": 
"'versioning.enabled' is set to false", + "issueType": "IncorrectValue", + "similarityID": "6e97ed0b6b71ae55535ae5728e35ef56e1daaf0cbf3e03910b78614587a8dd45", + "search_line": -1 }, { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", "line": 9, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].versioning", + "searchValue": "", + "expectedValue": "'versioning.enabled' should be true", + "actualValue": "'versioning.enabled' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "9b54ea9f38f3421845037e0dcaebdd87ec0fbb788084c91b2a0f95e576eca9d6", + "search_line": 9 }, { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", "line": 1, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket]", + "searchValue": "", + "expectedValue": "'versioning' should be true", + "actualValue": "'versioning' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "86071f0cc8d6f5fe4135695a5215b93f9e290f8ba67b64cffe72b5c44029d0bb", + "search_line": 1 }, { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", "line": 27, - "fileName": "positive7.tf" + "fileName": "positive7.tf", + "resourceType": "aws_s3_bucket_versioning", + "resourceName": "example", + "searchKey": "aws_s3_bucket_versioning[example].versioning_configuration.status", + "searchValue": "", + "expectedValue": "'versioning_configuration.status' should be set to 'Enabled'", + "actualValue": "'versioning_configuration.status' is set to 'Suspended'", + "issueType": "IncorrectValue", + "similarityID": "5e531b0c3c8252f13b9b3c88e8d85a181cacf968b062395b68322738dd199173", + "search_line": 27 }, { "queryName": "S3 Bucket Without Versioning", "severity": "MEDIUM", "line": 14, - "fileName": "positive8.tf" + "fileName": "positive8.tf", + "resourceType": "aws_s3_bucket", + 
"resourceName": "my-tf-test-bucket", + "searchKey": "aws_s3_bucket[b2]", + "searchValue": "", + "expectedValue": "'versioning' should be true", + "actualValue": "'versioning' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "8c4d008d181957221652c78cd85792dbb478904bef0d4cdf9847922f8cd245eb", + "search_line": 14 } ] diff --git a/assets/queries/terraform/aws/s3_static_website_host_enabled/test/positive_expected_result.json b/assets/queries/terraform/aws/s3_static_website_host_enabled/test/positive_expected_result.json index 1f7bdb12744..eaa187334a9 100644 --- a/assets/queries/terraform/aws/s3_static_website_host_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/s3_static_website_host_enabled/test/positive_expected_result.json 
@@ -3,18 +3,45 @@
 "queryName": "S3 Static Website Host Enabled",
 "severity": "HIGH",
 "line": 18,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_s3_bucket",
+ "resourceName": "s3-website-test.hashicorp.com",
+ "searchKey": "resource.aws_s3_bucket[positive1].website",
+ "searchValue": "",
+ "expectedValue": "resource.aws_s3_bucket[positive1].website to not have static websites inside",
+ "actualValue": "resource.aws_s3_bucket[positive1].website does have static websites inside",
+ "issueType": "IncorrectValue",
+ "similarityID": "8299c24126bdcca703e0a8867ab3950cc8b0e5843516742da9363f6ae5142c76",
+ "search_line": 18
 },
 {
 "queryName": "S3 Static Website Host Enabled",
 "severity": "HIGH",
 "line": 12,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[s3_bucket].website",
+ "searchValue": "",
+ "expectedValue": "'website' to not have static websites inside",
+ "actualValue": "'website' does have static websites inside",
+ "issueType": "IncorrectValue",
+ "similarityID": "98243e3991885492641ed7999e02c61081436a2bf8eff695d2dbdc659c42a894",
+ "search_line": 12
 },
 {
 "queryName": "S3 Static Website Host Enabled",
 "severity": "HIGH",
 "line": 15,
- "fileName": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "aws_s3_bucket",
+ "resourceName": "my-tf-test-bucket",
+ "searchKey": "aws_s3_bucket[buc]",
+ "searchValue": "",
+ "expectedValue": "'aws_s3_bucket' to not have 'aws_s3_bucket_website_configuration' associated",
+ "actualValue": "'aws_s3_bucket' has 'aws_s3_bucket_website_configuration' associated",
+ "issueType": "MissingAttribute",
+ "similarityID": "22a6443a0f0264d62a878d56206baa353f60b5d3299fee3405c14ea0f661f2e5",
+ "search_line": 15
 }
 ]
diff --git a/assets/queries/terraform/aws/sagemaker_endpoint_configuration_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/sagemaker_endpoint_configuration_encryption_disabled/test/positive_expected_result.json
index fdcc66ac487..e4aa4debc5d 100644
--- a/assets/queries/terraform/aws/sagemaker_endpoint_configuration_encryption_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/sagemaker_endpoint_configuration_encryption_disabled/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Sagemaker Endpoint Configuration Encryption Disabled",
 "severity": "HIGH",
 "line": 1,
- "fileName": "positive.tf"
+ "fileName": "positive.tf",
+ "resourceType": "aws_sagemaker_endpoint_configuration",
+ "resourceName": "my-endpoint-config",
+ "searchKey": "aws_sagemaker_endpoint_configuration[positive]",
+ "searchValue": "",
+ "expectedValue": "aws_sagemaker_endpoint_configuration[positive] should be defined and not null",
+ "actualValue": "aws_sagemaker_endpoint_configuration[positive] is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "c5d4722dfa6a54e9418fd854a405dfa660faacb313abf7a119b44ff1de879d99",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/terraform/aws/sagemaker_notebook_instance_without_kms/test/positive_expected_result.json b/assets/queries/terraform/aws/sagemaker_notebook_instance_without_kms/test/positive_expected_result.json
index 44f24216665..7c6df9c2b79 100644
--- a/assets/queries/terraform/aws/sagemaker_notebook_instance_without_kms/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/sagemaker_notebook_instance_without_kms/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Sagemaker Notebook Instance Without KMS",
 "severity": "HIGH",
 "line": 1,
- "filename": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_sagemaker_notebook_instance",
+ "resourceName": "my-notebook-instance",
+ "searchKey": "aws_sagemaker_notebook_instance[{{ni}}]",
+ "searchValue": "",
+ "expectedValue": "aws_sagemaker_notebook_instance.kms_key_id should be defined and not null",
+ "actualValue": "aws_sagemaker_notebook_instance.kms_key_id is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "c07c71a6931bc67a82da63321a04a99a3cd604bb1ddcbc446901513cb7c44346",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/terraform/aws/secrets_manager_with_vulnerable_policy/test/positive_expected_result.json b/assets/queries/terraform/aws/secrets_manager_with_vulnerable_policy/test/positive_expected_result.json
index cf616bbf4f3..5492eddfa0c 100644
--- a/assets/queries/terraform/aws/secrets_manager_with_vulnerable_policy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/secrets_manager_with_vulnerable_policy/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Secrets Manager With Vulnerable Policy",
 "severity": "HIGH",
 "line": 12,
- "fileName": "positive.tf"
+ "fileName": "positive.tf",
+ "resourceType": "aws_secretsmanager_secret_policy",
+ "resourceName": "example",
+ "searchKey": "aws_secretsmanager_secret_policy[example].policy",
+ "searchValue": "",
+ "expectedValue": "aws_secretsmanager_secret_policy[example].policy should not have wildcard in 'Principal' and 'Action'",
+ "actualValue": "aws_secretsmanager_secret_policy[example].policy has wildcard in 'Principal' or 'Action'",
+ "issueType": "IncorrectValue",
+ "similarityID": "f43e90b9e54b093b47d2c6ff2196d980c7ac80a1e1a83662e11bdf1cfb77bdff",
+ "search_line": 12
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/secretsmanager_secret_encrypted_with_aws_managed_key/test/positive_expected_result.json b/assets/queries/terraform/aws/secretsmanager_secret_encrypted_with_aws_managed_key/test/positive_expected_result.json
index aeec1843978..1f84d18b537 100644
--- a/assets/queries/terraform/aws/secretsmanager_secret_encrypted_with_aws_managed_key/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/secretsmanager_secret_encrypted_with_aws_managed_key/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Secretsmanager Secret Encrypted With AWS Managed Key",
 "severity": "MEDIUM",
 "line": 3,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_secretsmanager_secret",
+ "resourceName": "test-cloudrail-1",
+ "searchKey": "aws_secretsmanager_secret[test2].kms_key_id",
+ "searchValue": "",
+ "expectedValue": "Secrets Manager secret should not be encrypted with AWS managed key",
+ "actualValue": "Secrets Manager secret is encrypted with AWS managed key",
+ "issueType": "IncorrectValue",
+ "similarityID": "5dbd8ea250e6b8022a0f3db1c9d9591ae8ea8dd4240517557113b89c22d90cb5",
+ "search_line": -1
 },
 {
 "queryName": "Secretsmanager Secret Encrypted With AWS Managed Key",
 "severity": "MEDIUM",
 "line": 11,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "aws_secretsmanager_secret",
+ "resourceName": "test-cloudrail-1",
+ "searchKey": "aws_secretsmanager_secret[test].kms_key_id",
+ "searchValue": "",
+ "expectedValue": "Secrets Manager secret should not be encrypted with AWS managed key",
+ "actualValue": "Secrets Manager secret is encrypted with AWS managed key",
+ "issueType": "IncorrectValue",
+ "similarityID": "bf7cace6475946809239bf625787969393ddbeb108723096019d3dcd9232538a",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/terraform/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json b/assets/queries/terraform/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json
index d3799197712..feddd8920e0 100644
--- a/assets/queries/terraform/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/secretsmanager_secret_without_kms/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Secretsmanager Secret Without KMS",
 "severity": "MEDIUM",
 "line": 1,
- "filename": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_secretsmanager_secret",
+ "resourceName": "example",
+ "searchKey": "aws_secretsmanager_secret[{{example}}]",
+ "searchValue": "",
+ "expectedValue": "aws_secretsmanager_secret.kms_key_id should be defined and not null",
+ "actualValue": "aws_secretsmanager_secret.kms_key_id is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "eb71d6ddc92412dd70fec3dccbeaee90795ea99435e0d2dbafd47bd7e1697c53",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/terraform/aws/secure_ciphers_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/secure_ciphers_disabled/test/positive_expected_result.json
index 7de94a38420..91ca643a4e3 100644
--- a/assets/queries/terraform/aws/secure_ciphers_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/secure_ciphers_disabled/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "Secure Ciphers Disabled",
 "severity": "MEDIUM",
- "line": 42
+ "line": 42,
+ "fileName": "positive.tf",
+ "resourceType": "aws_cloudfront_distribution",
+ "resourceName": "positive1",
+ "searchKey": "resource.aws_cloudfront_distribution[positive1].viewer_certificate.minimum_protocol_version",
+ "searchValue": "",
+ "expectedValue": "resource.aws_cloudfront_distribution[positive1].viewer_certificate.minimum_protocol_version should start with TLSv1.1 or TLSv1.2",
+ "actualValue": "resource.aws_cloudfront_distribution[positive1].viewer_certificate.minimum_protocol_version doesn't start with TLSv1.1 or TLSv1.2",
+ "issueType": "IncorrectValue",
+ "similarityID": "5a5749e6e1956ad7de147c3dc3a6723300e5cfaad9314347a04494ef9f7b3318",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/security_group_rules_without_description/test/positive_expected_result.json b/assets/queries/terraform/aws/security_group_rules_without_description/test/positive_expected_result.json
index d8ffad946ed..bce4bb14e81 100644
--- a/assets/queries/terraform/aws/security_group_rules_without_description/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/security_group_rules_without_description/test/positive_expected_result.json
@@ -3,108 +3,270 @@ "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 3, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1", + "searchKey": "aws_security_group[positive1].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1].ingress.description should be defined and not null", + "actualValue": "aws_security_group[positive1].ingress.description is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "36c20bbdfcdfa1a0b1694a012903fee2da0a3f8006a291e75c86b4f2fa865590", + "search_line": 3 }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 11, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1", + "searchKey": "aws_security_group[positive1].egress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1].egress.description should be defined and not null", + "actualValue": "aws_security_group[positive1].egress.description is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "7a44791bc7460628c2912ae1fe6d52261f5f0dc0848e639b48a458df9347bff2", + "search_line": 11 }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 3, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_security_group", + "resourceName": "positive2-1", + "searchKey": "aws_security_group[positive2-1].ingress.0", + "searchValue": "", + "expectedValue": "aws_security_group[positive2-1].ingress[0].description should be defined and not null", + "actualValue": "aws_security_group[positive2-1].ingress[0].description is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "e26cc7ae65b6c01d5b5e1985faf6aee972201f20df73e37595231cc0f11c4b6b", + "search_line": 3 }, { "queryName": "Security Group Rule Without Description", 
"severity": "INFO", "line": 10, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_security_group", + "resourceName": "positive2-1", + "searchKey": "aws_security_group[positive2-1].ingress.1", + "searchValue": "", + "expectedValue": "aws_security_group[positive2-1].ingress[1].description should be defined and not null", + "actualValue": "aws_security_group[positive2-1].ingress[1].description is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "e948d2b11d3f76002456c609d44509187d56c5c31f0980b9cdd97502555b0d86", + "search_line": 10 }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 20, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_security_group", + "resourceName": "positive2-2", + "searchKey": "aws_security_group[positive2-2].egress.0", + "searchValue": "", + "expectedValue": "aws_security_group[positive2-2].egress[0].description should be defined and not null", + "actualValue": "aws_security_group[positive2-2].egress[0].description is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "fcb90b036e1fc69494e1a99a19f569f5141571e6a3155469d07523ebf1172519", + "search_line": 20 }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 27, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_security_group", + "resourceName": "positive2-2", + "searchKey": "aws_security_group[positive2-2].egress.1", + "searchValue": "", + "expectedValue": "aws_security_group[positive2-2].egress[1].description should be defined and not null", + "actualValue": "aws_security_group[positive2-2].egress[1].description is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "510b4b8c4d6f423646cb7ec70ce4e3b8c960025241551a309e0ac9f8c33171dc", + "search_line": 27 }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 1, - "filename": 
"positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-1", + "searchKey": "aws_security_group_rule[positive3-1]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-1].description should be defined and not null", + "actualValue": "aws_security_group_rule[positive3-1].description is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "4a2457659ea3027d0618662d6d2335f9e33967ea6b374f24696ede68e630d6e5", + "search_line": 1 }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 10, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-2", + "searchKey": "aws_security_group_rule[positive3-2]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-2].description should be defined and not null", + "actualValue": "aws_security_group_rule[positive3-2].description is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "197e410479fa7ff658b1048f2efcf4ac27757bee0f1019c52e724bf3d1806785", + "search_line": 10 }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 1, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive4-1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive4-1]", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive4-1].description should be defined and not null", + "actualValue": "aws_vpc_security_group_ingress_rule[positive4-1].description is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "b53bcacf27e60aeeb491e99314e4cfb0720ff10679a04efccf3b46643538a667", + "search_line": 1 }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 8, - "filename": "positive4.tf" + "fileName": 
"positive4.tf", + "resourceType": "aws_vpc_security_group_egress_rule", + "resourceName": "positive4-2", + "searchKey": "aws_vpc_security_group_egress_rule[positive4-2]", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_egress_rule[positive4-2].description should be defined and not null", + "actualValue": "aws_vpc_security_group_egress_rule[positive4-2].description is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "063c7e47110f9d172817098208dd6eb19151ccc50bf9455c6146bcc804b773fd", + "search_line": 8 }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 6, - "filename": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive5_ipv4_array].ingress_with_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[positive5_ipv4_array].ingress_with_cidr_blocks.0.description should be defined and not null", + "actualValue": "module[positive5_ipv4_array].ingress_with_cidr_blocks.0.description is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "77d2ec86237a6f464fdf099c321199ef827da1c13dd065db75235e0c1f82d8b0", + "search_line": 6 }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 12, - "filename": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive5_ipv4_array].ingress_with_cidr_blocks.1", + "searchValue": "", + "expectedValue": "module[positive5_ipv4_array].ingress_with_cidr_blocks.1.description should be defined and not null", + "actualValue": "module[positive5_ipv4_array].ingress_with_cidr_blocks.1.description is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "13976dcda1ad87bc0122058afc93286bac943a139c7c20e9bb69d34792a91fe4", + "search_line": 12 }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 21, - "filename": 
"positive5.tf" + "fileName": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive5_ipv4_array].egress_with_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[positive5_ipv4_array].egress_with_cidr_blocks.0.description should be defined and not null", + "actualValue": "module[positive5_ipv4_array].egress_with_cidr_blocks.0.description is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "757daad67951af9974705ea3971adf3691dc76ef91af0e76054755c9b1213847", + "search_line": 21 }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 27, - "filename": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive5_ipv4_array].egress_with_cidr_blocks.1", + "searchValue": "", + "expectedValue": "module[positive5_ipv4_array].egress_with_cidr_blocks.1.description should be defined and not null", + "actualValue": "module[positive5_ipv4_array].egress_with_cidr_blocks.1.description is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "40295f2881ff1e810a2596832996aae392b8097c2e4341b57f562109a64e63be", + "search_line": 27 }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 40, - "filename": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.0.description should be defined and not null", + "actualValue": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.0.description is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "43117b9f68e08cdb66781ec73310a6eadfb94541d5f7ae343559c27c2c9b84d6", + "search_line": 40 }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 46, 
- "filename": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.1", + "searchValue": "", + "expectedValue": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.1.description should be defined and not null", + "actualValue": "module[positive5_ipv6_array].ingress_with_ipv6_cidr_blocks.1.description is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "a59342d7de7e40290c097d02160bd9006160b81f9f4d9d682cfc3521cbc4cb75", + "search_line": 46 }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 55, - "filename": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.0.description should be defined and not null", + "actualValue": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.0.description is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "ae6381dd3c3a9f146beed6c80f28cd82b92d89b125bd25c2b289d150c2ecceb9", + "search_line": 55 }, { "queryName": "Security Group Rule Without Description", "severity": "INFO", "line": 61, - "filename": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.1", + "searchValue": "", + "expectedValue": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.1.description should be defined and not null", + "actualValue": "module[positive5_ipv6_array].egress_with_ipv6_cidr_blocks.1.description is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "407bfe744d4f42a2145f48cefd71f6e7362d68df5f12c4b09452072773487f4e", + "search_line": 61 } ] 
diff --git a/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json b/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json
index 989ca124d35..279e3170fea 100644
--- a/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh/test/positive_expected_result.json
@@ -3,102 +3,255 @@
 "queryName": "Security Group With Unrestricted Access To SSH",
 "severity": "MEDIUM",
 "line": 5,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "allow_tls",
+ "searchKey": "aws_security_group[positive1-1].ingress",
+ "searchValue": "",
+ "expectedValue": "aws_security_group[positive1-1].ingress 'SSH' (Port:22) should not be open",
+ "actualValue": "aws_security_group[positive1-1].ingress 'SSH' (Port:22) is open",
+ "issueType": "IncorrectValue",
+ "similarityID": "c99c30c7311c83fac446b20b2cac6d230efbabe5ea47c3897aace86381466fce",
+ "search_line": 5
 },
 {
 "queryName": "Security Group With Unrestricted Access To SSH",
 "severity": "MEDIUM",
 "line": 26,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "allow_tls",
+ "searchKey": "aws_security_group[positive1-2].ingress[1]",
+ "searchValue": "",
+ "expectedValue": "aws_security_group[positive1-2].ingress[1] 'SSH' (Port:22) should not be open",
+ "actualValue": "aws_security_group[positive1-2].ingress[1] 'SSH' (Port:22) is open",
+ "issueType": "IncorrectValue",
+ "similarityID": "d5ae6d082aa4b54289539ee65638788f2b265b58688f95e0269aa17bea2a512e",
+ "search_line": 26
 },
 {
 "queryName": "Security Group With Unrestricted Access To SSH",
 "severity": "MEDIUM",
 "line": 39,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "allow_tls",
+ "searchKey": "aws_security_group[positive1-3].ingress",
+ "searchValue": "",
+ "expectedValue": "aws_security_group[positive1-3].ingress 'SSH' (Port:22) should not be open",
+ "actualValue": "aws_security_group[positive1-3].ingress 'SSH' (Port:22) is open",
+ "issueType": "IncorrectValue",
+ "similarityID": "40244c39579d8cdcb32fb73dd3669eb8d49802e64b54c3276f91d69c91563d44",
+ "search_line": 39
 },
 {
 "queryName": "Security Group With Unrestricted Access To SSH",
 "severity": "MEDIUM",
 "line": 60,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "allow_tls",
+ "searchKey": "aws_security_group[positive1-4].ingress[1]",
+ "searchValue": "",
+ "expectedValue": "aws_security_group[positive1-4].ingress[1] 'SSH' (Port:22) should not be open",
+ "actualValue": "aws_security_group[positive1-4].ingress[1] 'SSH' (Port:22) is open",
+ "issueType": "IncorrectValue",
+ "similarityID": "8f77aaae2f53ae24ff0d9b7b086fbb781ad6c299f9fd4ce29248b9d0db686457",
+ "search_line": 60
 },
 {
 "queryName": "Security Group With Unrestricted Access To SSH",
 "severity": "MEDIUM",
 "line": 73,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "allow_tls",
+ "searchKey": "aws_security_group[positive1-5].ingress",
+ "searchValue": "",
+ "expectedValue": "aws_security_group[positive1-5].ingress 'SSH' (Port:22) should not be open",
+ "actualValue": "aws_security_group[positive1-5].ingress 'SSH' (Port:22) is open",
+ "issueType": "IncorrectValue",
+ "similarityID": "a4c02b3cb83162fdde74e5fcada42e3752562b2a3bb5e2853dca3f06fb3d4d6d",
+ "search_line": 73
 },
 {
 "queryName": "Security Group With Unrestricted Access To SSH",
 "severity": "MEDIUM",
 "line": 87,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "allow_tls",
+ "searchKey": "aws_security_group[positive1-6].ingress",
+ "searchValue": "",
+ "expectedValue": "aws_security_group[positive1-6].ingress 'SSH' (Port:22) should not be open",
+ "actualValue": "aws_security_group[positive1-6].ingress 'SSH' (Port:22) is open",
+ "issueType": "IncorrectValue",
+ "similarityID": "13e997bdea606d6ab4b0419e6dd057857e5b4aa93ebebbad7567c315b7dd0493",
+ "search_line": 87
 },
 {
 "queryName": "Security Group With Unrestricted Access To SSH",
 "severity": "MEDIUM",
 "line": 101,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "allow_tls",
+ "searchKey": "aws_security_group[positive1-7].ingress",
+ "searchValue": "",
+ "expectedValue": "aws_security_group[positive1-7].ingress 'SSH' (Port:22) should not be open",
+ "actualValue": "aws_security_group[positive1-7].ingress 'SSH' (Port:22) is open",
+ "issueType": "IncorrectValue",
+ "similarityID": "e1e491da7dac31ddd27db75c4b99237e829a410e9103be9b4b7c68c0f4a7a0b5",
+ "search_line": 101
 },
 {
 "queryName": "Security Group With Unrestricted Access To SSH",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "aws_vpc_security_group_ingress_rule",
+ "resourceName": "positive2-1",
+ "searchKey": "aws_vpc_security_group_ingress_rule[positive2-1]",
+ "searchValue": "",
+ "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-1] 'SSH' (Port:22) should not be open",
+ "actualValue": "aws_vpc_security_group_ingress_rule[positive2-1] 'SSH' (Port:22) is open",
+ "issueType": "IncorrectValue",
+ "similarityID": "133e8edd4dcca47c44685951af4fccfe8cabbfbdb88e9e45e0ed556a161c873f",
+ "search_line": 7
 },
 {
 "queryName": "Security Group With Unrestricted Access To SSH",
 "severity": "MEDIUM",
 "line": 17,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "aws_vpc_security_group_ingress_rule",
+ "resourceName": "positive2-2",
+ "searchKey": "aws_vpc_security_group_ingress_rule[positive2-2]",
+ "searchValue": "",
+ "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-2] 'SSH' (Port:22) should not be open",
+ "actualValue": "aws_vpc_security_group_ingress_rule[positive2-2] 'SSH' (Port:22) is open",
+ "issueType": "IncorrectValue",
+ "similarityID": "9725abd5e733df4de93aaf181949885da7024d2fb4a29773b92b3a58caa27cf6",
+ "search_line": 17
 },
 {
 "queryName": "Security Group With Unrestricted Access To SSH",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "aws_security_group_rule",
+ "resourceName": "positive3-1",
+ "searchKey": "aws_security_group_rule[positive3-1]",
+ "searchValue": "",
+ "expectedValue": "aws_security_group_rule[positive3-1] 'SSH' (Port:22) should not be open",
+ "actualValue": "aws_security_group_rule[positive3-1] 'SSH' (Port:22) is open",
+ "issueType": "IncorrectValue",
+ "similarityID": "31ba8a960495818316ee2ed426b7251e0a2094935b1e831c215883cc96ae14b5",
+ "search_line": 7
 },
 {
 "queryName": "Security Group With Unrestricted Access To SSH",
 "severity": "MEDIUM",
 "line": 17,
- "fileName": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "aws_security_group_rule",
+ "resourceName": "positive3-2",
+ "searchKey": "aws_security_group_rule[positive3-2]",
+ "searchValue": "",
+ "expectedValue": "aws_security_group_rule[positive3-2] 'SSH' (Port:22) should not be open",
+ "actualValue": "aws_security_group_rule[positive3-2] 'SSH' (Port:22) is open",
+ "issueType": "IncorrectValue",
+ "similarityID": "43a0bb6cd2f3ae48d1e0890f10b94b0f39597963123ca7d3b66bf10980a7ea3c",
+ "search_line": 17
 },
 {
 "queryName": "Security Group With Unrestricted Access To SSH",
 "severity": "MEDIUM",
 "line": 11,
- "fileName": "positive4.tf"
+ "fileName": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0",
+ "searchValue": "",
+ "expectedValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 'SSH' (Port:22) should not be open",
+ "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 'SSH' (Port:22) is open",
+ "issueType": "IncorrectValue",
+ "similarityID": "8beb8f24898b894c43d3789edce10827cd74ad36e10893887f09a93cb1ee3924",
+ "search_line": 11
 },
 {
 "queryName": "Security Group With Unrestricted Access To SSH",
 "severity": "MEDIUM",
 "line": 30,
- "fileName": "positive4.tf"
+ "fileName": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0",
+ "searchValue": "",
+ "expectedValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 'SSH' (Port:22) should not be open",
+ "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 'SSH' (Port:22) is open",
+ "issueType": "IncorrectValue",
+ "similarityID": "85795be27eda57ae1b6e79c264504e2b22d6c90ae15a50662d4a4f4e08ae6881",
+ "search_line": 30
 },
 {
 "queryName": "Security Group With Unrestricted Access To SSH",
 "severity": "MEDIUM",
 "line": 49,
- "fileName": "positive4.tf"
+ "fileName": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0",
+ "searchValue": "",
+ "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 'SSH' (Port:22) should not be open",
+ "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 'SSH' (Port:22) is open",
+ "issueType": "IncorrectValue",
+ "similarityID": "19957fdcb03e81a109a92b0265224d53adb2b6335c9d9fcd6870b653c70115aa",
+ "search_line": 49
 },
 {
 "queryName": "Security Group With Unrestricted Access To SSH",
 "severity": "MEDIUM",
 "line": 63,
- "fileName": "positive4.tf"
+ "fileName": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2",
+ "searchValue": "",
+ "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 'SSH' (Port:22) should not be open",
+ "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 'SSH' (Port:22) is open",
+ "issueType": "IncorrectValue",
+ "similarityID": "26c1e0b6671114d1cf74a341a0d1fc56a77807cfd25ca3402d40e0b8bf8191ff",
+ "search_line": 63
 },
 {
 "queryName": "Security Group With Unrestricted Access To SSH",
 "severity": "MEDIUM",
 "line": 82,
- "fileName": "positive4.tf"
+ "fileName": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0",
+ "searchValue": "",
+ "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 'SSH' (Port:22) should not be open",
+ "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 'SSH' (Port:22) is open",
+ "issueType": "IncorrectValue",
+ "similarityID": "c9d61c753c74891163e9f658cffec0e45513a275f9d1ab25ece67b5d7534fb25",
+ "search_line": 82
 },
 {
 "queryName": "Security Group With Unrestricted Access To SSH",
 "severity": "MEDIUM",
 "line": 96,
- "fileName": "positive4.tf"
+ "fileName": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2",
+ "searchValue": "",
+ "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 'SSH' (Port:22) should not be open",
+ "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 'SSH' (Port:22) is open",
+ "issueType": "IncorrectValue",
+ "similarityID": "ae4fb522b8cb09c4691c46fd2aaf483c824d5f3e9f2f2eaa299498be54974249",
+ "search_line": 96
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/security_group_without_description/test/positive_expected_result.json b/assets/queries/terraform/aws/security_group_without_description/test/positive_expected_result.json
index a5367983018..eb614fb1b95 100644
--- a/assets/queries/terraform/aws/security_group_without_description/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/security_group_without_description/test/positive_expected_result.json
@@ -3,24 +3,60 @@
 "queryName": "Security Group Without Description",
 "severity": "INFO",
 "line": 1,
- "filename": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "positive1-1",
+ "searchKey": "aws_security_group[positive1-1]",
+ "searchValue": "",
+ "expectedValue": "aws_security_group[positive1-1] description should be defined and not null",
+ "actualValue": "aws_security_group[positive1-1] description is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "960de85fdf1c4db8375f9b248a031bfc0367113fdac8d6c818f222ef74382907",
+ "search_line": 1
 },
 {
 "queryName": "Security Group Without Description",
 "severity": "INFO",
 "line": 7,
- "filename": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "positive1-2",
+ "searchKey": "aws_security_group[positive1-2]",
+ "searchValue": "",
+ "expectedValue": "aws_security_group[positive1-2] description should be defined and not null",
+ "actualValue": "aws_security_group[positive1-2] description is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "681a8f97ac1b877046bd99b549b785ca8a8e44891d5f9939bb46ea121bf78221",
+ "search_line": 7
 },
 {
 "queryName": "Security Group Without Description",
 "severity": "INFO",
 "line": 1,
- "filename": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive2-1]",
+ "searchValue": "",
+ "expectedValue": "module[positive2-1] description should be defined and not null",
+ "actualValue": "module[positive2-1] description is undefined or null",
+ "issueType": "IncorrectValue",
+ "similarityID": "4a69f3682342a52de2beb7256a7fac28bfc828f9ee777bd9d66da6d86bc694f1",
+ "search_line": 1
 },
 {
 "queryName": "Security Group Without Description",
 "severity": "INFO",
 "line": 10,
- "filename": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive2-2]",
+ "searchValue": "",
+ "expectedValue": "module[positive2-2] description should be defined and not null",
+ "actualValue": "module[positive2-2] description is undefined or null",
+ "issueType": "IncorrectValue",
+ "similarityID": "3e654d209ab4a20f7bf46e32f751f2e8330c62685eac489676c7fa5826986101",
+ "search_line": 10
 }
 ]
diff --git a/assets/queries/terraform/aws/security_groups_not_used/test/positive_expected_result.json b/assets/queries/terraform/aws/security_groups_not_used/test/positive_expected_result.json
index 3ccca1415d6..8be967cdbb9 100644
--- a/assets/queries/terraform/aws/security_groups_not_used/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/security_groups_not_used/test/positive_expected_result.json
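Review bot: The two module[positive2-1] / module[positive2-2] entries in this hunk pin `"issueType": "IncorrectValue"` while the two aws_security_group entries, carrying the same "description is undefined or null" actualValue, pin `"issueType": "MissingAttribute"`. If that asymmetry is not intentional it originates in the query itself rather than in this fixture, but committing the fixture as-is locks the current output in, so a later correction to the query's module path would fail this test until the fixture is regenerated. Worth confirming which issueType is intended for the module path before merging; if the query is adjusted, regenerate this file with the new script rather than editing the entries by hand so the similarityID values stay consistent.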
@@ -3,48 +3,120 @@
 "queryName": "Security Group Not Used",
 "severity": "INFO",
 "line": 8,
- "filename": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "allow_tls",
+ "searchKey": "aws_security_group[allow_tls]",
+ "searchValue": "",
+ "expectedValue": "'aws_security_group[allow_tls]' should be used",
+ "actualValue": "'aws_security_group[allow_tls]' is not used",
+ "issueType": "IncorrectValue",
+ "similarityID": "81168bb1a9d1c26ffa9d8b0e93648dd001c6262b380fb661f05821e5e7d239b8",
+ "search_line": -1
 },
 {
 "queryName": "Security Group Not Used",
 "severity": "INFO",
 "line": 15,
- "filename": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "unused-sg",
+ "searchKey": "aws_security_group[unused-sg]",
+ "searchValue": "",
+ "expectedValue": "'aws_security_group[unused-sg]' should be used",
+ "actualValue": "'aws_security_group[unused-sg]' is not used",
+ "issueType": "IncorrectValue",
+ "similarityID": "e348068d6878c5e78f3a30606a3101a4cd5f5dbbdf16a67f26efe48605482a87",
+ "search_line": -1
 },
 {
 "queryName": "Security Group Not Used",
 "severity": "INFO",
 "line": 19,
- "filename": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "unused-sg",
+ "searchKey": "aws_security_group[unused_sg]",
+ "searchValue": "",
+ "expectedValue": "'aws_security_group[unused_sg]' should be used",
+ "actualValue": "'aws_security_group[unused_sg]' is not used",
+ "issueType": "IncorrectValue",
+ "similarityID": "25ca04b9b6ff0637b9412159c71bdfa456acc437b0c9f8ec3c8d46badc7715f6",
+ "search_line": -1
 },
 {
 "queryName": "Security Group Not Used",
 "severity": "INFO",
 "line": 21,
- "filename": "positive4.tf"
+ "fileName": "positive4.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "unused-sg",
+ "searchKey": "aws_security_group[unused_sg]",
+ "searchValue": "",
+ "expectedValue": "'aws_security_group[unused_sg]' should be used",
+ "actualValue": "'aws_security_group[unused_sg]' is not used",
+ "issueType": "IncorrectValue",
+ "similarityID": "94683f50317f67355fb3f69c5be85e4e3be2bb857c29f17cfe03ed8be782d4d1",
+ "search_line": -1
 },
 {
 "queryName": "Security Group Not Used",
 "severity": "INFO",
 "line": 1,
- "filename": "positive5.tf"
+ "fileName": "positive5.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "example",
+ "searchKey": "aws_security_group[example]",
+ "searchValue": "",
+ "expectedValue": "'aws_security_group[example]' should be used",
+ "actualValue": "'aws_security_group[example]' is not used",
+ "issueType": "IncorrectValue",
+ "similarityID": "1d376de713d1b2c112d6dafe11ab9ad9261bd1e5c05f0c844a21878df377c169",
+ "search_line": -1
 },
 {
 "queryName": "Security Group Not Used",
 "severity": "INFO",
 "line": 1,
- "filename": "positive6.tf"
+ "fileName": "positive6.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "default_name",
+ "searchKey": "aws_security_group[default_name]",
+ "searchValue": "",
+ "expectedValue": "'aws_security_group[default_name]' should be used",
+ "actualValue": "'aws_security_group[default_name]' is not used",
+ "issueType": "IncorrectValue",
+ "similarityID": "37cd8cdd71d846cf251a68b83a619b574fa0b13564bdb3001e6f7bac3fcdd5c2",
+ "search_line": -1
 },
 {
 "queryName": "Security Group Not Used",
 "severity": "INFO",
 "line": 19,
- "filename": "positive7.tf"
+ "fileName": "positive7.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "unused-sg",
+ "searchKey": "aws_security_group[unused_sg]",
+ "searchValue": "",
+ "expectedValue": "'aws_security_group[unused_sg]' should be used",
+ "actualValue": "'aws_security_group[unused_sg]' is not used",
+ "issueType": "IncorrectValue",
+ "similarityID": "01a7238bf31d2e9f8665d91c556bf9678cccda16f7bf2faae58fe303e88a08ef",
+ "search_line": -1
 },
 {
 "queryName": "Security Group Not Used",
 "severity": "INFO",
 "line": 1,
- "filename": "positive8.tf"
+ "fileName": "positive8.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "default_name",
+ "searchKey": "aws_security_group[default_name]",
+ "searchValue": "",
+ "expectedValue": "'aws_security_group[default_name]' should be used",
+ "actualValue": "'aws_security_group[default_name]' is not used",
+ "issueType": "IncorrectValue",
+ "similarityID": "1e979882e388fb1b811ee73e3cb87883414bced891014d0eb659a400cb85aa55",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json
index c23d7e9ca83..9e0aee2a3b7 100644
--- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json
@@ -3,240 +3,600 @@
 "queryName": "Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 3,
- "filename": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "positive1_ipv4_1",
+ "searchKey": "aws_security_group[positive1_ipv4_1].ingress",
+ "searchValue": "TCP,22",
+ "expectedValue": "SSH (TCP:22) should not be allowed",
+ "actualValue": "SSH (TCP:22) is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "197835cd05f441839d599cf2eb50da022e3c67e776d024c7c020ea33f67b9427",
+ "search_line": 3
 },
 {
 "queryName": "Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 3,
- "filename": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "positive1_ipv4_1",
+ "searchKey": "aws_security_group[positive1_ipv4_1].ingress",
+ "searchValue": "UDP,22",
+ "expectedValue": "SSH (UDP:22) should not be allowed",
+ "actualValue": "SSH (UDP:22) is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "7c3097db4a97ebfc92cae55437ae8b6e1563feef5138267700ac98c31e24b601",
+ "search_line": 3
 },
 {
 "queryName": "Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 12,
- "filename": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "positive1_ipv4_2",
+ "searchKey": "aws_security_group[positive1_ipv4_2].ingress",
+ "searchValue": "TCP,22",
+ "expectedValue": "SSH (TCP:22) should not be allowed",
+ "actualValue": "SSH (TCP:22) is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "24b8d82f95585d172628dbcfb813fb138cbe68f157c4e3c40d1537f3109425af",
+ "search_line": 12
 },
 {
 "queryName": "Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 21,
- "filename": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "positive1_array_test_ipv4",
+ "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[0]",
+ "searchValue": "UDP,22",
+ "expectedValue": "SSH (UDP:22) should not be allowed",
+ "actualValue": "SSH (UDP:22) is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "42adb6854ba8bf69d9e4b23450b7aff684989c06414bf9351d4594e50e0502f4",
+ "search_line": 21
 },
 {
 "queryName": "Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 27,
- "filename": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "positive1_array_test_ipv4",
+ "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[1]",
+ "searchValue": "UDP,110",
+ "expectedValue": "POP3 (UDP:110) should not be allowed",
+ "actualValue": "POP3 (UDP:110) is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "438c3c04d2a4be33b4225c47b41f526f9ec5d61bd7877531c160a693f4ad5f29",
+ "search_line": 27
 },
 {
 "queryName": "Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 38,
- "filename": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "positive1_ipv6_1",
+ "searchKey": "aws_security_group[positive1_ipv6_1].ingress",
+ "searchValue": "TCP,22",
+ "expectedValue": "SSH (TCP:22) should not be allowed",
+ "actualValue": "SSH (TCP:22) is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "6e660200871c5b819390fe05fcb7f2a4a914c7d2ab0a88ec8a6be021ba456a6e",
+ "search_line": 38
 },
 {
 "queryName": "Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 38,
- "filename": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "positive1_ipv6_1",
+ "searchKey": "aws_security_group[positive1_ipv6_1].ingress",
+ "searchValue": "UDP,22",
+ "expectedValue": "SSH (UDP:22) should not be allowed",
+ "actualValue": "SSH (UDP:22) is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "be13f5076374829e2ba2266e32f6c0019eaa6fd5d2a298cb1d0357284d1e2d9d",
+ "search_line": 38
 },
 {
 "queryName": "Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 47,
- "filename": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "positive1_ipv6_2",
+ "searchKey": "aws_security_group[positive1_ipv6_2].ingress",
+ "searchValue": "TCP,22",
+ "expectedValue": "SSH (TCP:22) should not be allowed",
+ "actualValue": "SSH (TCP:22) is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "1952e3b68198094e4537b5803f1984427a6519508cbdb9ccba134cc7f8bb1523",
+ "search_line": 47
 },
 {
 "queryName": "Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 56,
- "filename": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "positive1_array_test_ipv6",
+ "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[0]",
+ "searchValue": "UDP,22",
+ "expectedValue": "SSH (UDP:22) should not be allowed",
+ "actualValue": "SSH (UDP:22) is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "9506300a4deba794644979a06ffb172a4814ce72140bb9047000b0f83286659f",
+ "search_line": 56
 },
 {
 "queryName": "Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 63,
- "filename": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_security_group",
+ "resourceName": "positive1_array_test_ipv6",
+ "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[1]",
+ "searchValue": "UDP,110",
+ "expectedValue": "POP3 (UDP:110) should not be allowed",
+ "actualValue": "POP3 (UDP:110) is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "aaeceb46e6c1469eaa839a68536d7837036ab58b36d6c1fb9d7a311f69e6013d",
+ "search_line": 63
 },
 {
 "queryName": "Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 2,
- "filename": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "aws_vpc_security_group_ingress_rule",
+ "resourceName": "positive2_ipv4_1",
+ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]",
+ "searchValue": "TCP,22",
+ "expectedValue": "SSH (TCP:22) should not be allowed",
+ "actualValue": "SSH (TCP:22) is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "44c1322ab2304063fe0e2339aa67c093087b5edadf220644bf8b060bcc246e47",
+ "search_line": 2
 },
 {
 "queryName": "Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 2,
- "filename": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "aws_vpc_security_group_ingress_rule",
+ "resourceName": "positive2_ipv4_1",
+ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]",
+ "searchValue": "UDP,22",
+ "expectedValue": "SSH (UDP:22) should not be allowed",
+ "actualValue": "SSH (UDP:22) is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "d70de24545bc585e17dbdacdd4113c3729378fd060a0d4508f151b356ac349f4",
+ "search_line": 2
 },
 {
 "queryName": "Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 9,
- "filename": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "aws_vpc_security_group_ingress_rule",
+ "resourceName": "positive2_ipv4_2",
+ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_2]",
+ "searchValue": "TCP,22",
+ "expectedValue": "SSH (TCP:22) should not be allowed",
+ "actualValue": "SSH (TCP:22) is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "328a908227cdaa4035105b3ec4992deff303a8c249807ca84d99a7aceeb1584e",
+ "search_line": 9
 },
 {
 "queryName": "Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 16,
- "filename": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "aws_vpc_security_group_ingress_rule",
+ "resourceName": "positive2_ipv4_3",
+ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_3]",
+ "searchValue": "UDP,22",
+ "expectedValue": "SSH (UDP:22) should not be allowed",
+ "actualValue": "SSH (UDP:22) is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "3b7e0558391d9c6051c6edb894e34da5bd6d765140ee5a69f32fabe305ed3918",
+ "search_line": 16
 },
 {
 "queryName": "Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 23,
- "filename": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "aws_vpc_security_group_ingress_rule",
+ "resourceName": "positive2_ipv4_4",
+ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_4]",
+ "searchValue": "UDP,110",
+ "expectedValue": "POP3 (UDP:110) should not be allowed",
+ "actualValue": "POP3 (UDP:110) is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "cf9e2764ed1890ad2f9604e5875b1daaa0d459cd7fd3d8d700a4832be730e037",
+ "search_line": 23
 },
 {
 "queryName": "Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 32,
- "filename": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "aws_vpc_security_group_ingress_rule",
+ "resourceName": "positive2_ipv6_1",
+ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]",
+ "searchValue": "TCP,22",
+ "expectedValue": "SSH (TCP:22) should not be allowed",
+ "actualValue": "SSH (TCP:22) is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "608945abb99535af5f2e8b56961927f51e581e505e9e010c47834b25bbe557df",
+ "search_line": 32
 },
 {
 "queryName": "Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 32,
- "filename": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "aws_vpc_security_group_ingress_rule",
+ "resourceName": "positive2_ipv6_1",
+ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]",
+ "searchValue": "UDP,22",
+ "expectedValue": "SSH (UDP:22) should not be allowed",
+ "actualValue": "SSH (UDP:22) is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "8d595f396afd4d0d82a5e469618681d423a3ebda92079f782cb1d9a4de879a7e",
+ "search_line": 32
 },
 {
 "queryName": "Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 39,
- "filename": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "aws_vpc_security_group_ingress_rule",
+ "resourceName": "positive2_ipv6_2",
+ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_2]",
+ "searchValue": "TCP,22",
+ "expectedValue": "SSH (TCP:22) should not be allowed",
+ "actualValue": "SSH (TCP:22) is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "57ab621af8b86ffdc8c558a2a329d28a0038728a2522e2bdc2007bef525e4e92",
+ "search_line": 39
 },
 {
 "queryName": "Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 46,
- "filename": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "aws_vpc_security_group_ingress_rule",
+ "resourceName": "positive2_ipv6_3",
+ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_3]",
+ "searchValue": "UDP,22",
+ "expectedValue": "SSH (UDP:22) should not be allowed",
+ "actualValue": "SSH (UDP:22) is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "3a02e3a46b8d04c2d8fd7459407cd47a8820ee87d80bd19ec9471c715c476be3",
+ "search_line": 46
 },
 {
 "queryName": "Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 53,
- "filename": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "aws_vpc_security_group_ingress_rule",
+ "resourceName": "positive2_ipv6_4",
+ "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_4]",
+ "searchValue": "UDP,110",
+ "expectedValue": "POP3 (UDP:110) should not be allowed",
+ "actualValue": "POP3 (UDP:110) is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "261dddc425b1254d98cb44e33473f078322553aab54e16e74afd77480627e504",
+ "search_line": 53
 },
 {
 "queryName": "Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 2,
- "filename": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "aws_security_group_rule",
+ "resourceName": "positive3_ipv4_1",
+ "searchKey": "aws_security_group_rule[positive3_ipv4_1]",
+ "searchValue": "TCP,22",
+ "expectedValue": "SSH (TCP:22) should not be allowed",
+ "actualValue": "SSH (TCP:22) is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "7d1b2ffe230e3c570011220f3ef5b702d9fbb76107bb0d50fc7c1e8f4017a67f",
+ "search_line": 2
 },
 {
 "queryName": "Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 2,
- "filename": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "aws_security_group_rule",
+ "resourceName": "positive3_ipv4_1",
+ "searchKey": "aws_security_group_rule[positive3_ipv4_1]",
+ "searchValue": "UDP,22",
+ "expectedValue": "SSH (UDP:22) should not be allowed",
+ "actualValue": "SSH (UDP:22) is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "fe4d67f9f6b0e1298bb292d18e5d5dfc594b36b92221a12480603ec19dde10cc",
+ "search_line": 2
 },
 {
 "queryName": "Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 10,
- "filename": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "aws_security_group_rule",
+ "resourceName": "positive3_ipv4_2",
+ "searchKey": "aws_security_group_rule[positive3_ipv4_2]",
+ "searchValue": "TCP,22",
+ "expectedValue": "SSH (TCP:22) should not be allowed",
+ "actualValue": "SSH (TCP:22) is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "521d00fa7335aa999030bcfee46429c77a82b494bb4e7a2ad38954d5811b84f4",
+ "search_line": 10
 },
 {
 "queryName": "Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 18,
- "filename": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "aws_security_group_rule",
+ "resourceName": "positive3_ipv4_3",
+ "searchKey": "aws_security_group_rule[positive3_ipv4_3]",
+ "searchValue": "UDP,22",
+ "expectedValue": "SSH (UDP:22) should not be allowed",
+ "actualValue": "SSH (UDP:22) is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "a6506763156043425b797f2aab021f69e37797da53e8f094acc0cd62e0c7f8cd",
+ "search_line": 18
 },
 {
 "queryName": "Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 26,
- "filename": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "aws_security_group_rule",
+ "resourceName": "positive3_ipv4_4",
+ "searchKey": "aws_security_group_rule[positive3_ipv4_4]",
+ "searchValue": "UDP,110",
+ "expectedValue": "POP3 (UDP:110) should not be allowed",
+ "actualValue": "POP3 (UDP:110) is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "ae986a649277494db5c8b710787c9a46e0c2903a7dd5d6bf4f4d2f8c5cc4a37e",
+ "search_line": 26
 },
 {
 "queryName": "Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 36,
- "filename": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "aws_security_group_rule",
+ "resourceName": "positive3_ipv6_1",
+ "searchKey": "aws_security_group_rule[positive3_ipv6_1]",
+ "searchValue": "TCP,22",
+ "expectedValue": "SSH (TCP:22) should not be allowed",
+ "actualValue": "SSH (TCP:22) is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "c22f65efacfb5da50c1feca4a3bc35a66fc874b72f046f33ac362a8ebd17fae1",
+ "search_line": 36
 },
 {
 "queryName": "Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 36,
- "filename": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "aws_security_group_rule",
+ "resourceName": "positive3_ipv6_1",
+ "searchKey": "aws_security_group_rule[positive3_ipv6_1]",
+ "searchValue": "UDP,22",
+ "expectedValue": "SSH (UDP:22) should not be allowed",
+ "actualValue": "SSH (UDP:22) is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "c1850ce8c40fd31115db4c6e53bd86b8ad1549dafbffbd80c52f22a430565bf9",
+ "search_line": 36
 },
 {
 "queryName": "Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 44,
- "filename": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "aws_security_group_rule",
+ "resourceName": "positive3_ipv6_2",
+ "searchKey": "aws_security_group_rule[positive3_ipv6_2]",
+ "searchValue": "TCP,22",
+ "expectedValue": "SSH (TCP:22) should not be allowed",
+ "actualValue": "SSH (TCP:22) is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "9a38955fe341ae01e8e60965bc0427d10ae00a5b01b1deca873282a67057f37d",
+ "search_line": 44
 },
 {
 "queryName": "Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 52,
- "filename": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "aws_security_group_rule",
+ "resourceName": "positive3_ipv6_3",
+ "searchKey": "aws_security_group_rule[positive3_ipv6_3]",
+ "searchValue": "UDP,22",
+ "expectedValue": "SSH (UDP:22) should not be allowed",
+ "actualValue": "SSH (UDP:22) is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "8c29d323f5b575b6fa17836460975320924e0ff0f25acbdb64d181c99a0e81eb",
+ "search_line": 52
 },
 {
 "queryName": "Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 60,
- "filename": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "aws_security_group_rule",
+ "resourceName": "positive3_ipv6_4",
+ "searchKey": "aws_security_group_rule[positive3_ipv6_4]",
+ "searchValue": "UDP,110",
+ "expectedValue": "POP3 (UDP:110) should not be allowed",
+ "actualValue": "POP3 (UDP:110) is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "b9d4dee9568111cfcc17844de617165b196a679164c156da5a7d6ab5f1164a50",
+ "search_line": 60
 },
 {
 "queryName": "Sensitive Port Is Exposed To Entire Network",
 "severity": "HIGH",
 "line": 5,
- "filename": "positive4.tf"
+ "fileName": "positive4.tf",
+ "resourceType": "n/a",
+ "resourceName": "n/a",
+ "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0",
+ "searchValue": "TCP,22",
+ "expectedValue": "SSH (TCP:22) should not be allowed",
+ "actualValue": "SSH (TCP:22) is allowed",
+ "issueType": "IncorrectValue",
+ "similarityID": "d7cf33a65439d3041cec0c8985d9eac72d66e33bce68c8a659bc5d4dc4828bd7",
+ "search_line": 5
 },
 {
"queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 5, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "2c4e7c075a500b809e3355e05ba4df75b2e4be9e78d25b5ed16a63c0dc8f2c50", + "search_line": 5 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 11, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.1", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "02e8d065dfb0479d155779e9afe147c1ee3bf11726d1b8cc7352a6cc5e0e752a", + "search_line": 11 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 17, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.2", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "e0cc7b430a05877521e84d5d0528ff369aaa3ee1a1510d418ccbbc00c98197a1", + "search_line": 17 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 23, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.3", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + 
"actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue", + "similarityID": "c522af6d6251154e26b98bd34218b534dfb35be6619257667341b602665b315f", + "search_line": 23 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 35, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "dc6ea155ea5705d918d09ecc25d25f6390d482e91679b695b61da312ba9c90a6", + "search_line": 35 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 35, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "166b01e0967bc60433250f02e8917bf0b1d19db52134ae5605d1b7ee2de33120", + "search_line": 35 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 41, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.1", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "d2c57ccba17ce6f85febe790b98883f5ba0ac6b0ba2c80249ed10197bc074281", + "search_line": 41 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 47, - "filename": "positive4.tf" + "fileName": "positive4.tf", + 
"resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.2", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "fa1eda550974d3a4a6af913d0148f6d6ec24a801d731c9f25892182a38742e46", + "search_line": 47 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", "line": 53, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.3", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue", + "similarityID": "7a405c5b9c3d2342f9783cb7d95b2e8ca02a7f36fb5eb0bfeca746121dec69fc", + "search_line": 53 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json index 96931d2a0c3..d3da77e177b 100644 --- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json 
@@ -1,242 +1,602 @@ [ { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 3, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv4_1", + "searchKey": "aws_security_group[positive1_ipv4_1].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "1e947f49fab2b7666e0084b859c0bfd7edeeafbb8419743dc90684747eb7985a", + "search_line": 3 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 3, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv4_1", + "searchKey": "aws_security_group[positive1_ipv4_1].ingress", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "1c11be1f165aa8dbd83991657c0b054614d31c27370b93dacca3820fd2c1f5d7", + "search_line": 3 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 12, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv4_2", + "searchKey": "aws_security_group[positive1_ipv4_2].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "d90336100511ebd1969b3658903efa16796346c594d7ba9a00f253dc775f45a3", + "search_line": 12 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 21, - "filename": "positive1.tf" + "fileName": "positive1.tf", 
+ "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv4", + "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[0]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "00f817619e396c0a6a9f8a744e61c1080aa1f25bd5b4f10aa398f3a5fdf9e146", + "search_line": 21 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 27, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv4", + "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[1]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue", + "similarityID": "617990cc708701ca9bd911ccce50beb758dd4000009a1db087e923d373fc3156", + "search_line": 27 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 38, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv6_1", + "searchKey": "aws_security_group[positive1_ipv6_1].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "1c1defe9423ec4ef75cf9e6465ba38541b79ab7dc6a980eedfa00b8aca505c60", + "search_line": 38 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 38, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv6_1", + "searchKey": "aws_security_group[positive1_ipv6_1].ingress", + "searchValue": 
"UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "f3a863b89d90c8b5a35c85067b18ad71b9d470a94d3ff5aeea6b9ac0e3c430e5", + "search_line": 38 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 47, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv6_2", + "searchKey": "aws_security_group[positive1_ipv6_2].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "765c465d345265e00a51f63e913b6fc1a8d6447163f235f11a27da041fa5711d", + "search_line": 47 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 56, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv6", + "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[0]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "7ffecd2f628d1a57831492e88ae83d64f7eec40abf49b52ea15d0f3347332125", + "search_line": 56 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 63, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv6", + "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[1]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue", + 
"similarityID": "c0c818cd8c8817bdf312e2f60cfd22e9b0adb115c41f30aae2db033bdf38501f", + "search_line": 63 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 2, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "1225e4686f21716a73e2152d4711aed12991e552446e0ddefa675dd9c1fe17da", + "search_line": 2 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 2, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "ed37377331573926d769eb7117f6fd5ee23f7ac9914c2f621de7ff4a769dae00", + "search_line": 2 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 9, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "c3fd3fe42ca1940313565ad8026e5d3ed0312cd8c30f928a5a9a4c819d1fe83b", + "search_line": 9 }, { "queryName": "Sensitive 
Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 16, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_3", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "2b36586dd198ff01fe0738f8ec45817fe4dbcc0ae435e17b4b5faca580401c61", + "search_line": 16 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 23, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_4", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue", + "similarityID": "578b5eac4db7cde0c5035c24f16a37cfd51402003834cd131da3c42aa27c96ac", + "search_line": 23 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 32, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "c323fa087e86cb06fed2dda66c21562028629eacbc21f267742cb51a82bcade0", + "search_line": 32 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 32, - "filename": 
"positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "9a2751d8a6ae76a4d2f5b3cfb70bfce5dd427d8d91ec551c8435065ceb941117", + "search_line": 32 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 39, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "79033ac10475f3b5463934e67fc31d2ebc99afc28a92ce4c2fa4ac96786b568e", + "search_line": 39 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 46, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_3", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "d28195ee338cccaa7d63bcf1a6ffc95d078ff2238e6511f45ca5e222e221af6a", + "search_line": 46 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 53, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": 
"positive2_ipv6_4", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue", + "similarityID": "94703db66849d14e144fc3d279f0386c1d728ca251adb95e83abd1e2c375ae78", + "search_line": 53 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 2, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_1", + "searchKey": "aws_security_group_rule[positive3_ipv4_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "22c7573df5a6af93aa3c998e1f8eabaccbbe17e2b05104c59a0dac6fd136ae8c", + "search_line": 2 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 2, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_1", + "searchKey": "aws_security_group_rule[positive3_ipv4_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "9b03a79535a7c47cb7db6922a4f9bf8ae6164bca36027c9e35a095adb87895c5", + "search_line": 2 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 10, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_2", + "searchKey": "aws_security_group_rule[positive3_ipv4_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH 
(TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "6fd83369e706788d3029feb436aca2129f1d33aef12f55255d71f895dd58a4ea", + "search_line": 10 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 18, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_3", + "searchKey": "aws_security_group_rule[positive3_ipv4_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "d3f9f335fa6a5847d2adc8d93c8119b659a29d570df97470a4c08dbf3ef04c3a", + "search_line": 18 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 26, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_4", + "searchKey": "aws_security_group_rule[positive3_ipv4_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue", + "similarityID": "bd3412ec5f90cc00fcbd59dc857817ef06a791672cf2c6a3e3006bf04ca3e08a", + "search_line": 26 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 36, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_1", + "searchKey": "aws_security_group_rule[positive3_ipv6_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "31dcbaa2d2a9148a9dc8a178e34596df34f184853c9623fb6cc020a773dcd22b", + "search_line": 36 }, { "queryName": "Sensitive Port 
Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 36, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_1", + "searchKey": "aws_security_group_rule[positive3_ipv6_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "11e5b5d3a109d36c468070ee558511c9091e17857d581bd53bf77bfa3d221f42", + "search_line": 36 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 44, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_2", + "searchKey": "aws_security_group_rule[positive3_ipv6_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "1293f520e13ee65cbdb984b61838f16818284300c30b2accec4ecf21d725b788", + "search_line": 44 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 52, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_3", + "searchKey": "aws_security_group_rule[positive3_ipv6_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "3e64e59a7c715d5a63aadcc54937fa135125487f013fae42c13e84254bb7b791", + "search_line": 52 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 60, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": 
"aws_security_group_rule", + "resourceName": "positive3_ipv6_4", + "searchKey": "aws_security_group_rule[positive3_ipv6_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue", + "similarityID": "89a438bfc258faf7dfc096efd9ae771132fc470f59173d4ebc19099461b033bf", + "search_line": 60 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 5, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "01ad60d7cdff52fc59a1bf54151400caf7895ca95cb2304c792cf095fa8dc96f", + "search_line": 5 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 5, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "d202b577cc55e2d5c2736d8bdeddda9a389e4bb75468d3f3c61c1da51a9fa086", + "search_line": 5 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 11, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.1", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": 
"IncorrectValue", + "similarityID": "9003f7ef879715138a0fc42d8e5cbc63445bbe68ef504944bcc5cde15143d8e6", + "search_line": 11 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 17, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.2", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "60d81446184bb49678f0433dec1850d8755f74d433a192f46b8c5147554f4f1c", + "search_line": 17 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 23, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.3", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue", + "similarityID": "104c1263e6862652ca9d1f93b1b8e95120cf0f6d9f7a5d5a82c62c6dcd8baacf", + "search_line": 23 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 35, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "9b064efa7759376eedf6c35d1f6c43e8c25372994973f2320255677501349dfb", + "search_line": 35 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 35, - 
"filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "0310fe61af1ae5c96443f209c9374965fa9902f4c62a3b512641539994cfb0b5", + "search_line": 35 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 41, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.1", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "87dd95bea0b690302701c6411843d59c3cad47de172f6cd584436467d1e38c3c", + "search_line": 41 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 47, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.2", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "68d10d106c7c36c90584a69fce07cfa87753c4f3b59a4abd4fc7d7757d8e64ad", + "search_line": 47 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", - "severity": "MEDIUM", + "severity": "MEDIUM", "line": 53, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.3", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should 
not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue", + "similarityID": "79fbf04ac1f3428ec796fe7b770caaf6df608eb87d8ebc5ca10454d0b87d7824", + "search_line": 53 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json index 721ee508a9a..64dcc55512e 100644 --- a/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json 
@@ -3,240 +3,600 @@ "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 3, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv4_1", + "searchKey": "aws_security_group[positive1_ipv4_1].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "ee7bf6b16ea99647fb6de31cea0286dfe4c2cbbe5b7c8d017215ad5ba2ed36e7", + "search_line": 3 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 3, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv4_1", + "searchKey": "aws_security_group[positive1_ipv4_1].ingress", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "559865e65a21904e874b21e2762a43ec9df570cee84c734b61dc57659021ca35", + "search_line": 3 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 12, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv4_2", + "searchKey": "aws_security_group[positive1_ipv4_2].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "e4e29da0b93609b90c367596d8fcb7d1114ad60ac3b408b1373be9c6da2676f0", + "search_line": 12 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 21, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv4", + "searchKey": 
"aws_security_group[positive1_array_test_ipv4].ingress[0]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "475d94fa58e367cccb939789d60caf85cb93a31e99df38496510064a9e8d96dc", + "search_line": 21 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 27, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv4", + "searchKey": "aws_security_group[positive1_array_test_ipv4].ingress[1]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue", + "similarityID": "cc3328d575155eb06dbbd52bb5949725722183d7f2ab0c82dcb988ba5de71d9e", + "search_line": 27 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 38, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv6_1", + "searchKey": "aws_security_group[positive1_ipv6_1].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "b84223869a80f3ba3b0e3b6d057b8d94b329aa0fadbfdef311a7102e45ed7458", + "search_line": 38 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 38, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv6_1", + "searchKey": "aws_security_group[positive1_ipv6_1].ingress", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": 
"d27d955662c42498752cf003f0e727d421779d7aed31a31b797edfc39b5b0235", + "search_line": 38 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 47, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_ipv6_2", + "searchKey": "aws_security_group[positive1_ipv6_2].ingress", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "cd7f21286e611191af53d20c8b4b0cebcd8703b163d74879606c88a8d0c07166", + "search_line": 47 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 56, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv6", + "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[0]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "9f0438291c1b9d21703a5e976204b225f7faff3a4e24a00fe85b696574ce02df", + "search_line": 56 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 63, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1_array_test_ipv6", + "searchKey": "aws_security_group[positive1_array_test_ipv6].ingress[1]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue", + "similarityID": "55e8a9f5caa730a4ceba98e2bcf73b24eef28ef46d9aef9e5c41a853a758bb45", + "search_line": 63 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 2, - "filename": "positive2.tf" + "fileName": 
"positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "f41ed50c48b336ad13c6cff8fc59e1933b1310c87be38fa23a8375df62ad2a2f", + "search_line": 2 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 2, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "bff1c904cb6fe967b26ffa636cd029d0ee35c5b41e1f16c745cc4d837d181250", + "search_line": 2 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 9, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "a528be8d1389113301a1a7d1f6c3c4b8e84a9fbbb6435e8e313e162236df1a74", + "search_line": 9 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 16, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_3", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_3]", + "searchValue": "UDP,22", + 
"expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "bfca6c2114c03bd9157fe0cb6686f00f5514d8d239e101fc028990787477cf02", + "search_line": 16 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 23, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv4_4", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv4_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue", + "similarityID": "6ea0822c926b531bedf4c77553dcd4df639680c49b2ed7dabd07ef753bfb7448", + "search_line": 23 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 32, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "3456fa524875d8a17dcf22b7ccb903223a7a8b157062633aef7efd0211bce3f4", + "search_line": 32 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 32, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": 
"28c770dbe380db11da1fb1973c6a57a5a3373ce37407b63f2e9603297bed5ef8", + "search_line": 32 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 39, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "ebb6a99c7622c8483da6807bf610f76bf6d70eeeab55fe633b2eff86eb203541", + "search_line": 39 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 46, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_3", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "04a790748427cedc3dfdef5478ae6a23027c8108faf25b43b50825308a63a031", + "search_line": 46 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 53, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2_ipv6_4", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2_ipv6_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue", + "similarityID": "46e0ea9bedf6dfc1d337184e018c945235e0f9896031dd90a2bf5b38599a61df", + "search_line": 53 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 2, - "filename": 
"positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_1", + "searchKey": "aws_security_group_rule[positive3_ipv4_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "7cae211f77d409de582dbe7435eaf22d02c1a62aba2d2877a6c393b7438fd795", + "search_line": 2 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 2, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_1", + "searchKey": "aws_security_group_rule[positive3_ipv4_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "468de113b2941f9e2bbb75a6a91204f24b5a1bba975c6f241f27fbe84b689327", + "search_line": 2 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 10, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_2", + "searchKey": "aws_security_group_rule[positive3_ipv4_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "86e5ea7db831f964d5a91814c5b682ea3f954304c005c13bc67df2be96eda567", + "search_line": 10 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 18, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_3", + "searchKey": "aws_security_group_rule[positive3_ipv4_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": 
"SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "745dc01cf833d7c7c9030179a866c553b4badb73c7c3ef71c9da937ba090f097", + "search_line": 18 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 26, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv4_4", + "searchKey": "aws_security_group_rule[positive3_ipv4_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue", + "similarityID": "410c2651484fdfccdffd5f8f2b4a7ab097c534e093f060a06ff1014debd254a8", + "search_line": 26 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 36, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_1", + "searchKey": "aws_security_group_rule[positive3_ipv6_1]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "bd17f86ae416887a34a90b0f2ae6423dcda1dea2f01c190b6f3b84663ac68aaf", + "search_line": 36 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 36, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_1", + "searchKey": "aws_security_group_rule[positive3_ipv6_1]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "29db5753dd47383fdea3e8dc070a55365c8a94ff669214427ab0d151d6508a71", + "search_line": 36 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 44, - "filename": 
"positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_2", + "searchKey": "aws_security_group_rule[positive3_ipv6_2]", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "245d2290b07882c6d20171b1f542f3943a91a92e9e2af8a24c16f7fef9642340", + "search_line": 44 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 52, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_3", + "searchKey": "aws_security_group_rule[positive3_ipv6_3]", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "f7762123c7d97317cad3b8d1be395e26bfdf5d8fbb8c68bdd4f698c871dfb1d2", + "search_line": 52 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 60, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3_ipv6_4", + "searchKey": "aws_security_group_rule[positive3_ipv6_4]", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue", + "similarityID": "5f5767923115ae09b96bc7cbfbff8378124a335bc70b827b1f78dde9cc0a6687", + "search_line": 60 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 5, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is 
allowed", + "issueType": "IncorrectValue", + "similarityID": "c251a9bd0d6a98a9b03ed7de59ba49673ee7f41caabc503120f628570109094c", + "search_line": 5 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 5, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.0", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "637a5b359eaa95d5ab8f0b03039b20b8a5cb10aedf2c90651e2f1ee26980b285", + "search_line": 5 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 11, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.1", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "0c6ba7b00944712633dc2b25594c0e817cfc702fdea2426de10d7b0bcbeb9eae", + "search_line": 11 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 17, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.2", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "9b905fc5be14b6666aeb956d0adb8cd84734e8adb8d18ff7da4c63a155475c6d", + "search_line": 17 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 23, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": 
"n/a", + "searchKey": "module[positive4_ipv4_1].ingress_with_cidr_blocks.3", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue", + "similarityID": "60546b4f167913531d0311bb7c6436811bd9ffa5679b80d91005ffeaa4522932", + "search_line": 23 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 35, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "465fe68e8041150d817f8c565440c8c39eebc895be15772e5abcd1a05053eebd", + "search_line": 35 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 35, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "e94c7ab6622506582280d2eda337c87e6558ba81c6419841489e4f7145e96ea6", + "search_line": 35 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 41, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.1", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "1b1c8d0834019b8f9717cd09376a6c75f0695ee51b1fb2f5faee0406976b4929", + 
"search_line": 41 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 47, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.2", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "e8e4e7552e4ad1832771799fde090b91dd48a2dda23cf3c663ccd121ad2ceed7", + "search_line": 47 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", "line": 53, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4_ipv6_1].ingress_with_ipv6_cidr_blocks.3", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue", + "similarityID": "f627afa1d62c5e18691ee5ac5605780e9cfbffe73466e7632aa9c445a4247c55", + "search_line": 53 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/service_control_policies_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/service_control_policies_disabled/test/positive_expected_result.json index 54eabf1329b..c4ec62a3aae 100644 --- a/assets/queries/terraform/aws/service_control_policies_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/service_control_policies_disabled/test/positive_expected_result.json 
@@ -3,6 +3,15 @@
 "queryName": "Service Control Policies Disabled",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive.tf"
+ "fileName": "positive.tf",
+ "resourceType": "aws_organizations_organization",
+ "resourceName": "positive1",
+ "searchKey": "aws_organizations_organization[positive1].feature_set",
+ "searchValue": "",
+ "expectedValue": "'feature_set' should be set to 'ALL' or undefined",
+ "actualValue": "'feature_set' is set to 'CONSOLIDATED_BILLING'",
+ "issueType": "IncorrectValue",
+ "similarityID": "12ef0a3fd657751c00a12deeb1663a1fe050c0cbeb6adc446ba5760d6dfac285",
+ "search_line": 7
 }
 ]
diff --git a/assets/queries/terraform/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json b/assets/queries/terraform/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json
index e4ff470c989..63c6f2d4426 100644
--- a/assets/queries/terraform/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/ses_policy_with_allowed_iam_actions/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "SES Policy With Allowed IAM Actions",
 "severity": "HIGH",
 "line": 4,
- "fileName": "positive.tf"
+ "fileName": "positive.tf",
+ "resourceType": "aws_ses_identity_policy",
+ "resourceName": "example",
+ "searchKey": "aws_ses_identity_policy[positive1].policy",
+ "searchValue": "",
+ "expectedValue": "'policy' should not allow IAM actions to all principals",
+ "actualValue": "'policy' allows IAM actions to all principals",
+ "issueType": "IncorrectValue",
+ "similarityID": "823218e9ed20841b76b9a6f3728f02681609abd5d98d7b82d7a7e3da9d83f9ad",
+ "search_line": 4
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/aws/shield_advanced_not_in_use/test/positive_expected_result.json b/assets/queries/terraform/aws/shield_advanced_not_in_use/test/positive_expected_result.json
index 28729391b1d..abecde18fb8 100644
--- a/assets/queries/terraform/aws/shield_advanced_not_in_use/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/shield_advanced_not_in_use/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Shield Advanced Not In Use",
 "severity": "LOW",
 "line": 5,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_eip",
+ "resourceName": "positive1",
+ "searchKey": "aws_eip[positive1]",
+ "searchValue": "",
+ "expectedValue": "aws_eip has shield advanced associated",
+ "actualValue": "aws_eip does not have shield advanced associated",
+ "issueType": "MissingAttribute",
+ "similarityID": "4ab175a0230164a1d2d3060fac7ede0ea0651ad2075ef47fc3fc1d1f7e0fad37",
+ "search_line": 5
 },
 {
 "queryName": "Shield Advanced Not In Use",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "aws_route53_zone",
+ "resourceName": "example.com",
+ "searchKey": "aws_route53_zone[positive2]",
+ "searchValue": "",
+ "expectedValue": "aws_route53_zone has shield advanced associated",
+ "actualValue": "aws_route53_zone does not have shield advanced associated",
+ "issueType": "MissingAttribute",
+ "similarityID": "27cf6d4aff829eef51e68d92ff5e900a96b3b7aec147bfcc7f7083d222afc7be",
+ "search_line": 1
 }
 ]
diff --git a/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/test/positive_expected_result.json b/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/test/positive_expected_result.json
index 0981ea3bf62..6a8e131e9c0 100644
--- a/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "SNS Topic Encrypted With AWS Managed Key",
 "severity": "MEDIUM",
 "line": 3,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "aws_sns_topic",
+ "resourceName": "user-updates-topic",
+ "searchKey": "aws_sns_topic[user_updates].kms_master_key_id",
+ "searchValue": "",
+ "expectedValue": "SNS Topic should not be encrypted with AWS managed key",
+ "actualValue": "SNS Topic is encrypted with AWS managed key",
+ "issueType": "IncorrectValue",
+ "similarityID": "74f283a327c3bd176e10b6fc518b9c1ba89dde224e68ab22c468ba00331b9768",
+ "search_line": -1
 },
 {
 "queryName": "SNS Topic Encrypted With AWS Managed Key",
 "severity": "MEDIUM",
 "line": 11,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "aws_sns_topic",
+ "resourceName": "sns_ecnrypted",
+ "searchKey": "aws_sns_topic[test].kms_master_key_id",
+ "searchValue": "",
+ "expectedValue": "SNS Topic should not be encrypted with AWS managed key",
+ "actualValue": "SNS Topic is encrypted with AWS managed key",
+ "issueType": "IncorrectValue",
+ "similarityID": "110ac83128258badb311205e60e11478233b2dd0dbef1a511f959e50b6b92530",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json
index cd70fcac674..01d369071f8 100644
--- a/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/sns_topic_is_publicly_accessible/test/positive_expected_result.json
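Review bot: Both new entries in the sns_topic_encrypted_with_aws_managed_key fixture pin `"search_line": -1` while their `line` values are 3 and 11, so the expected result now freezes an unresolved line lookup for `kms_master_key_id` instead of the attribute's real position. Every other hunk in this range (service_control_policies_disabled, ses_policy_with_allowed_iam_actions, shield_advanced_not_in_use and the sensitive_port_* files) has `search_line` equal to `line`, which makes these two stand out as either a query/search-key mismatch or a generator limitation rather than intended data. If -1 is the accepted sentinel for "could not resolve", a short note in the generator or the PR description saying so would let a later reviewer tell a regression from a known limitation; otherwise the search key for this query should be checked before the fixture is committed.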
@@ -3,60 +3,150 @@ "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", "line": 2, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_sns_topic", + "resourceName": "positive1", + "searchKey": "aws_sns_topic[positive1].policy", + "searchValue": "0", + "expectedValue": "'Statement[0].Principal.AWS' shouldn't contain '*'", + "actualValue": "'Statement[0].Principal.AWS' contains '*'", + "issueType": "IncorrectValue", + "similarityID": "fdc7ab0bc6ffe82f6aadd6c4b42f78472eaf86a8173725f5f9a0a2464026ed92", + "search_line": 2 }, { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", "line": 7, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "topic_policy", + "searchValue": "0", + "expectedValue": "'Statement[0].Principal.AWS' shouldn't contain '*'", + "actualValue": "'Statement[0].Principal.AWS' contains '*'", + "issueType": "IncorrectValue", + "similarityID": "208ea7ecec267639448cd4e30fc1f8b1dc4107fb5a9da8f6fdb6d44a2123e04e", + "search_line": 7 }, { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", "line": 12, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[sns_topic_with_policy_statements_valid].topic_policy_statements[0].principals", + "searchValue": "", + "expectedValue": "'topic_policy_statements[0].principals[0].identifiers' shouldn't contain '*' for an AWS Principal", + "actualValue": "'topic_policy_statements[0].principals[0].identifiers' contains '*' for an AWS Principal", + "issueType": "IncorrectValue", + "similarityID": "352c940424822a78f5b2abb752c096ab4cc8b480222563d24fb9e125fd046249", + "search_line": 12 }, { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", "line": 12, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + 
"searchKey": "module[sns_topic_with_policy_statements_not_limited_access].topic_policy_statements[0].principals", + "searchValue": "", + "expectedValue": "'topic_policy_statements[0].principals[0].identifiers' shouldn't contain '*' for an AWS Principal", + "actualValue": "'topic_policy_statements[0].principals[0].identifiers' contains '*' for an AWS Principal", + "issueType": "IncorrectValue", + "similarityID": "24ddcb5d89380b83f41ed60b3fd35b344768fba7d80588159d1bb6cb63d235fa", + "search_line": 12 }, { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", "line": 2, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "aws_sns_topic", + "resourceName": "positive1", + "searchKey": "aws_sns_topic[positive1].policy", + "searchValue": "0", + "expectedValue": "'Statement[0].Principal.AWS' shouldn't contain '*'", + "actualValue": "'Statement[0].Principal.AWS' contains '*'", + "issueType": "IncorrectValue", + "similarityID": "9c96ea434c570033aea36fe731fdbf3181f9734b8b7d4d8478175276230fa458", + "search_line": 2 }, { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", "line": 2, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "aws_sns_topic", + "resourceName": "positive1", + "searchKey": "aws_sns_topic[positive1].policy", + "searchValue": "2", + "expectedValue": "'Statement[2].Principal.AWS' shouldn't contain '*'", + "actualValue": "'Statement[2].Principal.AWS' contains '*'", + "issueType": "IncorrectValue", + "similarityID": "38ee19b5d175a208758e6b902339d248948ffad258b126f2062a06e651bba1ac", + "search_line": 2 }, { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", "line": 7, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "topic_policy", + "searchValue": "0", + "expectedValue": "'Statement[0].Principal.AWS' shouldn't contain '*'", + "actualValue": "'Statement[0].Principal.AWS' 
contains '*'", + "issueType": "IncorrectValue", + "similarityID": "c8deabe58d37e7fd8355a45e6d9e60308bffa51d3e7cb1dd091efe3569d53ca0", + "search_line": 7 }, { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", "line": 7, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "topic_policy", + "searchValue": "2", + "expectedValue": "'Statement[2].Principal.AWS' shouldn't contain '*'", + "actualValue": "'Statement[2].Principal.AWS' contains '*'", + "issueType": "IncorrectValue", + "similarityID": "0134864e0e75df8ab5b3d1129d596a7e3a8a6b738a812ba43dd30e70fa5db572", + "search_line": 7 }, { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", "line": 12, - "fileName": "positive7.tf" + "fileName": "positive7.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[sns_topic_with_policy_statements_valid].topic_policy_statements[0].principals", + "searchValue": "", + "expectedValue": "'topic_policy_statements[0].principals[0].identifiers' shouldn't contain '*' for an AWS Principal", + "actualValue": "'topic_policy_statements[0].principals[0].identifiers' contains '*' for an AWS Principal", + "issueType": "IncorrectValue", + "similarityID": "678b201781b3e2b28e309075f9c7f9c6dc19b0f8810c0155721a847b660368c2", + "search_line": 12 }, { "queryName": "SNS Topic is Publicly Accessible", "severity": "CRITICAL", "line": 34, - "fileName": "positive7.tf" + "fileName": "positive7.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[sns_topic_with_policy_statements_valid].topic_policy_statements[2].principals", + "searchValue": "", + "expectedValue": "'topic_policy_statements[2].principals[0].identifiers' shouldn't contain '*' for an AWS Principal", + "actualValue": "'topic_policy_statements[2].principals[0].identifiers' contains '*' for an AWS Principal", + "issueType": "IncorrectValue", + "similarityID": 
"fcbd3d529535f3562ec9972efad2ff52bfc47dc01faab5a236e0cc8f8bf6a062", + "search_line": 34 } ] diff --git a/assets/queries/terraform/aws/sns_topic_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/sns_topic_not_encrypted/test/positive_expected_result.json index 3e178210b87..eaf5956e6c0 100644 --- a/assets/queries/terraform/aws/sns_topic_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sns_topic_not_encrypted/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "SNS Topic Not Encrypted", "severity": "HIGH", "line": 3, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_sns_topic", + "resourceName": "user-updates-topic", + "searchKey": "aws_sns_topic[user_updates].kms_master_key_id", + "searchValue": "", + "expectedValue": "SNS Topic should be encrypted", + "actualValue": "SNS Topic is not encrypted", + "issueType": "IncorrectValue", + "similarityID": "9d67ba7201456f369908f4c969c8c176cdfe8380124beee7daeb5b5a9de1af3e", + "search_line": -1 }, { "queryName": "SNS Topic Not Encrypted", "severity": "HIGH", "line": 5, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_sns_topic", + "resourceName": "sns_not_ecnrypted", + "searchKey": "aws_sns_topic[test]", + "searchValue": "", + "expectedValue": "SNS Topic should be encrypted", + "actualValue": "SNS Topic is not encrypted", + "issueType": "MissingAttribute", + "similarityID": "590d003c990ef84a61b553ab819388bd6e69b2f1604e0031cf2517a21d5e5dc1", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json b/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json index 560428c2142..b3639359058 100644 
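Review bot: The positive2.tf and positive6.tf entries use the bare `"searchKey": "topic_policy"` with `resourceType`/`resourceName` set to `n/a`, unlike the positive3/4/7 module findings, which are qualified as `module[<name>].topic_policy_statements[...]`. An unqualified key cannot distinguish two modules in the same file that both set `topic_policy`, and the two positive6 findings are already told apart only by `searchValue` 0 vs 2. If the query builds this key from a module attribute, consider emitting `module[<name>].topic_policy` so the searchKey (and the similarityID derived from it) stays unambiguous when more modules are added; if the bare key is intentional, a short note next to the test would save the next regeneration from questioning it.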
--- a/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "SNS Topic Publicity Has Allow and NotAction Simultaneously", "severity": "MEDIUM", "line": 8, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_sns_topic_policy", + "resourceName": "positive2", + "searchKey": "aws_sns_topic_policy[positive2].policy", + "searchValue": "", + "expectedValue": "aws_sns_topic_policy[positive2].policy shouldn't have 'Effect: Allow' and 'NotAction' simultaneously", + "actualValue": "aws_sns_topic_policy[positive2].policy has 'Effect: Allow' and 'NotAction' simultaneously", + "issueType": "IncorrectValue", + "similarityID": "e0cd92a5578f9e7b933e70b784ed95c8960b78160099baeceff836b0b1142329", + "search_line": 8 }, { "queryName": "SNS Topic Publicity Has Allow and NotAction Simultaneously", "severity": "MEDIUM", "line": 12, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].policy", + "searchValue": "", + "expectedValue": "module[s3_bucket].policy shouldn't have 'Effect: Allow' and 'NotAction' simultaneously", + "actualValue": "module[s3_bucket].policy has 'Effect: Allow' and 'NotAction' simultaneously", + "issueType": "IncorrectValue", + "similarityID": "d3df40e113eb123fd09953a88659ba7811ef4c5370d70c2b3a78c0ea31d1ea1e", + "search_line": 12 } ] diff --git a/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json index 9f4fb9ef38f..04745b295d4 100644 
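Review bot: The removed lines show the old fixture used the key `"filename"` while the new one uses `"fileName"`, which suggests the file-name assertion for this query was never actually compared until this regeneration. The rename is correct, but it only surfaced as a side effect of rewriting the file; a loader that rejects unknown keys against a fixed allowed set would have failed on `filename` and will catch the next misspelling instead of silently skipping the check. Please confirm the same fix was applied everywhere the lowercase key appears, not just where files happened to be regenerated.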
--- a/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible/test/positive_expected_result.json 
@@ -3,102 +3,255 @@ "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-1].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-1].ingress shouldn't open SQL Analysis Services Port 2383", + "actualValue": "aws_security_group[positive1-1].ingress opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue", + "similarityID": "e5780cc4055b1e2c73491677dbc6c10ddadbe59eb9d85e7f97f1aaa6c39b0068", + "search_line": 5 }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", "line": 26, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-2].ingress[1]", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-2].ingress[1] shouldn't open SQL Analysis Services Port 2383", + "actualValue": "aws_security_group[positive1-2].ingress[1] opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue", + "similarityID": "b8d29144a095c75b2d0e09f9706b87ccffa1dd2a368d06539c15fded57aadf49", + "search_line": 26 }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", "line": 39, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-3].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-3].ingress shouldn't open SQL Analysis Services Port 2383", + "actualValue": "aws_security_group[positive1-3].ingress opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue", + "similarityID": 
"c528525dad861c3595ba06f46832042dbeda9cc931a18ba8df1dbfb7cd1230ea", + "search_line": 39 }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", "line": 60, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-4].ingress[1]", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-4].ingress[1] shouldn't open SQL Analysis Services Port 2383", + "actualValue": "aws_security_group[positive1-4].ingress[1] opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue", + "similarityID": "0a062d32eec34fbaafb1ba649767d721ab20654f92ba29526560f73a033eb517", + "search_line": 60 }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", "line": 73, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-5].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-5].ingress shouldn't open SQL Analysis Services Port 2383", + "actualValue": "aws_security_group[positive1-5].ingress opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue", + "similarityID": "ce55b86f582c2d2b0a89cf7f4114a6cf65e9f1fb64679dbddf74db67f26d9d2d", + "search_line": 73 }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", "line": 87, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-6].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-6].ingress shouldn't open SQL Analysis Services Port 2383", + "actualValue": "aws_security_group[positive1-6].ingress opens SQL Analysis Services Port 2383", + "issueType": 
"IncorrectValue", + "similarityID": "9e64c3a156c89e868ce3bbcd5baabdde1af2fbe5c4c79e5e499bab894da7eabc", + "search_line": 87 }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", "line": 101, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-7].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-7].ingress shouldn't open SQL Analysis Services Port 2383", + "actualValue": "aws_security_group[positive1-7].ingress opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue", + "similarityID": "d275719dd2649c97c0803bdf9df5297d28dc986866c758dcbff87f7ec5ba8231", + "search_line": 101 }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", "line": 7, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-1]", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-1] shouldn't open SQL Analysis Services Port 2383", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-1] opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue", + "similarityID": "c15dce7b7f7e3683da12122fe157e20e167f492a5ee578d622a691586bdba1dd", + "search_line": 7 }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", "line": 17, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-2]", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-2] shouldn't open SQL Analysis Services Port 2383", + "actualValue": 
"aws_vpc_security_group_ingress_rule[positive2-2] opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue", + "similarityID": "6347a721b53d2de28494a352c79f1d1f7fb0dcb1a7ab47234a1c990298d7c2c7", + "search_line": 17 }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", "line": 7, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-1", + "searchKey": "aws_security_group_rule[positive3-1]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-1] shouldn't open SQL Analysis Services Port 2383", + "actualValue": "aws_security_group_rule[positive3-1] opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue", + "similarityID": "a1f1b9268187830bb6d6bc8894509090525283701993b9cad45ccb7358011f0b", + "search_line": 7 }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", "line": 17, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-2", + "searchKey": "aws_security_group_rule[positive3-2]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-2] shouldn't open SQL Analysis Services Port 2383", + "actualValue": "aws_security_group_rule[positive3-2] opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue", + "similarityID": "3cb015912fed0b62c24ebb05aada7cbf8cbcd3015eba1fa61741f0044f66a3dd", + "search_line": 17 }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", "line": 11, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 shouldn't open SQL Analysis Services 
Port 2383", + "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue", + "similarityID": "ccb7314d8d71f121c30e3b729bff9c16769994e5629a289627552a3a33b3e8b8", + "search_line": 11 }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", "line": 30, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 shouldn't open SQL Analysis Services Port 2383", + "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue", + "similarityID": "b3b70959f86c54955e55b63f1d6c10197f17c0b7bea8da9c0d7209a346b6f3f3", + "search_line": 30 }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", "line": 49, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 shouldn't open SQL Analysis Services Port 2383", + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue", + "similarityID": "1b9fd6f2897c56331ddd56afc377c25ea9a4539cb7168f053473bdefa0e00974", + "search_line": 49 }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", "line": 63, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2", 
+ "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 shouldn't open SQL Analysis Services Port 2383", + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue", + "similarityID": "4e8c385bcea44e25245562af586991011c73266c6e102665fb838c507881adf2", + "search_line": 63 }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", "line": 82, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 shouldn't open SQL Analysis Services Port 2383", + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue", + "similarityID": "17177f5c8c5135ed77df67d323d08384f6fcd331ee926fa11482bbd3ccf87940", + "search_line": 82 }, { "queryName": "SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible", "severity": "MEDIUM", "line": 96, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 shouldn't open SQL Analysis Services Port 2383", + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 opens SQL Analysis Services Port 2383", + "issueType": "IncorrectValue", + "similarityID": "73d99e63d6011598477f582da2b94a2ac0283d18a78b326358b250e0b654c0d0", + "search_line": 96 } -] \ No newline at end of file +] 
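Review bot: In positive4.tf the array-based module variants are expected to flag `ingress_with_cidr_blocks.0` and `.2` (and the IPv6 equivalents) but not index 1, and because this fixture is generated from the scanner's output a rule at index 1 that should have matched would be accepted silently as a non-finding. Please confirm index 1 in both `vote_service_sg_ipv4_array` and `vote_service_sg_ipv6_array` is a deliberately non-matching rule (a different port or a non-public CIDR); otherwise this hunk locks in a false negative for a publicly exposed port. Separately, all seven positive1.tf findings carry `"resourceName": "allow_tls"`, so `resourceName` cannot disambiguate them and the harness must be matching on `searchKey`/`similarityID`.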
diff --git a/assets/queries/terraform/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json b/assets/queries/terraform/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json index 28b216d8473..747513f1d31 100644 --- a/assets/queries/terraform/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sqs_policy_allows_all_actions/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "SQS Policy Allows All Actions", "severity": "HIGH", "line": 8, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_sqs_queue_policy", + "resourceName": "positive2", + "searchKey": "aws_sqs_queue_policy[positive2].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' should not equal '*'", + "actualValue": "'policy.Statement.Action' is equal '*'", + "issueType": "IncorrectValue", + "similarityID": "c6de685373cc5be93dbd5b1e1e9dd1934a9e549437d780694f71490e4d32818a", + "search_line": 8 }, { "queryName": "SQS Policy Allows All Actions", "severity": "HIGH", "line": 12, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[s3_bucket].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Action' should not equal '*'", + "actualValue": "'policy.Statement.Action' is equal '*'", + "issueType": "IncorrectValue", + "similarityID": "43b20bf6fe0b98ee0aaa9ebfcde4e21459fed02b8b5e24fc2345f78047812ad7", + "search_line": 12 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/sqs_policy_with_public_access/test/positive_expected_result.json b/assets/queries/terraform/aws/sqs_policy_with_public_access/test/positive_expected_result.json index 6e7fbd9b231..0f6447c523a 100755 --- a/assets/queries/terraform/aws/sqs_policy_with_public_access/test/positive_expected_result.json 
+++ b/assets/queries/terraform/aws/sqs_policy_with_public_access/test/positive_expected_result.json @@ -2,16 +2,46 @@ { "queryName": "SQS Policy With Public Access", "severity": "MEDIUM", - "line": 8 + "line": 8, + "fileName": "positive.tf", + "resourceType": "aws_sqs_queue_policy", + "resourceName": "test", + "searchKey": "aws_sqs_queue_policy[test].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Principal.AWS' should not equal '*'", + "actualValue": "'policy.Statement.Principal.AWS' is equal '*'", + "issueType": "IncorrectValue", + "similarityID": "43b56f3d679637409e5a920ae2b481cfc8b19a3b4e62ebb5d02b999d0de63737", + "search_line": 8 }, { "queryName": "SQS Policy With Public Access", "severity": "MEDIUM", - "line": 39 + "line": 39, + "fileName": "positive.tf", + "resourceType": "aws_sqs_queue_policy", + "resourceName": "test_aws", + "searchKey": "aws_sqs_queue_policy[test_aws].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Principal.AWS' should not equal '*'", + "actualValue": "'policy.Statement.Principal.AWS' is equal '*'", + "issueType": "IncorrectValue", + "similarityID": "ae5613e51a60bf36866c59de1a03f0138ea6c31843e3020a553e5786639de33d", + "search_line": 39 }, { "queryName": "SQS Policy With Public Access", "severity": "MEDIUM", - "line": 64 + "line": 64, + "fileName": "positive.tf", + "resourceType": "aws_sqs_queue_policy", + "resourceName": "test_aws_array", + "searchKey": "aws_sqs_queue_policy[test_aws_array].policy", + "searchValue": "", + "expectedValue": "'policy.Statement.Principal.AWS' should not equal '*'", + "actualValue": "'policy.Statement.Principal.AWS' is equal '*'", + "issueType": "IncorrectValue", + "similarityID": "c045bde33bcc9aff29ee47c0ff12f348ae79ed7686465efe0fd55a26e00af6f3", + "search_line": 64 } ] 
diff --git a/assets/queries/terraform/aws/sqs_queue_exposed/test/positive_expected_result.json b/assets/queries/terraform/aws/sqs_queue_exposed/test/positive_expected_result.json index f2110c7add2..aebe6daaa6b 100644 --- a/assets/queries/terraform/aws/sqs_queue_exposed/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sqs_queue_exposed/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "SQS Queue Exposed", "severity": "HIGH", "line": 4, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_sqs_queue", + "resourceName": "examplequeue", + "searchKey": "aws_sqs_queue[positive1].policy", + "searchValue": "", + "expectedValue": "resource.aws_sqs_queue[positive1].policy.Principal shouldn't get the queue publicly accessible", + "actualValue": "resource.aws_sqs_queue[positive1].policy.Principal does get the queue publicly accessible", + "issueType": "IncorrectValue", + "similarityID": "919a58e17bba64467dd0314b5f004623b3b2d6834c9ad87910f43f252618f430", + "search_line": 4 }, { "queryName": "SQS Queue Exposed", "severity": "HIGH", "line": 12, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[user_queue]", + "searchValue": "", + "expectedValue": "'policy.Principal' shouldn't get the queue publicly accessible", + "actualValue": "'policy.Principal' does get the queue publicly accessible", + "issueType": "IncorrectValue", + "similarityID": "a0858c7fb4c0b4587af4a6ff8ecc207afdc4695870255b6125dcb14bf9ffd7cd", + "search_line": 12 } ] diff --git a/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/test/positive_expected_result.json b/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/test/positive_expected_result.json index eb09d54acff..009083e5087 100644 --- a/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/test/positive_expected_result.json 
+++ b/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "SQS VPC Endpoint Without DNS Resolution", "severity": "LOW", "line": 95, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_vpc_endpoint", + "resourceName": "sqs-vpc-endpoint", + "searchKey": "aws_vpc_endpoint[sqs-vpc-endpoint].vpc_id", + "searchValue": "", + "expectedValue": "'enable_dns_support' should be set to true or undefined", + "actualValue": "'enable_dns_support' is set to false", + "issueType": "IncorrectValue", + "similarityID": "b2ccd35897345723f316b494a71e26e1b976b573031b96a7fc048736de08d7f3", + "search_line": 95 }, { "queryName": "SQS VPC Endpoint Without DNS Resolution", "severity": "LOW", "line": 13, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vpc].enable_dns_support", + "searchValue": "", + "expectedValue": "'enable_dns_support' should be set to true or undefined", + "actualValue": "'enable_dns_support' is set to false", + "issueType": "IncorrectValue", + "similarityID": "f001cb4b4900659052d80d0ef42c861c074a9f56977e775a860b82dc48674561", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/sqs_with_sse_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/sqs_with_sse_disabled/test/positive_expected_result.json index b83429dea8f..9b883e1c7f0 100644 --- a/assets/queries/terraform/aws/sqs_with_sse_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sqs_with_sse_disabled/test/positive_expected_result.json 
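Review bot: The positive2.tf entry pins `"line": 13` with `"search_line": -1` while positive1.tf pins 95/95, so the module code path apparently returns no search line and the regenerated fixture now treats that as the expected result. Confirm this is intended; if the module path should report it, fix the query and regenerate so the entry reads `"search_line": 13` rather than baking the gap into the test. Also, the positive1 `searchKey` is `aws_vpc_endpoint[sqs-vpc-endpoint].vpc_id` while `expectedValue`/`actualValue` describe `enable_dns_support`, which lives on the referenced VPC rather than the endpoint — presumably deliberate so the finding lands on the endpoint, but worth a sentence in the query's documentation since a reader of this fixture will look for the attribute on the endpoint.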
@@ -3,42 +3,105 @@ "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_sqs_queue", + "resourceName": "terraform-example-queue", + "searchKey": "aws_sqs_queue[positive1]", + "searchValue": "", + "expectedValue": "aws_sqs_queue[positive1].kms_master_key_id or aws_sqs_queue[positive1].sqs_managed_sse_enabled should be defined and not null", + "actualValue": "aws_sqs_queue[positive1].kms_master_key_id and aws_sqs_queue[positive1].sqs_managed_sse_enabled are undefined or null", + "issueType": "MissingAttribute", + "similarityID": "0e61c8a128201749b6c5f3533f37c8d041d24e1d468c3d1f9d2e47cc525dfaef", + "search_line": 1 }, { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", "line": 3, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_sqs_queue", + "resourceName": "terraform-example-queue", + "searchKey": "aws_sqs_queue[positive2].kms_master_key_id", + "searchValue": "", + "expectedValue": "aws_sqs_queue.kms_master_key_id should not be ''", + "actualValue": "aws_sqs_queue.kms_master_key_id is ''", + "issueType": "IncorrectValue", + "similarityID": "ce5d62f8219fb79cec3d1259179c60505fd72129f2121a4a2923d1a89662af93", + "search_line": 3 }, { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_sqs_queue", + "resourceName": "terraform-example-queue", + "searchKey": "aws_sqs_queue[positive3]", + "searchValue": "", + "expectedValue": "aws_sqs_queue[positive3].kms_master_key_id or aws_sqs_queue[positive3].sqs_managed_sse_enabled should be defined and not null", + "actualValue": "aws_sqs_queue[positive3].kms_master_key_id and aws_sqs_queue[positive3].sqs_managed_sse_enabled are undefined or null", + "issueType": "MissingAttribute", + "similarityID": "e59efa5113d74320917e9d10522eb1445c23e210eb1571e3ee69cff79962b030", + "search_line": 1 }, { 
"queryName": "SQS With SSE Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[user_queue]", + "searchValue": "", + "expectedValue": "'kms_master_key_id' should be defined and not null", + "actualValue": "'kms_master_key_id' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "fe641ce7a47b135a2501338d5169e83a97c6806f2dae94fe6041eb3e91323ce6", + "search_line": 1 }, { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", "line": 12, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[user_queue]", + "searchValue": "", + "expectedValue": "'kms_master_key_id' should not be empty", + "actualValue": "'kms_master_key_id' is empty", + "issueType": "IncorrectValue", + "similarityID": "9e8bdca2cfc4a79d4ebd477a50ce95c8c2a333f934b5d9336cc9879910946ca0", + "search_line": 12 }, { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[user_queue]", + "searchValue": "", + "expectedValue": "'kms_master_key_id' should be defined and not null", + "actualValue": "'kms_master_key_id' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "8d861ad2b5733322792403c4c702174619f37d7096959ce2f515cb7b2a4fa16d", + "search_line": 1 }, { "queryName": "SQS With SSE Disabled", "severity": "MEDIUM", "line": 3, - "fileName": "positive7.tf" + "fileName": "positive7.tf", + "resourceType": "aws_sqs_queue", + "resourceName": "terraform-example-queue", + "searchKey": "aws_sqs_queue[positive7].sqs_managed_sse_enabled", + "searchValue": "", + "expectedValue": "aws_sqs_queue[positive7].sqs_managed_sse_enabled must be set to true", + "actualValue": "aws_sqs_queue[positive7].sqs_managed_sse_enabled is set to 
false", + "issueType": "IncorrectValue", + "similarityID": "dea1d56ff7732ee2b7730edeb507712acd33c1ccebf86489c6e284bb3b622e91", + "search_line": 3 } ] diff --git a/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/test/positive_expected_result.json index f7a3c9b578d..3056cfc4405 100644 --- a/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "SSM Session Transit Encryption Disabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_ssm_document", + "resourceName": "test_document", + "searchKey": "aws_ssm_document[positive1].content", + "searchValue": "", + "expectedValue": "'inputs' should be defined and not null", + "actualValue": "'inputs' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "dd5aeb15543d03b5ba5233acd3787b7fde01e36168a02b8960f5b3b30791d5cd", + "search_line": 5 }, { "queryName": "SSM Session Transit Encryption Disabled", "severity": "MEDIUM", "line": 5, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_ssm_document", + "resourceName": "test_document", + "searchKey": "aws_ssm_document[positive2].content", + "searchValue": "", + "expectedValue": "'inputs.kmsKeyId' should be defined and not null", + "actualValue": "'inputs.kmsKeyId' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "942235e4ff9395317b7aae600d5b433b5363b4650f38bd5473cd3fc1095cd4a1", + "search_line": 5 } ] 
diff --git a/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/test/positive_expected_result.json b/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/test/positive_expected_result.json index 2cf5ed333b9..db867c04f85 100644 --- a/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "SSO Permission With Inadequate User Session Duration", "severity": "LOW", "line": 6, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "aws_ssoadmin_permission_set_inline_policy", + "resourceName": "Example", + "searchKey": "aws_ssoadmin_permission_set[example3].session_duration", + "searchValue": "", + "expectedValue": "session_duration should not be higher than 1 hour", + "actualValue": "session_duration is higher than 1 hour", + "issueType": "IncorrectValue", + "similarityID": "526a20b76e655cf18d52f6d95f9a49961db2dceff3cfc682bd4c6bbabfd5c989", + "search_line": -1 }, { "queryName": "SSO Permission With Inadequate User Session Duration", "severity": "LOW", "line": 14, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "aws_ssoadmin_permission_set_inline_policy", + "resourceName": "Example", + "searchKey": "aws_ssoadmin_permission_set[example4].session_duration", + "searchValue": "", + "expectedValue": "session_duration should not be higher than 1 hour", + "actualValue": "session_duration is higher than 1 hour", + "issueType": "IncorrectValue", + "similarityID": "89baf188082f257f261459dafc13a949a15172292a3b50f7616c6a4d70a02959", + "search_line": -1 } -] \ No newline at end of file +] 
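Review bot: Both new entries in the sso_permission_with_inadequate_user_session_duration fixture set `"resourceType": "aws_ssoadmin_permission_set_inline_policy"` while their `searchKey` values point at `aws_ssoadmin_permission_set[example3]` and `aws_ssoadmin_permission_set[example4]`, so the expected result pins a resource type that does not match the resource actually flagged. If the query emits that type, the fixture is locking in a reporting defect rather than documenting correct behaviour; if the generator picked it up from a neighbouring resource, the two fields should be reconciled before this is merged. Both entries also carry `"search_line": -1` although `line` is known (6 and 14), whereas most other fixtures in this diff set `search_line` to the reported line, so it is worth confirming that -1 is intended here.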
diff --git a/assets/queries/terraform/aws/sso_policy_with_full_priveleges/test/positive_expected_result.json b/assets/queries/terraform/aws/sso_policy_with_full_priveleges/test/positive_expected_result.json index 664f7349db6..4e05fcb2fba 100644 --- a/assets/queries/terraform/aws/sso_policy_with_full_priveleges/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sso_policy_with_full_priveleges/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "SSO Policy with full privileges", "severity": "MEDIUM", "line": 4, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "aws_ssoadmin_permission_set_inline_policy", + "resourceName": "pos1", + "searchKey": "aws_ssoadmin_permission_set_inline_policy[pos1].inline_policy", + "searchValue": "", + "expectedValue": "inline_policy.Statement.Action should not equal to, nor contain '*'", + "actualValue": "inline_policy.Statement.Action is equal to or contains '*'", + "issueType": "IncorrectValue", + "similarityID": "91d44f602d69e6bde276b1dbd81cfad513a3978467ce9fb17f77b7723acb2210", + "search_line": 4 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/sso_policy_with_full_priveleges_copy/test/positive_expected_result.json b/assets/queries/terraform/aws/sso_policy_with_full_priveleges_copy/test/positive_expected_result.json index 68cd68bf846..ba8cb9d281e 100644 --- a/assets/queries/terraform/aws/sso_policy_with_full_priveleges_copy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/sso_policy_with_full_priveleges_copy/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "SSO Identity User Unsafe Creation", "severity": "MEDIUM", "line": 1, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "aws_identitystore_user", + "resourceName": "", + "searchKey": "aws_identitystore_user[example]", + "searchValue": "", + "expectedValue": "aws_identitystore_user resource should not be used", + "actualValue": "aws_identitystore_user resource is used", + "issueType": "IncorrectValue", + "similarityID": "7a26b16612bcd6c88c2ba37f37a7dd5e2e323deb03ea0b69561f0e94f17a54a6", + "search_line": 1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/stack_notifications_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/stack_notifications_disabled/test/positive_expected_result.json index 43f3b791e09..0698d45a3db 100644 --- a/assets/queries/terraform/aws/stack_notifications_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/stack_notifications_disabled/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Stack Notifications Disabled", "severity": "LOW", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_cloudformation_stack", + "resourceName": "networking-stack", + "searchKey": "aws_cloudformation_stack[positive1]", + "searchValue": "", + "expectedValue": "Attribute 'notification_arns' should be set", + "actualValue": "Attribute 'notification_arns' is undefined", + "issueType": "MissingAttribute", + "similarityID": "fee3590430d03c015a86ef0b8c13a4aa2b1b73c857b210ee514f4882afc23089", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/stack_retention_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/stack_retention_disabled/test/positive_expected_result.json index 7a4a46d716e..e05924e40d2 100644 --- a/assets/queries/terraform/aws/stack_retention_disabled/test/positive_expected_result.json 
+++ b/assets/queries/terraform/aws/stack_retention_disabled/test/positive_expected_result.json @@ -2,11 +2,31 @@ { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 5 + "line": 5, + "fileName": "positive.tf", + "resourceType": "aws_cloudformation_stack_set_instance", + "resourceName": "positive1", + "searchKey": "aws_cloudformation_stack_set_instance[positive1].retain_stack", + "searchValue": "", + "expectedValue": "aws_cloudformation_stack_set_instance[positive1].retain_stack should be true ", + "actualValue": "aws_cloudformation_stack_set_instance[positive1].retain_stack is false", + "issueType": "IncorrectValue", + "similarityID": "95237a7cac7e3e9b4df62d8f85acc0f2dab83d7eea8537fd63fcf7957cb4d1d1", + "search_line": 5 }, { "queryName": "Stack Retention Disabled", "severity": "MEDIUM", - "line": 8 + "line": 8, + "fileName": "positive.tf", + "resourceType": "aws_cloudformation_stack_set_instance", + "resourceName": "positive2", + "searchKey": "aws_cloudformation_stack_set_instance[positive2]", + "searchValue": "", + "expectedValue": "aws_cloudformation_stack_set_instance[positive2].retain_stack should be defined and not null", + "actualValue": "aws_cloudformation_stack_set_instance[positive2].retain_stack is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "d036846a45b2af2cfab916932449e08a8bda48a1f0769a319624843d5ce75eb9", + "search_line": 8 } ] diff --git a/assets/queries/terraform/aws/stack_without_template/test/positive_expected_result.json b/assets/queries/terraform/aws/stack_without_template/test/positive_expected_result.json index eb17c05fc24..1d644b5598d 100644 --- a/assets/queries/terraform/aws/stack_without_template/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/stack_without_template/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "Stack Without Template", "severity": "LOW", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_cloudformation_stack", + "resourceName": "networking-stack", + "searchKey": "aws_cloudformation_stack[positive1]", + "searchValue": "", + "expectedValue": "Attribute 'template_body' or Attribute 'template_url' should be set", + "actualValue": "Both Attribute 'template_body' and Attribute 'template_url' are undefined", + "issueType": "MissingAttribute", + "similarityID": "cf28fe3675b0f96dbfa5faf71dc0d56b40c9db6033f351d1a22a4355ed4a874c", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json b/assets/queries/terraform/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json index db60b61449e..d07eecba1f0 100644 --- a/assets/queries/terraform/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/tags_not_copied_to_rds_cluster_snapshot/test/positive_expected_result.json 
@@ -1,38 +1,92 @@ [ - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 8, - "fileName": "positive1.tf" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 1, - "fileName": "positive2.tf" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 11, - "fileName": "positive3.tf" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 1, - "fileName": "positive4.tf" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 9, - "fileName": "positive5.tf" - }, - { - "queryName": "Tags Not Copied to RDS Cluster Snapshot", - "severity": "LOW", - "line": 1, - "fileName": "positive6.tf" - } -] \ No newline at end of file + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 8, + "fileName": "positive1.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "example", + "searchKey": "aws_rds_cluster[example].copy_tags_to_snapshot", + "searchValue": "", + "expectedValue": "'aws_rds_cluster[example].copy_tags_to_snapshot' should be set to true", + "actualValue": "'aws_rds_cluster[example].copy_tags_to_snapshot' is set to false", + "issueType": "IncorrectValue", + "similarityID": "5fc6803581f699a25279d91d541fdabfa2371600bb6f38acfceab012ef5d151f", + "search_line": 8 + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 1, + "fileName": "positive2.tf", + "resourceType": "aws_rds_cluster", + "resourceName": "example", + "searchKey": "aws_rds_cluster[example]", + "searchValue": "", + "expectedValue": "'aws_rds_cluster[example].copy_tags_to_snapshot' should be defined to true", + "actualValue": "'aws_rds_cluster[example].copy_tags_to_snapshot' is not defined", + "issueType": "MissingAttribute", + "similarityID": "32db63f4a407cf6b5e6fe595dcb01f70ff94c8e091a37e75de0b309f3d9fd419", + 
"search_line": 1 + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 11, + "fileName": "positive3.tf", + "resourceType": "aws_db_instance", + "resourceName": "example", + "searchKey": "aws_db_instance[example].copy_tags_to_snapshot", + "searchValue": "", + "expectedValue": "'aws_db_instance[example].copy_tags_to_snapshot' should be set to true", + "actualValue": "'aws_db_instance[example].copy_tags_to_snapshot' is set to false", + "issueType": "IncorrectValue", + "similarityID": "333c12b9b9713b0c9398d245d5d4a6b487f0ab0df26eb36362de30f6a751fdfc", + "search_line": 11 + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 1, + "fileName": "positive4.tf", + "resourceType": "aws_db_instance", + "resourceName": "example", + "searchKey": "aws_db_instance[example]", + "searchValue": "", + "expectedValue": "'aws_db_instance[example].copy_tags_to_snapshot' should be defined to true", + "actualValue": "'aws_db_instance[example].copy_tags_to_snapshot' is not defined", + "issueType": "MissingAttribute", + "similarityID": "3abb59ffba0d0b5c0297bef20b93081e9a01ab75796d47d48bd75fdd5765d7fa", + "search_line": 1 + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 9, + "fileName": "positive5.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[rds_cluster].copy_tags_to_snapshot", + "searchValue": "", + "expectedValue": "'module[rds_cluster].copy_tags_to_snapshot' should be set to true", + "actualValue": "'module[rds_cluster].copy_tags_to_snapshot' is set to false", + "issueType": "IncorrectValue", + "similarityID": "986e22045f4d0d1ed956918b6505b584a6017b6fb68fcc6aea8f9fa0c8790233", + "search_line": 9 + }, + { + "queryName": "Tags Not Copied to RDS Cluster Snapshot", + "severity": "LOW", + "line": 1, + "fileName": "positive6.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[rds_cluster]", + 
"searchValue": "", + "expectedValue": "'module[rds_cluster].copy_tags_to_snapshot' should be defined to true", + "actualValue": "'module[rds_cluster].copy_tags_to_snapshot' is not defined", + "issueType": "MissingAttribute", + "similarityID": "cc921cbfb949870485428f416af54c4d4ba374d08dd58b870ca30f84d207c9d2", + "search_line": 1 + } +] diff --git a/assets/queries/terraform/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json b/assets/queries/terraform/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json index cf294ab2f7e..65711e442df 100644 --- a/assets/queries/terraform/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/unknown_port_exposed_to_internet/test/positive_expected_result.json 
@@ -3,102 +3,255 @@ "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 5, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-1].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-1].ingress ports are known", + "actualValue": "aws_security_group[positive1-1].ingress ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue", + "similarityID": "64982eaeb72e5969ba1da02a7f1252cf95bd9e2717d2acfc372e357c2b2c4ec4", + "search_line": 5 }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 26, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-2].ingress[1]", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-2].ingress[1] ports are known", + "actualValue": "aws_security_group[positive1-2].ingress[1] ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue", + "similarityID": "9cc867c132c896138834371234ad8d8e3deb56be370fdd8b4765d0041bb8daca", + "search_line": 26 }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 39, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-3].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-3].ingress ports are known", + "actualValue": "aws_security_group[positive1-3].ingress ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue", + "similarityID": "7b3c2bfc5df4208cbd2685d6c8ef9c24c07b8a548077f233007dcd8730092883", + "search_line": 39 }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 60, - "fileName": 
"positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-4].ingress[1]", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-4].ingress[1] ports are known", + "actualValue": "aws_security_group[positive1-4].ingress[1] ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue", + "similarityID": "06248953b1910c1080df06b0b15702ef45c182a6c00fbd54d2cb21b0cd748dc5", + "search_line": 60 }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 73, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-5].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-5].ingress ports are known", + "actualValue": "aws_security_group[positive1-5].ingress ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue", + "similarityID": "a725682d667a497c87c8e130d197e8c5a5e4019290bf84d5f0841d45851af79d", + "search_line": 73 }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 87, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "allow_tls", + "searchKey": "aws_security_group[positive1-6].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-6].ingress ports are known", + "actualValue": "aws_security_group[positive1-6].ingress ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue", + "similarityID": "982041c126798500de6a1720c8a80249f52662f00be3405f3c0cd46ba43dd8ff", + "search_line": 87 }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 101, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": 
"allow_tls", + "searchKey": "aws_security_group[positive1-7].ingress", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-7].ingress ports are known", + "actualValue": "aws_security_group[positive1-7].ingress ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue", + "similarityID": "81050efab889d26cd40185b1a01554549a602a24f54d91241127f0169ef23001", + "search_line": 101 }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 7, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-1]", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-1] ports are known", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-1] ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue", + "similarityID": "02456100dd2e46b0594dbaef56acafd0008f1efd3da0cddb92f2fc165cb44990", + "search_line": 7 }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 17, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-2]", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-2] ports are known", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-2] ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue", + "similarityID": "e2e0d1298f58bab85e4cb981cb736d10276f10614fb2107e7ebe78b3482e3844", + "search_line": 17 }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 7, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-1", + "searchKey": 
"aws_security_group_rule[positive3-1]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-1] ports are known", + "actualValue": "aws_security_group_rule[positive3-1] ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue", + "similarityID": "e8d5d7f37a60dff37e9dbcab034927ca77279ee6dade3e28e4693343bb426c53", + "search_line": 7 }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 17, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-2", + "searchKey": "aws_security_group_rule[positive3-2]", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-2] ports are known", + "actualValue": "aws_security_group_rule[positive3-2] ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue", + "similarityID": "8858271bd8d19748a8628de7e38a62c5f0ad82513ca0bc84259d554f23e9d18a", + "search_line": 17 }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 11, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 ports are known", + "actualValue": "module[vote_service_sg_ipv4].ingress_with_cidr_blocks.0 ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue", + "similarityID": "8146da3ab4cda092dface0c3188f09e9c1f5f48b7df7e24ac3fa6fc0906b7a4e", + "search_line": 11 }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 30, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0", + "searchValue": "", + "expectedValue": 
"module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 ports are known", + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.0 ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue", + "similarityID": "c55aaf9c6896439f325c74312006cdbeac8166fd3ab25c7a4d580f363e422298", + "search_line": 30 }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 44, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 ports are known", + "actualValue": "module[vote_service_sg_ipv4_array].ingress_with_cidr_blocks.2 ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue", + "similarityID": "fc93745e6898d934240e78de8f2a0cda3bf0a0f9c629c151c6d5a1fb26726c02", + "search_line": 44 }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 63, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 ports are known", + "actualValue": "module[vote_service_sg_ipv6].ingress_with_ipv6_cidr_blocks.0 ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue", + "similarityID": "d85c21a0c7fce27dc436a225b031e5f637ba7d3359772ba053beac81c84dfc15", + "search_line": 63 }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 82, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0", + "searchValue": "", + 
"expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 ports are known", + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.0 ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue", + "similarityID": "c008b50a6fd8455d89b05587e699ca6921eed44ff38864294a1910af27235787", + "search_line": 82 }, { "queryName": "Unknown Port Exposed To Internet", "severity": "HIGH", "line": 96, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2", + "searchValue": "", + "expectedValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 ports are known", + "actualValue": "module[vote_service_sg_ipv6_array].ingress_with_ipv6_cidr_blocks.2 ports are unknown and exposed to the entire Internet", + "issueType": "IncorrectValue", + "similarityID": "dd398e2e9222a8e9ed19a2bf2515765b7bae3d92d7932e9821fb80e54d406867", + "search_line": 96 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/unrestricted_security_group_ingress/test/positive_expected_result.json b/assets/queries/terraform/aws/unrestricted_security_group_ingress/test/positive_expected_result.json index 7dd42051ddc..98f3245abff 100644 --- a/assets/queries/terraform/aws/unrestricted_security_group_ingress/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/unrestricted_security_group_ingress/test/positive_expected_result.json 
@@ -3,108 +3,270 @@ "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 6, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1-ipv4", + "searchKey": "aws_security_group[positive1-ipv4].ingress.cidr_blocks", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-ipv4].ingress.cidr_blocks should not contain '0.0.0.0/0'", + "actualValue": "aws_security_group[positive1-ipv4].ingress.cidr_blocks contains '0.0.0.0/0'", + "issueType": "IncorrectValue", + "similarityID": "c353b11f2999101cf8d87511fc48d9ba10ef729e55192f25ae9f26d07d1640fb", + "search_line": 6 }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 16, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1-ipv6", + "searchKey": "aws_security_group[positive1-ipv6].ingress.ipv6_cidr_blocks", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-ipv6].ingress.ipv6_cidr_blocks should not contain '::/0'", + "actualValue": "aws_security_group[positive1-ipv6].ingress.ipv6_cidr_blocks contains '::/0'", + "issueType": "IncorrectValue", + "similarityID": "9ef898b97742d2f8a401de377de0d042d5ebe00b6ddb60961d3f693edb2f6f84", + "search_line": 16 }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 33, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1-ipv4_array", + "searchKey": "aws_security_group[positive1-ipv4_array].ingress[1].cidr_blocks", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-ipv4_array].ingress[1].cidr_blocks should not contain '0.0.0.0/0'", + "actualValue": "aws_security_group[positive1-ipv4_array].ingress[1].cidr_blocks contains '0.0.0.0/0'", + "issueType": "IncorrectValue", + "similarityID": 
"ee604d2731c0ff7c0ed340b69f0a4bd85c8be18f4ea8655aae629b8d8e3aab79", + "search_line": 33 }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 49, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_security_group", + "resourceName": "positive1-ipv6_array", + "searchKey": "aws_security_group[positive1-ipv6_array].ingress[1].ipv6_cidr_blocks", + "searchValue": "", + "expectedValue": "aws_security_group[positive1-ipv6_array].ingress[1].ipv6_cidr_blocks should not contain '::/0'", + "actualValue": "aws_security_group[positive1-ipv6_array].ingress[1].ipv6_cidr_blocks contains '::/0'", + "issueType": "IncorrectValue", + "similarityID": "9c08f2c522ff376c6c9f989aa34e0d7dbe982392167e77d93782f5e13c5566ee", + "search_line": 49 }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 6, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-ipv4", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-ipv4].cidr_ipv4", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-ipv4].cidr_ipv4 should not be equal to '0.0.0.0/0'", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-ipv4].cidr_ipv4 is equal to '0.0.0.0/0'", + "issueType": "IncorrectValue", + "similarityID": "65195912c8aaa0fda26287dae0d6834ed9c2382e6e6fffc50357942cd5514589", + "search_line": 6 }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 15, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-ipv6_1", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-ipv6_1].cidr_ipv6", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-ipv6_1].cidr_ipv6 should not be equal to '::/0'", + "actualValue": 
"aws_vpc_security_group_ingress_rule[positive2-ipv6_1].cidr_ipv6 is equal to '::/0'", + "issueType": "IncorrectValue", + "similarityID": "d91301630b442009e8b0eb674ea88deff89fff11d4fb7d118b5862e943bc0045", + "search_line": 15 }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 24, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_vpc_security_group_ingress_rule", + "resourceName": "positive2-ipv6_2", + "searchKey": "aws_vpc_security_group_ingress_rule[positive2-ipv6_2].cidr_ipv6", + "searchValue": "", + "expectedValue": "aws_vpc_security_group_ingress_rule[positive2-ipv6_2].cidr_ipv6 should not be equal to '0000:0000:0000:0000:0000:0000:0000:0000/0'", + "actualValue": "aws_vpc_security_group_ingress_rule[positive2-ipv6_2].cidr_ipv6 is equal to '0000:0000:0000:0000:0000:0000:0000:0000/0'", + "issueType": "IncorrectValue", + "similarityID": "66bd7e0fc11803f334c734fd50bc3e2a93ea8300eac21076e189fa1faa31ff12", + "search_line": 24 }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 6, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-ipv4", + "searchKey": "aws_security_group_rule[positive3-ipv4].cidr_blocks", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-ipv4].cidr_blocks' should not contain '0.0.0.0/0'", + "actualValue": "aws_security_group_rule[positive3-ipv4].cidr_blocks' contains '0.0.0.0/0'", + "issueType": "IncorrectValue", + "similarityID": "b0c25fefdf548e3d430f4b5699fbe58992da84fd1b6eda8d93356ee8a7e44c72", + "search_line": 6 }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 15, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-ipv6_1", + "searchKey": "aws_security_group_rule[positive3-ipv6_1].ipv6_cidr_blocks", + "searchValue": "", + 
"expectedValue": "aws_security_group_rule[positive3-ipv6_1].ipv6_cidr_blocks should not contain '::/0'", + "actualValue": "aws_security_group_rule[positive3-ipv6_1].ipv6_cidr_blocks contains '::/0'", + "issueType": "IncorrectValue", + "similarityID": "7abcfda062a2572e98d1aef12ecb1b2d1d936a1b712c74bdba6b08cc9afbe0c7", + "search_line": 15 }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 24, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_security_group_rule", + "resourceName": "positive3-ipv6_2", + "searchKey": "aws_security_group_rule[positive3-ipv6_2].ipv6_cidr_blocks", + "searchValue": "", + "expectedValue": "aws_security_group_rule[positive3-ipv6_2].ipv6_cidr_blocks should not contain '0:0:0:0:0:0:0:0/0'", + "actualValue": "aws_security_group_rule[positive3-ipv6_2].ipv6_cidr_blocks contains '0:0:0:0:0:0:0:0/0'", + "issueType": "IncorrectValue", + "similarityID": "d8db80e6d398f3650cdde617abb5438e6208116515480d4f11fdd9830ade0aec", + "search_line": 24 }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 4, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4-ipv4].ingress_cidr_blocks", + "searchValue": "", + "expectedValue": "module[positive4-ipv4].ingress_cidr_blocks should not contain '0.0.0.0/0'", + "actualValue": "module[positive4-ipv4].ingress_cidr_blocks contains '0.0.0.0/0'", + "issueType": "IncorrectValue", + "similarityID": "6b8acdb089fbe77338d0de3037dd3ac65d9bd14e7b97cfb7df6d1d0745fcbe9b", + "search_line": 4 }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 10, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4-ipv4_array].ingress_cidr_blocks", + "searchValue": "", + "expectedValue": "module[positive4-ipv4_array].ingress_cidr_blocks should not 
contain '0.0.0.0/0'", + "actualValue": "module[positive4-ipv4_array].ingress_cidr_blocks contains '0.0.0.0/0'", + "issueType": "IncorrectValue", + "similarityID": "1ea2cfeb1ace6ddba86f8740b1e9c8f98309d55a323066bb1b55f17c4aa4d379", + "search_line": 10 }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 16, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4-ipv6].ingress_ipv6_cidr_blocks", + "searchValue": "", + "expectedValue": "module[positive4-ipv6].ingress_ipv6_cidr_blocks should not contain '::/0'", + "actualValue": "module[positive4-ipv6].ingress_ipv6_cidr_blocks contains '::/0'", + "issueType": "IncorrectValue", + "similarityID": "dd88b815ae7d505cd1d70683b0d86830fde6d4c74a95ef90e2e10f7abc6fb05c", + "search_line": 16 }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 22, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4-ipv6_array].ingress_ipv6_cidr_blocks", + "searchValue": "", + "expectedValue": "module[positive4-ipv6_array].ingress_ipv6_cidr_blocks should not contain '::/0'", + "actualValue": "module[positive4-ipv6_array].ingress_ipv6_cidr_blocks contains '::/0'", + "issueType": "IncorrectValue", + "similarityID": "21d15b630965aa7e19fd10d83f4a280145093d50772b2a9bbb5cf655a639c4b0", + "search_line": 22 }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 34, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4-whole_ingresses].ingress_with_cidr_blocks[0].cidr_blocks", + "searchValue": "", + "expectedValue": "module[positive4-whole_ingresses].ingress_with_cidr_blocks[0].cidr_blocks should not contain '0.0.0.0/0'", + "actualValue": 
"module[positive4-whole_ingresses].ingress_with_cidr_blocks[0].cidr_blocks contains '0.0.0.0/0'", + "issueType": "IncorrectValue", + "similarityID": "82a37ca73e65d35f25ca481f453b3604beace22a393bbea655b4b98ee3e82941", + "search_line": 34 }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 48, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4-whole_ingresses].ingress_with_cidr_blocks[2].cidr_blocks", + "searchValue": "", + "expectedValue": "module[positive4-whole_ingresses].ingress_with_cidr_blocks[2].cidr_blocks should not contain '0.0.0.0/0'", + "actualValue": "module[positive4-whole_ingresses].ingress_with_cidr_blocks[2].cidr_blocks contains '0.0.0.0/0'", + "issueType": "IncorrectValue", + "similarityID": "3b07719894fd63848d0d7ea32605af0f617e22cd56cb69a280dbc8a6768842d4", + "search_line": 48 }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 58, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[0].ipv6_cidr_blocks", + "searchValue": "", + "expectedValue": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[0].ipv6_cidr_blocks should not contain '::/0'", + "actualValue": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[0].ipv6_cidr_blocks contains '::/0'", + "issueType": "IncorrectValue", + "similarityID": "e2e781bdf361b1df28c50618396f36a3e694923ad69a79ac04fba98f860f2909", + "search_line": 58 }, { "queryName": "Unrestricted Security Group Ingress", "severity": "HIGH", "line": 72, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[2].ipv6_cidr_blocks", + "searchValue": "", + "expectedValue": 
"module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[2].ipv6_cidr_blocks should not contain '::/0'", + "actualValue": "module[positive4-whole_ingresses].ingress_with_ipv6_cidr_blocks[2].ipv6_cidr_blocks contains '::/0'", + "issueType": "IncorrectValue", + "similarityID": "e8a620777888c0dcaa34eedd4774f80408dd676755874a949c4db9145c8953d4", + "search_line": 72 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/unscanned_ecr_image/test/positive_expected_result.json b/assets/queries/terraform/aws/unscanned_ecr_image/test/positive_expected_result.json index 7b15042be08..51e3c57b78d 100644 --- a/assets/queries/terraform/aws/unscanned_ecr_image/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/unscanned_ecr_image/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Unscanned ECR Image", "severity": "LOW", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_ecr_repository", + "resourceName": "img_p_2", + "searchKey": "aws_ecr_repository[positive1]", + "searchValue": "", + "expectedValue": "aws_ecr_repository[positive1].image_scanning_configuration should be defined", + "actualValue": "aws_ecr_repository[positive1].image_scanning_configuration is undefined", + "issueType": "MissingAttribute", + "similarityID": "67e0445ccba8ae94167cd967c4f2a2357ae6052152287b0c37bc2b33a0da0026", + "search_line": 1 }, { "queryName": "Unscanned ECR Image", "severity": "LOW", - "line": 11 + "line": 11, + "fileName": "positive.tf", + "resourceType": "aws_ecr_repository", + "resourceName": "img_p_1", + "searchKey": "aws_ecr_repository[positive2].image_scanning_configuration.scan_on_push", + "searchValue": "", + "expectedValue": "aws_ecr_repository[positive2].image_scanning_configuration.scan_on_push is true", + "actualValue": "aws_ecr_repository[positive2].image_scanning_configuration.scan_on_push is false", + "issueType": "IncorrectValue", + "similarityID": "7b0aeeaaef2089b7551f160222464b56bb54faa8a10cf92f153841d6325f77df", + "search_line": 11 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json b/assets/queries/terraform/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json index fed5ff19d06..a4212354afb 100644 --- a/assets/queries/terraform/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_data_contains_encoded_private_key/test/positive_expected_result.json 
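Review bot: The `resourceName` values look cross-wired against the Terraform labels: the entry keyed `"searchKey": "aws_ecr_repository[positive1]"` carries `"resourceName": "img_p_2"`, and the one keyed `aws_ecr_repository[positive2].image_scanning_configuration.scan_on_push` carries `"resourceName": "img_p_1"`. If `resourceName` is taken from the repository's `name` attribute rather than the block label this may be exactly what positive.tf declares, but that file is not visible here, and the generator copies whatever the scan emits without checking it. Please confirm against positive.tf before this fixture locks the pairing in; if they really are swapped, the fix belongs in the test input or the name extraction, not in this JSON.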
@@ -3,18 +3,45 @@ "queryName": "User Data Contains Encoded Private Key", "severity": "HIGH", "line": 5, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_launch_configuration", + "resourceName": "positive1", + "searchKey": "aws_launch_configuration[positive1].user_data_base64", + "searchValue": "", + "expectedValue": "aws_launch_configuration[positive1].user_data_base64 shouldn't contain RSA Private Key", + "actualValue": "aws_launch_configuration[positive1].user_data_base64 contains RSA Private Key", + "issueType": "IncorrectValue", + "similarityID": "4546afc8042eb58d377bc5be783ac14398aa9852c2b158ffbb3ff7e8e122f825", + "search_line": 5 }, { "queryName": "User Data Contains Encoded Private Key", "severity": "HIGH", "line": 11, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive2].user_data_base64", + "searchValue": "", + "expectedValue": "'user_data_base64' shouldn't contain RSA Private Key", + "actualValue": "'user_data_base64' contains RSA Private Key", + "issueType": "IncorrectValue", + "similarityID": "0d4463d83ee1491b2b549c6b353f56bdde047e7e4e49baeaefaa4211e982cb82", + "search_line": 11 }, { "queryName": "User Data Contains Encoded Private Key", "severity": "HIGH", "line": 11, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module[positive3].user_data_base64", + "searchValue": "", + "expectedValue": "'user_data_base64' shouldn't contain RSA Private Key", + "actualValue": "'user_data_base64' contains RSA Private Key", + "issueType": "IncorrectValue", + "similarityID": "a132ddd8ec371b695670bcf12b74a6603e2279207e9ee35f968660f6d96961e6", + "search_line": 11 } ] 
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json index a5187a85df5..3e45719a3a6 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "7f31a3600aeb8718d152be44a8aa2be6f89643d1cf1b54a5fcc62e95bfed3862", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json index fadf1f82e70..78bbaadc24b 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "User With Privilege Escalation By Actions 'iam:AddUserToGroup'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic should not be associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "41f589073a370f836e7af03844ef5be59dc77141945546ed7d8eb56396290fd0", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json index cc364849975..b7261f4e06d 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "ca24377bb3a32dd99d68d584fd6a9434775681d2089c363766b9d48badb35250", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json index f13a564510c..43ae84354f1 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "User With Privilege Escalation By Actions 'iam:AttachRolePolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "b8a0b5d2766125844e2230fd756f63b232cd61b98aa01be98cdeb88cf3b710e0", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json index cfa007e434e..7ca86718fd3 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "User With Privilege Escalation By Actions 'iam:AttachUserPolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "05b4f4f9ddb3521296df91748ad8ee71b524bbef37fc8c6690515b7b07b6ae83", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json index 91f4cdc0430..e305d6b2694 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "User With Privilege Escalation By Actions 'iam:CreateAccessKey'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "14cbf6522227f5d21a6b271d9c7ec9e96058e469bcbeea900b210dd6d8230cea", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json index 143dfff1de7..cf39b75558e 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "User With Privilege Escalation By Actions 'iam:CreateLoginProfile'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "c5657e661da9cf276e2fd35c2955f6da4fcdcf212d365db67172cc373494aade", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json index b352f43641b..c6f5018c838 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "0d3a0dfa5bba0cd89048d7bc1524924edcb626f68e6fb0891e28eb4142f1e6f2", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json index 879bd188148..e88ebb9ce25 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "9c72bad5b58cbf618d66bc6edd64d3c5291373a5ea8ce1d285e2dca07817e598", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json index 0c13f4076a7..fcf70a63cbb 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "2425bc2b5fb6c285c0bd87775a4f534ae1b569e4bd155cd96c33b39a0347201a", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json index 1a3d09d345f..e2804cd776c 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "f6e2107ad9f9524de5be1167d127b18e8b98ced070ed265ac35570d595a70f80", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json index 4cee4fa0fd8..19955658e14 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "bd6b650a731f0c592f85f2b78e0f710ddf2ee90175ec48d9aa28ac7e189c486d", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json index a91dbda2cc9..59e50927cf9 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "User With Privilege Escalation By Actions 'iam:PutGroupPolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic should not be associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "34a317c183ba95f0152de3da1e783fe6c25f4c508fefd93247404e477ef8bdc7", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json index 8b92368e2b1..41939315704 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "User With Privilege Escalation By Actions 'iam:PutRolePolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic should not be associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "8dd547e802db7754c723418f6ab0dd9c61af19b3b98848e64444abd05fc324bc", + "search_line": 1 } ] 
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json index 77d75f77411..13f4ee33d51 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "User With Privilege Escalation By Actions 'iam:PutUserPolicy'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic should not be associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "6df9d8b3df1f6fdcbd14d14fb3ad8946acef4b527beeb9f0740c339c41fbcb61", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json index 2f7cf644813..00e00906a2c 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "8adcc2463c4a9f9b3ba7a4641f7f0b01de5af63b36ea573260f3e3ac872f5cad", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json index 89f59bd7941..f0569bbe62d 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "eed6c5b182e0d7b74f67f3e14785d7841524a39c0ea5bd474a364b46524e47ab", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json index f7792753ab7..10a9bdada22 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "8cf8f28c0c527e1a9a545694f24ed75e5175dae90786686056c3cc9d6bbb0067", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json index 86b7d699b34..fc4c5c48c41 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_iam_user", + "resourceName": "cosmic", + "searchKey": "aws_iam_user[cosmic]", + "searchValue": "", + "expectedValue": "user cosmic shouldn't be associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", + "actualValue": "user cosmic is associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", + "issueType": "IncorrectValue", + "similarityID": "d9a3c0c4f9d573d13ebc50c8a13f2ea65f7d10254f47b3c4ab6204d23ee6496c", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/test/positive_expected_result.json b/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/test/positive_expected_result.json index 01328bc7e3e..285cf6fa6c3 100644 --- a/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "VPC Default Security Group Accepts All Traffic", "severity": "HIGH", "line": 8, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_default_security_group", + "resourceName": "default", + "searchKey": "aws_default_security_group[{{default}}].ingress", + "searchValue": "", + "expectedValue": "aws_default_security_group[{{default}}] should not have 'ingress' defined", + "actualValue": "aws_default_security_group[{{default}}] has 'ingress' defined", + "issueType": "IncorrectValue", + "similarityID": "2d41938f078290a68058b1041f34e642cbff3c9aa04c62a234c4abee6bb02d2d", + "search_line": -1 }, { "queryName": "VPC Default Security Group Accepts All Traffic", "severity": "HIGH", "line": 17, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_default_security_group", + "resourceName": "default", + "searchKey": "aws_default_security_group[{{default}}].egress", + "searchValue": "", + "expectedValue": "aws_default_security_group[{{default}}] should not have 'egress' defined", + "actualValue": "aws_default_security_group[{{default}}] has 'egress' defined", + "issueType": "IncorrectValue", + "similarityID": "7cb0ecff5496140f1cd56c1d0ae886dc75d4cd784df31c6a358897cef2103e36", + "search_line": -1 }, { "queryName": "VPC Default Security Group Accepts All Traffic", "severity": "HIGH", "line": 8, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_default_security_group", + "resourceName": "default3", + "searchKey": "aws_default_security_group[{{default3}}].ingress", + "searchValue": "", + "expectedValue": "aws_default_security_group[{{default3}}] should not have 'ingress' defined", + "actualValue": "aws_default_security_group[{{default3}}] has 'ingress' defined", + "issueType": "IncorrectValue", + "similarityID": "8075855f077644c953ac72e5c38feab75739bebd80c41c0593f8749659b7c518", + "search_line": -1 }, { "queryName": "VPC Default Security Group Accepts All Traffic", 
"severity": "HIGH", - "line": 18, - "fileName": "positive2.tf" + "line": 14, + "fileName": "positive2.tf", + "resourceType": "aws_default_security_group", + "resourceName": "default3", + "searchKey": "aws_default_security_group[{{default3}}].ingress.ipv6_cidr_blocks", + "searchValue": "", + "expectedValue": "'ingress' should be undefined", + "actualValue": "'ingress' accepts all traffic", + "issueType": "IncorrectValue", + "similarityID": "180894021b0e212631593ec78585f4be9ac9f27e2a79cc213d931e49a90091ea", + "search_line": -1 }, { "queryName": "VPC Default Security Group Accepts All Traffic", "severity": "HIGH", - "line": 14, - "fileName": "positive2.tf" + "line": 18, + "fileName": "positive2.tf", + "resourceType": "aws_default_security_group", + "resourceName": "default3", + "searchKey": "aws_default_security_group[{{default3}}].egress", + "searchValue": "", + "expectedValue": "aws_default_security_group[{{default3}}] should not have 'egress' defined", + "actualValue": "aws_default_security_group[{{default3}}] has 'egress' defined", + "issueType": "IncorrectValue", + "similarityID": "cb4da3c25cc2de33aa6287b85903649e0f2f080cf0c3fa5fc036da434cc2a8a2", + "search_line": -1 }, { "queryName": "VPC Default Security Group Accepts All Traffic", "severity": "HIGH", "line": 23, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_default_security_group", + "resourceName": "default3", + "searchKey": "aws_default_security_group[{{default3}}].egress.cidr_blocks", + "searchValue": "", + "expectedValue": "'egress' should be undefined", + "actualValue": "'egress' accepts all traffic", + "issueType": "IncorrectValue", + "similarityID": "e465f654ceaae27e9405b5b39ad91fd2d708840c44095d7e463263e5360e5168", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws/vpc_flowlogs_disabled/test/positive_expected_result.json b/assets/queries/terraform/aws/vpc_flowlogs_disabled/test/positive_expected_result.json index 3785d8deeae..10645c639ac 100644 
--- a/assets/queries/terraform/aws/vpc_flowlogs_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/vpc_flowlogs_disabled/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "VPC FlowLogs Disabled", "severity": "MEDIUM", "line": 5, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_flow_log", + "resourceName": "example", + "searchKey": "aws_flow_log[example]", + "searchValue": "", + "expectedValue": "aws_flow_log[example].vpc_id should be defined and not null", + "actualValue": "aws_flow_log[example].vpc_id is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "cd0675d3e6e0e228ea40e12e3a88cdb9a8e74d794e3367a8d98c74ad716e6887", + "search_line": 5 }, { "queryName": "VPC FlowLogs Disabled", "severity": "MEDIUM", "line": 1, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_vpc", + "resourceName": "main", + "searchKey": "aws_vpc[main]", + "searchValue": "", + "expectedValue": "aws_vpc[main] should be the same as Flow Logs VPC id", + "actualValue": "aws_vpc[main] is not the same as Flow Logs VPC id", + "issueType": "IncorrectValue", + "similarityID": "0e68ba0ab49ef7ff3b63feb3ae861a08cd3dd2749131d3b2a565d328511c4791", + "search_line": 1 }, { "queryName": "VPC FlowLogs Disabled", "severity": "MEDIUM", "line": 14, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "vpc.enable_flow_log", + "searchValue": "", + "expectedValue": "vpc.enable_flow_log should be set to true", + "actualValue": "vpc.enable_flow_log is set to false", + "issueType": "IncorrectValue", + "similarityID": "f7daab1edf2aa8756cc7057dfb56311f1086febd93b4403d6c6a0f6f71034ce9", + "search_line": 14 }, { "queryName": "VPC FlowLogs Disabled", "severity": "MEDIUM", "line": 1, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "vpc", + "searchValue": "", + "expectedValue": "vpc.enable_flow_log should be set to true", + "actualValue": "vpc.enable_flow_log is undefined", + "issueType": "MissingAttribute", + "similarityID": 
"442c5ac6dd364fef4df870215ac072eb5c9a07640fc66abce2094f3f55427ff4", + "search_line": 1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive_expected_result.json b/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive_expected_result.json index ba50c0dd7dd..3fcbc2f4ec2 100644 --- a/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "VPC Peering Route Table with Unrestricted CIDR", "severity": "HIGH", "line": 118, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_route", + "resourceName": "public_route_table", + "searchKey": "aws_route_table[public_route_table].route", + "searchValue": "", + "expectedValue": "aws_route_table[public_route_table].route restricts CIDR", + "actualValue": "aws_route_table[public_route_table].route does not restrict CIDR", + "issueType": "IncorrectValue", + "similarityID": "8996901e27b30b0172f6d139d96a93fe4999eeeea3b7fc6019a2d5bb8ddbb175", + "search_line": 118 }, { "queryName": "VPC Peering Route Table with Unrestricted CIDR", "severity": "HIGH", "line": 132, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_route", + "resourceName": "private_route2", + "searchKey": "aws_route[private_route2]", + "searchValue": "", + "expectedValue": "aws_route[private_route2] restricts CIDR", + "actualValue": "aws_route[private_route2] does not restrict CIDR", + "issueType": "IncorrectValue", + "similarityID": "13d355f91521bc900e7d4098c592a87423ba92b4c57bc03bd274425318e58876", + "search_line": 132 }, { "queryName": "VPC Peering Route Table with Unrestricted CIDR", "severity": "HIGH", "line": 118, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "aws_route", + "resourceName": "public_route_table", + "searchKey": "aws_route_table[public_route_table].route", + "searchValue": "", + "expectedValue": "aws_route_table[public_route_table].route restricts CIDR", + "actualValue": "aws_route_table[public_route_table].route does not restrict CIDR", + "issueType": "IncorrectValue", + "similarityID": "03f6b8b26dbc56a4be10b6f779dbb6cdd410911bd4ea75727d9808f353e14728", + "search_line": 118 }, { "queryName": "VPC Peering Route Table with Unrestricted CIDR", "severity": "HIGH", "line": 9, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_route", + 
"resourceName": "art_nat_gw_out", + "searchKey": "aws_route_table[art_nat_gw_out].route", + "searchValue": "", + "expectedValue": "aws_route_table[art_nat_gw_out].route restricts CIDR", + "actualValue": "aws_route_table[art_nat_gw_out].route does not restrict CIDR", + "issueType": "IncorrectValue", + "similarityID": "f548157cd667eda120ede54d7d57fdc59d65c95666caa744b3ecc9800e96f2f7", + "search_line": 9 } ] diff --git a/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/test/positive_expected_result.json b/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/test/positive_expected_result.json index a34fb706958..7bf133292c7 100644 --- a/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "VPC Subnet Assigns Public IP", "severity": "MEDIUM", "line": 13, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_subnet", + "resourceName": "Positive", + "searchKey": "aws_subnet[positive].map_public_ip_on_launch", + "searchValue": "", + "expectedValue": "aws_subnet[positive].map_public_ip_on_launch should be set to false or undefined", + "actualValue": "aws_subnet[positive].map_public_ip_on_launch is set to true", + "issueType": "IncorrectValue", + "similarityID": "43ce7c5b9399bab79a1db9a2f01e0c2e656070c44b49a0c026ddcb617e949aa3", + "search_line": 13 }, { "queryName": "VPC Subnet Assigns Public IP", "severity": "MEDIUM", "line": 11, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "vpc.map_public_ip_on_launch", + "searchValue": "", + "expectedValue": "vpc.map_public_ip_on_launch should be set to false", + "actualValue": "vpc.map_public_ip_on_launch is set to true", + "issueType": "IncorrectValue", + "similarityID": "21f94f00bb9121316ba110315b269f38ad85e5dc6778b7bca320723a925b0f03", + "search_line": 11 }, { "queryName": "VPC Subnet Assigns Public IP", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "vpc", + "searchValue": "", + "expectedValue": "vpc.map_public_ip_on_launch should be set to false", + "actualValue": "vpc.map_public_ip_on_launch is set undefined", + "issueType": "IncorrectValue", + "similarityID": "1ff26d60e3bdb62fe483682b5532638ddd54b3ffee63d50db099cdaa9304a925", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/vpc_without_network_firewall/test/positive_expected_result.json b/assets/queries/terraform/aws/vpc_without_network_firewall/test/positive_expected_result.json index 6894110f441..56d880d1ced 100644 
--- a/assets/queries/terraform/aws/vpc_without_network_firewall/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/vpc_without_network_firewall/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "VPC Without Network Firewall", "severity": "MEDIUM", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "aws_vpc", + "resourceName": "positive", + "searchKey": "aws_vpc[positive]", + "searchValue": "", + "expectedValue": "aws_vpc[positive] has an 'aws_networkfirewall_firewall' associated", + "actualValue": "aws_vpc[positive] does not have an 'aws_networkfirewall_firewall' associated", + "issueType": "MissingAttribute", + "similarityID": "4fb17d05000c6f7c98966593c4cec7fb099e84a65df2e1aa6e5af777299d519b", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json b/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json index 4c65ef315d2..ead65d66e1c 100644 --- a/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/vulnerable_default_ssl_certificate/test/positive_expected_result.json 
@@ -2,21 +2,61 @@ { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", - "line": 5 + "line": 5, + "fileName": "positive.tf", + "resourceType": "aws_cloudfront_distribution", + "resourceName": "positive2", + "searchKey": "aws_cloudfront_distribution[positive2]", + "searchValue": "", + "expectedValue": "aws_cloudfront_distribution[positive2].viewer_certificate should be defined and not null", + "actualValue": "aws_cloudfront_distribution[positive2].viewer_certificate is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "04613358f5d9894d3f8bafbc70f0ad2e8593e8ce9b290cdf6ebda42c1a0a78a5", + "search_line": 5 }, { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", - "line": 88 + "line": 88, + "fileName": "positive.tf", + "resourceType": "aws_cloudfront_distribution", + "resourceName": "positive3", + "searchKey": "aws_cloudfront_distribution[positive3].viewer_certificate", + "searchValue": "cloudfront_default_certificate", + "expectedValue": "Attribute 'cloudfront_default_certificate' should be 'false' or not defined", + "actualValue": "Attribute 'cloudfront_default_certificate' is 'true'", + "issueType": "IncorrectValue", + "similarityID": "02ea5713180d051ad60c0c5267dc95763e67d01ff275b934b64d1f090285cde1", + "search_line": 88 }, { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "aws_cloudfront_distribution", + "resourceName": "positive4", + "searchKey": "aws_cloudfront_distribution[positive4].viewer_certificate", + "searchValue": "minimum_protocol_version", + "expectedValue": "Attributes 'ssl_support_method' and 'minimum_protocol_version' should be defined when one of 'acm_certificate_arn' or 'iam_certificate_id' is declared.", + "actualValue": "Attribute 'minimum_protocol_version' is not defined", + "issueType": "MissingAttribute", + "similarityID": 
"14972c3f54f6149c3c42ae7e0b682b59cac738d8f743a9e523642ac9df4b76b4", + "search_line": 134 }, { "queryName": "Vulnerable Default SSL Certificate", "severity": "MEDIUM", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "aws_cloudfront_distribution", + "resourceName": "positive4", + "searchKey": "aws_cloudfront_distribution[positive4].viewer_certificate", + "searchValue": "ssl_support_method", + "expectedValue": "Attributes 'ssl_support_method' and 'minimum_protocol_version' should be defined when one of 'acm_certificate_arn' or 'iam_certificate_id' is declared.", + "actualValue": "Attribute 'ssl_support_method' is not defined", + "issueType": "MissingAttribute", + "similarityID": "dfc0d20281400f6ab5996a38b8cd5eb2f7f940255d26cb11b0b758b4c848e24b", + "search_line": 134 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/test/positive_expected_result.json b/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/test/positive_expected_result.json index 73ed7cba6aa..de8efd7026d 100644 --- a/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "Workspaces Workspace Volume Not Encrypted", "severity": "HIGH", "line": 11, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_workspaces_workspace", + "resourceName": "example", + "searchKey": "aws_workspaces_workspace[{{example}}].workspace_properties.user_volume_size_gib", + "searchValue": "", + "expectedValue": "aws_workspaces_workspace.user_volume_encryption_enabled should be set to true", + "actualValue": "aws_workspaces_workspace.user_volume_encryption_enabled is missing", + "issueType": "MissingAttribute", + "similarityID": "49f80715fc6a179504e2ebeb428a355e78b7025609e96250a25386574082907a", + "search_line": -1 }, { "queryName": "Workspaces Workspace Volume Not Encrypted", "severity": "HIGH", "line": 12, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "aws_workspaces_workspace", + "resourceName": "example_2", + "searchKey": "aws_workspaces_workspace[{{example_2}}].workspace_properties.root_volume_size_gib", + "searchValue": "", + "expectedValue": "aws_workspaces_workspace.root_volume_encryption_enabled should be set to true", + "actualValue": "aws_workspaces_workspace.root_volume_encryption_enabled is missing", + "issueType": "MissingAttribute", + "similarityID": "7734a3604e7cd1b4c8947166a14a86b017d5e1fc558650aa99c169e4350ddfef", + "search_line": -1 }, { "queryName": "Workspaces Workspace Volume Not Encrypted", "severity": "HIGH", - "line": 11, - "filename": "positive3.tf" + "line": 10, + "fileName": "positive3.tf", + "resourceType": "aws_workspaces_workspace", + "resourceName": "example_3", + "searchKey": "aws_workspaces_workspace[{{example_3}}].workspace_properties.user_volume_size_gib", + "searchValue": "", + "expectedValue": "aws_workspaces_workspace.user_volume_encryption_enabled should be set to true", + "actualValue": "aws_workspaces_workspace.user_volume_encryption_enabled is missing", + "issueType": "MissingAttribute", + "similarityID": 
"7068457c9675af31cb72f3f7d34c85de56a559ceaf67d59a0df4a79539cac9bc", + "search_line": -1 }, { "queryName": "Workspaces Workspace Volume Not Encrypted", "severity": "HIGH", - "line": 10, - "filename": "positive3.tf" + "line": 11, + "fileName": "positive3.tf", + "resourceType": "aws_workspaces_workspace", + "resourceName": "example_3", + "searchKey": "aws_workspaces_workspace[{{example_3}}].workspace_properties.root_volume_size_gib", + "searchValue": "", + "expectedValue": "aws_workspaces_workspace.root_volume_encryption_enabled should be set to true", + "actualValue": "aws_workspaces_workspace.root_volume_encryption_enabled is missing", + "issueType": "MissingAttribute", + "similarityID": "97f339a7c8e79a349e4857e260728f615d1a76a0ea3523bbbc0a107e050198c4", + "search_line": -1 }, { "queryName": "Workspaces Workspace Volume Not Encrypted", "severity": "HIGH", "line": 6, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_workspaces_workspace", + "resourceName": "example_4", + "searchKey": "aws_workspaces_workspace[{{example_4}}].root_volume_encryption_enabled", + "searchValue": "", + "expectedValue": "aws_workspaces_workspace.root_volume_encryption_enabled should be set to true", + "actualValue": "aws_workspaces_workspace.root_volume_encryption_enabled is set to false", + "issueType": "IncorrectValue", + "similarityID": "36f3481cb048a216958e6b0c3e13190d67662254f4edacf6f1e3457a7a920890", + "search_line": -1 }, { "queryName": "Workspaces Workspace Volume Not Encrypted", "severity": "HIGH", "line": 7, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "aws_workspaces_workspace", + "resourceName": "example_4", + "searchKey": "aws_workspaces_workspace[{{example_4}}].user_volume_encryption_enabled", + "searchValue": "", + "expectedValue": "aws_workspaces_workspace.user_volume_encryption_enabled should be set to true", + "actualValue": "aws_workspaces_workspace.user_volume_encryption_enabled is set to false", + 
"issueType": "IncorrectValue", + "similarityID": "fd2f31370530a2bbee7054fd4599d6346112689bdcbbdea46c9b1ae19fe48709", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws_bom/dynamo/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/dynamo/test/positive_expected_result.json index a7df71f21cb..0561730608b 100644 --- a/assets/queries/terraform/aws_bom/dynamo/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/dynamo/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "BOM - AWS DynamoDB", "severity": "TRACE", "line": 21, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_dynamodb_table[basic-dynamodb-table]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "d945ecb2c2e557c0e17191454dd49f56ccee0b7d3e2e000246ce68ecc9a6deaa", + "search_line": 21 }, { "queryName": "BOM - AWS DynamoDB", "severity": "TRACE", "line": 21, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_dynamodb_table[example2-table]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "8853824a70e9ffdab994e5d2044272443d4d891bf3917a81e42d6b11c3459f79", + "search_line": 21 }, { "queryName": "BOM - AWS DynamoDB", "severity": "TRACE", "line": 21, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_dynamodb_table[example3-table]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "251a71ea24f2054eddf7c3f008dcb3df8faffcc0ca7d7b2a50ee0ffe2acd43bd", + "search_line": 21 }, { "queryName": "BOM - AWS DynamoDB", "severity": "TRACE", "line": 1, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_dynamodb_table[example3-table]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "4362f9951d6484291ce0de3eefa8b81338b440560d1b66ef5a67eeae47cce2a1", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws_bom/ebs/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/ebs/test/positive_expected_result.json index d8e95f01d7b..f86d31875d1 100644 
--- a/assets/queries/terraform/aws_bom/ebs/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/ebs/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "BOM - AWS EBS", "severity": "TRACE", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_ebs_volume[positive1]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "7b09901116ba2f02de9382e79c867279afefa9264ec7947fe7b2cfa150d1a775", + "search_line": 1 }, { "queryName": "BOM - AWS EBS", "severity": "TRACE", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_ebs_volume[positive2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "b117bf28948bf0d59f9d243b3724e463f9a375a633d5556fb0499a4bd302e3b2", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws_bom/efs/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/efs/test/positive_expected_result.json index b6420a9e65f..3e0757c1274 100644 --- a/assets/queries/terraform/aws_bom/efs/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/efs/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "BOM - AWS EFS", "severity": "TRACE", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_efs_file_system[positive1]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "605078a89809815594e244bc1f5d22ddb86d02d93ddd9e9f201db831439a42a8", + "search_line": 1 }, { "queryName": "BOM - AWS EFS", "severity": "TRACE", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_efs_file_system[positive2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "c663a1738d748ead3dee223ff2b84dc277f11ba226a6ca36b77524826d22a240", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws_bom/elasticache/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/elasticache/test/positive_expected_result.json index ef7120ad605..37f81fbc427 100644 --- a/assets/queries/terraform/aws_bom/elasticache/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/elasticache/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "BOM - AWS Elasticache", "severity": "TRACE", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_elasticache_cluster[positive1]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "f5185ba36fcea0fa9be4e90d9ea969df518b9a0482932082d23c09fa85baf3b6", + "search_line": 1 }, { "queryName": "BOM - AWS Elasticache", "severity": "TRACE", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_elasticache_cluster[positive2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "a02c56cb293db7c5d151c541bd87e944bbbe2b7f5cb8945fa88ae91df57c00a4", + "search_line": 1 }, { "queryName": "BOM - AWS Elasticache", "severity": "TRACE", "line": 33, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_elasticache_cluster[positive3]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "b5ac31f1067e40b4179a9f36163981b6bf3f58537628d84b1025b1ee44ddb8ea", + "search_line": 33 }, { "queryName": "BOM - AWS Elasticache", "severity": "TRACE", "line": 33, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_elasticache_cluster[positive4]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "29ce55a6ac55b7a412f48fa91f7a2a48ce6eab9ac0070a5bc0fff5dc84271395", + "search_line": 33 }, { "queryName": "BOM - AWS Elasticache", "severity": "TRACE", "line": 13, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_elasticache_cluster[positive5]", + 
"searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "05b6b63827b91b9e655bfbe478c4ad93d50d8e91cc312038d949275c6b498a8a", + "search_line": 13 }, { "queryName": "BOM - AWS Elasticache", "severity": "TRACE", "line": 13, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_elasticache_cluster[positive6]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "08598d5c4e9bf11eedfc14e2f497348a580924174f7305b5023c731433d38536", + "search_line": 13 } ] diff --git a/assets/queries/terraform/aws_bom/kinesis/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/kinesis/test/positive_expected_result.json index 8e5a045180d..31050902077 100644 --- a/assets/queries/terraform/aws_bom/kinesis/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/kinesis/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "BOM - AWS Kinesis", "severity": "TRACE", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_kinesis_stream[positive1]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "62e9f6b4858ff9a8b77482714ce70d441344a7e7208e0d4dd1a6e6ef4eab8e63", + "search_line": 1 }, { "queryName": "BOM - AWS Kinesis", "severity": "TRACE", "line": 20, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_kinesis_stream[positive2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "bfcecc9e850dcbcb73f18201b369388930eb4d3eeaf02b19a892baa6bacf2651", + "search_line": 20 } ] 
diff --git a/assets/queries/terraform/aws_bom/mq/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/mq/test/positive_expected_result.json index 01fc6d11c02..e1c2d8f632b 100644 --- a/assets/queries/terraform/aws_bom/mq/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/mq/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "BOM - AWS MQ", "severity": "TRACE", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_mq_broker[positive1]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "03046bbe8286e437246fbd71698b86c909a0fcbdb34e6974159036184d015192", + "search_line": 1 }, { "queryName": "BOM - AWS MQ", "severity": "TRACE", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_mq_broker[positive2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "43dc908a6561014a31109494e8c33fb58edcc39a76bac7ef46475a65e5ef8be5", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws_bom/msk/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/msk/test/positive_expected_result.json index 7b47467ba0f..5ba5702b40e 100644 --- a/assets/queries/terraform/aws_bom/msk/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/msk/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "BOM - AWS MSK", "severity": "TRACE", "line": 84, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_msk_cluster[positive1]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "935ff2aa0ade25bd53803dbae27feee4b3ee25ed0676f31d42031718ce5561bd", + "search_line": -1 }, { "queryName": "BOM - AWS MSK", "severity": "TRACE", "line": 84, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_msk_cluster[positive2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "846640d104d81c70a06ac64bf7988cf77500a1fa3fea0688e5d99de8e1203a2d", + "search_line": -1 } ] diff --git a/assets/queries/terraform/aws_bom/rds/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/rds/test/positive_expected_result.json index be834e67aa4..ef4616ab796 100644 --- a/assets/queries/terraform/aws_bom/rds/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/rds/test/positive_expected_result.json 
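Review bot: Both MSK entries pin `"search_line": -1` while `"line": 84`, whereas every other fixture in this change has the two values equal. If -1 is the sentinel for a search key that could not be resolved to a line, this fixture is recording a lookup failure as the expected result rather than the real location of `aws_msk_cluster[positive1]` / `aws_msk_cluster[positive2]`. Worth confirming against `positive1.tf` and `positive2.tf` and either regenerating so it reads `"search_line": 84`, or adding a short note in the PR description explaining why -1 is the correct expectation here.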
@@ -3,18 +3,45 @@ "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_rds_cluster_instance[cluster_instances]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "a4ec3ee0e21bff46ac0e7774c08be83fa59de514f6896d0a8ba04e022f8d003a", + "search_line": 1 }, { "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 23, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_db_instance[default]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "f96374e23f0656a0cdf362857cea8a0a4bcc42aa71e67927bcb51ba02d4aac9d", + "search_line": 23 }, { "queryName": "BOM - AWS RDS", "severity": "TRACE", "line": 35, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_db_instance[sample3]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "ecc401c273b49f3b4f16cd9aed51be897fb49661ae3182169c3d5815d139a334", + "search_line": 35 } ] diff --git a/assets/queries/terraform/aws_bom/s3_bucket/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/s3_bucket/test/positive_expected_result.json index f72b42f7543..822249c6653 100644 --- a/assets/queries/terraform/aws_bom/s3_bucket/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/s3_bucket/test/positive_expected_result.json 
@@ -3,60 +3,150 @@ "queryName": "BOM - AWS S3 Buckets", "severity": "TRACE", "line": 14, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_s3_bucket[positive1]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "ae59dd3361aab4ee65ffda5198d9b83facb55d0df7f4271eafdffd47b7d9037b", + "search_line": 14 }, { "queryName": "BOM - AWS S3 Buckets", "severity": "TRACE", "line": 14, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_s3_bucket[positive2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "17fead1c9a7e6c42011b7770e7961e3ea05240ef6aa29e57a90f1486be6e973e", + "search_line": 14 }, { "queryName": "BOM - AWS S3 Buckets", "severity": "TRACE", "line": 14, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_s3_bucket[positive3]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "e4f33a80b0ce604167458d237fd03a2f290a5688ca0694ef0747f622bee0ec99", + "search_line": 14 }, { "queryName": "BOM - AWS S3 Buckets", "severity": "TRACE", "line": 14, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_s3_bucket[positive4]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "76caedbca4541ea93cdb53fd7d696f9e8518cf4cc8ad85c24964fefa6868a395", + "search_line": 14 }, { "queryName": "BOM - AWS S3 Buckets", "severity": "TRACE", "line": 14, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_s3_bucket[positive5]", + "searchValue": "", + "expectedValue": "", + "actualValue": 
"", + "issueType": "BillOfMaterials", + "similarityID": "48153bdded8d71ed03243e7351dd63e8c421f5a0c187a8a1156c02692d08761d", + "search_line": 14 }, { "queryName": "BOM - AWS S3 Buckets", "severity": "TRACE", "line": 14, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_s3_bucket[positive6]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "49ad34f21d7f5465be124159b80ea0606998687749904acf0581dd54dccaca51", + "search_line": 14 }, { "queryName": "BOM - AWS S3 Buckets", "severity": "TRACE", "line": 14, - "fileName": "positive7.tf" + "fileName": "positive7.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_s3_bucket[positive7]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "f83c1d69d87fd1fa38d2f74aef2d131cf2ca7ca450dd448553aa4486f838744e", + "search_line": 14 }, { "queryName": "BOM - AWS S3 Buckets", "severity": "TRACE", "line": 14, - "fileName": "positive8.tf" + "fileName": "positive8.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_s3_bucket[positive8]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "bdd8172c4b6550e6285493f60ec4c96a9a9899457bdc423012a26a3309da538b", + "search_line": 14 }, { "queryName": "BOM - AWS S3 Buckets", "severity": "TRACE", "line": 14, - "fileName": "positive9.tf" + "fileName": "positive9.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_s3_bucket[positive9]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "c81cfe203fef3cc272763c4729e0b3bb929269ec2f43ebf601c994a25e080812", + "search_line": 14 }, { "queryName": "BOM - AWS S3 Buckets", "severity": "TRACE", "line": 14, - "fileName": "positive10.tf" + "fileName": "positive10.tf", + 
"resourceType": "", + "resourceName": "", + "searchKey": "aws_s3_bucket[positive10]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "82a5a7413175526f5fd0456ba0f519d4ce4bad85eedd40351c98e55c2d361277", + "search_line": 14 } ] diff --git a/assets/queries/terraform/aws_bom/sns/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/sns/test/positive_expected_result.json index 269154f3820..52b7dbab5b6 100644 --- a/assets/queries/terraform/aws_bom/sns/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/sns/test/positive_expected_result.json 
@@ -3,30 +3,75 @@ "queryName": "BOM - AWS SNS", "severity": "TRACE", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_sns_topic[positive1]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "3be9aa03070d890c043be3fc8ceff6cfa8947a7be4b1152f551d5a6fbe1fd413", + "search_line": 1 }, { "queryName": "BOM - AWS SNS", "severity": "TRACE", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_sns_topic[positive2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "c61ea724011fcfad22043b0fb750ef8832e67e7d450e7b65c881fa5cc513b290", + "search_line": 1 }, { "queryName": "BOM - AWS SNS", "severity": "TRACE", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_sns_topic[positive3]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "a842f6a9e4033eddef511ad3ac38a08be0ede634033704a5a99a9bf15aa887aa", + "search_line": 1 }, { "queryName": "BOM - AWS SNS", "severity": "TRACE", "line": 1, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_sns_topic[positive4]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "3d5419c56db82dfd8918cb7b2c4f223df2bc8ebb23ae15332ad62beb055dcb84", + "search_line": 1 }, { "queryName": "BOM - AWS SNS", "severity": "TRACE", "line": 1, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_sns_topic[positive5]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + 
"similarityID": "3fc98ab5dc12cc814e9785a44bb46101c8d2a7ee53ed7d0bd4e96f23ce9f38d5", + "search_line": 1 } ] diff --git a/assets/queries/terraform/aws_bom/sqs/test/positive_expected_result.json b/assets/queries/terraform/aws_bom/sqs/test/positive_expected_result.json index 442bcc91315..6c0610464a0 100644 --- a/assets/queries/terraform/aws_bom/sqs/test/positive_expected_result.json +++ b/assets/queries/terraform/aws_bom/sqs/test/positive_expected_result.json 
@@ -3,30 +3,75 @@ "queryName": "BOM - AWS SQS", "severity": "TRACE", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_sqs_queue[positive1]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "2e63546226d2fb661b60d65cba4958fca56f4784a562402324a10e997f0714bf", + "search_line": 1 }, { "queryName": "BOM - AWS SQS", "severity": "TRACE", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_sqs_queue[positive2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "3e3a9634b243f858032680f73fd507677eb53031fc69d2ba106f3a12a57fdf47", + "search_line": 1 }, { "queryName": "BOM - AWS SQS", "severity": "TRACE", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_sqs_queue[positive3]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "16caac312f6bfb001590c626b28b7d079f376ecc0d7e685ebe97e51c1788caba", + "search_line": 1 }, { "queryName": "BOM - AWS SQS", "severity": "TRACE", "line": 1, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_sqs_queue[positive4]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "8e76924560ccedc82d1e04276b5d1a5c2f4020ca5cdb20e0f820274369e65109", + "search_line": 1 }, { "queryName": "BOM - AWS SQS", "severity": "TRACE", "line": 1, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "aws_sqs_queue[positive5]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + 
"similarityID": "0921d240285a046df8784b8e2fbdf1911dedc123632d87d3970f683aea6672bd", + "search_line": 1 } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive2/positive_expected_result.json index 206cee271c3..a19aa12ba5b 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive2/positive_expected_result.json 
@@ -3,42 +3,105 @@ "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive2_1.tf" + "fileName": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'create or update network security group' events but sets 1 filter(s): caller", + "issueType": "IncorrectValue", + "similarityID": "8e08d14b174bb474c2a348d8397f2a36e3387dbebe18e6773a033ee71a6ef142", + "search_line": 9 }, { "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", "severity": "MEDIUM", "line": 28, - "fileName": "positive2_1.tf" + "fileName": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'create or update network security group' events but sets 1 filter(s): level", + "issueType": "IncorrectValue", + "similarityID": "f79398da6410fe2c3c79935d334c888341c7ee90db0171c2ea74ebff265bfc01", + "search_line": 28 }, { "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", "severity": "MEDIUM", "line": 47, - "fileName": "positive2_1.tf" + "fileName": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + 
"resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'create or update network security group' events but sets 1 filter(s): levels", + "issueType": "IncorrectValue", + "similarityID": "8a9f35cdd0e2e406b4b6d756a8c30c34e8fafc76421863a7d99a6aaaef351066", + "search_line": 47 }, { "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", "severity": "MEDIUM", "line": 66, - "fileName": "positive2_1.tf" + "fileName": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'create or update network security group' events but sets 1 filter(s): status", + "issueType": "IncorrectValue", + "similarityID": "31e88b1a8fddabf3183bb797b7f5c01a9184a44cab8f3bae8f3097112ed2b082", + "search_line": 66 }, { "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", "severity": "MEDIUM", "line": 8, - "fileName": "positive2_2.tf" + "fileName": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should 
be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'create or update network security group' events but sets 1 filter(s): statuses", + "issueType": "IncorrectValue", + "similarityID": "a0e8178c575f875f895f88c6cfa86ec548eb38ed2f2589c63ea049098f1ec2ed", + "search_line": 8 }, { "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", "severity": "MEDIUM", "line": 27, - "fileName": "positive2_2.tf" + "fileName": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'create or update network security group' events but sets 1 filter(s): sub_status", + "issueType": "IncorrectValue", + "similarityID": "bee49fd948283076795c8f46a5488714ce703b96b1cb23f7bf9a37a1457ef7b4", + "search_line": 27 }, { "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", "severity": "MEDIUM", "line": 46, - "fileName": "positive2_2.tf" + "fileName": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create or update network security group' events but sets 1 filter(s): sub_statuses", + "issueType": "IncorrectValue", + "similarityID": 
"624b1af29423ed837d2a49a34e5b6bfc65302a9a1fd7abedd31bdcfecbff8c5c", + "search_line": 46 } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive3/positive_expected_result.json index ddf3d1cb713..9d56ea3e71e 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive3/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_1.tf" + "fileName": "positive3_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'create or update network security group' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute", + "similarityID": "249eff4a8da93582b4f37571055457c8c8f41d0dc9363174952f2f569c51ef9d", + "search_line": 9 }, { "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_2.tf" + "fileName": "positive3_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'create or update network security group' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute", + "similarityID": "dc4b544a53f3f65bd66b9f6670eff83ecd917847c4db3da803e2c61e4300f553", + "search_line": 9 } ] 
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive4/positive_expected_result.json index 834f8a946ff..8bf36fbba62 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive4/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Beta - Activity Log Alert For Create Or Update Network Security Group Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive4_1.tf" + "fileName": "positive4_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'create or update network security group' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute", + "similarityID": "8f94c874d11954d3283c41560affd32088b6cdd45cea89d686c3fdf93fc107fa", + "search_line": 9 } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive_expected_result.json index 0d4f101c7a3..fe51488c706 100644 
--- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_network_security_group_not_configured/test/positive_expected_result.json @@ -1,2 +1 @@ -[ -] +[] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json index 587344375d0..6833cf0471b 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json 
@@ -3,42 +3,105 @@
 "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive2_1.tf"
+ "fileName": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): caller",
+ "issueType": "IncorrectValue",
+ "similarityID": "07879089627e9466155abbf8f40bbfa5a11e58184278db2ea781697da0ad6e23",
+ "search_line": 9
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured",
 "severity": "MEDIUM",
 "line": 28,
- "fileName": "positive2_1.tf"
+ "fileName": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): level",
+ "issueType": "IncorrectValue",
+ "similarityID": "9ab738dee5be1ac616daa3e816c096349fbc1c045db88092303bb6f19d2be13d",
+ "search_line": 28
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured",
 "severity": "MEDIUM",
 "line": 47,
- "fileName": "positive2_1.tf"
+ "fileName": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): levels",
+ "issueType": "IncorrectValue",
+ "similarityID": "5231ea529d389281f010a908ba5c7d4fb89077d2a6a79ae079a54b82a20bc3b1",
+ "search_line": 47
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured",
 "severity": "MEDIUM",
 "line": 66,
- "fileName": "positive2_1.tf"
+ "fileName": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): status",
+ "issueType": "IncorrectValue",
+ "similarityID": "ef6001d81b21d18b15c002182f37931b885727f6fd5b156dee1a0fc339b7ab72",
+ "search_line": 66
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive2_2.tf"
+ "fileName": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): statuses",
+ "issueType": "IncorrectValue",
+ "similarityID": "66e983c5613aa6edccacf608b971d57899b1da7f54b8363db73890a8117498de",
+ "search_line": 8
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured",
 "severity": "MEDIUM",
 "line": 27,
- "fileName": "positive2_2.tf"
+ "fileName": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): sub_status",
+ "issueType": "IncorrectValue",
+ "similarityID": "9025688b9c5535943538933c8e40e3faed37fc75a4f2c97a0706519d8a1faee2",
+ "search_line": 27
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured",
 "severity": "MEDIUM",
 "line": 46,
- "fileName": "positive2_2.tf"
+ "fileName": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create or update public ip address rule' events but sets 1 filter(s): sub_statuses",
+ "issueType": "IncorrectValue",
+ "similarityID": "e67b4e60d8439ac0bda70af6ccf7aa971d4361b2e70634eac1550c2349dd03fc",
+ "search_line": 46
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json
index 647418cc170..595b99c5089 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive3_1.tf"
+ "fileName": "positive3_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'create or update public ip address rule' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute",
+ "similarityID": "fce04fbebc1676ef25c78cc5a0ba98761619fcf86e9763790e9aed0b034d86db",
+ "search_line": 9
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive3_2.tf"
+ "fileName": "positive3_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'create or update public ip address rule' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute",
+ "similarityID": "b814b923660749e51d35af9691364963236166c4422b5e71fdda755a882e026e",
+ "search_line": 9
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json
index d2b55122b20..eca73f857c9 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Beta - Activity Log Alert For Create or Update Public IP Address Rule Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive4_1.tf"
+ "fileName": "positive4_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update public ip address rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'create or update public ip address rule' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute",
+ "similarityID": "b3cb8b155c3e87a624b3948c5938aa335b5d1e51969220a35cf0a4c694d9d149",
+ "search_line": 9
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive_expected_result.json
index 0d4f101c7a3..fe51488c706 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_public_ip_address_rule_not_configured/test/positive_expected_result.json
@@ -1,2 +1 @@
-[
-]
+[]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive2/positive_expected_result.json
index 62976f6c962..40df07c54f5 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive2/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive2/positive_expected_result.json
@@ -3,42 +3,105 @@
 "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive2_1.tf"
+ "fileName": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'create or update security solution' events but sets 1 filter(s): caller",
+ "issueType": "IncorrectValue",
+ "similarityID": "4203c83188e99d4a3eee3289c98c00d25195a8be538d1d10f807002eca62070e",
+ "search_line": 9
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 28,
- "fileName": "positive2_1.tf"
+ "fileName": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'create or update security solution' events but sets 1 filter(s): level",
+ "issueType": "IncorrectValue",
+ "similarityID": "79d8c5b19e7b126e35e9b0afb7decc1efea3c481aeeb513976e5eb6754e1e1ce",
+ "search_line": 28
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 47,
- "fileName": "positive2_1.tf"
+ "fileName": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'create or update security solution' events but sets 1 filter(s): levels",
+ "issueType": "IncorrectValue",
+ "similarityID": "9b09082cfb8202b146a094fce400ab245760b9bf6f6d1829661f5c091fc08dce",
+ "search_line": 47
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 66,
- "fileName": "positive2_1.tf"
+ "fileName": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'create or update security solution' events but sets 1 filter(s): status",
+ "issueType": "IncorrectValue",
+ "similarityID": "9885529ca74a38900949e07010e085b61b06230d6cc8f3e7bd7c7a34393ccf99",
+ "search_line": 66
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive2_2.tf"
+ "fileName": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'create or update security solution' events but sets 1 filter(s): statuses",
+ "issueType": "IncorrectValue",
+ "similarityID": "f52d405c052eee5ac44da25175c482a0a73482141c59e0a525b92efb25515d45",
+ "search_line": 8
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 27,
- "fileName": "positive2_2.tf"
+ "fileName": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'create or update security solution' events but sets 1 filter(s): sub_status",
+ "issueType": "IncorrectValue",
+ "similarityID": "7943e485d5974e192469ccc644f5e04adb66f0ac852fdece1c60724a8b700ff3",
+ "search_line": 27
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 46,
- "fileName": "positive2_2.tf"
+ "fileName": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create or update security solution' events but sets 1 filter(s): sub_statuses",
+ "issueType": "IncorrectValue",
+ "similarityID": "5b4c3c1ca8c58fcf4ba6b143301d69516861785cc068a6d0df017a4864f01ccd",
+ "search_line": 46
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive3/positive_expected_result.json
index 5fc27a61d32..6ba6cdd91bb 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive3/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive3/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive3_1.tf"
+ "fileName": "positive3_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'create or update security solution' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute",
+ "similarityID": "e5069c9438c4f4428252fa2a5f09a5a7abd750930094bdbb59fd7ff817b5d8de",
+ "search_line": 9
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive3_2.tf"
+ "fileName": "positive3_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'create or update security solution' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute",
+ "similarityID": "bb4a13ea0c98188e9ee1b071c5bfad12ce1962ec832daa46c226b0e7e9785ee9",
+ "search_line": 9
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive4/positive_expected_result.json
index c2d325766f1..eccd81db382 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive4/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive4/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Beta - Activity Log Alert For Create or Update Security Solution Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive4_1.tf"
+ "fileName": "positive4_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update security solution' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'create or update security solution' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute",
+ "similarityID": "f51c42d9c3e9c596db49abf4128f333692125d74491ed3ac06eb3ac92b7f2774",
+ "search_line": 9
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive_expected_result.json
index 0d4f101c7a3..fe51488c706 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_security_solution_not_configured/test/positive_expected_result.json
@@ -1,2 +1 @@
-[
-]
+[]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json
index 62edf8ed52e..98f5aa3b097 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json
@@ -3,42 +3,105 @@
 "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive2_1.tf"
+ "fileName": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): caller",
+ "issueType": "IncorrectValue",
+ "similarityID": "1c0564c8e43643908eee1c5a6fe66c5d9855d4c2efa324352d930384d94e647b",
+ "search_line": 9
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured",
 "severity": "MEDIUM",
 "line": 28,
- "fileName": "positive2_1.tf"
+ "fileName": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): level",
+ "issueType": "IncorrectValue",
+ "similarityID": "448495ea8fec2e606c7b99da74b2ee8e4f767bcfba2b3701a3fa06f87f784460",
+ "search_line": 28
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured",
 "severity": "MEDIUM",
 "line": 47,
- "fileName": "positive2_1.tf"
+ "fileName": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): levels",
+ "issueType": "IncorrectValue",
+ "similarityID": "d8d7e7694ef1f2bee8f1f3f0cfecf2cb843eeec80bdfd0752c100f9cdfbf8fc5",
+ "search_line": 47
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured",
 "severity": "MEDIUM",
 "line": 66,
- "fileName": "positive2_1.tf"
+ "fileName": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): status",
+ "issueType": "IncorrectValue",
+ "similarityID": "7bbc893d625d95ea8c6387a9b778208a3d91e491f6596a10806b7201750a38e0",
+ "search_line": 66
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive2_2.tf"
+ "fileName": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): statuses",
+ "issueType": "IncorrectValue",
+ "similarityID": "e4ed4b1d15b44eeb72114c6cabff72a4d00ac5b32a02126f526b0b1246640c53",
+ "search_line": 8
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured",
 "severity": "MEDIUM",
 "line": 27,
- "fileName": "positive2_2.tf"
+ "fileName": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): sub_status",
+ "issueType": "IncorrectValue",
+ "similarityID": "5ff503b69463640fe9a44135753a1a918d39366979d935ea3e758e6dc285e9b6",
+ "search_line": 27
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured",
 "severity": "MEDIUM",
 "line": 46,
- "fileName": "positive2_2.tf"
+ "fileName": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create or update SQL server firewall rule' events but sets 1 filter(s): sub_statuses",
+ "issueType": "IncorrectValue",
+ "similarityID": "e38274822ba043edb10e1c76600fe412bd3a7ddf4b2f3e84cb7e71b7cbc91482",
+ "search_line": 46
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json
index 52d093a64fd..41c49295e5a 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive3_1.tf"
+ "fileName": "positive3_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'create or update SQL server firewall rule' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute",
+ "similarityID": "40e95ce38b5d393e6701d915efc4d46f4f799664d10ab930cb68fe3f0a917e9e",
+ "search_line": 9
 },
 {
 "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive3_2.tf"
+ "fileName": "positive3_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'create or update SQL server firewall rule' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute",
+ "similarityID": "67bdad156a27020a92c1974cfc7d6d05c5e25dfcb5b75b15cae78cb0ab9d6199",
+ "search_line": 9
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json
index 7879a0cfd5d..7945b3f0769 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Beta - Activity Log Alert For Create or Update SQL Server Firewall Rule Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive4_1.tf"
+ "fileName": "positive4_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "example-activitylogalert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create or update SQL server firewall rule' events should be defined",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'create or update SQL server firewall rule' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute",
+ "similarityID": "ccdbd51d65aabb95d7aaad19e3353d0db1b0550522a507b40664bf018eb8c9ad",
+ "search_line": 9
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive_expected_result.json
index 0d4f101c7a3..fe51488c706 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_create_or_update_sql_server_firewall_rule_not_configured/test/positive_expected_result.json
@@ -1,2 +1 @@
-[
-]
+[]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive2/positive_expected_result.json
index 8d4334d067d..09f492a5fd8 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive2/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive2/positive_expected_result.json
@@ -3,42 +3,105 @@ "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive2_1.tf" + "fileName": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'create policy assignment' events but sets 1 filter(s): caller", + "issueType": "IncorrectValue", + "similarityID": "cf761a7427da4d1b7c6aef0469238ffe99de20e28dc26e3a9f7d2169c6ad2a9f", + "search_line": 9 }, { "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", "severity": "MEDIUM", "line": 28, - "fileName": "positive2_1.tf" + "fileName": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'create policy assignment' events but sets 1 filter(s): level", + "issueType": "IncorrectValue", + "similarityID": "b7aa8e1b472a7338c58e2c978879534d38eb59c79f5ef2c554e27620b569b7bd", + "search_line": 28 }, { "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", "severity": "MEDIUM", "line": 47, - "fileName": "positive2_1.tf" + "fileName": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": 
"azurerm_monitor_activity_log_alert[positive2_3].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'create policy assignment' events but sets 1 filter(s): levels", + "issueType": "IncorrectValue", + "similarityID": "43153230110a44420d3020ea62c8d4474f2640cd631ed8d4104878885e3b527d", + "search_line": 47 }, { "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", "severity": "MEDIUM", "line": 66, - "fileName": "positive2_1.tf" + "fileName": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'create policy assignment' events but sets 1 filter(s): status", + "issueType": "IncorrectValue", + "similarityID": "fc65edb278a0f4fd672cff6560a1fd42bd3bc83a58153c68f412441d05737957", + "search_line": 66 }, { "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", "severity": "MEDIUM", "line": 8, - "fileName": "positive2_2.tf" + "fileName": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'create policy assignment' events but sets 1 filter(s): 
statuses", + "issueType": "IncorrectValue", + "similarityID": "d7480da80c26e7514d4e21bf896c930918735b90cda046cb523a27777a3f3cc7", + "search_line": 8 }, { "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", "severity": "MEDIUM", "line": 27, - "fileName": "positive2_2.tf" + "fileName": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'create policy assignment' events but sets 1 filter(s): sub_status", + "issueType": "IncorrectValue", + "similarityID": "c78ec96545e8f24cc1ad1641d6f536ef99307a762fde6576f30cc45db78a175a", + "search_line": 27 }, { "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", "severity": "MEDIUM", "line": 46, - "fileName": "positive2_2.tf" + "fileName": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'create policy assignment' events but sets 1 filter(s): sub_statuses", + "issueType": "IncorrectValue", + "similarityID": "73f4b4ed38d091357ec8ef5546853bf15d77af7254081de065cb18761b45deee", + "search_line": 46 } ] 
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive3/positive_expected_result.json index 3903474e1c3..82281616158 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive3/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_1.tf" + "fileName": "positive3_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'create policy assignment' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute", + "similarityID": "667f2ef9afe1374fef80204ae9b35c1211c563a2ac985560d52a6da6a600e1df", + "search_line": 9 }, { "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_2.tf" + "fileName": "positive3_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'create policy assignment' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute", + "similarityID": "98ad4f8875ba4193a50f1d77186d3a79e73edd8a7f49e517d994ca4f655b81bc", + "search_line": 9 } ] 
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive4/positive_expected_result.json index a5d81846400..b5dcfc643b8 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive4/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Beta - Activity Log Alert For Create Policy Assignment Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive4_1.tf" + "fileName": "positive4_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'create policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'create policy assignment' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute", + "similarityID": "71363a958a88a61266ae8df2dbf867fbd0a637b082acb360aabdc0ce66800221", + "search_line": 9 } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive_expected_result.json index 0d4f101c7a3..fe51488c706 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive_expected_result.json 
+++ b/assets/queries/terraform/azure/activity_log_alert_for_create_policy_assignment_not_configured/test/positive_expected_result.json @@ -1,2 +1 @@ -[ -] +[] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive2/positive_expected_result.json index 9aa5be053c2..46dc8301e36 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive2/positive_expected_result.json 
@@ -3,42 +3,105 @@ "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive2_1.tf" + "fileName": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'delete network security group' events but sets 1 filter(s): caller", + "issueType": "IncorrectValue", + "similarityID": "64b244924f2a58c4902d8d75988ed3ac617585ca1ab0aaa799c33db4bc682b9f", + "search_line": 9 }, { "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", "severity": "MEDIUM", "line": 28, - "fileName": "positive2_1.tf" + "fileName": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'delete network security group' events but sets 1 filter(s): level", + "issueType": "IncorrectValue", + "similarityID": "4ffc640ebff515a578e9ee0264b48bba725ea7ab46b7fe97f0f7054e64f8d959", + "search_line": 28 }, { "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", "severity": "MEDIUM", "line": 47, - "fileName": "positive2_1.tf" + "fileName": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": 
"azurerm_monitor_activity_log_alert[positive2_3].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'delete network security group' events but sets 1 filter(s): levels", + "issueType": "IncorrectValue", + "similarityID": "388432cd48dac600dc22e51754c13af7ba40a29a69077e78abf5d350e6bf4ad5", + "search_line": 47 }, { "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", "severity": "MEDIUM", "line": 66, - "fileName": "positive2_1.tf" + "fileName": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'delete network security group' events but sets 1 filter(s): status", + "issueType": "IncorrectValue", + "similarityID": "97417870e322548628d1738d9091758230b4c096442ce618f025349d78e72b96", + "search_line": 66 }, { "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", "severity": "MEDIUM", "line": 8, - "fileName": "positive2_2.tf" + "fileName": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'delete network security 
group' events but sets 1 filter(s): statuses", + "issueType": "IncorrectValue", + "similarityID": "3d2c6d31662ee2e2844a4ae8c1d4f598fe251df7e4b218a3ad7bd03ea65018e9", + "search_line": 8 }, { "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", "severity": "MEDIUM", "line": 27, - "fileName": "positive2_2.tf" + "fileName": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'delete network security group' events but sets 1 filter(s): sub_status", + "issueType": "IncorrectValue", + "similarityID": "fbee015a1c0f667681b5c878939aee6a97f97ff5d765e2e4ba461e942f697d90", + "search_line": 27 }, { "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", "severity": "MEDIUM", "line": 46, - "fileName": "positive2_2.tf" + "fileName": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete network security group' events but sets 1 filter(s): sub_statuses", + "issueType": "IncorrectValue", + "similarityID": "b7fab856625bfb1e54fdfd1ff114564fb4d837bbe389f56b7f401585f63a3aaf", + "search_line": 46 } ] 
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive3/positive_expected_result.json index 2d4adf5066b..2f68e470beb 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive3/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_1.tf" + "fileName": "positive3_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'delete network security group' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute", + "similarityID": "3a0d2f4c5898e26f1c3d02547e0eb383d9d19fa16644292cc628436c01d0c6c8", + "search_line": 9 }, { "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_2.tf" + "fileName": "positive3_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete network security group' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute", + "similarityID": "3431a22f1352d563d860123d07d9e88fc45a7c60185aa3a49ca2efbfe3304a8c", + "search_line": 9 } ] 
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive4/positive_expected_result.json index d9f4a65bc5e..92ed1242a39 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive4/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Beta - Activity Log Alert For Delete Network Security Group Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive4_1.tf" + "fileName": "positive4_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete network security group' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete network security group' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute", + "similarityID": "0ae4481b93e9ff568b001c36e598711641778ef7fa5ad365ce09d28229019269", + "search_line": 9 } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive_expected_result.json index 0d4f101c7a3..fe51488c706 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive_expected_result.json 
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_network_security_group_not_configured/test/positive_expected_result.json @@ -1,2 +1 @@ -[ -] +[] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive_expected_result.json index b72188b5295..6df4365267d 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive2/positive_expected_result.json 
@@ -3,42 +3,105 @@ "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive2_1.tf" + "fileName": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'delete policy assignment' events but sets 1 filter(s): caller", + "issueType": "IncorrectValue", + "similarityID": "72e3e91def92e0322a51dd415275d5941aca729e1498a1b63af8508733de0a87", + "search_line": 9 }, { "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", "severity": "MEDIUM", "line": 28, - "fileName": "positive2_1.tf" + "fileName": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'delete policy assignment' events but sets 1 filter(s): level", + "issueType": "IncorrectValue", + "similarityID": "4238006f33d68d68e3adf4bbc30ff39cdc40b0019fb9d094949f012b99ca19e6", + "search_line": 28 }, { "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", "severity": "MEDIUM", "line": 47, - "fileName": "positive2_1.tf" + "fileName": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": 
"azurerm_monitor_activity_log_alert[positive2_3].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'delete policy assignment' events but sets 1 filter(s): levels", + "issueType": "IncorrectValue", + "similarityID": "07a739c3002f2541914dfc6c8a6658c891010979b1789ee5c5d05414992bb9c2", + "search_line": 47 }, { "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", "severity": "MEDIUM", "line": 66, - "fileName": "positive2_1.tf" + "fileName": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'delete policy assignment' events but sets 1 filter(s): status", + "issueType": "IncorrectValue", + "similarityID": "b2a6d5092210653954700be9fa433b259dc69736f439eb6fd2d30357f9f9effd", + "search_line": 66 }, { "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", "severity": "MEDIUM", "line": 8, - "fileName": "positive2_2.tf" + "fileName": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'delete policy assignment' events but sets 1 filter(s): 
statuses", + "issueType": "IncorrectValue", + "similarityID": "0fc7f0651c6aed80d12807db302813f0f2c6f8a90a33518736e8857b55ff6ffd", + "search_line": 8 }, { "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", "severity": "MEDIUM", "line": 27, - "fileName": "positive2_2.tf" + "fileName": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'delete policy assignment' events but sets 1 filter(s): sub_status", + "issueType": "IncorrectValue", + "similarityID": "fd8eb0238128e8dd9653edf3ed3579f1fd968ae745576c78273dd890960661c7", + "search_line": 27 }, { "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", "severity": "MEDIUM", "line": 46, - "fileName": "positive2_2.tf" + "fileName": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete policy assignment' events but sets 1 filter(s): sub_statuses", + "issueType": "IncorrectValue", + "similarityID": "00bf1bfb206d0ce88dd1a89ef36778d47acf83c0ff8d3b3b7fd634b878307ebd", + "search_line": 46 } ] 
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive3/positive_expected_result.json index 1ff51775942..58d533cb3e1 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive3/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive3/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_1.tf" + "fileName": "positive3_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'delete policy assignment' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute", + "similarityID": "06d9149b77448708e24a1e4c42d3dcc47a6dd8aac52fe3496117f8b385abd0c6", + "search_line": 9 }, { "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_2.tf" + "fileName": "positive3_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete policy assignment' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute", + "similarityID": "1abc97d2443d1494c8e0c0fc47955757ada3dc62d4aa33e1d51ba83d81915a0d", + "search_line": 9 } ] 
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive4/positive_expected_result.json index 1d75d906347..1cd52f82398 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive4/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Beta - Activity Log Alert For Delete Policy Assignment Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive4_1.tf" + "fileName": "positive4_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete policy assignment' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete policy assignment' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute", + "similarityID": "782c8cb3592fec9f95af2a9ad8640d4afa65226ccd70f8ef61c9c01984c96e7a", + "search_line": 9 } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive_expected_result.json index 0d4f101c7a3..fe51488c706 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive_expected_result.json 
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_policy_assignment_not_configured/test/positive_expected_result.json @@ -1,2 +1 @@ -[ -] +[] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json index db0d5cb17e5..c7d242316a3 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive2/positive_expected_result.json 
@@ -3,42 +3,105 @@ "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive2_1.tf" + "fileName": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): caller", + "issueType": "IncorrectValue", + "similarityID": "9bba42cfb1ec3df6535b1fd8fa957a2870f09b78f30c7bd06295e988393d6155", + "search_line": 9 }, { "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 28, - "fileName": "positive2_1.tf" + "fileName": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): level", + "issueType": "IncorrectValue", + "similarityID": "124e73f81970f1157ef5fc677ab1d01030c8777fd7786f1766ca22843b303464", + "search_line": 28 }, { "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 47, - "fileName": "positive2_1.tf" + "fileName": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": 
"azurerm_monitor_activity_log_alert[positive2_3].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): levels", + "issueType": "IncorrectValue", + "similarityID": "282118dc1263c80ee2051ff53ac679d8c5e2ac2c5b8457f35883b6511a1b7b95", + "search_line": 47 }, { "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 66, - "fileName": "positive2_1.tf" + "fileName": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): status", + "issueType": "IncorrectValue", + "similarityID": "92f44501ad9edd63fd86a848d4a4110245f14aefbc5960a5c75b5df4317411ad", + "search_line": 66 }, { "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 8, - "fileName": "positive2_2.tf" + "fileName": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'delete public ip address 
rule' events but sets 1 filter(s): statuses", + "issueType": "IncorrectValue", + "similarityID": "979069d388f945b049501b46e8f2f9c2571974be586f007e8ac4935b54d69923", + "search_line": 8 }, { "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 27, - "fileName": "positive2_2.tf" + "fileName": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): sub_status", + "issueType": "IncorrectValue", + "similarityID": "b8349eb1673c9b3b48485a9f0fe0618a54d45fa623adf030609e1bdc35adb2f4", + "search_line": 27 }, { "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 46, - "fileName": "positive2_2.tf" + "fileName": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete public ip address rule' events but sets 1 filter(s): sub_statuses", + "issueType": "IncorrectValue", + "similarityID": "901623189c3f5c4da0c4b3ce305ad17efae819786ce0781c0d4575262c7b3a6c", + "search_line": 46 } ] 
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json
index 8f5b85d8d7b..9da34f750a4 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive3/positive_expected_result.json
@@ -3,12 +3,30 @@ "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_1.tf" + "fileName": "positive3_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'delete public ip address rule' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute", + "similarityID": "303be38d625d5a62ff23be05b55df8bce9f80d80f557c045ffb9b8474aa64b88", + "search_line": 9 }, { "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_2.tf" + "fileName": "positive3_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete public ip address rule' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute", + "similarityID": "84df02c463790f67d531862de25375929443139fe2db3ac9a8f7b8641072944b", + "search_line": 9 } ] 
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json index 9e174c03f4d..3e4627f358f 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive4/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Beta - Activity Log Alert For Delete Public IP Address Rule Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive4_1.tf" + "fileName": "positive4_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete public ip address rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete public ip address rule' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute", + "similarityID": "41189d55566499ea6317a4fca1ede1732545ccb1ea10211c93dade6406952f89", + "search_line": 9 } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive_expected_result.json index 0d4f101c7a3..fe51488c706 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive_expected_result.json 
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_public_ip_address_rule_not_configured/test/positive_expected_result.json
@@ -1,2 +1 @@
-[
-]
+[]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive2/positive_expected_result.json
index 48cd89dddfe..0d0f941cc3a 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive2/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive2/positive_expected_result.json
@@ -3,42 +3,105 @@ "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive2_1.tf" + "fileName": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'delete security solution' events but sets 1 filter(s): caller", + "issueType": "IncorrectValue", + "similarityID": "ca99662b7aafa1801e1626733e81f8ecec7083b0343eb737357456ae402f28d4", + "search_line": 9 }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", "severity": "MEDIUM", "line": 28, - "fileName": "positive2_1.tf" + "fileName": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'delete security solution' events but sets 1 filter(s): level", + "issueType": "IncorrectValue", + "similarityID": "7cda8111876aec9651d7ade31b0294c25e76593cd379b5e2a28e328cf49ae2b0", + "search_line": 28 }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", "severity": "MEDIUM", "line": 47, - "fileName": "positive2_1.tf" + "fileName": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": 
"azurerm_monitor_activity_log_alert[positive2_3].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'delete security solution' events but sets 1 filter(s): levels", + "issueType": "IncorrectValue", + "similarityID": "96fc7a360dfb21da0ef1fb193d24d6eccdf0139fbc8adace6f0e6a1e4b039874", + "search_line": 47 }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", "severity": "MEDIUM", "line": 66, - "fileName": "positive2_1.tf" + "fileName": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'delete security solution' events but sets 1 filter(s): status", + "issueType": "IncorrectValue", + "similarityID": "cde173faaf44f4fac8408da10bf61138ef77178d6c98f63f77d0daf9074811ce", + "search_line": 66 }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", "severity": "MEDIUM", "line": 8, - "fileName": "positive2_2.tf" + "fileName": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'delete security solution' events but sets 1 filter(s): 
statuses", + "issueType": "IncorrectValue", + "similarityID": "5b6730ec1ddc34ae4ef68da86dc23ad6ca6b6e8f985f9a3aa56717b76381dffd", + "search_line": 8 }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", "severity": "MEDIUM", "line": 27, - "fileName": "positive2_2.tf" + "fileName": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'delete security solution' events but sets 1 filter(s): sub_status", + "issueType": "IncorrectValue", + "similarityID": "044e5b046dd8006fb92e88bb8d07af1877739f364212c89b4b7cac88a9d26071", + "search_line": 27 }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", "severity": "MEDIUM", "line": 46, - "fileName": "positive2_2.tf" + "fileName": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete security solution' events but sets 1 filter(s): sub_statuses", + "issueType": "IncorrectValue", + "similarityID": "c1cb62de2a4f663f96f894786eb955ddb6544709124e8169501b8a4ae3edcd51", + "search_line": 46 } ] 
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive3/positive_expected_result.json
index df7ec6ee0e6..98c99edb9e3 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive3/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive3/positive_expected_result.json
@@ -3,12 +3,30 @@ "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_1.tf" + "fileName": "positive3_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'delete security solution' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute", + "similarityID": "8418e544263c1cb5aeebbb1c04cf5bda45a8307dd571e9a041faa23c18a0c875", + "search_line": 9 }, { "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_2.tf" + "fileName": "positive3_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete security solution' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute", + "similarityID": "002b768a855fb3b74ae0ffe3be014ca8ba5055778f296884613b51f8667c533d", + "search_line": 9 } ] 
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive4/positive_expected_result.json index 0ec2da06fea..44094727159 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive4/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Beta - Activity Log Alert For Delete Security Solution Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive4_1.tf" + "fileName": "positive4_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete security solution' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete security solution' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute", + "similarityID": "70984c4b9258fc82d344baca841ef46d293a67e27571f6ec7566cb922c9cf036", + "search_line": 9 } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive_expected_result.json index 0d4f101c7a3..fe51488c706 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive_expected_result.json 
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_security_solution_not_configured/test/positive_expected_result.json
@@ -1,2 +1 @@
-[
-]
+[]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json
index 07f54508d55..be4c2037112 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive2/positive_expected_result.json
@@ -3,42 +3,105 @@ "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive2_1.tf" + "fileName": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): caller", + "issueType": "IncorrectValue", + "similarityID": "75155fdb73326eacb7d2144f8e67dd551940ef0f1987ec4cb09a333cb728fc57", + "search_line": 9 }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 28, - "fileName": "positive2_1.tf" + "fileName": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): level", + "issueType": "IncorrectValue", + "similarityID": "78210989791881f41949b1d6b5dede597a2beecf9a7728645a281734fb4e817e", + "search_line": 28 }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 47, - "fileName": "positive2_1.tf" + "fileName": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": 
"azurerm_monitor_activity_log_alert[positive2_3].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): levels", + "issueType": "IncorrectValue", + "similarityID": "871fc35e72f4da8745f653b854343a8930fea3719324a980760bd2ef0a50ab1e", + "search_line": 47 }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 66, - "fileName": "positive2_1.tf" + "fileName": "positive2_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_4].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_4]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): status", + "issueType": "IncorrectValue", + "similarityID": "ad6a25081db95d1f6d747f60824c2350639a98c7a00660d103d10753d0706994", + "search_line": 66 }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 8, - "fileName": "positive2_2.tf" + "fileName": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_5].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_5]' resource monitors 'delete SQL 
server firewall rule' events but sets 1 filter(s): statuses", + "issueType": "IncorrectValue", + "similarityID": "bbc856949ed2713bbdd2f6e3615e5d2d93240cf94f1315c47b4c18192fddaf8e", + "search_line": 8 }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 27, - "fileName": "positive2_2.tf" + "fileName": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_6].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_6]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): sub_status", + "issueType": "IncorrectValue", + "similarityID": "a50c7eca744b4b9d7d17580c221e985bf4276ac397351d4f661fd0338e8dfcc6", + "search_line": 27 }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 46, - "fileName": "positive2_2.tf" + "fileName": "positive2_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive2_7].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_7]' resource monitors 'delete SQL server firewall rule' events but sets 1 filter(s): sub_statuses", + "issueType": "IncorrectValue", + "similarityID": "e33b0317c2291a6980e7791ca9849fff561ee870865d96c906ea831b2bc090ad", + "search_line": 46 } ] 
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json
index c9a4b7e74c6..9a9be52dcda 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive3/positive_expected_result.json
@@ -3,12 +3,30 @@ "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_1.tf" + "fileName": "positive3_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'delete SQL server firewall rule' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute", + "similarityID": "687d1d0ba9be88d8e2bccd0b9c22ce1954cb4783ebbad33035c79e1f681025fc", + "search_line": 9 }, { "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive3_2.tf" + "fileName": "positive3_2.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'delete SQL server firewall rule' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute", + "similarityID": "0c33c38b066e228b03f4e56985fca4546cb189e88e34b2e4eaa1d53c0cf20863", + "search_line": 9 } ] 
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json index 315a11bcbfa..ca02c3dab09 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json +++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive4/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured", "severity": "MEDIUM", "line": 9, - "fileName": "positive4_1.tf" + "fileName": "positive4_1.tf", + "resourceType": "azurerm_monitor_activity_log_alert", + "resourceName": "example-activitylogalert", + "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria", + "searchValue": "", + "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'delete SQL server firewall rule' events should be defined", + "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'delete SQL server firewall rule' events but is missing an 'action.action_group_id' field", + "issueType": "MissingAttribute", + "similarityID": "d455006440bb7381f3d0068de6b2fba3b785d58665d4fc5e5c4e979e96b602af", + "search_line": 9 } ] diff --git a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive_expected_result.json index 0d4f101c7a3..fe51488c706 100644 --- a/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive_expected_result.json 
+++ b/assets/queries/terraform/azure/activity_log_alert_for_delete_sql_server_firewall_rule_not_configured/test/positive_expected_result.json
@@ -1,2 +1 @@
-[
-]
+[]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive2/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive2/positive_expected_result.json
index 8e854727ca9..be267f56b59 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive2/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive2/positive_expected_result.json
@@ -3,18 +3,45 @@
 "queryName": "Beta - Activity Log Alert For Service Health Not Configured",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive2_1.tf"
+ "fileName": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "ServiceHealthActivityLogAlert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_1]' resource monitors 'ServiceHealth' events but does not include 'Incident' in its 'criteria.service_health.events' array",
+ "issueType": "IncorrectValue",
+ "similarityID": "e3e1af35162b70ddcc1aeda34e50581b4242f559a5c4fbc7fc65a7c87330e3f0",
+ "search_line": 8
 },
 {
 "queryName": "Beta - Activity Log Alert For Service Health Not Configured",
 "severity": "MEDIUM",
 "line": 28,
- "fileName": "positive2_1.tf"
+ "fileName": "positive2_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "ServiceHealthActivityLogAlert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_2].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_2]' resource monitors 'ServiceHealth' events but does not include 'Incident' in its 'criteria.service_health.events' array",
+ "issueType": "MissingAttribute",
+ "similarityID": "a9f0e05a63eae10e2c74b1dcdd57f22eebaf1a93ee56b817adccde028f70afd7",
+ "search_line": 28
 },
 {
 "queryName": "Beta - Activity Log Alert For Service Health Not Configured",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive2_2.tf"
+ "fileName": "positive2_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": 
"ServiceHealthActivityLogAlert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive2_3].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive2_3]' resource monitors 'ServiceHealth' events but does not include 'Incident' in its 'criteria.service_health.events' array",
+ "issueType": "MissingAttribute",
+ "similarityID": "b27ba8b52683b99d584529ac2aa76ff02ba06b957ccaf20891eac3a6d79b044c",
+ "search_line": 8
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive3/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive3/positive_expected_result.json
index 7f2aecf8f06..8313ac83183 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive3/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive3/positive_expected_result.json
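Review bot: The second and third entries of this hunk (positive2_2, positive2_3) pin `"issueType": "MissingAttribute"` for an actualValue that says the resource "does not include 'Incident' in its 'criteria.service_health.events' array", while the first entry pins `"issueType": "IncorrectValue"` for the identical message. Because these fixtures are snapshots of the query's own output, the inconsistency presumably originates in the query rather than in the generator, but committing it here turns the test oracle into something that enforces it. The aks_private_cluster_disabled fixture further down shows the same pattern (`MissingAttribute` for an attribute that "is set to false"). Worth confirming the intended issueType against the query before freezing the snapshot.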
@@ -3,12 +3,30 @@
 "queryName": "Beta - Activity Log Alert For Service Health Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive3_1.tf"
+ "fileName": "positive3_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "ServiceHealthActivityLogAlert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive3_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_1]' resource monitors 'ServiceHealth' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute",
+ "similarityID": "f43817f4f68a9f0c78caca06775aa49308179a0eeacb655887363567819bb518",
+ "search_line": 9
 },
 {
 "queryName": "Beta - Activity Log Alert For Service Health Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive3_2.tf"
+ "fileName": "positive3_2.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "ServiceHealthActivityLogAlert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive3_2].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive3_2]' resource monitors 'ServiceHealth' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute",
+ "similarityID": "124c1b4710721026e48d852902ccfc5fbe8101a67d745172120c493ffad61bde",
+ "search_line": 9
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive4/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive4/positive_expected_result.json
index 0063cec5071..5a82bf09d65 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive4/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive4/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Beta - Activity Log Alert For Service Health Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive4_1.tf"
+ "fileName": "positive4_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "ServiceHealthActivityLogAlert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive4_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_1]' resource monitors 'ServiceHealth' events but does not include 'Incident' in its 'criteria.service_health.events' array",
+ "issueType": "IncorrectValue",
+ "similarityID": "e5342f44065b2c4e2ad8f7283730c43683e72063534a970e1e56c549d2ad9ca8",
+ "search_line": 9
 },
 {
 "queryName": "Beta - Activity Log Alert For Service Health Not Configured",
 "severity": "MEDIUM",
 "line": 29,
- "fileName": "positive4_1.tf"
+ "fileName": "positive4_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "ServiceHealthActivityLogAlert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive4_2].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive4_2]' resource monitors 'ServiceHealth' events but does not include 'Incident' in its 'criteria.service_health.events' array",
+ "issueType": "IncorrectValue",
+ "similarityID": "7b51a1f756292b4c58d341566937bd75b815906c768bd88a4304e4b9c0b8e3b1",
+ "search_line": 29
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive5/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive5/positive_expected_result.json
index 55b26065a68..4587aa12ba9 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive5/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive5/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Beta - Activity Log Alert For Service Health Not Configured",
 "severity": "MEDIUM",
 "line": 9,
- "fileName": "positive5_1.tf"
+ "fileName": "positive5_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "ServiceHealthActivityLogAlert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive5_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription",
+ "actualValue": "The 'azurerm_monitor_activity_log_alert[positive5_1]' resource monitors 'ServiceHealth' events but is missing an 'action.action_group_id' field",
+ "issueType": "MissingAttribute",
+ "similarityID": "dd613fbcc4e598a7041819c24c86671cf9acecd186ff29c364921338ace4153f",
+ "search_line": 9
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive6/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive6/positive_expected_result.json
index 88278bcc16b..07139fadf46 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive6/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive6/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Beta - Activity Log Alert For Service Health Not Configured",
 "severity": "MEDIUM",
 "line": 3,
- "fileName": "positive6_1.tf"
+ "fileName": "positive6_1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "",
+ "searchKey": "azurerm_subscription[positive6]",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription",
+ "actualValue": "There is not a single 'azurerm_monitor_activity_log_alert' resource associated with the 'positive6' subscription",
+ "issueType": "MissingAttribute",
+ "similarityID": "2dc2e0dd57ee1409939954286fb090a54284a24c6b85341c118f5e0ef379eab3",
+ "search_line": 3
 }
 ]
diff --git a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive_expected_result.json b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive_expected_result.json
index 3947db2a18e..3ad845808ba 100644
--- a/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/activity_log_alert_for_service_health_not_configured/test/positive_expected_result.json
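Review bot: The positive6 entry pins `"resourceType": "azurerm_monitor_activity_log_alert"` together with an empty `"resourceName"`, yet its searchKey is `azurerm_subscription[positive6]` and the actualValue says no alert is associated with that subscription, so the resource actually flagged is the subscription and the recorded resourceType does not describe it. This is presumably inherited from the query output, but snapshotting it makes the test oracle assert the mismatch, and anything that groups or routes findings by resourceType would file this one against a resource that may not exist in positive6_1.tf. Either the query's resourceType for the "no alert at all" branch or this expectation should be corrected before the snapshot is relied on.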
@@ -3,12 +3,30 @@
 "queryName": "Beta - Activity Log Alert For Service Health Not Configured",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "ServiceHealthActivityLogAlert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive1_1].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription",
+ "actualValue": "None of the 'azurerm_monitor_activity_log_alert' resources monitor 'ServiceHealth' events",
+ "issueType": "IncorrectValue",
+ "similarityID": "e743812e90088e86801130f86970b939d81ccf94b36f4a40109156ee45e17df6",
+ "search_line": 8
 },
 {
 "queryName": "Beta - Activity Log Alert For Service Health Not Configured",
 "severity": "MEDIUM",
 "line": 28,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "azurerm_monitor_activity_log_alert",
+ "resourceName": "ServiceHealthActivityLogAlert",
+ "searchKey": "azurerm_monitor_activity_log_alert[positive1_2].criteria",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_monitor_activity_log_alert' resource that monitors 'ServiceHealth' events should be defined for each subscription",
+ "actualValue": "None of the 'azurerm_monitor_activity_log_alert' resources monitor 'ServiceHealth' events",
+ "issueType": "IncorrectValue",
+ "similarityID": "90f2ccd77a7292b0603db0d9d39f8bc1e1f7cd35c59cfb0b7161a555ca1fd545",
+ "search_line": 28
 }
 ]
diff --git a/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json b/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json
index 8ef8308aeee..148c4ae0fd3 100644
--- a/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "AD Admin Not Configured For SQL Server",
 "severity": "MEDIUM",
- "line": 6
+ "line": 6,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_sql_server",
+ "resourceName": "mysqlserver1",
+ "searchKey": "azurerm_sql_server[positive2]",
+ "searchValue": "",
+ "expectedValue": "A 'azurerm_sql_active_directory_administrator' should be defined for 'azurerm_sql_server[positive2]'",
+ "actualValue": "A 'azurerm_sql_active_directory_administrator' is not defined for 'azurerm_sql_server[positive2]'",
+ "issueType": "MissingAttribute",
+ "similarityID": "ced04c141d2e49976a06455f2a8970b6575da12bd2067cd0e9709b70ac6037bb",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json b/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json
index 2c7d9931142..99c3c92e311 100644
--- a/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/admin_user_enabled_for_container_registry/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "Admin User Enabled For Container Registry",
 "severity": "MEDIUM",
- "line": 11
+ "line": 11,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_container_registry",
+ "resourceName": "containerRegistry1",
+ "searchKey": "azurerm_container_registry[positive2].admin_enabled",
+ "searchValue": "",
+ "expectedValue": "'admin_enabled' equal 'false'",
+ "actualValue": "'admin_enabled' equal 'true'",
+ "issueType": "IncorrectValue",
+ "similarityID": "e8a2c3fe42c42441bb04c4882a8e9db173b8f5100678ed3e8aff3d59fbd4c38f",
+ "search_line": 11
 }
-]
\ No newline at end of file
+]
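Review bot: The ad_admin_not_configured_for_sql_server entry pins `"search_line": -1` while `"line": 6` is present, whereas every other fixture in this diff records a search_line equal to its line. A -1 here presumably means the query does not emit a searchLine for this result and the scanner fell back to a sentinel, which is worth confirming, since once snapshotted any later fix to the query's searchLine will break this test instead of being caught as an improvement. If -1 is the intended value, a short note in the query's metadata or test README explaining the sentinel would save the next reader the same question.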
diff --git a/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/test/positive_expected_result.json b/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/test/positive_expected_result.json
index 05ecb80f66a..eba5f1125e2 100644
--- a/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "AKS Disk Encryption Set ID Undefined",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive.tf"
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_kubernetes_cluster",
+ "resourceName": "example-aks1",
+ "searchKey": "azurerm_kubernetes_cluster[positive]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_kubernetes_cluster[positive].disk_encryption_set_id' should be defined and not null",
+ "actualValue": "'azurerm_kubernetes_cluster[positive].disk_encryption_set_id' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "c24366321a6de44ad5ceb085c37158287f1182406c3b3e133bf92e011a74de26",
+ "search_line": 1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/aks_network_policy_misconfigured/test/positive_expected_result.json b/assets/queries/terraform/azure/aks_network_policy_misconfigured/test/positive_expected_result.json
index 7006cce495b..03321e6b9ed 100644
--- a/assets/queries/terraform/azure/aks_network_policy_misconfigured/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/aks_network_policy_misconfigured/test/positive_expected_result.json
@@ -2,16 +2,46 @@
 {
 "queryName": "AKS Network Policy Misconfigured",
 "severity": "LOW",
- "line": 21
+ "line": 21,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_kubernetes_cluster",
+ "resourceName": "example-aks1",
+ "searchKey": "azurerm_kubernetes_cluster[positive1].network_profile",
+ "searchValue": "",
+ "expectedValue": "'azurerm_kubernetes_cluster[positive1].network_profile.network_policy' should be set to either 'azure' or 'calico'",
+ "actualValue": "'azurerm_kubernetes_cluster[positive1].network_profile.network_policy' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "513193251b07ce03fbdf70fd809867f3ecc1227023389b3403cb593e95fa5cb0",
+ "search_line": 21
 },
 {
 "queryName": "AKS Network Policy Misconfigured",
 "severity": "LOW",
- "line": 26
+ "line": 26,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_kubernetes_cluster",
+ "resourceName": "example-aks2",
+ "searchKey": "azurerm_kubernetes_cluster[positive2]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_kubernetes_cluster[positive2].network_profile' should be set",
+ "actualValue": "'azurerm_kubernetes_cluster[positive2].network_profile' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "4034343d4c8a5d5345bc0df49f3155f810345ded0317a7a86dec26926cdf5343",
+ "search_line": 26
 },
 {
 "queryName": "AKS Network Policy Misconfigured",
 "severity": "LOW",
- "line": 69
+ "line": 69,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_kubernetes_cluster",
+ "resourceName": "example-aks1",
+ "searchKey": "azurerm_kubernetes_cluster[positive3].network_profile.network_policy",
+ "searchValue": "",
+ "expectedValue": "'azurerm_kubernetes_cluster[positive3].network_profile.network_policy' should be either 'azure' or 'calico'",
+ "actualValue": "'azurerm_kubernetes_cluster[positive3].network_profile.network_policy' is roxanne",
+ "issueType": "IncorrectValue",
+ "similarityID": "4fbd3479cbcbb2a5527a67bb7dec13720fae9626a0806cf28ef8e9b6e5bf6451",
+ "search_line": 
69
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/aks_private_cluster_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/aks_private_cluster_disabled/test/positive_expected_result.json
index 96f56ad6e79..bde9d920b49 100644
--- a/assets/queries/terraform/azure/aks_private_cluster_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/aks_private_cluster_disabled/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "AKS Private Cluster Disabled",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "azurerm_kubernetes_cluster",
+ "resourceName": "example-aks1",
+ "searchKey": "azurerm_kubernetes_cluster[positive1].private_cluster_enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_kubernetes_cluster[positive1].private_cluster_enabled' should be set to true",
+ "actualValue": "'azurerm_kubernetes_cluster[positive1].private_cluster_enabled' is set to false",
+ "issueType": "MissingAttribute",
+ "similarityID": "8c2fb1980a84a5c5b6a42bfe95b095e75b7fa56aeb48f05240b10c11fbc6100d",
+ "search_line": 7
 },
 {
 "queryName": "AKS Private Cluster Disabled",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "azurerm_kubernetes_cluster",
+ "resourceName": "example-aks1",
+ "searchKey": "azurerm_kubernetes_cluster[positive2]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_kubernetes_cluster[positive2].private_cluster_enabled' should be defined and set to true",
+ "actualValue": "'azurerm_kubernetes_cluster[positive2].private_cluster_enabled' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "97b531a780e9b8ee6a5d5c307e38c4db66cfb312d6744a7174bf4b68d05f2e3f",
+ "search_line": 1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/aks_rbac_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/aks_rbac_disabled/test/positive_expected_result.json
index c846921fc48..b1ad1f0efc7 100644
--- a/assets/queries/terraform/azure/aks_rbac_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/aks_rbac_disabled/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "AKS RBAC Disabled",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive.tf"
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_kubernetes_cluster",
+ "resourceName": "example-aks1",
+ "searchKey": "azurerm_kubernetes_cluster[positive1].role_based_access_control_enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_kubernetes_cluster[positive1].role_based_access_control_enabled' should be set to true",
+ "actualValue": "'azurerm_kubernetes_cluster[positive1].role_based_access_control_enabled' is not set to true",
+ "issueType": "IncorrectValue",
+ "similarityID": "0d15309b68491031f4893783fc208eacad31a5bbc92778469ba2cacc50a8479e",
+ "search_line": 7
 },
 {
 "queryName": "AKS RBAC Disabled",
 "severity": "MEDIUM",
 "line": 35,
- "fileName": "positive.tf"
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_kubernetes_cluster",
+ "resourceName": "example-aks2",
+ "searchKey": "azurerm_kubernetes_cluster[positive2].role_based_access_control.enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_kubernetes_cluster[positive2].role_based_access_control.enabled' should be set to true",
+ "actualValue": "'azurerm_kubernetes_cluster[positive2].role_based_access_control.enabled' is not set to true",
+ "issueType": "IncorrectValue",
+ "similarityID": "3786cb02aca05062c5369ebc20ca4cbbda1a1404324fe6269fb142c11015a8f1",
+ "search_line": 35
 }
 ]
diff --git a/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/test/positive_expected_result.json
index b2c5b7e2db4..619dafa8990 100644
--- a/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled/test/positive_expected_result.json
@@ -3,24 +3,60 @@
 "queryName": "AKS Uses Azure Policies Add-On Disabled",
 "severity": "LOW",
 "line": 11,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "azurerm_kubernetes_cluster",
+ "resourceName": "positive1",
+ "searchKey": "azurerm_kubernetes_cluster[positive1].addon_profile.azure_policy.enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_kubernetes_cluster[positive1].addon_profile.azure_policy.enabled' should be set to true",
+ "actualValue": "'azurerm_kubernetes_cluster[positive1].addon_profile.azure_policy.enabled' is set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "87fedf234e19d5bc3d3a0f1cbe23d90d633d9f65843b4cdba89f9ba289291c96",
+ "search_line": 11
 },
 {
 "queryName": "AKS Uses Azure Policies Add-On Disabled",
 "severity": "LOW",
 "line": 7,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "azurerm_kubernetes_cluster",
+ "resourceName": "example-aks1",
+ "searchKey": "azurerm_kubernetes_cluster[positive2].azure_policy_enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_kubernetes_cluster[positive2].azure_policy_enabled' should be set to true",
+ "actualValue": "'azurerm_kubernetes_cluster[positive2].azure_policy_enabled' is set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "c56d0e8026b4f71e9411e50ba2dcd76bb951eea39631693b1c258c6c52fcf0dc",
+ "search_line": 7
 },
 {
 "queryName": "AKS Uses Azure Policies Add-On Disabled",
 "severity": "LOW",
 "line": 7,
- "fileName": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "azurerm_kubernetes_cluster",
+ "resourceName": "positive3",
+ "searchKey": "azurerm_kubernetes_cluster[positive3].addon_profile",
+ "searchValue": "",
+ "expectedValue": "'azurerm_kubernetes_cluster[positive3].addon_profile.azure_policy' should be defined and set to true",
+ "actualValue": "'azurerm_kubernetes_cluster[positive3].addon_profile.azure_policy' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": 
"c3857f77b7ee8bf90ca1fc549b9f38b08f8e782f704a4d117639e0f48d6c09ae",
+ "search_line": 7
 },
 {
 "queryName": "AKS Uses Azure Policies Add-On Disabled",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive4.tf"
+ "fileName": "positive4.tf",
+ "resourceType": "azurerm_kubernetes_cluster",
+ "resourceName": "example-aks1",
+ "searchKey": "azurerm_kubernetes_cluster[positive4]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_kubernetes_cluster[positive4]' should use Azure Policies",
+ "actualValue": "'azurerm_kubernetes_cluster[positive4]' does not use Azure Policies",
+ "issueType": "MissingAttribute",
+ "similarityID": "4c0bf4e0ed260aa972c2e18e10504e5e79c76996ab6b67bfaff5c80377959cbc",
+ "search_line": 1
 }
 ]
diff --git a/assets/queries/terraform/azure/aks_without_audit_logs/test/positive_expected_result.json b/assets/queries/terraform/azure/aks_without_audit_logs/test/positive_expected_result.json
index 2ff2155dcde..441241fa6ec 100644
--- a/assets/queries/terraform/azure/aks_without_audit_logs/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/aks_without_audit_logs/test/positive_expected_result.json
@@ -3,54 +3,135 @@
 "queryName": "Beta - AKS Without Audit Logs",
 "severity": "MEDIUM",
 "line": 14,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "azurerm_monitor_diagnostic_setting",
+ "resourceName": "myAKSClusterLogs",
+ "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_1].enabled_log.category",
+ "searchValue": "",
+ "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_1].enabled_log.category' should be defined to 'kube-audit' or 'kube-audit-admin'",
+ "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_1].enabled_log.category' is not defined to 'kube-audit' or 'kube-audit-admin'",
+ "issueType": "IncorrectValue",
+ "similarityID": "618762bfb4523b2ff45b6ff0559dd95438ab77b207780df9f6ecef69acae12ff",
+ "search_line": 14
 },
 {
 "queryName": "Beta - AKS Without Audit Logs",
 "severity": "MEDIUM",
 "line": 31,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "azurerm_monitor_diagnostic_setting",
+ "resourceName": "myAKSClusterLogs",
+ "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[0].category",
+ "searchValue": "",
+ "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[0].category' should be defined to 'kube-audit' or 'kube-audit-admin'",
+ "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[0].category' is not defined to 'kube-audit' or 'kube-audit-admin'",
+ "issueType": "IncorrectValue",
+ "similarityID": "7966bbb0de02def9f4ad32bc73e9415fe3a34390599db2c5bb02b273cf401b3b",
+ "search_line": 31
 },
 {
 "queryName": "Beta - AKS Without Audit Logs",
 "severity": "MEDIUM",
 "line": 35,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "azurerm_monitor_diagnostic_setting",
+ "resourceName": "myAKSClusterLogs",
+ "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[1].category",
+ 
"searchValue": "",
+ "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[1].category' should be defined to 'kube-audit' or 'kube-audit-admin'",
+ "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos1_2].enabled_log[1].category' is not defined to 'kube-audit' or 'kube-audit-admin'",
+ "issueType": "IncorrectValue",
+ "similarityID": "f0ea4f12cb89d009db13a92a2a1859156ca1e54e48eee120bdfa842248c56351",
+ "search_line": 35
 },
 {
 "queryName": "Beta - AKS Without Audit Logs",
 "severity": "MEDIUM",
 "line": 15,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "azurerm_monitor_diagnostic_setting",
+ "resourceName": "myAKSClusterLogs",
+ "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_1].log.category",
+ "searchValue": "",
+ "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_1].log.category' should be defined to 'kube-audit' or 'kube-audit-admin' and 'enabled' field set to 'true'",
+ "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_1].log.category' is not defined to 'kube-audit' or 'kube-audit-admin'",
+ "issueType": "IncorrectValue",
+ "similarityID": "b649a870c82bbeb846044e176bd83f2ea1bd67677f396793fb5de667373f47c9",
+ "search_line": 15
 },
 {
 "queryName": "Beta - AKS Without Audit Logs",
 "severity": "MEDIUM",
 "line": 33,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "azurerm_monitor_diagnostic_setting",
+ "resourceName": "myAKSClusterLogs",
+ "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[0].category",
+ "searchValue": "",
+ "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[0].category' should be defined to 'kube-audit' or 'kube-audit-admin' and 'enabled' field set to 'true'",
+ "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[0].category' is not defined to 'kube-audit' or 'kube-audit-admin'",
+ 
"issueType": "IncorrectValue",
+ "similarityID": "e831158cb273faf014b41e3fb49f01878e3414228516d3be83d4466b44984c51",
+ "search_line": 33
 },
 {
 "queryName": "Beta - AKS Without Audit Logs",
 "severity": "MEDIUM",
 "line": 38,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "azurerm_monitor_diagnostic_setting",
+ "resourceName": "myAKSClusterLogs",
+ "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[1].category",
+ "searchValue": "",
+ "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[1].category' should be defined to 'kube-audit' or 'kube-audit-admin' and 'enabled' field set to 'true'",
+ "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos2_2].log[1].category' is not defined to 'kube-audit' or 'kube-audit-admin'",
+ "issueType": "IncorrectValue",
+ "similarityID": "49328c52855c9bf2408a3414c78286fa7761340f4fc78fb057f06a48489011f6",
+ "search_line": 38
 },
 {
 "queryName": "Beta - AKS Without Audit Logs",
 "severity": "MEDIUM",
 "line": 16,
- "fileName": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "azurerm_monitor_diagnostic_setting",
+ "resourceName": "myAKSClusterLogs",
+ "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_1].log.enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_1]' should enable audit logging through a 'azurerm_monitor_diagnostic_setting'",
+ "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_1]' has the 'enabled' field set to 'false' instead of 'true'",
+ "issueType": "IncorrectValue",
+ "similarityID": "5d910b8d0cb42c5f3ded9c6fd5b35412d34939d41d0c5de5133652a67e39d557",
+ "search_line": 16
 },
 {
 "queryName": "Beta - AKS Without Audit Logs",
 "severity": "MEDIUM",
 "line": 34,
- "fileName": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "azurerm_monitor_diagnostic_setting",
+ "resourceName": "myAKSClusterLogs",
+ 
"searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2].log[0].enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2]' should enable audit logging through a 'azurerm_monitor_diagnostic_setting'",
+ "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2]' has the 'enabled' field set to 'false' instead of 'true'",
+ "issueType": "IncorrectValue",
+ "similarityID": "88a79c7f817eae348b93700966eff3361b7e9e0fab4678a01016112bbc747a5a",
+ "search_line": 34
 },
 {
 "queryName": "Beta - AKS Without Audit Logs",
 "severity": "MEDIUM",
 "line": 39,
- "fileName": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "azurerm_monitor_diagnostic_setting",
+ "resourceName": "myAKSClusterLogs",
+ "searchKey": "azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2].log[1].enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2]' should enable audit logging through a 'azurerm_monitor_diagnostic_setting'",
+ "actualValue": "'azurerm_monitor_diagnostic_setting[aks_diagnostics_pos3_2]' has the 'enabled' field set to 'false' instead of 'true'",
+ "issueType": "IncorrectValue",
+ "similarityID": "fc618355e5cdd19e473e6a1e596ef1a45f04c8da092071528aefa2d7f83f1cb7",
+ "search_line": 39
 }
 ]
diff --git a/assets/queries/terraform/azure/app_service_authentication_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_authentication_disabled/test/positive_expected_result.json
index d85adf37378..5a13fbb1621 100644
--- a/assets/queries/terraform/azure/app_service_authentication_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/app_service_authentication_disabled/test/positive_expected_result.json
@@ -3,84 +3,210 @@ "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1].auth_settings' should be defined", + "actualValue": "'azurerm_app_service[positive1].auth_settings' is not defined", + "issueType": "MissingAttribute", + "similarityID": "fd93efa7e026874a7df294f6511e363af0d7d99ce28350b2a5630185a317e082", + "search_line": 1 }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", "line": 17, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "'azurerm_app_service[positive2].auth_settings.enabled'", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive2].auth_settings.enabled' should be defined to 'true'", + "actualValue": "'azurerm_app_service[positive2].auth_settings.enabled' is defined to 'false'", + "issueType": "IncorrectValue", + "similarityID": "b732c9bfdbb10eee95f53ee4153f2bacdecb95e8fce17923347348edef9ccf83", + "search_line": 17 }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive3]", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive3].auth_settings' or 'azurerm_linux_web_app[positive3].auth_settings_v2' should be defined", + "actualValue": "'azurerm_linux_web_app[positive3].auth_settings' and 'azurerm_linux_web_app[positive3].auth_settings_v2' are not defined", + "issueType": "MissingAttribute", + "similarityID": 
"bfa3337e80f683a3630e04b0ea23cedfd7d1882a827b1ab3b39796b656000f08", + "search_line": 1 }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "'azurerm_linux_web_app[positive4].auth_settings.enabled'", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive4].auth_settings.enabled' should be defined to 'true'", + "actualValue": "'azurerm_linux_web_app[positive4].auth_settings.enabled' is defined to 'false'", + "issueType": "IncorrectValue", + "similarityID": "9c3566b32de28602524975210b5c5ea6c651941cc3a46f300435d1808ab56121", + "search_line": 7 }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive5].auth_settings_v2", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive5].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", + "actualValue": "'azurerm_linux_web_app[positive5].auth_settings_v2.auth_enabled' is not defined", + "issueType": "MissingAttribute", + "similarityID": "cfceae66d687d0a2feb983efe774dea912e88ddaad9a2b0b9118f3fa70ea6cd0", + "search_line": 6 }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive6].auth_settings_v2.auth_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive6].auth_settings_v2.auth_enabled' should be defined to 'true'", + "actualValue": "'azurerm_linux_web_app[positive6].auth_settings_v2.auth_enabled' is defined 
to 'false'", + "issueType": "IncorrectValue", + "similarityID": "394e3d08efb02b981da040aaa3850d41854a9dc470b69f5b831a9543dd76b2b9", + "search_line": 8 }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive7.tf" + "fileName": "positive7.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive7]", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive7].auth_settings' or 'azurerm_windows_web_app[positive7].auth_settings_v2' should be defined", + "actualValue": "'azurerm_windows_web_app[positive7].auth_settings' and 'azurerm_windows_web_app[positive7].auth_settings_v2' are not defined", + "issueType": "MissingAttribute", + "similarityID": "4fa88a3e008967940a3113e89d0d8441b2dbd8407c6bde3903f9141e758318d3", + "search_line": 1 }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", "line": 7, - "fileName": "positive8.tf" + "fileName": "positive8.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "'azurerm_windows_web_app[positive8].auth_settings.enabled'", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive8].auth_settings.enabled' should be defined to 'true'", + "actualValue": "'azurerm_windows_web_app[positive8].auth_settings.enabled' is defined to 'false'", + "issueType": "IncorrectValue", + "similarityID": "437ed174b35bfbd0e49042bf86f8abb9e0afbab6017caa01da8f14d40ffc60a6", + "search_line": 7 }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive9.tf" + "fileName": "positive9.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive9].auth_settings_v2", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive9].auth_settings_v2.auth_enabled' should be 
defined (default value is 'false')", + "actualValue": "'azurerm_windows_web_app[positive9].auth_settings_v2.auth_enabled' is not defined", + "issueType": "MissingAttribute", + "similarityID": "50e56546f00d4b024cb58e9c6bb982ce3d17a81a32b3a77a70c2f869c6b26923", + "search_line": 6 }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive10.tf" + "fileName": "positive10.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive10].auth_settings_v2.auth_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive10].auth_settings_v2.auth_enabled' should be defined to 'true'", + "actualValue": "'azurerm_windows_web_app[positive10].auth_settings_v2.auth_enabled' is defined to 'false'", + "issueType": "IncorrectValue", + "similarityID": "a162cb277b5a27992fb074c72474eee331e5f9bdec724249c0a95dfe6b7bbf62", + "search_line": 8 }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive11.tf" + "fileName": "positive11.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive11].auth_settings_v2", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive11].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", + "actualValue": "'azurerm_windows_web_app[positive11].auth_settings_v2.auth_enabled' is not defined", + "issueType": "MissingAttribute", + "similarityID": "55ae36d9303bb060e00ad82b623251addc575b6c8ce6e55a09d864f542400133", + "search_line": 9 }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", "line": 11, - "fileName": "positive12.tf" + "fileName": "positive12.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": 
"azurerm_windows_web_app[positive12].auth_settings_v2.auth_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive12].auth_settings_v2.auth_enabled' should be defined to 'true'", + "actualValue": "'azurerm_windows_web_app[positive12].auth_settings_v2.auth_enabled' is defined to 'false'", + "issueType": "IncorrectValue", + "similarityID": "d7c8e308f8f241cea9c6723234d1b87e6c9be813bbf18e7b4a5fca826cba622b", + "search_line": 11 }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive13.tf" + "fileName": "positive13.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive13].auth_settings_v2", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive13].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", + "actualValue": "'azurerm_linux_web_app[positive13].auth_settings_v2.auth_enabled' is not defined", + "issueType": "MissingAttribute", + "similarityID": "33edbade451100dfccd84b0b10dc9be05ca01e90fa77304303fcec377ff428ce", + "search_line": 9 }, { "queryName": "App Service Authentication Disabled", "severity": "MEDIUM", "line": 11, - "fileName": "positive14.tf" + "fileName": "positive14.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive14].auth_settings_v2.auth_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive14].auth_settings_v2.auth_enabled' should be defined to 'true'", + "actualValue": "'azurerm_linux_web_app[positive14].auth_settings_v2.auth_enabled' is defined to 'false'", + "issueType": "IncorrectValue", + "similarityID": "89d65ccd8b4140fbabdb6048de4af383693df8b5d5c9a8156a262079f445a50a", + "search_line": 11 } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/azure/app_service_ftps_enforce_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_ftps_enforce_disabled/test/positive_expected_result.json index b0b891fa9e1..3a9922797fd 100644 --- a/assets/queries/terraform/azure/app_service_ftps_enforce_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_ftps_enforce_disabled/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "App Service FTPS Enforce Disabled", "severity": "MEDIUM", "line": 10, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1].site_config.ftps_state", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1].site_config.ftps_state' should not be set to 'AllAllowed'", + "actualValue": "'azurerm_app_service[positive1].site_config.ftps_state' is set to 'AllAllowed'", + "issueType": "IncorrectValue", + "similarityID": "9507d8895311e7f1095b635b94679a666b53f5593aae3c002ae65a0902769139", + "search_line": 10 }, { "queryName": "App Service FTPS Enforce Disabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "positive2", + "searchKey": "azurerm_linux_web_app[positive2].site_config.ftps_state", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive2].site_config.ftps_state' should not be set to 'AllAllowed'", + "actualValue": "'azurerm_linux_web_app[positive2].site_config.ftps_state' is set to 'AllAllowed'", + "issueType": "IncorrectValue", + "similarityID": "57d562c4d1248f639afb968b47dcea4d6593d36c532e4c28eb27c4606f6b1ae3", + "search_line": 8 }, { "queryName": "App Service FTPS Enforce Disabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "positive3", + "searchKey": "azurerm_windows_web_app[positive3].site_config.ftps_state", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive3].site_config.ftps_state' should not be set to 'AllAllowed'", + "actualValue": "'azurerm_windows_web_app[positive3].site_config.ftps_state' is set to 'AllAllowed'", + "issueType": "IncorrectValue", + "similarityID": 
"3a1fc2446b7ea476b1f7bbf55661d6078c4cbb8dd63bd8bf6fd73c210e5cba7b", + "search_line": 8 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/app_service_http2_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_http2_disabled/test/positive_expected_result.json index bd6cfd298dd..e2e7346b7ec 100644 --- a/assets/queries/terraform/azure/app_service_http2_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_http2_disabled/test/positive_expected_result.json 
@@ -3,54 +3,135 @@ "queryName": "App Service HTTP2 Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1].site_config' should be defined and not null", + "actualValue": "'azurerm_app_service[positive1].site_config' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "efb92953fd86102d4ec0188109d338a169a6b75e08c56fd510f862bae5af6a85", + "search_line": 1 }, { "queryName": "App Service HTTP2 Disabled", "severity": "MEDIUM", "line": 17, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive2].site_config", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive2].site_config.http2_enabled' should be defined and not null", + "actualValue": "'azurerm_app_service[positive2].site_config.http2_enabled' is undefined or null", + "issueType": "IncorrectValue", + "similarityID": "caef99ffa858dfff72a11ce1e020ad2386f3118e603486c0835fdd15603e45fc", + "search_line": 17 }, { "queryName": "App Service HTTP2 Disabled", "severity": "MEDIUM", "line": 21, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive3].site_config.http2_enabled", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive3].site_config.http2_enabled' should be set to true", + "actualValue": "'azurerm_app_service[positive3].site_config.http2_enabled' is set to false", + "issueType": "IncorrectValue", + "similarityID": "648dd02b62ee06dce7426f21e76c93bf2c3a6d41848c1b93b277758a7755d42b", + "search_line": 21 }, { "queryName": "App Service HTTP2 Disabled", 
"severity": "MEDIUM", "line": 7, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive4].site_config", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive4].site_config.http2_enabled' should be defined and not null", + "actualValue": "'azurerm_linux_web_app[positive4].site_config.http2_enabled' is undefined or null", + "issueType": "IncorrectValue", + "similarityID": "d07ef2cd105fb4dbac562165767ce2f991c055e22da80948be60723c0aac9214", + "search_line": 7 }, { "queryName": "App Service HTTP2 Disabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive5].site_config.http2_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive5].site_config.http2_enabled' should be set to true", + "actualValue": "'azurerm_linux_web_app[positive5].site_config.http2_enabled' is set to false", + "issueType": "IncorrectValue", + "similarityID": "5f790b6cd4d288db6d71311bf5dd900ac67193ae5af757eeb073cfb1e1449f15", + "search_line": 8 }, { "queryName": "App Service HTTP2 Disabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive6].site_config.http2_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive6].site_config.http2_enabled' should be set to true", + "actualValue": "'azurerm_windows_web_app[positive6].site_config.http2_enabled' is set to false", + "issueType": "IncorrectValue", + "similarityID": "e9d23b4e9fd94c3e355860f6866851cfedfb53250d10c273fa2aa24f95173264", + "search_line": 8 }, { "queryName": "App Service HTTP2 Disabled", 
"severity": "MEDIUM", "line": 7, - "fileName": "positive7.tf" + "fileName": "positive7.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive7].site_config", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive7].site_config.http2_enabled' should be defined and not null", + "actualValue": "'azurerm_windows_web_app[positive7].site_config.http2_enabled' is undefined or null", + "issueType": "IncorrectValue", + "similarityID": "c7adedbdcf2a747ef3273d01849a3ef23acd2c9a596779fee4b35e905faf874b", + "search_line": 7 }, { "queryName": "App Service HTTP2 Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive8.tf" + "fileName": "positive8.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive8]", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive8].site_config' should be defined and not null", + "actualValue": "'azurerm_linux_web_app[positive8].site_config' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "a88b2749d3f97cd28e5bd09c42357415f49b66a9010630537a685044e1dd5f35", + "search_line": 1 }, { "queryName": "App Service HTTP2 Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive9.tf" + "fileName": "positive9.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive9]", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive9].site_config' should be defined and not null", + "actualValue": "'azurerm_windows_web_app[positive9].site_config' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "8d98b0f0672e899c1b52cb917d26b08b26d2137e4eb95733b531fb04f9ac0051", + "search_line": 1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/azure/app_service_managed_identity_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_managed_identity_disabled/test/positive_expected_result.json index b37828fec54..09cddd17fab 100644 --- a/assets/queries/terraform/azure/app_service_managed_identity_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_managed_identity_disabled/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "App Service Managed Identity Disabled", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1-1]", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1-1].identity' should be defined and not null", + "actualValue": "'azurerm_app_service[positive1-1].identity' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "dbb532f044526bcb5ac1e4a0cf1b6af0bd9598e7a021602f4d09f2df8d191d58", + "search_line": 1 }, { "queryName": "App Service Managed Identity Disabled", "severity": "LOW", "line": 8, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive1-2]", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive1-2].identity' should be defined and not null", + "actualValue": "'azurerm_linux_web_app[positive1-2].identity' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "71ff87c44214a9ab81484f4f203e4c0642d288a745cd66aa35b83400fdd4bade", + "search_line": 8 }, { "queryName": "App Service Managed Identity Disabled", "severity": "LOW", "line": 15, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive1-3]", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive1-3].identity' should be defined and not null", + "actualValue": "'azurerm_windows_web_app[positive1-3].identity' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "4c5d4aecff82d8cad028fec3ffd6aee23f6a90316eb698f38eba4509d66e7978", + "search_line": 15 } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/test/positive_expected_result.json index 94a103e1fcd..d05b355ce99 100644 --- a/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version/test/positive_expected_result.json 
@@ -3,60 +3,150 @@ "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 10, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1-1].site_config.min_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1-1].site_config.min_tls_version' should be set to '1.2'", + "actualValue": "'azurerm_app_service[positive1-1].site_config.min_tls_version' is not set to '1.2'", + "issueType": "IncorrectValue", + "similarityID": "caa3673110f3638be704f994c9150d9840bdad8b813801ec3b585a04b2bf4914", + "search_line": 10 }, { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 23, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1-2].site_config.min_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1-2].site_config.min_tls_version' should be set to '1.2'", + "actualValue": "'azurerm_app_service[positive1-2].site_config.min_tls_version' is not set to '1.2'", + "issueType": "IncorrectValue", + "similarityID": "33084f109e19874acf7e346c1eeda1d7ceb9ca134e3ce1bb972d6777ac1bf55b", + "search_line": 23 }, { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 10, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive2-1].site_config.minimum_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive2-1].site_config.minimum_tls_version' should be set to '1.3'", + "actualValue": "'azurerm_linux_web_app[positive2-1].site_config.minimum_tls_version' is not set to '1.3'", + 
"issueType": "IncorrectValue", + "similarityID": "16e3b317e78aa86aa538c0b73514b454b4d8500c9e1d0f588f23bbd47a80d7a5", + "search_line": 10 }, { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 20, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive2-2].site_config", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive2-2].site_config.minimum_tls_version' should be defined and set to '1.3'", + "actualValue": "'azurerm_linux_web_app[positive2-2].site_config.minimum_tls_version' is not defined", + "issueType": "MissingAttribute", + "similarityID": "3c5b6ba1fe01536011d69d0fc64c7ffd07e3cf573abe1f96dcda15cf26a0e605", + "search_line": 20 }, { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 26, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive2-3]", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive2-3].site_config.minimum_tls_version' should be defined and set to '1.3'", + "actualValue": "'azurerm_linux_web_app[positive2-3].site_config' is not defined", + "issueType": "MissingAttribute", + "similarityID": "21dbef8233e5640406fff829e7831fb3e1ed6b35456f6ae9811bee5e5d6ece21", + "search_line": 26 }, { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 43, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive2-4].site_config.minimum_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive2-4].site_config.minimum_tls_version' should be set to '1.3'", + 
"actualValue": "'azurerm_linux_web_app[positive2-4].site_config.minimum_tls_version' is not set to '1.3'", + "issueType": "IncorrectValue", + "similarityID": "0dc1387d45cd3c41fa19d582201fbbf1c67c8d5a1d5f3ec4ae09da8869321b82", + "search_line": 43 }, { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 10, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive3-1].site_config.minimum_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive3-1].site_config.minimum_tls_version' should be set to '1.3'", + "actualValue": "'azurerm_windows_web_app[positive3-1].site_config.minimum_tls_version' is not set to '1.3'", + "issueType": "IncorrectValue", + "similarityID": "22fbc5b91904d4a92648a8f545b987948a0b142ae17b4f43936d041f2f778a68", + "search_line": 10 }, { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 20, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive3-2].site_config", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive3-2].site_config.minimum_tls_version' should be defined and set to '1.3'", + "actualValue": "'azurerm_windows_web_app[positive3-2].site_config.minimum_tls_version' is not defined", + "issueType": "MissingAttribute", + "similarityID": "9e35f62c725f37c91e4eafa57a4df27fdf1c6fba208e00a533f26e78de8d648a", + "search_line": 20 }, { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 26, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive3-3]", + 
"searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive3-3].site_config.minimum_tls_version' should be defined and set to '1.3'", + "actualValue": "'azurerm_windows_web_app[positive3-3].site_config' is not defined", + "issueType": "MissingAttribute", + "similarityID": "0d0f29ae0eeb7cbd6013d3f69f367faa845054c3bc2003075d4db6018f56ef5b", + "search_line": 26 }, { "queryName": "App Service Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 43, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive3-4].site_config.minimum_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive3-4].site_config.minimum_tls_version' should be set to '1.3'", + "actualValue": "'azurerm_windows_web_app[positive3-4].site_config.minimum_tls_version' is not set to '1.3'", + "issueType": "IncorrectValue", + "similarityID": "d01bec002b77fb88962c0c265da5449fa7d119f79f267a44b3f493fb791e0955", + "search_line": 43 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/test/positive_expected_result.json index af3369be556..1d78565327f 100644 --- a/assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_slot_managed_identity_disabled/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "Beta - App Service Slot Managed Identity Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_app_service_slot", + "resourceName": "${random_id.server.hex}", + "searchKey": "azurerm_app_service_slot[positive1]", + "searchValue": "", + "expectedValue": "'type' field should have the values 'SystemAssigned' or 'UserAssigned' defined inside the 'identity' block", + "actualValue": "'identity' block is not defined", + "issueType": "MissingAttribute", + "similarityID": "be605b9c6ceaf7209be6a5c137ee698693cb929732f6cd0e216123c39ef64cfe", + "search_line": 1 }, { "queryName": "Beta - App Service Slot Managed Identity Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_web_app_slot", + "resourceName": "example-slot", + "searchKey": "azurerm_linux_web_app_slot[positive2]", + "searchValue": "", + "expectedValue": "'type' field should have the values 'SystemAssigned' or 'UserAssigned' defined inside the 'identity' block", + "actualValue": "'identity' block is not defined", + "issueType": "MissingAttribute", + "similarityID": "4fc1453ad480ecfc4aca7f94bff5f58cfec65e05989f37fb9c71ecb2450aad29", + "search_line": 1 }, { "queryName": "Beta - App Service Slot Managed Identity Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_windows_web_app_slot", + "resourceName": "example-slot", + "searchKey": "azurerm_windows_web_app_slot[positive3]", + "searchValue": "", + "expectedValue": "'type' field should have the values 'SystemAssigned' or 'UserAssigned' defined inside the 'identity' block", + "actualValue": "'identity' block is not defined", + "issueType": "MissingAttribute", + "similarityID": "c9f62cbb28f0c5b637dcb390268b960179c31372d0143c3f382a96cb2ea8e461", + "search_line": 1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/azure/app_service_without_latest_php_version/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_without_latest_php_version/test/positive_expected_result.json index bbc8ad57827..37a1baca5af 100644 --- a/assets/queries/terraform/azure/app_service_without_latest_php_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_without_latest_php_version/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "App Service Without Latest PHP Version", "severity": "LOW", "line": 11, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example4-app-service", + "searchKey": "azurerm_app_service[example4].site_config.php_version", + "searchValue": "", + "expectedValue": "for the attribute 'php_version' should be the latest avaliable stable version (8.1)", + "actualValue": "'php_version' is not the latest avaliable stable version (8.1)", + "issueType": "IncorrectValue", + "similarityID": "d9e5c6407aed9a8fd7ded9e306939cde70a51570f505a02e38501378bf5051f0", + "search_line": 11 }, { "queryName": "App Service Without Latest PHP Version", "severity": "LOW", "line": 25, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example5", + "searchKey": "azurerm_windows_web_app[example5].site_config.application_stack.php_version", + "searchValue": "", + "expectedValue": "for the attribute 'php_version' should be the latest avaliable stable version (8.1)", + "actualValue": "'php_version' is not the latest avaliable stable version (8.1)", + "issueType": "IncorrectValue", + "similarityID": "ca81496de452e61c0e0f75571b7551df72212d3dce9cf6fbb95e57b8d927b2f6", + "search_line": 25 }, { "queryName": "App Service Without Latest PHP Version", "severity": "LOW", "line": 26, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example6", + "searchKey": "azurerm_linux_web_app[example6].site_config.application_stack.php_version", + "searchValue": "", + "expectedValue": "for the attribute 'php_version' should be the latest avaliable stable version (8.1)", + "actualValue": "'php_version' is not the latest avaliable stable version (8.1)", + "issueType": "IncorrectValue", + "similarityID": "f7979369e7b38df23b43154cb9eaf1455b8fe9cd9435dd14e18b589fa2623238", + "search_line": 26 
} ] diff --git a/assets/queries/terraform/azure/app_service_without_latest_python_version/test/positive_expected_result.json b/assets/queries/terraform/azure/app_service_without_latest_python_version/test/positive_expected_result.json index 1f732fee823..e7d0a6a8a33 100644 --- a/assets/queries/terraform/azure/app_service_without_latest_python_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/app_service_without_latest_python_version/test/positive_expected_result.json 
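Review bot: All three new entries carry the typo "avaliable" in both `expectedValue` and `actualValue` ("should be the latest avaliable stable version (8.1)"), and regenerating the fixture now pins that misspelling as the expected output. The text originates in the query's message strings rather than in this file, so the fix is to correct the spelling to "available" in the query and re-run the generator before committing the snapshot. The message also hard-codes "(8.1)" as the latest stable PHP version; if the query is meant to track the current release this value presumably needs to move with it, which cannot be confirmed from the fixture alone.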
@@ -3,18 +3,45 @@ "queryName": "App Service Without Latest Python Version", "severity": "LOW", "line": 11, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example4-app-service", + "searchKey": "azurerm_app_service[example4].site_config.python_version", + "searchValue": "", + "expectedValue": "attribute 'python_version' should be the latest avaliable stable version (3.10)", + "actualValue": "'python_version' is not the latest avaliable stable version (3.10)", + "issueType": "IncorrectValue", + "similarityID": "9619487608a0b984b6fdfff8bcc27f93011f4f6f8db3f742164f88e372a65465", + "search_line": 11 }, { "queryName": "App Service Without Latest Python Version", "severity": "LOW", "line": 25, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example5", + "searchKey": "azurerm_windows_web_app[example5].site_config.application_stack.python_version", + "searchValue": "", + "expectedValue": "attribute 'python_version' should be the latest avaliable stable version (3.10)", + "actualValue": "'python_version' is not the latest avaliable stable version (3.10)", + "issueType": "IncorrectValue", + "similarityID": "02aeb20721f8d20db0dd3093fa7e0956eebbd14fce3f239e634cf5291ca701d5", + "search_line": 25 }, { "queryName": "App Service Without Latest Python Version", "severity": "LOW", "line": 26, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example6", + "searchKey": "azurerm_linux_web_app[example6].site_config.application_stack.python_version", + "searchValue": "", + "expectedValue": "attribute 'python_version' should be the latest avaliable stable version (3.10)", + "actualValue": "'python_version' is not the latest avaliable stable version (3.10)", + "issueType": "IncorrectValue", + "similarityID": "e6d055dab4ca8619800f4aa00cb5ef1488cae14284bd33bcee84cf94aefd77e5", + 
"search_line": 26 } ] diff --git a/assets/queries/terraform/azure/azure_active_directory_authentication/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_active_directory_authentication/test/positive_expected_result.json index 91d2eee41fa..69aabaa4b77 100644 --- a/assets/queries/terraform/azure/azure_active_directory_authentication/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_active_directory_authentication/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "Azure Active Directory Authentication", "severity": "LOW", "line": 19, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_service_fabric_cluster", + "resourceName": "positive1", + "searchKey": "azurerm_service_fabric_cluster[positive1].azure_active_directory", + "searchValue": "", + "expectedValue": "'azurerm_service_fabric_cluster[positive1].azure_active_directory.tenant_id' should be defined and not null", + "actualValue": "'azurerm_service_fabric_cluster[positive1].azure_active_directory.tenant_id' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "bcde9f7f274ae9a3d0920ec05d374376c230571bf0191c998ef343af2b5cfad7", + "search_line": 19 }, { "queryName": "Azure Active Directory Authentication", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_service_fabric_cluster", + "resourceName": "example-servicefabric", + "searchKey": "azurerm_service_fabric_cluster[positive2]", + "searchValue": "", + "expectedValue": "'azurerm_service_fabric_cluster[positive2].azure_active_directory' should be defined and not null", + "actualValue": "'azurerm_service_fabric_cluster[positive2].azure_active_directory' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "b86a7042457bdbf02da458989b5e6c4bf0299cbc7e1ce0255eb26010c85c65f9", + "search_line": 1 } ] 
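Review bot: The Python-version entries repeat the "avaliable" misspelling in `expectedValue` and `actualValue` ("should be the latest avaliable stable version (3.10)"), so this regenerated fixture locks in a message typo. The wording comes from the query, not from this file; correct it to "available" there and regenerate the expected result. As with the PHP query, the pinned "(3.10)" is a hard-coded notion of "latest stable" that presumably has to be revisited when the query's target version changes.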
diff --git a/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/positive_expected_result.json index 51f53fa12ff..e57526a67a8 100644 --- a/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled/test/positive_expected_result.json 
@@ -3,84 +3,210 @@ "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1-1]", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1-1].client_cert_enabled' should be defined and set to true", + "actualValue": "'azurerm_app_service[positive1-1].client_cert_enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "91e715e8d5607c02b87b75043def31424304af4fac597144d83cd2b2119f7940", + "search_line": 1 }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", "line": 14, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1-2].client_cert_enabled", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1-2].client_cert_enabled' should be set to true", + "actualValue": "'azurerm_app_service[positive1-2].client_cert_enabled' is set to false", + "issueType": "IncorrectValue", + "similarityID": "ee18aca9811f7f6b3024b7fb014cde77650094f4987b81113c2f583b06d8c5e0", + "search_line": 14 }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", "line": 27, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1-3].client_cert_enabled", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1-3].client_cert_enabled' or 'azurerm_app_service[positive1-3].site_config.http2_enabled' is true", + "actualValue": "'azurerm_app_service[positive1-3].client_cert_enabled' and 'azurerm_app_service[positive1-3].site_config.http2_enabled' are set to false", + "issueType": 
"IncorrectValue", + "similarityID": "10bcb095fb492cf5026a63490ccd15091c90abc5e27422499aac5d89727dcd25", + "search_line": 27 }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", "line": 30, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1-4]", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1-4].client_cert_enabled' should be defined and set to true", + "actualValue": "'azurerm_app_service[positive1-4].client_cert_enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "8fa34683c97fbe0a3730d7bc800af6e3a02b185dc4712e78b4bf2c217b62d4dc", + "search_line": 30 }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", "line": 41, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1-5]", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1-5].client_cert_enabled' should be defined and set to true", + "actualValue": "'azurerm_app_service[positive1-5].client_cert_enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "79d1b175528c5ba51fb361b05d502c109a8462c4d18c80dd841546bf4d315223", + "search_line": 41 }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", "line": 58, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "example-app-service", + "searchKey": "azurerm_app_service[positive1-6].client_cert_enabled", + "searchValue": "", + "expectedValue": "'azurerm_app_service[positive1-6].client_cert_enabled' should be set to true", + "actualValue": "'azurerm_app_service[positive1-6].client_cert_enabled' is set to false", + "issueType": "IncorrectValue", + 
"similarityID": "bcd6b4194c1aecc20ce219a9bd1a710dea2819f00a9db86e00a5f9cc5e8037dd", + "search_line": 58 }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive2-1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive2-1].client_certificate_enabled' should be defined and set to true", + "actualValue": "'azurerm_linux_web_app[positive2-1].client_cert_enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "698c97c13b4b4bfe6b43f62d9f9dbd0f94d90a39e497655fd84931273dc84a0d", + "search_line": 1 }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", "line": 17, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive2-2].client_certificate_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive2-2].client_certificate_enabled' should be set to true", + "actualValue": "'azurerm_linux_web_app[positive2-2].client_certificate_enabled' is set to false", + "issueType": "IncorrectValue", + "similarityID": "553acca02ed182c8beede4a367f59e261226b0b61f6cd62f89dfb1582c81c8b3", + "search_line": 17 }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", "line": 30, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive2-3].client_certificate_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive2-3].client_certificate_enabled' or 'azurerm_linux_web_app[positive2-3].site_config.http2_enabled' is true", + "actualValue": 
"'azurerm_linux_web_app[positive2-3].client_certificate_enabled' and 'azurerm_linux_web_app[positive2-3].site_config.http2_enabled' are set to false", + "issueType": "IncorrectValue", + "similarityID": "2cf451226e2c2d9ecf572ef72285641ba401ee453856041964cade7bff5722ab", + "search_line": 30 }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", "line": 33, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_web_app[positive2-4]", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[positive2-4].client_certificate_enabled' should be defined and set to true", + "actualValue": "'azurerm_linux_web_app[positive2-4].client_cert_enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "00a31f740aa1f49b00cc8661b17d60209301e786742816fa7cfdc4a841fc5864", + "search_line": 33 }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive3-1]", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive3-1].client_certificate_enabled' should be defined and set to true", + "actualValue": "'azurerm_windows_web_app[positive3-1].client_cert_enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "4e0b9a8ce1eb71a1c81a8a02ef07882623770baa059fd0d984645ae57e6970bc", + "search_line": 1 }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", "line": 17, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive3-2].client_certificate_enabled", + "searchValue": "", + 
"expectedValue": "'azurerm_windows_web_app[positive3-2].client_certificate_enabled' should be set to true", + "actualValue": "'azurerm_windows_web_app[positive3-2].client_certificate_enabled' is set to false", + "issueType": "IncorrectValue", + "similarityID": "a19090c5175edb39d4aa4f6ac970ea74097346645295eb318f2b55ad901a934c", + "search_line": 17 }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", "line": 30, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive3-3].client_certificate_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive3-3].client_certificate_enabled' or 'azurerm_windows_web_app[positive3-3].site_config.http2_enabled' is true", + "actualValue": "'azurerm_windows_web_app[positive3-3].client_certificate_enabled' and 'azurerm_windows_web_app[positive3-3].site_config.http2_enabled' are set to false", + "issueType": "IncorrectValue", + "similarityID": "7fffe1789edf26c302fa70d237142afaa21e596ec1ec90d8cec81fdfd598eb7e", + "search_line": 30 }, { "queryName": "Azure App Service Client Certificate Disabled", "severity": "MEDIUM", "line": 33, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_web_app[positive3-4]", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[positive3-4].client_certificate_enabled' should be defined and set to true", + "actualValue": "'azurerm_windows_web_app[positive3-4].client_cert_enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "cc3967344a9e6cd81c71b995b02dca0222bb2cfe38e900c68a4029472a8d1760", + "search_line": 33 } ] 
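Review bot: For the `azurerm_linux_web_app` and `azurerm_windows_web_app` MissingAttribute entries (`positive2-1`, `positive2-4`, `positive3-1`, `positive3-4`) the `expectedValue` names `client_certificate_enabled` while the paired `actualValue` reports `client_cert_enabled` as undefined, which is the legacy `azurerm_app_service` attribute name; the new fixture pins this contradictory message. The mismatch is in the query's MissingAttribute branch for the web-app resource types, so the fix belongs there (use `client_certificate_enabled` in `actualValue` as well), followed by regenerating this file. Separately, the `positive*-3` entries express the check as "client cert or `site_config.http2_enabled` is true"; if the intent is that HTTP/2 legitimately precludes client certificates that is worth stating in the query's description, since as written the message reads as if HTTP/2 were an acceptable substitute for client-certificate authentication.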
diff --git a/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/test/positive_expected_result.json index 3e237b95c0c..88696edad42 100644 --- a/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "Azure Cognitive Search Public Network Access Enabled", "severity": "MEDIUM", "line": 6, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_search_service", + "resourceName": "example-search-service", + "searchKey": "azurerm_search_service[positive1].public_network_access_enabled", + "searchValue": "", + "expectedValue": "'azurerm_search_service[positive1].public_network_access_enabled' should be set to false", + "actualValue": "'azurerm_search_service[positive1].public_network_access_enabled' is set to true", + "issueType": "IncorrectValue", + "similarityID": "6e0d3cb5a4a3a2cf8360dbdf5466b89d2031d2e38394021f4da5de8972efcb84", + "search_line": 6 }, { "queryName": "Azure Cognitive Search Public Network Access Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_search_service", + "resourceName": "example-search-service", + "searchKey": "azurerm_search_service[positive2]", + "searchValue": "", + "expectedValue": "'azurerm_search_service[positive2].public_network_access_enabled' should be defined and set to false", + "actualValue": "'azurerm_search_service[positive2].public_network_access_enabled' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "f6d09b2dee31065a04b1d4c36aaeef09641ba1fa2f59412bc8ec50636316dcfb", + "search_line": 1 } ] 
diff --git a/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/test/positive_expected_result.json index a55c056c993..8f3d7bd8df1 100644 --- a/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_container_registry_with_broad_permissions/test/positive_expected_result.json @@ -2,11 +2,31 @@ { "queryName": "Beta - Azure Container Registry With Broad Permissions", "severity": "HIGH", - "line": 11 + "line": 11, + "fileName": "positive.tf", + "resourceType": "azurerm_role_assignment", + "resourceName": "positive1", + "searchKey": "azurerm_role_assignment[positive1].role_definition_name", + "searchValue": "", + "expectedValue": "'azurerm_role_assignment[positive1].role_definition_name' should be set to 'AcrPull'", + "actualValue": "'azurerm_role_assignment[positive1].role_definition_name' is set to 'AcrPush'", + "issueType": "IncorrectValue", + "similarityID": "cd4320bb6877dc750076dcb5732fe31b9f58b6062ccd51cd24aeca20ead5386f", + "search_line": 11 }, { "queryName": "Beta - Azure Container Registry With Broad Permissions", "severity": "HIGH", - "line": 17 + "line": 17, + "fileName": "positive.tf", + "resourceType": "azurerm_role_assignment", + "resourceName": "positive2", + "searchKey": "azurerm_role_assignment[positive2].role_definition_id", + "searchValue": "", + "expectedValue": "'azurerm_role_assignment[positive2].role_definition_id' should be set to '7f951dda-4ed3-4680-a7ca-43fe172d538d'", + "actualValue": "'azurerm_role_assignment[positive2].role_definition_id' is set to '8311e382-0749-4cb8-b61a-304f252e45ec'", + "issueType": "IncorrectValue", + "similarityID": "3133a26a2e8dd363627004d9df4b824ed14cae5f8b0189a25da89685bb1132d2", + "search_line": 17 } ] 
diff --git a/assets/queries/terraform/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json index a1135b0d7d6..649fe939b33 100644 --- a/assets/queries/terraform/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_container_registry_with_no_locks/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Azure Container Registry With No Locks", "severity": "HIGH", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "azurerm_container_registry", + "resourceName": "containerRegistry1", + "searchKey": "azurerm_container_registry[acr]", + "searchValue": "", + "expectedValue": "'azurerm_container_registry[acr] scope' should contain azurerm_management_lock'", + "actualValue": "'azurerm_container_registry[acr] scope' does not contain azurerm_management_lock'", + "issueType": "MissingAttribute", + "similarityID": "a52e0d7e98b20e45e49634ffa1a016ee106d600849ae950a23d5f8535f4973d5", + "search_line": -1 } ] diff --git a/assets/queries/terraform/azure/azure_front_door_waf_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_front_door_waf_disabled/test/positive_expected_result.json index 2963574a101..389a15a54e4 100644 --- a/assets/queries/terraform/azure/azure_front_door_waf_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_front_door_waf_disabled/test/positive_expected_result.json 
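Review bot: The regenerated entry for `azurerm_container_registry[acr]` pins messages with unbalanced quoting: `"'azurerm_container_registry[acr] scope' should contain azurerm_management_lock'"` and the matching `actualValue` each open one quote and close two. The text comes from the query, so the stray trailing `'` should be removed (or the lock name quoted on both sides) there and the fixture regenerated. This entry also records `"search_line": -1` while `"line"` is 1, unlike the other fixtures in this change where the two agree; if the query deliberately does not set a search line that is fine, but it is worth confirming rather than snapshotting an unintended default.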
@@ -3,6 +3,15 @@ "queryName": "Azure Front Door WAF Disabled", "severity": "LOW", "line": 38, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "azurerm_frontdoor", + "resourceName": "exampleFrontendEndpoint1", + "searchKey": "azurerm_frontdoor[positive].frontend_endpoint", + "searchValue": "", + "expectedValue": "'azurerm_frontdoor[positive].frontend_endpoint.web_application_firewall_policy_link_id' should be defined and not null", + "actualValue": "'azurerm_frontdoor[positive].frontend_endpoint.web_application_firewall_policy_link_id' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "f6cb1826fd49ea63842d9fb3f9159c6dc337b5b9565109b897f808e81103298f", + "search_line": 38 } ] diff --git a/assets/queries/terraform/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json b/assets/queries/terraform/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json index 43fe5a014b0..e520e37f2e1 100644 --- a/assets/queries/terraform/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/azure_instance_using_basic_authentication/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", "line": 9, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_virtual_machine", + "resourceName": "${var.prefix}-vm", + "searchKey": "azurerm_virtual_machine[positive1].os_profile_linux_config.disable_password_authentication", + "searchValue": "", + "expectedValue": "'azurerm_virtual_machine[positive1].os_profile_linux_config.disable_password_authentication' should be set to 'true'", + "actualValue": "'azurerm_virtual_machine[positive1].os_profile_linux_config.disable_password_authentication' is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "5e0d0c18ad643fee2e65408050e17822b3080ac25efedcc82f3e973a2f72f694", + "search_line": 9 }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", "line": 8, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "${var.prefix}-vm", + "searchKey": "azurerm_linux_virtual_machine[positive2].disable_password_authentication", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[positive2].disable_password_authentication' should be set to 'true'", + "actualValue": "'azurerm_linux_virtual_machine[positive2].disable_password_authentication' is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "83b910b3ccefdc4f70bd49d5f2da569083de13389fe7966877bea9a9ed80ed5d", + "search_line": 8 }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", "line": 9, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_linux_virtual_machine_scale_set", + "resourceName": "positive3-vmss", + "searchKey": "azurerm_linux_virtual_machine_scale_set[positive3].disable_password_authentication", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive3].disable_password_authentication' 
should be set to 'true'", + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive3].disable_password_authentication' is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "9b78ce81f5d3cf5eb5c70891662a45e77a046c8e975e62f848c9c98e91dd5e57", + "search_line": 9 }, { "queryName": "Azure Instance Using Basic Authentication", "severity": "MEDIUM", "line": 7, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "azurerm_virtual_machine_scale_set", + "resourceName": "${var.prefix}-vm", + "searchKey": "azurerm_virtual_machine_scale_set[positive4].os_profile_linux_config.disable_password_authentication", + "searchValue": "", + "expectedValue": "'azurerm_virtual_machine_scale_set[positive4].os_profile_linux_config.disable_password_authentication' should be set to 'true'", + "actualValue": "'azurerm_virtual_machine_scale_set[positive4].os_profile_linux_config.disable_password_authentication' is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "559f64ce25cb06a05bd039560ee1980bc69a623156cddd5f38bfaa06fd64f9ad", + "search_line": 7 } ] diff --git a/assets/queries/terraform/azure/backup_vault_without_immutability/test/positive_expected_result.json b/assets/queries/terraform/azure/backup_vault_without_immutability/test/positive_expected_result.json index 28409aaffa7..0e1e021c982 100644 --- a/assets/queries/terraform/azure/backup_vault_without_immutability/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/backup_vault_without_immutability/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Beta - Backup Vault Without Immutability", "severity": "HIGH", - "line": 1 + "line": 1, + "fileName": "positive1.tf", + "resourceType": "azurerm_data_protection_backup_vault", + "resourceName": "positive1-backup-vault", + "searchKey": "azurerm_data_protection_backup_vault[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_data_protection_backup_vault[positive1].immutability' should be set and enabled", + "actualValue": "'azurerm_data_protection_backup_vault[positive1].immutability' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "0afd47d808175f82583e1d69ede3f91dc5c5739cc4120fd72a945ab6d68b4f9d", + "search_line": 1 }, { "queryName": "Beta - Backup Vault Without Immutability", "severity": "HIGH", - "line": 18 + "line": 18, + "fileName": "positive1.tf", + "resourceType": "azurerm_data_protection_backup_vault", + "resourceName": "positive2-backup-vault", + "searchKey": "azurerm_data_protection_backup_vault[positive2].immutability", + "searchValue": "", + "expectedValue": "'azurerm_data_protection_backup_vault[positive2].immutability' should be set and enabled", + "actualValue": "'azurerm_data_protection_backup_vault[positive2].immutability' is set to 'Disabled'", + "issueType": "IncorrectValue", + "similarityID": "44e7c828fd790b194e75eff3d0beea0bbc8bc9c87261be7f108fcac1edbd8028", + "search_line": 18 } ] diff --git a/assets/queries/terraform/azure/backup_vault_without_soft_delete/test/positive_expected_result.json b/assets/queries/terraform/azure/backup_vault_without_soft_delete/test/positive_expected_result.json index e8f3a037e3a..e04f51028bf 100644 --- a/assets/queries/terraform/azure/backup_vault_without_soft_delete/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/backup_vault_without_soft_delete/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "Beta - Backup Vault Without Soft Delete", "severity": "HIGH", - "line": 8 + "line": 8, + "fileName": "positive.tf", + "resourceType": "azurerm_data_protection_backup_vault", + "resourceName": "positive-backup-vault", + "searchKey": "azurerm_data_protection_backup_vault[positive].soft_delete", + "searchValue": "", + "expectedValue": "'azurerm_data_protection_backup_vault[positive].soft_delete' should not be set to 'off'", + "actualValue": "'azurerm_data_protection_backup_vault[positive].soft_delete' is set to 'off'", + "issueType": "IncorrectValue", + "similarityID": "42a3baf13950902ff7622687759fa4302c6739b6e6a61a4c4888fdb91ae44763", + "search_line": 8 } ] diff --git a/assets/queries/terraform/azure/blob_storage_without_soft_delete/test/positive_expected_result.json b/assets/queries/terraform/azure/blob_storage_without_soft_delete/test/positive_expected_result.json index a64968ceb9f..637fad94af3 100644 --- a/assets/queries/terraform/azure/blob_storage_without_soft_delete/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/blob_storage_without_soft_delete/test/positive_expected_result.json 
@@ -2,16 +2,46 @@
 {
 "queryName": "Beta - Blob Storage Without Soft Delete",
 "severity": "HIGH",
- "line": 1
+ "line": 1,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "positive1",
+ "searchKey": "azurerm_storage_account[positive1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_storage_account[positive1].blob_properties.delete_retention_policy' should be defined and not null",
+ "actualValue": "'azurerm_storage_account[positive1].blob_properties' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "53cd03350753996c65a5fa736d1a2720576b90757ab1a6a3c95554e5fb6454af",
+ "search_line": 1
 },
 {
 "queryName": "Beta - Blob Storage Without Soft Delete",
 "severity": "HIGH",
- "line": 18
+ "line": 18,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "positive2",
+ "searchKey": "azurerm_storage_account[positive2].blob_properties",
+ "searchValue": "",
+ "expectedValue": "'azurerm_storage_account[positive2].blob_properties.delete_retention_policy' should be defined and not null",
+ "actualValue": "'azurerm_storage_account[positive2].blob_properties.delete_retention_policy' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "f3c2a55aee0263fd42b00840c36d32f2ce618fce55fd345a2f070f5e71e0eee7",
+ "search_line": 18
 },
 {
 "queryName": "Beta - Blob Storage Without Soft Delete",
 "severity": "HIGH",
- "line": 32
+ "line": 32,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "positive3",
+ "searchKey": "azurerm_storage_account[positive3].blob_properties.delete_retention_policy.days",
+ "searchValue": "",
+ "expectedValue": "'azurerm_storage_account[positive3].blob_properties.delete_retention_policy.days' should be set to a value higher than '6'",
+ "actualValue": "'azurerm_storage_account[positive3].blob_properties.delete_retention_policy.days' is set to '5'",
+ "issueType": "IncorrectValue",
+ "similarityID": "4321cc0d20b3fb4cba1acac3eb4a9e6d8eef42211dda4ceb74df54aafb7614c8",
+ "search_line": 32
 }
 ]
diff --git a/assets/queries/terraform/azure/container_app_managed_identity_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/container_app_managed_identity_disabled/test/positive_expected_result.json
index c7e794f2269..bb927c5b6b1 100644
--- a/assets/queries/terraform/azure/container_app_managed_identity_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/container_app_managed_identity_disabled/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Beta - Container App Managed Identity Disabled",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive.tf"
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_container_app",
+ "resourceName": "example-app",
+ "searchKey": "azurerm_container_app[positive]",
+ "searchValue": "",
+ "expectedValue": "'type' field should have the values 'SystemAssigned' or 'UserAssigned' defined inside the 'identity' block",
+ "actualValue": "'identity' block is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "519feea8e80e99961b1230c3da82eded98ceee997a837ce806e7c5a516b8aab8",
+ "search_line": 1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/container_group_managed_identity_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/container_group_managed_identity_disabled/test/positive_expected_result.json
index 14401d8bbd1..50dcf61d9e8 100644
--- a/assets/queries/terraform/azure/container_group_managed_identity_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/container_group_managed_identity_disabled/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Beta - Container Group Managed Identity Disabled",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive.tf"
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_container_group",
+ "resourceName": "example-continst",
+ "searchKey": "azurerm_container_group[positive]",
+ "searchValue": "",
+ "expectedValue": "'type' field should have the values 'SystemAssigned' and 'UserAssigned' defined inside the 'identity' block",
+ "actualValue": "'identity' block is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "d1adb26b442b49551b4d0dba9667968cc04d95808dc757aaa9e36c8e85c1ad3e",
+ "search_line": 1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/container_instances_not_using_private_virtual_networks/test/positive_expected_result.json b/assets/queries/terraform/azure/container_instances_not_using_private_virtual_networks/test/positive_expected_result.json
index 56b4b8144b1..b15eb75d9db 100644
--- a/assets/queries/terraform/azure/container_instances_not_using_private_virtual_networks/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/container_instances_not_using_private_virtual_networks/test/positive_expected_result.json
@@ -3,18 +3,45 @@
 "queryName": "Beta - Container Instances Not Using Private Virtual Networks",
 "severity": "LOW",
 "line": 1,
- "filename": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "azurerm_container_group",
+ "resourceName": "cg-positive1",
+ "searchKey": "azurerm_container_group[positive1]",
+ "searchValue": "",
+ "expectedValue": "'ip_address_type' should be set to 'Private'",
+ "actualValue": "'ip_address_type' is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "0dd343f62fcdeea5d96c6c0c5129f08d42650ac4eefb8f6207a54f59535c6b52",
+ "search_line": 1
 },
 {
 "queryName": "Beta - Container Instances Not Using Private Virtual Networks",
 "severity": "LOW",
 "line": 7,
- "filename": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "azurerm_container_group",
+ "resourceName": "cg-positive2",
+ "searchKey": "azurerm_container_group[positive2].ip_address_type",
+ "searchValue": "",
+ "expectedValue": "'ip_address_type' should be set to 'Private'",
+ "actualValue": "'ip_address_type' is defined to 'Public'",
+ "issueType": "IncorrectValue",
+ "similarityID": "8dd4391cc0710e9dce7652c4c1eb3a91bd074b48de1d142af428eda23943c808",
+ "search_line": 7
 },
 {
 "queryName": "Beta - Container Instances Not Using Private Virtual Networks",
 "severity": "LOW",
 "line": 7,
- "filename": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "azurerm_container_group",
+ "resourceName": "cg-positive3",
+ "searchKey": "azurerm_container_group[positive3].ip_address_type",
+ "searchValue": "",
+ "expectedValue": "'ip_address_type' should be set to 'Private'",
+ "actualValue": "'ip_address_type' is defined to 'None'",
+ "issueType": "IncorrectValue",
+ "similarityID": "2154f06a554b8c63e13894db3710fe22624a332c1ed8345d3bf12c90b75bbe9b",
+ "search_line": 7
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/containers_without_soft_delete/test/positive_expected_result.json b/assets/queries/terraform/azure/containers_without_soft_delete/test/positive_expected_result.json
index a7af79fc475..df538337b93 100644
--- a/assets/queries/terraform/azure/containers_without_soft_delete/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/containers_without_soft_delete/test/positive_expected_result.json
@@ -2,16 +2,46 @@
 {
 "queryName": "Beta - Containers Without Soft Delete",
 "severity": "HIGH",
- "line": 1
+ "line": 1,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "positive1",
+ "searchKey": "azurerm_storage_account[positive1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_storage_account[positive1].blob_properties.container_delete_retention_policy' should be defined and not null",
+ "actualValue": "'azurerm_storage_account[positive1].blob_properties' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "a314a72687b47709043bc54a7f7e88bcbb829ee7f71f0123d9492cf1098176ed",
+ "search_line": 1
 },
 {
 "queryName": "Beta - Containers Without Soft Delete",
 "severity": "HIGH",
- "line": 18
+ "line": 18,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "positive2",
+ "searchKey": "azurerm_storage_account[positive2].blob_properties",
+ "searchValue": "",
+ "expectedValue": "'azurerm_storage_account[positive2].blob_properties.container_delete_retention_policy' should be defined and not null",
+ "actualValue": "'azurerm_storage_account[positive2].blob_properties.container_delete_retention_policy' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "52731f503c920874965dada45d4163f2fc3ac72a6d1fef485fbf268d20b7b925",
+ "search_line": 18
 },
 {
 "queryName": "Beta - Containers Without Soft Delete",
 "severity": "HIGH",
- "line": 32
+ "line": 32,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "positive3",
+ "searchKey": "azurerm_storage_account[positive3].blob_properties.container_delete_retention_policy.days",
+ "searchValue": "",
+ "expectedValue": "'azurerm_storage_account[positive3].blob_properties.container_delete_retention_policy.days' should be set to a value higher than '6'",
+ "actualValue": "'azurerm_storage_account[positive3].blob_properties.container_delete_retention_policy' is set to '5'",
+ "issueType": "IncorrectValue",
+ "similarityID": "d8ea9b6a701c205353dcab157953677ac69761e9fde1f7180aae27b51d5f095b",
+ "search_line": 32
 }
 ]
diff --git a/assets/queries/terraform/azure/cosmos_db_account_without_tags/test/positive_expected_result.json b/assets/queries/terraform/azure/cosmos_db_account_without_tags/test/positive_expected_result.json
index e8c803b83b9..69891df3c01 100644
--- a/assets/queries/terraform/azure/cosmos_db_account_without_tags/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/cosmos_db_account_without_tags/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "Cosmos DB Account Without Tags",
 "severity": "LOW",
- "line": 1
+ "line": 1,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_cosmosdb_account",
+ "resourceName": "tfex-cosmos-db-${random_integer.ri.result}",
+ "searchKey": "azurerm_cosmosdb_account[positive1]",
+ "searchValue": "",
+ "expectedValue": "azurerm_cosmosdb_account[positive1].tags should be defined'",
+ "actualValue": "azurerm_cosmosdb_account[positive1].tags is undefined'",
+ "issueType": "MissingAttribute",
+ "similarityID": "0a90aa649d02cb0d67e281974f1283e6f132a7895b087b3d0154a9b47ebc8207",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json b/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json
index fedbf8ded29..85a3dda4054 100644
--- a/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "CosmosDB Account IP Range Filter Not Set",
 "severity": "CRITICAL",
- "line": 1
+ "line": 1,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_cosmosdb_account",
+ "resourceName": "example",
+ "searchKey": "azurerm_cosmosdb_account[positive1].ip_range_filter",
+ "searchValue": "",
+ "expectedValue": "'azurerm_cosmosdb_account[positive1].ip_range_filter' should be set",
+ "actualValue": "'azurerm_cosmosdb_account[positive1].ip_range_filter' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "46f3cc1496e0ab66ca5372cd3a76cdd0a0c4db20ff2238f54aea3d8c0be63a44",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/dashboard_is_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/dashboard_is_enabled/test/positive_expected_result.json
index 923c8c0a0e3..3ff608cca6c 100644
--- a/assets/queries/terraform/azure/dashboard_is_enabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/dashboard_is_enabled/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "Dashboard Is Enabled",
 "severity": "LOW",
- "line": 23
+ "line": 23,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_kubernetes_cluster",
+ "resourceName": "example-aks1",
+ "searchKey": "azurerm_kubernetes_cluster[positive1].addon_profile.kube_dashboard.enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_kubernetes_cluster[positive1].addon_profile.kube_dashboard.enabled' should be set to false or undefined",
+ "actualValue": "'azurerm_kubernetes_cluster[positive1].addon_profile.kube_dashboard.enabled' is true",
+ "issueType": "IncorrectValue",
+ "similarityID": "c1b004e50f9aa0e87f8a8ae5aed01952f7607a39f24b13f096d24c5fc63ce3db",
+ "search_line": 23
 }
 ]
diff --git a/assets/queries/terraform/azure/databricks_diagnostic_logging_not_configured/test/positive_expected_result.json b/assets/queries/terraform/azure/databricks_diagnostic_logging_not_configured/test/positive_expected_result.json
index 187af373e28..2dd4cb98675 100644
--- a/assets/queries/terraform/azure/databricks_diagnostic_logging_not_configured/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/databricks_diagnostic_logging_not_configured/test/positive_expected_result.json
@@ -3,30 +3,75 @@
 "queryName": "Beta - Databricks Diagnostic Logging Not Configured",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "azurerm_databricks_workspace",
+ "resourceName": "secure-databricks-ws",
+ "searchKey": "azurerm_databricks_workspace[example_pos1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_databricks_workspace' should be associated with 'azurerm_monitor_diagnostic_setting' resources that log all required logs to valid destinations",
+ "actualValue": "'azurerm_databricks_workspace' is not associated with an 'azurerm_monitor_diagnostic_setting' resource",
+ "issueType": "MissingAttribute",
+ "similarityID": "516690994a6331ee6da6438a8c9b76d9f47ef463c2c652ce19d14c3767abf993",
+ "search_line": 1
 },
 {
 "queryName": "Beta - Databricks Diagnostic Logging Not Configured",
 "severity": "MEDIUM",
 "line": 36,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "azurerm_databricks_workspace",
+ "resourceName": "secure-databricks-ws",
+ "searchKey": "azurerm_databricks_workspace[example_pos2]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_databricks_workspace' should be associated with 'azurerm_monitor_diagnostic_setting' resources that log all required logs to valid destinations",
+ "actualValue": "'azurerm_databricks_workspace' is associated with 3 'azurerm_monitor_diagnostic_setting' resource(s), but is missing logs for 3 category(s): 'Filesystem', 'jobs', 'notebook'",
+ "issueType": "MissingAttribute",
+ "similarityID": "766e4c3db796175cf344ca2f990cb83de6dba61131f2ef366e974f1acdb52e3a",
+ "search_line": 36
 },
 {
 "queryName": "Beta - Databricks Diagnostic Logging Not Configured",
 "severity": "MEDIUM",
 "line": 73,
- "fileName": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "azurerm_databricks_workspace",
+ "resourceName": "secure-databricks-ws",
+ "searchKey": "azurerm_databricks_workspace[example_pos3]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_databricks_workspace' should be associated with 'azurerm_monitor_diagnostic_setting' resources that log all required logs to valid destinations",
+ "actualValue": "'azurerm_databricks_workspace' is associated with 4 'azurerm_monitor_diagnostic_setting' resource(s), but is missing logs for 1 category(s): 'notebook'",
+ "issueType": "MissingAttribute",
+ "similarityID": "fefc36e73250d40a7ba5b472e0c1b16942780b1860b339010af6de8a8efae10e",
+ "search_line": 73
 },
 {
 "queryName": "Beta - Databricks Diagnostic Logging Not Configured",
 "severity": "MEDIUM",
 "line": 27,
- "fileName": "positive4.tf"
+ "fileName": "positive4.tf",
+ "resourceType": "azurerm_databricks_workspace",
+ "resourceName": "secure-databricks-ws",
+ "searchKey": "azurerm_databricks_workspace[example_pos4]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_databricks_workspace' should be associated with 'azurerm_monitor_diagnostic_setting' resources that log all required logs to valid destinations",
+ "actualValue": "'azurerm_databricks_workspace' is not associated with an 'azurerm_monitor_diagnostic_setting' resource",
+ "issueType": "MissingAttribute",
+ "similarityID": "0037c4b1dd4cc29ca3441eceddce8c167312a624edb343bf089edd81fac69e01",
+ "search_line": 27
 },
 {
 "queryName": "Beta - Databricks Diagnostic Logging Not Configured",
 "severity": "MEDIUM",
 "line": 60,
- "fileName": "positive5.tf"
+ "fileName": "positive5.tf",
+ "resourceType": "azurerm_databricks_workspace",
+ "resourceName": "secure-databricks-ws",
+ "searchKey": "azurerm_databricks_workspace[example_pos5]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_databricks_workspace' should be associated with 'azurerm_monitor_diagnostic_setting' resources that log all required logs to valid destinations",
+ "actualValue": "'azurerm_databricks_workspace' is associated with 2 'azurerm_monitor_diagnostic_setting' resource(s), but is missing logs for 5 category(s): 'Filesystem', 'accounts', 'clusters', 'jobs', 'notebook'",
+ "issueType": "MissingAttribute",
+ "similarityID": "9a211a184b83d33fb83dbf6ff487ab1e037a517b1f7a1d3fda1f164d65054073",
+ "search_line": 60
 }
 ]
diff --git a/assets/queries/terraform/azure/databricks_workspace_using_default_virtual_network/test/positive_expected_result.json b/assets/queries/terraform/azure/databricks_workspace_using_default_virtual_network/test/positive_expected_result.json
index cc33fc2692e..bb756d875af 100644
--- a/assets/queries/terraform/azure/databricks_workspace_using_default_virtual_network/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/databricks_workspace_using_default_virtual_network/test/positive_expected_result.json
@@ -2,11 +2,31 @@
 {
 "queryName": "Beta - Databricks Workspace Using Default Virtual Network",
 "severity": "MEDIUM",
- "line": 1
+ "line": 1,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_databricks_workspace",
+ "resourceName": "example-dbw",
+ "searchKey": "azurerm_databricks_workspace[example_1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_databricks_workspace[example_1].custom_parameters.virtual_network_id' should be defined and not empty",
+ "actualValue": "'azurerm_databricks_workspace[example_1].custom_parameters' is undefined or empty",
+ "issueType": "MissingAttribute",
+ "similarityID": "3bf7a659018ed4038e5c6cd515300ceb0acd0b59437d4f64d301a42805e7f67d",
+ "search_line": 1
 },
 {
 "queryName": "Beta - Databricks Workspace Using Default Virtual Network",
 "severity": "MEDIUM",
- "line": 18
+ "line": 18,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_databricks_workspace",
+ "resourceName": "example-dbw",
+ "searchKey": "azurerm_databricks_workspace[example_2].custom_parameters",
+ "searchValue": "",
+ "expectedValue": "'azurerm_databricks_workspace[example_2].custom_parameters.virtual_network_id' should be defined and not null",
+ "actualValue": "'azurerm_databricks_workspace[example_2].custom_parameters.virtual_network_id' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "68e5b3e18e6d97ba57c7cabd20b5ba2d8c1cb700fb12eaf3ad21dd132af7d858",
+ "search_line": 18
 }
 ]
diff --git a/assets/queries/terraform/azure/databricks_workspace_without_cmk/test/positive_expected_result.json b/assets/queries/terraform/azure/databricks_workspace_without_cmk/test/positive_expected_result.json
index 332b460e838..5216b2775c4 100644
--- a/assets/queries/terraform/azure/databricks_workspace_without_cmk/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/databricks_workspace_without_cmk/test/positive_expected_result.json
@@ -2,26 +2,76 @@
 {
 "queryName": "Beta - Databricks Workspace Without CMK",
 "severity": "MEDIUM",
- "line": 1
+ "line": 1,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_databricks_workspace",
+ "resourceName": "my-databricks-workspace",
+ "searchKey": "azurerm_databricks_workspace[positive1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_databricks_workspace[positive1].managed_disk_cmk_key_vault_key_id' should be defined and not null",
+ "actualValue": "'azurerm_databricks_workspace[positive1].managed_disk_cmk_key_vault_key_id' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "816ecceeba8fbe3473daeb5fff6035b0b9221c7e9ac3d9a44b41b57c94dae417",
+ "search_line": 1
 },
 {
 "queryName": "Beta - Databricks Workspace Without CMK",
 "severity": "MEDIUM",
- "line": 17
+ "line": 17,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_databricks_workspace",
+ "resourceName": "my-databricks-workspace",
+ "searchKey": "azurerm_databricks_workspace[positive2].customer_managed_key_enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_databricks_workspace[positive2].customer_managed_key_enabled' should be defined and set to true",
+ "actualValue": "'azurerm_databricks_workspace[positive2].customer_managed_key_enabled' is set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "4961326ed2015fcb384a31110f22dd0a0a0dd35f51700864b821114b67953fc0",
+ "search_line": 17
 },
 {
 "queryName": "Beta - Databricks Workspace Without CMK",
 "severity": "MEDIUM",
- "line": 27
+ "line": 27,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_databricks_workspace",
+ "resourceName": "my-databricks-workspace",
+ "searchKey": "azurerm_databricks_workspace[positive3].customer_managed_key_enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_databricks_workspace[positive3].customer_managed_key_enabled' should be defined and set to true",
+ "actualValue": "'azurerm_databricks_workspace[positive3].customer_managed_key_enabled' is set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "2b4c42f0172b49c9a4e9809d58d3b260d21c54335c848b347798497c90560be3",
+ "search_line": 27
 },
 {
 "queryName": "Beta - Databricks Workspace Without CMK",
 "severity": "MEDIUM",
- "line": 31
+ "line": 31,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_databricks_workspace",
+ "resourceName": "my-databricks-workspace",
+ "searchKey": "azurerm_databricks_workspace[positive4]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_databricks_workspace[positive4].customer_managed_key_enabled' should be defined and set to true",
+ "actualValue": "'azurerm_databricks_workspace[positive4].customer_managed_key_enabled' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "cf8fbaa6315429fbdc054d40784021f7ec2f6d3fd0629efa82288f5464a756e2",
+ "search_line": 31
 },
 {
 "queryName": "Beta - Databricks Workspace Without CMK",
 "severity": "MEDIUM",
- "line": 41
+ "line": 41,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_databricks_workspace",
+ "resourceName": "my-databricks-workspace",
+ "searchKey": "azurerm_databricks_workspace[positive5]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_databricks_workspace[positive5].customer_managed_key_enabled' should be defined and set to true",
+ "actualValue": "'azurerm_databricks_workspace[positive5].customer_managed_key_enabled' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "ae252ac438d6b7ad28b6e3f19d21a84481147744e523e9579425c73c0de80bf3",
+ "search_line": 41
 }
 ]
diff --git a/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json b/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json
index eb2a0914d74..5bba360c068 100644
--- a/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive/test/positive_expected_result.json 
@@ -3,24 +3,60 @@
 "queryName": "Default Azure Storage Account Network Access Is Too Permissive",
 "severity": "HIGH",
 "line": 30,
- "filename": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "positive1storageaccount",
+ "searchKey": "azurerm_storage_account[positive1].network_rules.default_action",
+ "searchValue": "",
+ "expectedValue": "azurerm_storage_account.network_rules.default_action should be set to 'Deny'",
+ "actualValue": "azurerm_storage_account.network_rules.default_action is set to 'Allow'",
+ "issueType": "IncorrectValue",
+ "similarityID": "6bcd6add6d87b08e96e378c27353c740ec835ec05b32b9fafaccf5cc26490b67",
+ "search_line": 30
 },
 {
 "queryName": "Default Azure Storage Account Network Access Is Too Permissive",
 "severity": "HIGH",
 "line": 38,
- "filename": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "positive2storageaccount",
+ "searchKey": "azurerm_storage_account_network_rules[positive2].default_action",
+ "searchValue": "",
+ "expectedValue": "azurerm_storage_account_network_rules.default_action should be set to 'Deny'",
+ "actualValue": "azurerm_storage_account_network_rules.default_action is set to 'Allow'",
+ "issueType": "IncorrectValue",
+ "similarityID": "f960dd29b68c2861d1663f234d246366e4adf194f21138f67df0dcd86f6dda20",
+ "search_line": 38
 },
- {
+ {
 "queryName": "Default Azure Storage Account Network Access Is Too Permissive",
 "severity": "HIGH",
 "line": 12,
- "fileName": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "positive3storageaccount",
+ "searchKey": "azurerm_storage_account[positive3].public_network_access_enabled",
+ "searchValue": "",
+ "expectedValue": "azurerm_storage_account.public_network_access_enabled should be set to 'false'",
+ "actualValue": "azurerm_storage_account.public_network_access_enabled set to 'true'",
+ "issueType": "IncorrectValue",
+ "similarityID": "6c893808d333850cd00a7fce9aad68fd5b92d510e123e4d9fd22c2e774f7405b",
+ "search_line": 12
 },
 {
 "queryName": "Default Azure Storage Account Network Access Is Too Permissive",
 "severity": "HIGH",
 "line": 6,
- "fileName": "positive4.tf"
+ "fileName": "positive4.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "positive4storageaccount",
+ "searchKey": "azurerm_storage_account[positive4].public_network_access_enabled",
+ "searchValue": "",
+ "expectedValue": "azurerm_storage_account.public_network_access_enabled should be set to 'false'",
+ "actualValue": "azurerm_storage_account.public_network_access_enabled is not set (default is 'true')",
+ "issueType": "MissingAttribute",
+ "similarityID": "a11ca2fb4677438fff0acc6349a52a387a30df35eb1c606b79376dc09b4eb533",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/terraform/azure/diagnostic_settings_without_appropriate_logging/test/positive_expected_result.json b/assets/queries/terraform/azure/diagnostic_settings_without_appropriate_logging/test/positive_expected_result.json
index b1c5948ab12..ae165e6f4cb 100644
--- a/assets/queries/terraform/azure/diagnostic_settings_without_appropriate_logging/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/diagnostic_settings_without_appropriate_logging/test/positive_expected_result.json
@@ -3,42 +3,105 @@
 "queryName": "Beta - Diagnostic Settings Without Appropriate Logging",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "azurerm_monitor_diagnostic_setting",
+ "resourceName": "diagnostic-settings-name",
+ "searchKey": "azurerm_monitor_diagnostic_setting[positive1_1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_monitor_diagnostic_setting[positive1_1].enabled_log' objects should be defined for all 4 main categories",
+ "actualValue": "'azurerm_monitor_diagnostic_setting[positive1_1]' does not define a single 'enabled_log' object",
+ "issueType": "MissingAttribute",
+ "similarityID": "9b584778ac3cf8cbf828af0f2d5e06b5e08d3de2bc8f80302aca47588fe0f4d5",
+ "search_line": 1
 },
 {
 "queryName": "Beta - Diagnostic Settings Without Appropriate Logging",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "azurerm_monitor_diagnostic_setting",
+ "resourceName": "diagnostic-settings-name",
+ "searchKey": "azurerm_monitor_diagnostic_setting[positive1_2]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_monitor_diagnostic_setting[positive1_2].enabled_log' objects should enable logging for all 4 main categories",
+ "actualValue": "'azurerm_monitor_diagnostic_setting[positive1_2].enabled_log' objects do not enable logging for 3 of the main categories: 'Alert', 'Policy', 'Security'",
+ "issueType": "MissingAttribute",
+ "similarityID": "df01f78758d84c30f9d9fdf4cac182be252cc2ea9a2d37ab27bfd88dff9abe4a",
+ "search_line": 8
 },
 {
 "queryName": "Beta - Diagnostic Settings Without Appropriate Logging",
 "severity": "MEDIUM",
 "line": 18,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "azurerm_monitor_diagnostic_setting",
+ "resourceName": "diagnostic-settings-name",
+ "searchKey": "azurerm_monitor_diagnostic_setting[positive1_3]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_monitor_diagnostic_setting[positive1_3].enabled_log' objects should enable logging for all 4 main categories",
+ "actualValue": "'azurerm_monitor_diagnostic_setting[positive1_3].enabled_log' objects do not enable logging for 2 of the main categories: 'Policy', 'Security'",
+ "issueType": "MissingAttribute",
+ "similarityID": "cce8846c902de9fcf7ce14b178d9d62e42c03f5be28b679a16c94337fa9f7bc5",
+ "search_line": 18
 },
 {
 "queryName": "Beta - Diagnostic Settings Without Appropriate Logging",
 "severity": "MEDIUM",
 "line": 3,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "azurerm_monitor_diagnostic_setting",
+ "resourceName": "diagnostic-settings-name",
+ "searchKey": "azurerm_monitor_diagnostic_setting[positive2_1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_monitor_diagnostic_setting[positive2_1].log' objects should enable logging for all 4 main categories",
+ "actualValue": "'azurerm_monitor_diagnostic_setting[positive2_1].log' objects do not enable logging for 3 of the main categories: 'Alert', 'Policy', 'Security'",
+ "issueType": "MissingAttribute",
+ "similarityID": "a81d96c2c686e5a670885be1bd80015701e05482186b82e5c00e163ca95a0515",
+ "search_line": 3
 },
 {
 "queryName": "Beta - Diagnostic Settings Without Appropriate Logging",
 "severity": "MEDIUM",
 "line": 13,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "azurerm_monitor_diagnostic_setting",
+ "resourceName": "diagnostic-settings-name",
+ "searchKey": "azurerm_monitor_diagnostic_setting[positive2_2]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_monitor_diagnostic_setting[positive2_2].log' objects should enable logging for all 4 main categories",
+ "actualValue": "'azurerm_monitor_diagnostic_setting[positive2_2].log' objects do not enable logging for 4 of the main categories: 'Administrative', 'Alert', 'Policy', 'Security'",
+ "issueType": "IncorrectValue",
+ "similarityID": "ec2d85eda1077ef252ae590e6d1206034c0900c2d9fad92522c4cff8b7b4d8f5",
+ "search_line": 13
 },
 {
 "queryName": "Beta - Diagnostic Settings Without Appropriate Logging",
 "severity": "MEDIUM",
 "line": 23,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "azurerm_monitor_diagnostic_setting",
+ "resourceName": "diagnostic-settings-name",
+ "searchKey": "azurerm_monitor_diagnostic_setting[positive2_3]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_monitor_diagnostic_setting[positive2_3].log' objects should enable logging for all 4 main categories",
+ "actualValue": "'azurerm_monitor_diagnostic_setting[positive2_3].log' objects do not enable logging for 2 of the main categories: 'Alert', 'Policy'",
+ "issueType": "MissingAttribute",
+ "similarityID": "ced83c160d074ab40ca5643b0d1af558491f430dd942287c4fd3bd046095c3ed",
+ "search_line": 23
 },
 {
 "queryName": "Beta - Diagnostic Settings Without Appropriate Logging",
 "severity": "MEDIUM",
 "line": 39,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "azurerm_monitor_diagnostic_setting",
+ "resourceName": "diagnostic-settings-name",
+ "searchKey": "azurerm_monitor_diagnostic_setting[positive2_4]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_monitor_diagnostic_setting[positive2_4].log' objects should enable logging for all 4 main categories",
+ "actualValue": "'azurerm_monitor_diagnostic_setting[positive2_4].log' objects do not enable logging for 1 of the main categories: 'Administrative'",
+ "issueType": "IncorrectValue",
+ "similarityID": "91643286de274ac5c75fe8955f3f75fdba808903aa141894001a3b0d428ffd57",
+ "search_line": 39
 }
 ]
diff --git a/assets/queries/terraform/azure/disk_encryption_on_managed_disk_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/disk_encryption_on_managed_disk_disabled/test/positive_expected_result.json
index 578e1f6b4c9..19d0bcf10bf 100644
--- a/assets/queries/terraform/azure/disk_encryption_on_managed_disk_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/disk_encryption_on_managed_disk_disabled/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "Beta - Disk Encryption On Managed Disk Disabled",
 "severity": "MEDIUM",
- "line": 1
+ "line": 1,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_managed_disk",
+ "resourceName": "secure-vm-disk",
+ "searchKey": "azurerm_managed_disk[positive1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_managed_disk[positive1]' should set a 'disk_encryption_set_id' or 'secure_vm_disk_encryption_set_id'",
+ "actualValue": "'azurerm_managed_disk[positive1]' does not set a disk encryption id field",
+ "issueType": "MissingAttribute",
+ "similarityID": "f186b5ded8859302b2c053bbdbd5f70e84d8a8401077149a483538c557eed089",
+ "search_line": 1
 }
 ]
diff --git a/assets/queries/terraform/azure/email_alerts_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/email_alerts_disabled/test/positive_expected_result.json
index 4c12200c167..da15925cb14 100644
--- a/assets/queries/terraform/azure/email_alerts_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/email_alerts_disabled/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "Email Alerts Disabled",
 "severity": "MEDIUM",
- "line": 4
+ "line": 4,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_security_center_contact",
+ "resourceName": "positive1",
+ "searchKey": "azurerm_security_center_contact[positive1].alert_notifications",
+ "searchValue": "",
+ "expectedValue": "'azurerm_security_center_contact.positive1.alert_notifications' should be true",
+ "actualValue": "'azurerm_security_center_contact.positive1.alert_notifications' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "daa433ec9111c0cbc59bfd0615476179eab4dfb18594c590c62e5ee4b09f64b2",
+ "search_line": 4
 }
 ]
diff --git a/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/test/positive_expected_result.json
index 22ca038752f..d3ef2d99f14 100644
--- a/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/encryption_on_managed_disk_disabled/test/positive_expected_result.json
@@ -2,21 +2,61 @@
 {
 "queryName": "Encryption On Managed Disk Disabled",
 "severity": "MEDIUM",
- "line": 10
+ "line": 10,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_managed_disk",
+ "resourceName": "acctestmd",
+ "searchKey": "azurerm_managed_disk[positive1].encryption_settings.enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_managed_disk[positive1].encryption_settings.enabled' should be set to true",
+ "actualValue": "'azurerm_managed_disk[positive1].encryption_settings.enabled' is set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "f4a70ac9bab03db4511991e6cdf33180ac50bb07bf6920fce36fdf24e678e830",
+ "search_line": 10
 },
 {
 "queryName": "Encryption On Managed Disk Disabled",
 "severity": "MEDIUM",
- "line": 14
+ "line": 14,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_managed_disk",
+ "resourceName": "acctestmd",
+ "searchKey": "azurerm_managed_disk[positive2]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_managed_disk[positive2].encryption_settings' should be defined and not null",
+ "actualValue": "'azurerm_managed_disk[positive2].encryption_settings' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "a4adbbe7c7f2c537473e03402d68ebc10ab4e41bdc3b8026242c6093c877eba7",
+ "search_line": 14
 },
 {
 "queryName": "Encryption On Managed Disk Disabled",
 "severity": "MEDIUM",
- "line": 33
+ "line": 33,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_managed_disk",
+ "resourceName": "acctestmd",
+ "searchKey": "azurerm_managed_disk[positive3].encryption_settings",
+ "searchValue": "",
+ "expectedValue": "'azurerm_managed_disk[positive3].encryption_settings' should be defined and not null",
+ "actualValue": "'azurerm_managed_disk[positive3].encryption_settings' is set to '{}",
+ "issueType": "IncorrectValue",
+ "similarityID": "606fd0106e787886a5a7419716df799b57e98e507564cebad0e2412ecefb2cf4",
+ "search_line": 33
 },
 {
 "queryName": "Encryption On Managed Disk Disabled",
 "severity": "MEDIUM",
- "line": 44
+ "line": 44,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_managed_disk",
+ "resourceName": "acctestmd",
+ "searchKey": "azurerm_managed_disk[positive4].encryption_settings",
+ "searchValue": "",
+ "expectedValue": "'azurerm_managed_disk[positive4].encryption_settings' should be defined and not null",
+ "actualValue": "'azurerm_managed_disk[positive4].encryption_settings' is set to '[]",
+ "issueType": "IncorrectValue",
+ "similarityID": "f6478614828b1afcbfa5a825ebeb6d9aef70fae24782d95c4f6e95bff626f3df",
+ "search_line": 44
 }
 ]
diff --git a/assets/queries/terraform/azure/file_share_without_soft_delete/test/positive_expected_result.json b/assets/queries/terraform/azure/file_share_without_soft_delete/test/positive_expected_result.json
index d4b428e8a74..1a01e875c4c 100644
--- a/assets/queries/terraform/azure/file_share_without_soft_delete/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/file_share_without_soft_delete/test/positive_expected_result.json
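Review bot: The `actualValue` strings for positive3 and positive4 carry an unbalanced quote — `'azurerm_managed_disk[positive3].encryption_settings' is set to '{}` and `... is set to '[]` open a second single quote that is never closed — and committing them as expected output pins the typo into the test suite. These entries are captured scan output, so the fix belongs in the query's result message (presumably the Rego that builds `actualValue`), e.g. `'azurerm_managed_disk[positive3].encryption_settings' is set to '{}'`, followed by regenerating this file rather than hand-editing it so the remaining fields stay consistent with the scanner. The hunk for this file starts on the previous line.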
@@ -2,11 +2,31 @@
 {
 "queryName": "Beta - File Share Without Soft Delete",
 "severity": "HIGH",
- "line": 1
+ "line": 1,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "positive1",
+ "searchKey": "azurerm_storage_account[positive1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_storage_account[positive1].share_properties.retention_policy' should be defined and not null",
+ "actualValue": "'azurerm_storage_account[positive1].share_properties' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "fead845bdaac8f62fc4f691d10fbd558b8b07f17c20f5928007ebbf5f645509f",
+ "search_line": 1
 },
 {
 "queryName": "Beta - File Share Without Soft Delete",
 "severity": "HIGH",
- "line": 18
+ "line": 18,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "positive2",
+ "searchKey": "azurerm_storage_account[positive2].share_properties",
+ "searchValue": "",
+ "expectedValue": "'azurerm_storage_account[positive2].share_properties.retention_policy' should be defined and not null",
+ "actualValue": "'azurerm_storage_account[positive2].share_properties.retention_policy' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "a2ad90d0b45194ba096e8180d3fe04d8f1a53b57cc961b4af17c9d977266e77b",
+ "search_line": 18
 }
 ]
diff --git a/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json b/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json
index 7e4bf7c151c..532e33a1466 100644
--- a/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "Firewall Rule Allows Too Many Hosts To Access Redis Cache",
 "severity": "MEDIUM",
- "line": 5
+ "line": 5,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_redis_firewall_rule",
+ "resourceName": "someIPrange",
+ "searchKey": "azurerm_redis_firewall_rule[positive1].start_ip",
+ "searchValue": "",
+ "expectedValue": "'azurerm_redis_firewall_rule[positive1].start_ip' and 'end_ip' should allow no more than 255 hosts",
+ "actualValue": "'azurerm_redis_firewall_rule[positive1].start_ip' and 'end_ip' allow %!s(int=33554432) hosts",
+ "issueType": "IncorrectValue",
+ "similarityID": "34bf54701f41f5dad09c4a0dc2ff23cd45f96f78331d52f09e42fcfcc16e2711",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive_expected_result.json
index fa06e87e1af..d29d8af2d9e 100644
--- a/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/function_app_authentication_disabled/test/positive_expected_result.json
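Review bot: The `actualValue` for positive1 contains a Go formatting artefact, `allow %!s(int=33554432) hosts`, which indicates the query's message formats an integer host count with a `%s` verb; committing it as the expected result makes the test assert the bug instead of catching it. The message formatting should be corrected (an integer verb, or converting the count to a string before formatting) and this file regenerated, so the line reads `"actualValue": "'azurerm_redis_firewall_rule[positive1].start_ip' and 'end_ip' allow 33554432 hosts"`. This entry also pins `"search_line": -1` while `"line": 5`, unlike every other hunk in this change where the two values agree; worth confirming that is intentional before the expected result locks it in.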
@@ -3,84 +3,210 @@ "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_function_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_function_app[positive1-1]", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1-1].auth_settings' should be defined", + "actualValue": "'azurerm_function_app[positive1-1].auth_settings' is not defined", + "issueType": "MissingAttribute", + "similarityID": "a8e8090f2349c30a55892e8331bc840593d206e0ead08f04e29d1133b19b4d43", + "search_line": 1 }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", "line": 25, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_function_app", + "resourceName": "example-app-service", + "searchKey": "'azurerm_function_app[positive1-2].auth_settings.enabled'", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1-2].auth_settings.enabled' should be defined to 'true'", + "actualValue": "'azurerm_function_app[positive1-2].auth_settings.enabled' is defined to 'false'", + "issueType": "IncorrectValue", + "similarityID": "96975fa749a0b227130f7f7756725af7860a3d51cad76178042486375fc2c7ad", + "search_line": 25 }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_function_app[positive2-1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-1].auth_settings' or 'azurerm_linux_function_app[positive2-1].auth_settings_v2' should be defined", + "actualValue": "'azurerm_linux_function_app[positive2-1].auth_settings' and 'azurerm_linux_function_app[positive2-1].auth_settings_v2' are not defined", + "issueType": "MissingAttribute", + "similarityID": 
"f0549fc72bc7ffa4eb784e7f35aa3e974927dc3ab4c7c924bef195092293c726", + "search_line": 1 }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", "line": 16, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "example-app-service", + "searchKey": "'azurerm_linux_function_app[positive2-2].auth_settings.enabled'", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-2].auth_settings.enabled' should be defined to 'true'", + "actualValue": "'azurerm_linux_function_app[positive2-2].auth_settings.enabled' is defined to 'false'", + "issueType": "IncorrectValue", + "similarityID": "f95b3ae3a489f2095ecdce7b82ef4ebdf728e5b8f55c68775695f26372202641", + "search_line": 16 }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", "line": 26, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_function_app[positive2-3].auth_settings_v2", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-3].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", + "actualValue": "'azurerm_linux_function_app[positive2-3].auth_settings_v2.auth_enabled' is not defined", + "issueType": "MissingAttribute", + "similarityID": "2ed20d6df924ec7662187c28c0a90bd0a29cccebe245346627420b80b4237fe5", + "search_line": 26 }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", "line": 39, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_function_app[positive2-4].auth_settings_v2.auth_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-4].auth_settings_v2.auth_enabled' should be defined to 'true'", + "actualValue": 
"'azurerm_linux_function_app[positive2-4].auth_settings_v2.auth_enabled' is defined to 'false'", + "issueType": "IncorrectValue", + "similarityID": "15a9b83c86bab242ca3ffe247038fd6d8d15962822db06fb2848f6fc96ca13cf", + "search_line": 39 }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", "line": 52, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_function_app[positive2-5].auth_settings_v2", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-5].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", + "actualValue": "'azurerm_linux_function_app[positive2-5].auth_settings_v2.auth_enabled' is not defined", + "issueType": "MissingAttribute", + "similarityID": "b091b67897d1e4f32313851696a2855f96aa7d1b4d139cc274ef527405c4bbfd", + "search_line": 52 }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", "line": 68, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_linux_function_app[positive2-6].auth_settings_v2.auth_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-6].auth_settings_v2.auth_enabled' should be defined to 'true'", + "actualValue": "'azurerm_linux_function_app[positive2-6].auth_settings_v2.auth_enabled' is defined to 'false'", + "issueType": "IncorrectValue", + "similarityID": "246c09b147ac94defce3773a294b239ffa8e8b7d37c486fe291de6e9008046c8", + "search_line": 68 }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_function_app[positive3-1]", + 
"searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-1].auth_settings' or 'azurerm_windows_function_app[positive3-1].auth_settings_v2' should be defined", + "actualValue": "'azurerm_windows_function_app[positive3-1].auth_settings' and 'azurerm_windows_function_app[positive3-1].auth_settings_v2' are not defined", + "issueType": "MissingAttribute", + "similarityID": "713f2ab6b3745f329815b9f908c506ee4c324772e268f162c9393303241f6a9d", + "search_line": 1 }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", "line": 16, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "example-app-service", + "searchKey": "'azurerm_windows_function_app[positive3-2].auth_settings.enabled'", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-2].auth_settings.enabled' should be defined to 'true'", + "actualValue": "'azurerm_windows_function_app[positive3-2].auth_settings.enabled' is defined to 'false'", + "issueType": "IncorrectValue", + "similarityID": "479a764d9af45c0429ac72697a05b3f049a686467f730fc2fea996a657134030", + "search_line": 16 }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", "line": 26, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_function_app[positive3-3].auth_settings_v2", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-3].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", + "actualValue": "'azurerm_windows_function_app[positive3-3].auth_settings_v2.auth_enabled' is not defined", + "issueType": "MissingAttribute", + "similarityID": "e2d44cc66b640772c7d101ed7dcbf502be144863e2fd7296f675da0e5feba4b4", + "search_line": 26 }, { "queryName": "Function App Authentication Disabled", "severity": 
"MEDIUM", "line": 39, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_function_app[positive3-4].auth_settings_v2.auth_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-4].auth_settings_v2.auth_enabled' should be defined to 'true'", + "actualValue": "'azurerm_windows_function_app[positive3-4].auth_settings_v2.auth_enabled' is defined to 'false'", + "issueType": "IncorrectValue", + "similarityID": "bfacdc4ab7de1b5ed6e3f28719115778195864fc6786d047a9735f4c79f3d6f9", + "search_line": 39 }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", "line": 52, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_function_app[positive3-5].auth_settings_v2", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-5].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", + "actualValue": "'azurerm_windows_function_app[positive3-5].auth_settings_v2.auth_enabled' is not defined", + "issueType": "MissingAttribute", + "similarityID": "42ba9ae0367e29163957cf00533847bb3bbf45f1cbdb5e1b6cf734931ee41ded", + "search_line": 52 }, { "queryName": "Function App Authentication Disabled", "severity": "MEDIUM", "line": 68, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "example-app-service", + "searchKey": "azurerm_windows_function_app[positive3-6].auth_settings_v2.auth_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-6].auth_settings_v2.auth_enabled' should be defined to 'true'", + "actualValue": "'azurerm_windows_function_app[positive3-6].auth_settings_v2.auth_enabled' is defined to 'false'", + 
"issueType": "IncorrectValue", + "similarityID": "bd8dd98424bfafaa1c77a4c1b84eb1e7275d672a32d7e656011f8e80efcfffff", + "search_line": 68 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive_expected_result.json index 08a4877d02b..191321a2484 100644 --- a/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/function_app_client_certificates_unrequired/test/positive_expected_result.json 
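Review bot: `searchKey` is inconsistently quoted within this file — the `auth_settings.enabled` entries (positive1-2, positive2-2, positive3-2) are wrapped in single quotes, `"searchKey": "'azurerm_function_app[positive1-2].auth_settings.enabled'"`, while every other entry uses a bare key such as `"searchKey": "azurerm_function_app[positive1-1]"`. Since these files are captured scan output, the extra quotes most likely originate in the query's result construction rather than in the generator, so the fix belongs there, with the fixture regenerated afterwards. If `similarityID` incorporates `searchKey` (not verified here), the three IDs will change with that fix and must not be hand-patched. This hunk begins at line L3047.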
@@ -3,36 +3,90 @@ "queryName": "Function App Client Certificates Unrequired", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_function_app[positive1-1]", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1-1].client_cert_mode' should be defined and not null", + "actualValue": "'azurerm_function_app[positive1-1].client_cert_mode' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "912dc6e95a6795a8eaa6e84328b515c9cce68036bc1732107cfe29f4a19ee65e", + "search_line": 1 }, { "queryName": "Function App Client Certificates Unrequired", "severity": "MEDIUM", "line": 14, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_function_app[positive1-2].client_cert_mode", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1-2].client_cert_mode' should be set to 'Required'", + "actualValue": "'azurerm_function_app[positive1-2].client_cert_mode' is not set to 'Required'", + "issueType": "IncorrectValue", + "similarityID": "8b0f4aacd89a651366d7cb35a943819ccdf48bcbc0d15e47701cea281eff9d88", + "search_line": 14 }, { "queryName": "Function App Client Certificates Unrequired", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2-1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-1].client_certificate_mode' should be defined and not null", + "actualValue": "'azurerm_linux_function_app[positive2-1].client_certificate_mode' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": 
"f3aea577b8e42b55c48740a3c1baec155f97f279c6ebd723fbd49a4c819764fa", + "search_line": 1 }, { "queryName": "Function App Client Certificates Unrequired", "severity": "MEDIUM", "line": 14, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2-2].client_certificate_mode", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-2].client_certificate_mode' should be set to 'Required'", + "actualValue": "'azurerm_linux_function_app[positive2-2].client_certificate_mode' is not set to 'Required'", + "issueType": "IncorrectValue", + "similarityID": "6bc1a242ff70d9b3faa862bba0b0293a245b45ca06da7da486cd7a9861298ba1", + "search_line": 14 }, { "queryName": "Function App Client Certificates Unrequired", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_windows_function_app[positive3-1]", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-1].client_certificate_mode' should be defined and not null", + "actualValue": "'azurerm_windows_function_app[positive3-1].client_certificate_mode' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "493133506b56125d5d839796e81d5b6e0e296160edb4971caeb911f996112abf", + "search_line": 1 }, { "queryName": "Function App Client Certificates Unrequired", "severity": "MEDIUM", "line": 14, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_windows_function_app[positive3-2].client_certificate_mode", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-2].client_certificate_mode' should be set to 'Required'", + "actualValue": 
"'azurerm_windows_function_app[positive3-2].client_certificate_mode' is not set to 'Required'", + "issueType": "IncorrectValue", + "similarityID": "3f6b3c96b1ec02b55da0aaad5d47c8c5d336b3fdcea05500632ea3b132d8b14d", + "search_line": 14 } ] diff --git a/assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/test/positive_expected_result.json index 2853e315054..aa9fd417f07 100644 --- a/assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/function_app_deployment_slot_not_using_latest_tls_encryption_version/test/positive_expected_result.json 
@@ -3,12 +3,30 @@
 "queryName": "Beta - Function App Deployment Slot Not Using Latest TLS Encryption Version",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "azurerm_linux_function_app_slot",
+ "resourceName": "example-linux-function-app-slot",
+ "searchKey": "azurerm_linux_function_app_slot[positive1].site_config.minimum_tls_version",
+ "searchValue": "",
+ "expectedValue": "'site_config.minimum_tls_version' should be defined to '1.2' or higher",
+ "actualValue": "'site_config.minimum_tls_version' is defined to '1.1'",
+ "issueType": "IncorrectValue",
+ "similarityID": "65ca133dce35535e8ca1e640a3db72cad1cd690f98feb3847c67d66de69c7b8d",
+ "search_line": 7
 },
 {
 "queryName": "Beta - Function App Deployment Slot Not Using Latest TLS Encryption Version",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "azurerm_windows_function_app_slot",
+ "resourceName": "example-slot",
+ "searchKey": "azurerm_windows_function_app_slot[positive2].site_config.minimum_tls_version",
+ "searchValue": "",
+ "expectedValue": "'site_config.minimum_tls_version' should be defined to '1.2' or higher",
+ "actualValue": "'site_config.minimum_tls_version' is defined to '1.1'",
+ "issueType": "IncorrectValue",
+ "similarityID": "f2b5fafc6dc1166c3351aaa6c80ae988b76975c7c8daa7b082130dc9e3dddb21",
+ "search_line": 7
 }
 ]
diff --git a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive_expected_result.json
index add34a22f4a..1a64036463c 100644
--- a/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/function_app_ftps_enforce_disabled/test/positive_expected_result.json
@@ -3,30 +3,75 @@ "queryName": "Function App FTPS Enforce Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_function_app[positive1-1].site_config.ftps_state", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1-1].site_config.ftps_state' should not be set to 'AllAllowed'", + "actualValue": "'azurerm_function_app[positive1-1].site_config.ftps_state' is set to 'AllAllowed'", + "issueType": "IncorrectValue", + "similarityID": "77bba5972d6d26cf843de7fdb61b0a97419452110739c80a906f09a11486c275", + "search_line": 9 }, { "queryName": "Function App FTPS Enforce Disabled", "severity": "MEDIUM", "line": 19, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_function_app[positive1-2].site_config'", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1-2].site_config.ftps_state' should be defined and not null", + "actualValue": "'azurerm_function_app[positive1-2].site_config.ftps_state' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "719b5794023cef448812bb00f9c2e9afcf3a06023dc65df5b03de67c12bfaace", + "search_line": 19 }, { "queryName": "Function App FTPS Enforce Disabled", "severity": "MEDIUM", "line": 24, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_function_app[positive1-3]'", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1-3].site_config.ftps_state' should be defined and not null", + "actualValue": "'azurerm_function_app[positive1-3].site_config.ftps_state' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": 
"0f14a7497421fb1a5e646b15d068f626130b0af7a214adccd01ddb7fc540b403", + "search_line": 24 }, { "queryName": "Function App FTPS Enforce Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2].site_config.ftps_state", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2].site_config.ftps_state' should not be set to 'AllAllowed'", + "actualValue": "'azurerm_linux_function_app[positive2].site_config.ftps_state' is set to 'AllAllowed'", + "issueType": "IncorrectValue", + "similarityID": "0140c0913d7e7d34d199959f4a61db51e91aa4dd8f39f3286c1375842c4ce008", + "search_line": 9 }, { "queryName": "Function App FTPS Enforce Disabled", "severity": "MEDIUM", "line": 9, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_windows_function_app[positive3].site_config.ftps_state", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3].site_config.ftps_state' should not be set to 'AllAllowed'", + "actualValue": "'azurerm_windows_function_app[positive3].site_config.ftps_state' is set to 'AllAllowed'", + "issueType": "IncorrectValue", + "similarityID": "3da0252f6baeb2fe79c777912bbda20d50b89af2c452c3d6f49a25b8aa95678f", + "search_line": 9 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/function_app_http2_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_http2_disabled/test/positive_expected_result.json index d82199717ca..7d08dee6c02 100644 --- a/assets/queries/terraform/azure/function_app_http2_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/function_app_http2_disabled/test/positive_expected_result.json 
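Review bot: Two `searchKey` values for positive1.tf carry a stray trailing single quote — `"searchKey": "azurerm_function_app[positive1-2].site_config'"` and `"searchKey": "azurerm_function_app[positive1-3]'"` — while the other three entries in the hunk are unquoted. Because the expected results are captured scan output, the typo is most likely in the query's `searchKey` construction and should be fixed there, with this file regenerated afterwards; the corrected keys would be `azurerm_function_app[positive1-2].site_config` and `azurerm_function_app[positive1-3]`. Anything that correlates findings by `searchKey` would treat these as different keys from the unquoted form. This hunk begins at line L3057.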
@@ -3,54 +3,135 @@ "queryName": "Function App HTTP2 Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_function_app[positive1-1]", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1-1].site_config' should be defined and not null", + "actualValue": "'azurerm_function_app[positive1-1].site_config' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "4f653915c3e5bdae3bb70a342fc99eb68299aeb1c68ea4b9a3c1706cf4722fad", + "search_line": 1 }, { "queryName": "Function App HTTP2 Disabled", "severity": "MEDIUM", "line": 14, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_function_app[positive1-2].site_config", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1-2].site_config.http2_enabled' should be defined and not null", + "actualValue": "'azurerm_function_app[positive1-2].site_config.http2_enabled' is undefined or null", + "issueType": "IncorrectValue", + "similarityID": "c7c1a4d1c8dbb8444e991b6645acd7d6b38bbfc8ed6891142323e5cfccba9db4", + "search_line": 14 }, { "queryName": "Function App HTTP2 Disabled", "severity": "MEDIUM", "line": 29, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_function_app[positive1-3].site_config.http2_enabled", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1-3].site_config.http2_enabled' should be set to true", + "actualValue": "'azurerm_function_app[positive1-3].site_config.http2_enabled' is set to false", + "issueType": "IncorrectValue", + "similarityID": "da9ac028366b2a31129ca55ebad5335b012eec1c1dd08716f2f79f7fdef73e16", + "search_line": 29 }, { "queryName": 
"Function App HTTP2 Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2-1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-1].site_config' should be defined and not null", + "actualValue": "'azurerm_linux_function_app[positive2-1].site_config' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "412c163a574ea740b3fec0efbc48dc4ea094d55fc56f4398bd9b6781bce89f20", + "search_line": 1 }, { "queryName": "Function App HTTP2 Disabled", "severity": "MEDIUM", "line": 14, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2-2].site_config", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-2].site_config.http2_enabled' should be defined and not null", + "actualValue": "'azurerm_linux_function_app[positive2-2].site_config.http2_enabled' is undefined or null", + "issueType": "IncorrectValue", + "similarityID": "d36fae585b46fa0710a2350963c090996c2f655333955ace707ea4a9fb281f42", + "search_line": 14 }, { "queryName": "Function App HTTP2 Disabled", "severity": "MEDIUM", "line": 29, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2-3].site_config.http2_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-3].site_config.http2_enabled' should be set to true", + "actualValue": "'azurerm_linux_function_app[positive2-3].site_config.http2_enabled' is set to false", + "issueType": "IncorrectValue", + "similarityID": "7c0c5e941a75f789dccc3dbd6104d7cf7208465457609dc47dbf246a03d57384", + 
"search_line": 29 }, { "queryName": "Function App HTTP2 Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_windows_function_app[positive3-1]", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-1].site_config' should be defined and not null", + "actualValue": "'azurerm_windows_function_app[positive3-1].site_config' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "d004fe169ce84ce25a33efb00be06792a4dac255c72b626a896c39c849ece3fc", + "search_line": 1 }, { "queryName": "Function App HTTP2 Disabled", "severity": "MEDIUM", "line": 14, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_windows_function_app[positive3-2].site_config", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-2].site_config.http2_enabled' should be defined and not null", + "actualValue": "'azurerm_windows_function_app[positive3-2].site_config.http2_enabled' is undefined or null", + "issueType": "IncorrectValue", + "similarityID": "3c2f0af0e02c9ff43d5bc20c9813f75bd331363e01ce2ecfe8be6a6369871d79", + "search_line": 14 }, { "queryName": "Function App HTTP2 Disabled", "severity": "MEDIUM", "line": 29, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_windows_function_app[positive3-3].site_config.http2_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-3].site_config.http2_enabled' should be set to true", + "actualValue": "'azurerm_windows_function_app[positive3-3].site_config.http2_enabled' is set to false", + "issueType": "IncorrectValue", + "similarityID": 
"c96259a680cd14612f26b8a83d7f497ba2aeab4ab312e6f0f5abe9123112722e", + "search_line": 29 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/function_app_managed_identity_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_managed_identity_disabled/test/positive_expected_result.json index 260582022d7..697b1686ed2 100644 --- a/assets/queries/terraform/azure/function_app_managed_identity_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/function_app_managed_identity_disabled/test/positive_expected_result.json 
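Review bot: The `issueType` for the `site_config.http2_enabled ... is undefined or null` findings (positive1-2, positive2-2, positive3-2) is `IncorrectValue`, whereas the same undefined-attribute condition is classified `MissingAttribute` for `site_config` in the first entry of each file here and in the other queries of this change (function_app_ftps_enforce_disabled, function_app_managed_identity_disabled). An undefined attribute is a missing-attribute finding, so the query should emit `"issueType": "MissingAttribute"` for those three entries and this file be regenerated. Pinning `IncorrectValue` in the expected results means the suite will enforce the inconsistency rather than surface it. This hunk begins at line L3059.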
@@ -2,16 +2,46 @@ { "queryName": "Function App Managed Identity Disabled", "severity": "MEDIUM", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "azurerm_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_function_app[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1].identity' should be defined and not null", + "actualValue": "'azurerm_function_app[positive1].identity' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "fbf1621b7b1f241ed7d8c3694d38015014cd2264f33e8c388de4507b3ef02f40", + "search_line": 1 }, { "queryName": "Function App Managed Identity Disabled", "severity": "MEDIUM", - "line": 8 + "line": 8, + "fileName": "positive.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2]", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2].identity' should be defined and not null", + "actualValue": "'azurerm_linux_function_app[positive2].identity' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "725c2f00d33a2ff0a643ef10cf3fb1312283da350945635411b9035a8308484a", + "search_line": 8 }, { "queryName": "Function App Managed Identity Disabled", "severity": "MEDIUM", - "line": 15 + "line": 15, + "fileName": "positive.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_windows_function_app[positive3]", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3].identity' should be defined and not null", + "actualValue": "'azurerm_windows_function_app[positive3].identity' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "c8bbcb0c899072f71ac33f4b400ef9a131c8a92fbc01247a865311c49ad71f69", + "search_line": 15 } ] 
diff --git a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive_expected_result.json index ba44ed4278c..319885306ec 100644 --- a/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version/test/positive_expected_result.json 
@@ -3,60 +3,150 @@ "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 9, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_function_app[positive1-1].site_config.min_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1-1].site_config.min_tls_version' should be set to '1.2'", + "actualValue": "'azurerm_function_app[positive1-1].site_config.min_tls_version' is not set to '1.2'", + "issueType": "IncorrectValue", + "similarityID": "2a275ce2d25c56dadf35eb9ffa1993e461034191142c566d1d08c627a2c7d8ce", + "search_line": 9 }, { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 21, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_function_app[positive1-2].site_config.min_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_function_app[positive1-2].site_config.min_tls_version' should be set to '1.2'", + "actualValue": "'azurerm_function_app[positive1-2].site_config.min_tls_version' is not set to '1.2'", + "issueType": "IncorrectValue", + "similarityID": "001624e245ad5c2a256b5008c1e567e240b35f6f8642cf03fae2a9de22ec81c7", + "search_line": 21 }, { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2-1].site_config.minimum_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-1].site_config.minimum_tls_version' should be set to '1.3'", + "actualValue": "'azurerm_linux_function_app[positive2-1].site_config.minimum_tls_version' 
is not set to '1.3'", + "issueType": "IncorrectValue", + "similarityID": "c70f945ea1ca1df20396e9f3bee0dead4fbc6eb0144d8cb1286a1a2f45395fe4", + "search_line": 9 }, { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 21, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2-2].site_config.minimum_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-2].site_config.minimum_tls_version' should be set to '1.3'", + "actualValue": "'azurerm_linux_function_app[positive2-2].site_config.minimum_tls_version' is not set to '1.3'", + "issueType": "IncorrectValue", + "similarityID": "606c13b04c45936332be9bb13109e7efb04d585c673125fab1e45606fb6eb455", + "search_line": 21 }, { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 31, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2-3].site_config", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[positive2-3].site_config.minimum_tls_version' should be defined and set to '1.3'", + "actualValue": "'azurerm_linux_function_app[positive2-3].site_config.minimum_tls_version' is not defined", + "issueType": "MissingAttribute", + "similarityID": "5c0caa147af1bd392bc79be3fa87d697cc9f4394021a5f10247b009f3823f93f", + "search_line": 31 }, { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 37, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_linux_function_app[positive2-4]", + "searchValue": "", + "expectedValue": 
"'azurerm_linux_function_app[positive2-4].site_config.minimum_tls_version' should be defined and set to '1.3'", + "actualValue": "'azurerm_linux_function_app[positive2-4].site_config' is not defined", + "issueType": "MissingAttribute", + "similarityID": "4fe81678ca20ebe51d85338a5cb16476fe539f40d5560e3121354e558f40da19", + "search_line": 37 }, { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 9, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_windows_function_app[positive3-1].site_config.minimum_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-1].site_config.minimum_tls_version' should be set to '1.3'", + "actualValue": "'azurerm_windows_function_app[positive3-1].site_config.minimum_tls_version' is not set to '1.3'", + "issueType": "IncorrectValue", + "similarityID": "56f29d76479011a38427acf259d6b82ff37af976e5737a79bcb6f46c40977f98", + "search_line": 9 }, { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 21, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_windows_function_app[positive3-2].site_config.minimum_tls_version", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-2].site_config.minimum_tls_version' should be set to '1.3'", + "actualValue": "'azurerm_windows_function_app[positive3-2].site_config.minimum_tls_version' is not set to '1.3'", + "issueType": "IncorrectValue", + "similarityID": "8aa0685b5de454b2401f3fed826451c0561cc4dae7a90ab6925a48794f6af92b", + "search_line": 21 }, { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 31, - "fileName": "positive3.tf" + "fileName": 
"positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_windows_function_app[positive3-3].site_config", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-3].site_config.minimum_tls_version' should be defined and set to '1.3'", + "actualValue": "'azurerm_windows_function_app[positive3-3].site_config.minimum_tls_version' is not defined", + "issueType": "MissingAttribute", + "similarityID": "679192c25357335d8c8d303a49d8ab98a9304271f3062141bab197863bb9c0da", + "search_line": 31 }, { "queryName": "Function App Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 37, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "test-azure-functions", + "searchKey": "azurerm_windows_function_app[positive3-4]", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[positive3-4].site_config.minimum_tls_version' should be defined and set to '1.3'", + "actualValue": "'azurerm_windows_function_app[positive3-4].site_config' is not defined", + "issueType": "MissingAttribute", + "similarityID": "6a21e0d0bc3eb164e842072aef1839d0c7a945999e49402860e4ab2682d5d726", + "search_line": 37 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/geo_redundancy_is_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/geo_redundancy_is_disabled/test/positive_expected_result.json index 46237c30c6e..1f12623500a 100644 --- a/assets/queries/terraform/azure/geo_redundancy_is_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/geo_redundancy_is_disabled/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Geo Redundancy Is Disabled", "severity": "LOW", - "line": 2 + "line": 2, + "fileName": "positive.tf", + "resourceType": "azurerm_postgresql_server", + "resourceName": "dbserver", + "searchKey": "azurerm_postgresql_server[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_server.positive1.geo_redundant_backup_enabled' should be set", + "actualValue": "'azurerm_postgresql_server.positive1.geo_redundant_backup_enabled' is undefined", + "issueType": "MissingAttribute", + "similarityID": "d3eb8c911685ed872de16efc64c0b9c1159809ee3d45501787dd251a515ff126", + "search_line": 2 }, { "queryName": "Geo Redundancy Is Disabled", "severity": "LOW", - "line": 31 + "line": 31, + "fileName": "positive.tf", + "resourceType": "azurerm_postgresql_server", + "resourceName": "dbserver", + "searchKey": "azurerm_postgresql_server[positive2].geo_redundant_backup_enabled", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_server.positive2.geo_redundant_backup_enabled' should be true", + "actualValue": "'azurerm_postgresql_server.positive2.geo_redundant_backup_enabled' is false", + "issueType": "IncorrectValue", + "similarityID": "ad14b4d5a2794dce578d0f198da239e4bc282a90e001cd57f44c22adf54bee56", + "search_line": 31 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/key_expiration_not_set/test/positive_expected_result.json b/assets/queries/terraform/azure/key_expiration_not_set/test/positive_expected_result.json index d7155771566..5ad5e61b897 100644 --- a/assets/queries/terraform/azure/key_expiration_not_set/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/key_expiration_not_set/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "Key Expiration Not Set", "severity": "MEDIUM", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "azurerm_key_vault_key", + "resourceName": "generated-certificate", + "searchKey": "azurerm_key_vault_key[positive1]", + "searchValue": "", + "expectedValue": "'expiration_date' should exist", + "actualValue": "'expiration_date' is missing", + "issueType": "MissingAttribute", + "similarityID": "6da9074efe66673477b2115b1218d4aa349d4d1fa79532937320364b92ac17f7", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/key_vault_purge_protection_is_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/key_vault_purge_protection_is_enabled/test/positive_expected_result.json index 97bfb0544c9..e3ad8184239 100644 --- a/assets/queries/terraform/azure/key_vault_purge_protection_is_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/key_vault_purge_protection_is_enabled/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Beta - Key Vault Purge Protection Is Enabled", "severity": "HIGH", "line": 8, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_key_vault", + "resourceName": "examplekeyvault", + "searchKey": "azurerm_key_vault[positive1].purge_protection_enabled", + "searchValue": "", + "expectedValue": "'purge_protection_enabled' field should be set to true", + "actualValue": "'purge_protection_enabled' is not set to true", + "issueType": "IncorrectValue", + "similarityID": "1a4e98b9f4b2782770e4cddfa64835f6eecefa04b36f46f1bb6c1284348ee09c", + "search_line": 8 }, { "queryName": "Beta - Key Vault Purge Protection Is Enabled", "severity": "HIGH", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_key_vault", + "resourceName": "examplekeyvault", + "searchKey": "azurerm_key_vault[positive2]", + "searchValue": "", + "expectedValue": "'purge_protection_enabled' should be defined and set to true", + "actualValue": "'purge_protection_enabled' is not defined", + "issueType": "MissingAttribute", + "similarityID": "85ce52b31b63348c8271301c48ba74871111c1a9482e86df67882d23bb172bbf", + "search_line": 1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/test/positive_expected_result.json b/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/test/positive_expected_result.json index ec725ac34b4..970412d227d 100644 --- a/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Key Vault Secrets Content Type Undefined", "severity": "MEDIUM", "line": 1, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "azurerm_key_vault_secret", + "resourceName": "secret-sauce", + "searchKey": "azurerm_key_vault_secret[positive]", + "searchValue": "", + "expectedValue": "'azurerm_key_vault_secret[positive].content_type' should be defined and not null", + "actualValue": "'azurerm_key_vault_secret[positive].content_type' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "467c85d4fbf410a4e5c006ef12db6ef16534825fce76095fbd8f849b653cfffc", + "search_line": 1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/key_vault_without_hsm_protection/test/positive_expected_result.json b/assets/queries/terraform/azure/key_vault_without_hsm_protection/test/positive_expected_result.json index 4193e97f2e6..0861f87eaf6 100644 --- a/assets/queries/terraform/azure/key_vault_without_hsm_protection/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/key_vault_without_hsm_protection/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Beta - Key Vault Without HSM Protection", "severity": "LOW", - "line": 4 + "line": 4, + "fileName": "positive.tf", + "resourceType": "azurerm_key_vault_key", + "resourceName": "positive1-certificate", + "searchKey": "azurerm_key_vault_key[positive1].key_type", + "searchValue": "", + "expectedValue": "'azurerm_key_vault_key[positive1].key_type' should be set to an HSM-backed type ('RSA-HSM' or 'EC-HSM')", + "actualValue": "'azurerm_key_vault_key[positive1].key_type' is set to 'RSA'", + "issueType": "IncorrectValue", + "similarityID": "a974f6a5c284cc45236fafdf1b87fafbf4605a7f04e195e7ac3beca475c4813e", + "search_line": 4 }, { "queryName": "Beta - Key Vault Without HSM Protection", "severity": "LOW", - "line": 11 + "line": 11, + "fileName": "positive.tf", + "resourceType": "azurerm_key_vault_key", + "resourceName": "positive2-certificate", + "searchKey": "azurerm_key_vault_key[positive2].key_type", + "searchValue": "", + "expectedValue": "'azurerm_key_vault_key[positive2].key_type' should be set to an HSM-backed type ('RSA-HSM' or 'EC-HSM')", + "actualValue": "'azurerm_key_vault_key[positive2].key_type' is set to 'EC'", + "issueType": "IncorrectValue", + "similarityID": "a09804231c604faab0922d110033fc77d4eea3ddc4a7e0d6fa894d3257f1fb42", + "search_line": 11 } ] diff --git a/assets/queries/terraform/azure/kubernetes_cluster_managed_identity_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/kubernetes_cluster_managed_identity_disabled/test/positive_expected_result.json index 4fdc0d7828c..df237980300 100644 --- a/assets/queries/terraform/azure/kubernetes_cluster_managed_identity_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/kubernetes_cluster_managed_identity_disabled/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Beta - Kubernetes Cluster Managed Identity Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "azurerm_kubernetes_cluster", + "resourceName": "example-aks1", + "searchKey": "azurerm_kubernetes_cluster[positive]", + "searchValue": "", + "expectedValue": "'type' field should have the values 'SystemAssigned' or 'UserAssigned' defined inside the 'identity' block", + "actualValue": "'identity' block is not defined", + "issueType": "MissingAttribute", + "similarityID": "d267d23bedaf16afe1570e5bbe82d087ec628ca073b8f8a87c64bfa396a419eb", + "search_line": 1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/log_retention_is_not_set/test/positive_expected_result.json b/assets/queries/terraform/azure/log_retention_is_not_set/test/positive_expected_result.json index 96fbc631e30..cbe8a794332 100644 --- a/assets/queries/terraform/azure/log_retention_is_not_set/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/log_retention_is_not_set/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "Log Retention Is Not Set", "severity": "MEDIUM", - "line": 5 + "line": 5, + "fileName": "positive.tf", + "resourceType": "azurerm_postgresql_configuration", + "resourceName": "log_retention", + "searchKey": "azurerm_postgresql_configuration[positive1].value", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_configuration.positive1.value' should be 'ON'", + "actualValue": "'azurerm_postgresql_configuration.positive1.value' is 'OFF'", + "issueType": "IncorrectValue", + "similarityID": "d4f3ab9ea2edb266d61075c0737d577ddd81a49d5b7644fbdf4080a92cc8443f", + "search_line": 5 }, { "queryName": "Log Retention Is Not Set", "severity": "MEDIUM", - "line": 12 + "line": 12, + "fileName": "positive.tf", + "resourceType": "azurerm_postgresql_configuration", + "resourceName": "log_retention", + "searchKey": "azurerm_postgresql_configuration[positive2].value", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_configuration.positive2.value' should be 'ON'", + "actualValue": "'azurerm_postgresql_configuration.positive2.value' is 'OFF'", + "issueType": "IncorrectValue", + "similarityID": "445c2925f93c44c27f319fa2407ec1cdd1a68b5ce6544cfbb00c887ce5d195bd", + "search_line": 12 }, { "queryName": "Log Retention Is Not Set", "severity": "MEDIUM", - "line": 19 + "line": 19, + "fileName": "positive.tf", + "resourceType": "azurerm_postgresql_configuration", + "resourceName": "log_retention", + "searchKey": "azurerm_postgresql_configuration[positive3].value", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_configuration.positive3.value' should be 'ON'", + "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'", + "issueType": "IncorrectValue", + "similarityID": "75260292996c9800f48cb3ba8a47d942e4ae24630ecd0f880e22a0b9c4905edd", + "search_line": 19 } ] 
diff --git a/assets/queries/terraform/azure/logic_app_managed_identity_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/logic_app_managed_identity_disabled/test/positive_expected_result.json index 80f99405d25..05d6caa1963 100644 --- a/assets/queries/terraform/azure/logic_app_managed_identity_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/logic_app_managed_identity_disabled/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Beta - Logic App Managed Identity Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "azurerm_logic_app_standard", + "resourceName": "example-logic-app", + "searchKey": "azurerm_logic_app_standard[positive]", + "searchValue": "", + "expectedValue": "'type' field should have the values 'SystemAssigned' or 'UserAssigned' defined inside the 'identity' block", + "actualValue": "'identity' block is not defined", + "issueType": "MissingAttribute", + "similarityID": "25802d6ee6eebfd9c5e012f5634ea38e52e0214b9d98c2ba76960fa64e8ad5cf", + "search_line": 1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/mariadb_public_network_access_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/mariadb_public_network_access_enabled/test/positive_expected_result.json index 0501fb48609..0ed50013492 100644 --- a/assets/queries/terraform/azure/mariadb_public_network_access_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/mariadb_public_network_access_enabled/test/positive_expected_result.json 
@@ -2,13 +2,31 @@ { "queryName": "MariaDB Server Public Network Access Enabled", "severity": "HIGH", - "line": 16, - "fileName": "positive.tf" + "line": 1, + "fileName": "positive2.tf", + "resourceType": "azurerm_mariadb_server", + "resourceName": "example-mariadb-server", + "searchKey": "azurerm_mariadb_server[positive2]", + "searchValue": "", + "expectedValue": "'azurerm_mariadb_server[positive2].public_network_access_enabled' should be defined and not null", + "actualValue": "'azurerm_mariadb_server[positive2].public_network_access_enabled' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "e7c6edad01d5b1e5507ac9aae430063285518b00e3d72a7391697635f028356d", + "search_line": 1 }, { "queryName": "MariaDB Server Public Network Access Enabled", "severity": "HIGH", - "line": 1, - "fileName": "positive2.tf" + "line": 16, + "fileName": "positive.tf", + "resourceType": "azurerm_mariadb_server", + "resourceName": "example-mariadb-server", + "searchKey": "azurerm_mariadb_server[positive].public_network_access_enabled", + "searchValue": "", + "expectedValue": "'azurerm_mariadb_server[positive].public_network_access_enabled.enabled' should be set to false", + "actualValue": "'azurerm_mariadb_server[positive].public_network_access_enabled.enabled' is not set to false", + "issueType": "IncorrectValue", + "similarityID": "39240d71abaa9cd635ab3ac5c966f8eccd1cc7a2aad19491bbfd3f6685be5f90", + "search_line": 16 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/test/positive_expected_result.json index 8fd6749c698..ca11f3cbed8 100644 --- a/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled/test/positive_expected_result.json 
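Review bot: The `positive.tf` entry's `expectedValue`/`actualValue` name an attribute `public_network_access_enabled.enabled` that does not exist on the resource and does not match the entry's own `searchKey` of `azurerm_mariadb_server[positive].public_network_access_enabled`. The sibling MSSQL fixture in this same commit phrases the identical check as `'azurerm_mssql_server[positive2].public_network_access_enabled' should be set to false`, which is the consistent form. Since these files look like snapshots of the query's output, the stray `.enabled` presumably comes from the query's message text rather than from this fixture, so the correction likely belongs in the query with the fixture regenerated afterwards; a test that only compares these strings will otherwise lock the misleading message in.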
@@ -3,12 +3,30 @@ "queryName": "MariaDB Server Geo-redundant Backup Disabled", "severity": "LOW", "line": 15, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_mariadb_server", + "resourceName": "example-mariadb-server", + "searchKey": "azurerm_mariadb_server[positive1].geo_redundant_backup_enabled", + "searchValue": "", + "expectedValue": "'azurerm_mariadb_server[positive1].geo_redundant_backup_enabled' should be set to true", + "actualValue": "'azurerm_mariadb_server[positive1].geo_redundant_backup_enabled' is set to false", + "issueType": "IncorrectValue", + "similarityID": "0da54c681e1d3fbea90813b99114ffb7e0d82ae040cf798a3c8dbe51dbebec65", + "search_line": 15 }, { "queryName": "MariaDB Server Geo-redundant Backup Disabled", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_mariadb_server", + "resourceName": "example-mariadb-server", + "searchKey": "azurerm_mariadb_server[positive2]", + "searchValue": "", + "expectedValue": "'azurerm_mariadb_server[positive2].geo_redundant_backup_enabled' should be defined and set to true", + "actualValue": "'azurerm_mariadb_server[positive2].geo_redundant_backup_enabled' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "11139727c622d455c7c1d63df75a19e9d1c898f022c9c969bfa267344af8ef3f", + "search_line": 1 } ] diff --git a/assets/queries/terraform/azure/mssql_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/mssql_not_using_latest_tls_encryption_version/test/positive_expected_result.json index 73376a87e9c..5b11a604d5f 100644 --- a/assets/queries/terraform/azure/mssql_not_using_latest_tls_encryption_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/mssql_not_using_latest_tls_encryption_version/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Beta - MSSQL Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 8, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "azurerm_mssql_server", + "resourceName": "example-resource", + "searchKey": "azurerm_mssql_server[positive1].minimum_tls_version", + "searchValue": "", + "expectedValue": "'minimum_tls_version' should be defined to '1.2'", + "actualValue": "'minimum_tls_version' is defined to '1.1'", + "issueType": "IncorrectValue", + "similarityID": "d7052252d4eb675e2b4f7654e478acb028ea6447f7fb111aa89fdfd89d384dea", + "search_line": 8 } ] diff --git a/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/positive_expected_result.json index 3a520528db2..71c10b0f2a1 100644 --- a/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/mssql_server_auditing_disabled/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "MSSQL Server Auditing Disabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_mssql_server", + "resourceName": "mssqlserver", + "searchKey": "azurerm_mssql_server[example]", + "searchValue": "", + "expectedValue": "'azurerm_mssql_server[example]' resource should have a 'azurerm_mssql_server_extended_auditing_policy' resource associated", + "actualValue": "'azurerm_mssql_server[example]' resource does not have a 'azurerm_mssql_server_extended_auditing_policy' resource associated", + "issueType": "MissingAttribute", + "similarityID": "e011f3ba7e2f6609f2e9a904abf6ab483ebdeafce9a3e0336a10c57a374bbfd5", + "search_line": -1 }, { "queryName": "MSSQL Server Auditing Disabled", "severity": "MEDIUM", "line": 10, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_mssql_server", + "resourceName": "mssqlserver", + "searchKey": "azurerm_mssql_server[example]", + "searchValue": "", + "expectedValue": "'azurerm_mssql_server[example]' resource should have a 'azurerm_mssql_server_extended_auditing_policy' resource associated", + "actualValue": "'azurerm_mssql_server[example]' resource does not have a 'azurerm_mssql_server_extended_auditing_policy' resource associated", + "issueType": "MissingAttribute", + "similarityID": "67fcc9b6a797e5a971e59d57223e1c03bca25fc0e48bbf0eea9d592584c4f331", + "search_line": -1 } ] diff --git a/assets/queries/terraform/azure/mssql_server_database_with_alerts_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/mssql_server_database_with_alerts_disabled/test/positive_expected_result.json index fa15c8d1679..505eff97746 100644 --- a/assets/queries/terraform/azure/mssql_server_database_with_alerts_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/mssql_server_database_with_alerts_disabled/test/positive_expected_result.json 
@@ -3,18 +3,45 @@
 "queryName": "MSSQL Server Database With Alerts Disabled",
 "severity": "MEDIUM",
 "line": 17,
- "filename": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "azurerm_mssql_server_security_alert_policy",
+ "resourceName": "positive1",
+ "searchKey": "azurerm_mssql_server_security_alert_policy[positive1].disabled_alerts",
+ "searchValue": "",
+ "expectedValue": "'azurerm_mssql_server_security_alert_policy.positive1.disabled_alerts' should be empty",
+ "actualValue": "'azurerm_mssql_server_security_alert_policy.positive1.disabled_alerts' is not empty",
+ "issueType": "IncorrectValue",
+ "similarityID": "af25e7640cc0025c4c0ef307c8ef2e501974c276a4f7df135b837fe278293cea",
+ "search_line": 17
 },
 {
 "queryName": "MSSQL Server Database With Alerts Disabled",
 "severity": "MEDIUM",
 "line": 14,
- "filename": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "azurerm_mssql_server_security_alert_policy",
+ "resourceName": "positive2",
+ "searchKey": "azurerm_mssql_server_security_alert_policy[positive2].state",
+ "searchValue": "",
+ "expectedValue": "'azurerm_mssql_server_security_alert_policy.positive2.state' should be enabled",
+ "actualValue": "'azurerm_mssql_server_security_alert_policy.positive2.state' is not enabled",
+ "issueType": "IncorrectValue",
+ "similarityID": "e29cbd1c6efa6d43c78da25da97a8b80c904f7ad31ba98cf7becd8925f1b715d",
+ "search_line": 14
 },
 {
 "queryName": "MSSQL Server Database With Alerts Disabled",
 "severity": "MEDIUM",
 "line": 1,
- "filename": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "azurerm_mssql_server",
+ "resourceName": "my-mssql-server",
+ "searchKey": "azurerm_mssql_server[example]",
+ "searchValue": "",
+ "expectedValue": "Security alert policy should be defined and enabled",
+ "actualValue": "Security alert policy is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "784f31cd53dc2556166f78747b179e1d4930543651de0402ef95a2d4574e548b",
+ "search_line": 1
 }
 ]
diff --git a/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/test/positive_expected_result.json
index a44857a9524..d4d0922ccab 100644
--- a/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/mssql_server_public_network_access_enabled/test/positive_expected_result.json
@@ -3,13 +3,30 @@
 "queryName": "MSSQL Server Public Network Access Enabled",
 "severity": "HIGH",
 "line": 1,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "azurerm_mssql_server",
+ "resourceName": "mssqlserver",
+ "searchKey": "azurerm_mssql_server[positive1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_mssql_server[positive1].public_network_access_enabled' should be defined and not null",
+ "actualValue": "'azurerm_mssql_server[positive1].public_network_access_enabled' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "3a15015c6dccb2bd641b4bcc371e3a035e92a9e06608f40b263588c01fa68d70",
+ "search_line": 1
 },
 {
 "queryName": "MSSQL Server Public Network Access Enabled",
 "severity": "HIGH",
 "line": 16,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "azurerm_mssql_server",
+ "resourceName": "mssqlserver",
+ "searchKey": "azurerm_mssql_server[positive2].public_network_access_enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_mssql_server[positive2].public_network_access_enabled' should be set to false",
+ "actualValue": "'azurerm_mssql_server[positive2].public_network_access_enabled' is set to true",
+ "issueType": "IncorrectValue",
+ "similarityID": "89e9998237aa9e9e19c42ff6ca5e0a6e03ded5ad046dfdf18fe58917342fdfb6",
+ "search_line": 16
 }
 ]
-
diff --git a/assets/queries/terraform/azure/mysql_server_public_access_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/mysql_server_public_access_enabled/test/positive_expected_result.json
index e7f08b088ba..a0c28f1fa52 100644
--- a/assets/queries/terraform/azure/mysql_server_public_access_enabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/mysql_server_public_access_enabled/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "MySQL Server Public Access Enabled",
 "severity": "HIGH",
 "line": 1,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "azurerm_mssql_server",
+ "resourceName": "example-mysqlserver",
+ "searchKey": "azurerm_mysql_server[positive1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_mysql_server[positive1].public_network_access_enabled' should be defined",
+ "actualValue": "'azurerm_mysql_server[positive1].public_network_access_enabled' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "cd96db8adb90dce1c6f971033b215738f0b70dad435f4be36c6767aecaac46c5",
+ "search_line": 1
 },
 {
 "queryName": "MySQL Server Public Access Enabled",
 "severity": "HIGH",
 "line": 17,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "azurerm_mssql_server",
+ "resourceName": "example-mysqlserver",
+ "searchKey": "azurerm_mysql_server[positive2].public_network_access_enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_mysql_server[positive2].public_network_access_enabled' should be set to false",
+ "actualValue": "'azurerm_mysql_server[positive2].public_network_access_enabled' is set to true",
+ "issueType": "IncorrectValue",
+ "similarityID": "6847789e057e4fb0dffa73a1669034a6cc67565399134937e79965e6b6ca5d83",
+ "search_line": 17
 }
 ]
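Review bot: `resourceType` is `azurerm_mssql_server` in both new entries while `searchKey`, `expectedValue`, `resourceName` and the query name all refer to `azurerm_mysql_server`; the mysql_ssl_connection_disabled hunk that follows has the same mismatch. Since this file is the expected-result oracle, committing it turns what looks like a copy-paste in the query's result object into asserted behaviour, and any consumer grouping findings by resource type will attribute these MySQL findings to MSSQL. I would correct the query to emit `"resourceType": "azurerm_mysql_server"` and regenerate the fixture rather than accept it as is.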
diff --git a/assets/queries/terraform/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json
index 573fae9c01b..53aec29c77e 100644
--- a/assets/queries/terraform/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/mysql_ssl_connection_disabled/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "MySQL SSL Connection Disabled",
 "severity": "MEDIUM",
- "line": 17
+ "line": 17,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_mssql_server",
+ "resourceName": "webflux-mysql-${var.environment}${random_integer.rnd_int.result}",
+ "searchKey": "azurerm_mysql_server[positive1].ssl_enforcement_enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_mysql_server.positive1.ssl_enforcement_enabled' should equal 'true'",
+ "actualValue": "'azurerm_mysql_server.positive1.ssl_enforcement_enabled' is equal 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "519f63faf879d9fc2558c367ec8e40da325a95bcf8c01683542034d5acacf459",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/test/positive_expected_result.json
index 5f4588091b6..74dc0c33bd3 100644
--- a/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Network Interfaces IP Forwarding Enabled",
 "severity": "MEDIUM",
 "line": 12,
- "fileName": "positive.tf"
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_network_interface",
+ "resourceName": "example-nic",
+ "searchKey": "azurerm_network_interface[positive].enable_ip_forwarding",
+ "searchValue": "",
+ "expectedValue": "'azurerm_network_interface[positive].enable_ip_forwarding' should be set to false or undefined",
+ "actualValue": "'azurerm_network_interface[positive].enable_ip_forwarding' is set to true",
+ "issueType": "IncorrectValue",
+ "similarityID": "7907f83ac31533d161e32f1576b3227092b6f28f697d5b170eba022a2ee7e784",
+ "search_line": 12
 }
 ]
diff --git a/assets/queries/terraform/azure/network_interfaces_with_public_ip/test/positive_expected_result.json b/assets/queries/terraform/azure/network_interfaces_with_public_ip/test/positive_expected_result.json
index e0ea3ebc646..32669399148 100644
--- a/assets/queries/terraform/azure/network_interfaces_with_public_ip/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/network_interfaces_with_public_ip/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Network Interfaces With Public IP",
 "severity": "MEDIUM",
 "line": 10,
- "fileName": "positive.tf"
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_network_interface",
+ "resourceName": "example-nic",
+ "searchKey": "azurerm_network_interface[positive].ip_configuration.public_ip_address_id",
+ "searchValue": "",
+ "expectedValue": "'azurerm_network_interface[positive].ip_configuration.public_ip_address_id' should be undefined",
+ "actualValue": "'azurerm_network_interface[positive].ip_configuration.public_ip_address_id' is defined",
+ "issueType": "IncorrectValue",
+ "similarityID": "d8f85376e5cd8074e14d1b8852bb55b7e7370fa288dc8b11689856f8e41cfd1b",
+ "search_line": 10
 }
 ]
diff --git a/assets/queries/terraform/azure/network_watcher_flow_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/network_watcher_flow_disabled/test/positive_expected_result.json
index b287a8f30d5..c6ed08bbeb6 100644
--- a/assets/queries/terraform/azure/network_watcher_flow_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/network_watcher_flow_disabled/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "Network Watcher Flow Disabled",
 "severity": "MEDIUM",
- "line": 7
+ "line": 7,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_network_watcher_flow_log",
+ "resourceName": "positive1",
+ "searchKey": "azurerm_network_watcher_flow_log[positive1].enable",
+ "searchValue": "",
+ "expectedValue": "azurerm_network_watcher_flow_log.enabled should be true",
+ "actualValue": "azurerm_network_watcher_flow_log.enabled is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "50eb35e1a463bd6e577bb21e8a20b946efee4b9ae263d517ecb850e45da528fc",
+ "search_line": 7
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json
index b35ff583b46..0fca61340b6 100644
--- a/assets/queries/terraform/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/postgresql_log_checkpoints_disabled/test/positive_expected_result.json
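Review bot: `searchKey` locates the finding at `azurerm_network_watcher_flow_log[positive1].enable` while `expectedValue` and `actualValue` describe `azurerm_network_watcher_flow_log.enabled`, so the fixture asserts two different attribute names for one finding. Whichever attribute the positive.tf sample actually sets (not visible here), the messages and the searchKey should agree, e.g. `"expectedValue": "'azurerm_network_watcher_flow_log[positive1].enable' should be true"` if `enable` is what the query inspects; otherwise the reported location does not match what the message tells the user. Correcting the query's message and regenerating is preferable to hand-editing this JSON.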
@@ -2,16 +2,46 @@
 {
 "queryName": "PostgreSQL Log Checkpoints Disabled",
 "severity": "MEDIUM",
- "line": 5
+ "line": 5,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_postgresql_configuration",
+ "resourceName": "log_checkpoints",
+ "searchKey": "azurerm_postgresql_configuration[positive1].value",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_configuration.positive1.value' should be 'ON'",
+ "actualValue": "'azurerm_postgresql_configuration.positive1.value' is 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "b07f94b1e9e4b2ada0b6386b920d374f58deb0140dff988740ec63d42286858c",
+ "search_line": 5
 },
 {
 "queryName": "PostgreSQL Log Checkpoints Disabled",
 "severity": "MEDIUM",
- "line": 12
+ "line": 12,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_postgresql_configuration",
+ "resourceName": "log_checkpoints",
+ "searchKey": "azurerm_postgresql_configuration[positive2].value",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_configuration.positive2.value' should be 'ON'",
+ "actualValue": "'azurerm_postgresql_configuration.positive2.value' is 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "b3406fb6006cf89dde7fa9dea810d51d0667c3aa1e3c98bae526f073bf430270",
+ "search_line": 12
 },
 {
 "queryName": "PostgreSQL Log Checkpoints Disabled",
 "severity": "MEDIUM",
- "line": 19
+ "line": 19,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_postgresql_configuration",
+ "resourceName": "log_checkpoints",
+ "searchKey": "azurerm_postgresql_configuration[positive3].value",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_configuration.positive3.value' should be 'ON'",
+ "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "dd93c45370ace22bb7bb9485d614843bf5771d9afcd2ddc475468f515d6df206",
+ "search_line": 19
 }
 ]
diff --git a/assets/queries/terraform/azure/postgresql_log_connections_not_set/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_log_connections_not_set/test/positive_expected_result.json
index abd85e253b5..8788db0b3fd 100644
--- a/assets/queries/terraform/azure/postgresql_log_connections_not_set/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/postgresql_log_connections_not_set/test/positive_expected_result.json
@@ -2,16 +2,46 @@
 {
 "queryName": "PostgreSQL Log Connections Not Set",
 "severity": "MEDIUM",
- "line": 5
+ "line": 5,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_postgresql_configuration",
+ "resourceName": "log_connections",
+ "searchKey": "azurerm_postgresql_configuration[positive1].value",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_configuration.positive1.value' should be 'ON'",
+ "actualValue": "'azurerm_postgresql_configuration.positive1.value' is 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "02b5c18fd1639bad86ecc51486b486b32e197161aba5829744e1d6b5a3049035",
+ "search_line": 5
 },
 {
 "queryName": "PostgreSQL Log Connections Not Set",
 "severity": "MEDIUM",
- "line": 12
+ "line": 12,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_postgresql_configuration",
+ "resourceName": "log_connections",
+ "searchKey": "azurerm_postgresql_configuration[positive2].value",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_configuration.positive2.value' should be 'ON'",
+ "actualValue": "'azurerm_postgresql_configuration.positive2.value' is 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "b1c3e3297adebb572fbefa494832c5a4b95b5136bcbb168d4f55e78cd20cbc6e",
+ "search_line": 12
 },
 {
 "queryName": "PostgreSQL Log Connections Not Set",
 "severity": "MEDIUM",
- "line": 19
+ "line": 19,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_postgresql_configuration",
+ "resourceName": "log_connections",
+ "searchKey": "azurerm_postgresql_configuration[positive3].value",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_configuration.positive3.value' should be 'ON'",
+ "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "ccd027f9661bfafd74b914622c396faae4423d48e8d0b0915654d6ea0425e174",
+ "search_line": 19
 }
 ]
diff --git a/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json
index 067ff6d8970..abf9581b93b 100644
--- a/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/postgresql_log_disconnections_not_set/test/positive_expected_result.json
@@ -2,16 +2,46 @@
 {
 "queryName": "PostgreSQL Log Disconnections Not Set",
 "severity": "MEDIUM",
- "line": 5
+ "line": 5,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_postgresql_configuration",
+ "resourceName": "log_disconnections",
+ "searchKey": "azurerm_postgresql_configuration[positive1].value",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_configuration.positive1.value' should be 'ON'",
+ "actualValue": "'azurerm_postgresql_configuration.positive1.value' is 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "3af0e9385bc7b34bb0cca211b4f7da42cd7ebb3eb3f8ffaf72e1d66b89a8dcd5",
+ "search_line": -1
 },
 {
 "queryName": "PostgreSQL Log Disconnections Not Set",
 "severity": "MEDIUM",
- "line": 12
+ "line": 12,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_postgresql_configuration",
+ "resourceName": "log_disconnections",
+ "searchKey": "azurerm_postgresql_configuration[positive2].value",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_configuration.positive2.value' should be 'ON'",
+ "actualValue": "'azurerm_postgresql_configuration.positive2.value' is 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "e9c8484fbea7f713d32b35a34fd6f3cbbbcf0022ca9cee1311a40d66875d80c7",
+ "search_line": -1
 },
 {
 "queryName": "PostgreSQL Log Disconnections Not Set",
 "severity": "MEDIUM",
- "line": 19
+ "line": 19,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_postgresql_configuration",
+ "resourceName": "log_disconnections",
+ "searchKey": "azurerm_postgresql_configuration[positive3].value",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_configuration.positive3.value' should be 'ON'",
+ "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "0552f4a6bbf8ccc5961ed23ac2090bb502ecb486962784f145d5cdb20e89398c",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/terraform/azure/postgresql_log_duration_not_set/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_log_duration_not_set/test/positive_expected_result.json
index 3863748c49d..b8db97f1e0d 100644
--- a/assets/queries/terraform/azure/postgresql_log_duration_not_set/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/postgresql_log_duration_not_set/test/positive_expected_result.json
@@ -2,16 +2,46 @@
 {
 "queryName": "PostgreSQL Log Duration Not Set",
 "severity": "MEDIUM",
- "line": 6
+ "line": 6,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_postgresql_configuration",
+ "resourceName": "log_duration",
+ "searchKey": "azurerm_postgresql_configuration[positive1].value",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_configuration.positive1.value' should be 'ON'",
+ "actualValue": "'azurerm_postgresql_configuration.positive1.value' is 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "3511d4cd4d3c882be1f8a95666bf5648b0e197bb0b12088d4abc4acf6aa44735",
+ "search_line": 6
 },
 {
 "queryName": "PostgreSQL Log Duration Not Set",
 "severity": "MEDIUM",
- "line": 13
+ "line": 13,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_postgresql_configuration",
+ "resourceName": "log_duration",
+ "searchKey": "azurerm_postgresql_configuration[positive2].value",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_configuration.positive2.value' should be 'ON'",
+ "actualValue": "'azurerm_postgresql_configuration.positive2.value' is 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "bc3e7df87447ff9236581cdc6df33431cd90e1147f568dd20150528884c26437",
+ "search_line": 13
 },
 {
 "queryName": "PostgreSQL Log Duration Not Set",
 "severity": "MEDIUM",
- "line": 20
+ "line": 20,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_postgresql_configuration",
+ "resourceName": "log_duration",
+ "searchKey": "azurerm_postgresql_configuration[positive3].value",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_configuration.positive3.value' should be 'ON'",
+ "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "52b5cd6fd32e6ff8ed358516e5fcf04bd5c71d47fe359c42bb231cc52ecd9c11",
+ "search_line": 20
 }
 ]
diff --git a/assets/queries/terraform/azure/postgresql_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_not_using_latest_tls_encryption_version/test/positive_expected_result.json
index f316f34f23f..c16cbf7f0d8 100644
--- a/assets/queries/terraform/azure/postgresql_not_using_latest_tls_encryption_version/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/postgresql_not_using_latest_tls_encryption_version/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Beta - PostgreSQL Not Using Latest TLS Encryption Version",
 "severity": "MEDIUM",
 "line": 10,
- "fileName": "positive.tf"
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_postgresql_server",
+ "resourceName": "example-psqlserver",
+ "searchKey": "azurerm_postgresql_server[negative2].minimum_tls_version",
+ "searchValue": "",
+ "expectedValue": "'ssl_minimal_tls_version_enforced' should be defined to 'TLS1_2'",
+ "actualValue": "'ssl_minimal_tls_version_enforced' is defined to 'TLS1_1'",
+ "issueType": "IncorrectValue",
+ "similarityID": "ea35140c5682af776cda944589bb298454fa02dd1ca0eb42a9743d66ef7871e9",
+ "search_line": 10
 }
 ]
diff --git a/assets/queries/terraform/azure/postgresql_server_infrastructure_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_server_infrastructure_encryption_disabled/test/positive_expected_result.json
index ad6c13e0928..b69f7f3d79b 100644
--- a/assets/queries/terraform/azure/postgresql_server_infrastructure_encryption_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/postgresql_server_infrastructure_encryption_disabled/test/positive_expected_result.json
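Review bot: The single positive finding is located at `azurerm_postgresql_server[negative2].minimum_tls_version`, yet `expectedValue`/`actualValue` describe `ssl_minimal_tls_version_enforced`, the attribute this PostgreSQL query is actually about, and a resource labelled `negative2` inside a positive sample suggests the sample was copied from the negative test without renaming. The searchKey's attribute name matches the MSSQL variant of this query (first hunk of this chunk, where `minimum_tls_version` is the right attribute), so it looks carried over rather than intended. I'd expect something like `"searchKey": "azurerm_postgresql_server[positive1].ssl_minimal_tls_version_enforced"` once the query's searchKey and the sample's resource label are fixed and the fixture regenerated; as committed, the oracle pins the inconsistent key.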
@@ -3,12 +3,30 @@
 "queryName": "PostgreSQL Server Infrastructure Encryption Disabled",
 "severity": "LOW",
 "line": 21,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "azurerm_postgresql_server",
+ "resourceName": "example-psqlserver",
+ "searchKey": "azurerm_postgresql_server[positive1].infrastructure_encryption_enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_server[positive1].infrastructure_encryption_enabled' should be set to true",
+ "actualValue": "'azurerm_postgresql_server[positive1].infrastructure_encryption_enabled' is set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "22659ccb85da49a3e928da4a387772f846232d5ebef1474ebe524e346458d3f5",
+ "search_line": 21
 },
 {
 "queryName": "PostgreSQL Server Infrastructure Encryption Disabled",
 "severity": "LOW",
 "line": 1,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "azurerm_postgresql_server",
+ "resourceName": "example-psqlserver",
+ "searchKey": "azurerm_postgresql_server[positive2]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_server[positive2].infrastructure_encryption_enabled' should be defined and set to true",
+ "actualValue": "'azurerm_postgresql_server[positive2].infrastructure_encryption_enabled' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "3531ccfbc6b6e5cf56dbd240404223bada54958d697e22f5bc1b422871efc890",
+ "search_line": 1
 }
 ]
diff --git a/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/test/positive_expected_result.json
index 14af965003f..4c00782d69a 100644
--- a/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "PostgreSQL Server Threat Detection Policy Disabled",
 "severity": "MEDIUM",
 "line": 22,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "azurerm_postgresql_server",
+ "resourceName": "example-psqlserver",
+ "searchKey": "azurerm_postgresql_server[positive1].threat_detection_policy.enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_server[positive1].threat_detection_policy.enabled' should be set to true",
+ "actualValue": "'azurerm_postgresql_server[positive1].threat_detection_policy.enabled' is set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "3fe8273ae8fb79cc34c969baec7bc73b357bfbb5933a6346fc286388d033cf06",
+ "search_line": 22
 },
 {
 "queryName": "PostgreSQL Server Threat Detection Policy Disabled",
 "severity": "MEDIUM",
 "line": 1,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "azurerm_postgresql_server",
+ "resourceName": "example-psqlserver",
+ "searchKey": "azurerm_postgresql_server[positive2]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_server[positive2].threat_detection_policy' is a defined object",
+ "actualValue": "'azurerm_postgresql_server[positive2].threat_detection_policy' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "1fbbffae4eba5f62c0286de5d377e6d654be0d083c1c4c9c3b4e904ebeec83b3",
+ "search_line": 1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json b/assets/queries/terraform/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json
index 943c8a24cdc..e4222f90e1f 100644
--- a/assets/queries/terraform/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/postgresql_server_without_connection_throttling/test/positive_expected_result.json
@@ -2,16 +2,46 @@
 {
 "queryName": "PostgreSQL Server Without Connection Throttling",
 "severity": "MEDIUM",
- "line": 5
+ "line": 5,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_postgresql_configuration",
+ "resourceName": "connection_throttling",
+ "searchKey": "azurerm_postgresql_configuration[positive1].value",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_configuration.positive1.value' should be 'ON'",
+ "actualValue": "'azurerm_postgresql_configuration.positive1.value' is 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "9baee9c3e3d1c20f6bc80f5016df9982a13b02efc82b4982545128a1c6380ef2",
+ "search_line": 5
 },
 {
 "queryName": "PostgreSQL Server Without Connection Throttling",
 "severity": "MEDIUM",
- "line": 12
+ "line": 12,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_postgresql_configuration",
+ "resourceName": "connection_throttling",
+ "searchKey": "azurerm_postgresql_configuration[positive2].value",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_configuration.positive2.value' should be 'ON'",
+ "actualValue": "'azurerm_postgresql_configuration.positive2.value' is 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "ad4aeb3e1afec0d4a373935514bdf23d4f5b216007846ea91727f109400c70c4",
+ "search_line": 12
 },
 {
 "queryName": "PostgreSQL Server Without Connection Throttling",
 "severity": "MEDIUM",
- "line": 19
+ "line": 19,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_postgresql_configuration",
+ "resourceName": "connection_throttling",
+ "searchKey": "azurerm_postgresql_configuration[positive3].value",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_configuration.positive3.value' should be 'ON'",
+ "actualValue": "'azurerm_postgresql_configuration.positive3.value' is 'OFF'",
+ "issueType": "IncorrectValue",
+ "similarityID": "1ad3c8aecdf0f178b4a1c4a9c64d78d9af5009abbb813e6f9d72fbcbd31ea73e",
+ "search_line": 19
 }
 ]
diff --git a/assets/queries/terraform/azure/public_storage_account/test/positive_expected_result.json b/assets/queries/terraform/azure/public_storage_account/test/positive_expected_result.json
index ea162bbcc22..f8a4df00ec5 100644
--- a/assets/queries/terraform/azure/public_storage_account/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/public_storage_account/test/positive_expected_result.json
@@ -1,32 +1,77 @@
 [
- {
- "queryName": "Public Storage Account",
- "severity": "HIGH",
- "line": 11,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Public Storage Account",
- "severity": "HIGH",
- "line": 28,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Public Storage Account",
- "severity": "HIGH",
- "line": 43,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Public Storage Account",
- "severity": "HIGH",
- "line": 48,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Public Storage Account",
- "severity": "HIGH",
- "line": 8,
- "fileName": "positive2.tf"
- }
+ {
+ "queryName": "Public Storage Account",
+ "severity": "HIGH",
+ "line": 11,
+ "fileName": "positive1.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "storageaccountname",
+ "searchKey": "azurerm_storage_account[positive1].network_rules.ip_rules",
+ "searchValue": "",
+ "expectedValue": "'network_rules.ip_rules' should not contain 0.0.0.0/0",
+ "actualValue": "'network_rules.ip_rules' contains 0.0.0.0/0",
+ "issueType": "IncorrectValue",
+ "similarityID": "2b35fd7f25e66b8988688c5fb85065d8406ac08f0ddb8e5ddaa8faa4049d0347",
+ "search_line": 11
+ },
+ {
+ "queryName": "Public Storage Account",
+ "severity": "HIGH",
+ "line": 28,
+ "fileName": "positive1.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "storageaccountname",
+ "searchKey": "azurerm_storage_account[positive2].network_rules",
+ "searchValue": "",
+ "expectedValue": "'network_rules.ip_rules' should be defined and not null",
+ "actualValue": "'network_rules.default_action' is 'Allow' and 'network_rules.ip_rules' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "5c34a0b54247b98ed4ba18b97bc4c043ae6bec38993dfdf204c70e059e66100c",
+ "search_line": 28
+ },
+ {
+ "queryName": "Public Storage Account",
+ "severity": "HIGH",
+ "line": 43,
+ "fileName": "positive1.tf",
+ "resourceType": "azurerm_storage_account_network_rules",
+ "resourceName": "positive3",
+ "searchKey": "azurerm_storage_account_network_rules[positive3].ip_rules",
+ "searchValue": "",
+ "expectedValue": "ip_rules[0] should not contain 0.0.0.0/0",
+ "actualValue": "ip_rules[0] contains 0.0.0.0/0",
+ "issueType": "IncorrectValue",
+ "similarityID": "afd1aa1d88bc3a76a2e586b8f35b286fa14f58c59b0851700de67f4541178181",
+ "search_line": 43
+ },
+ {
+ "queryName": "Public Storage Account",
+ "severity": "HIGH",
+ "line": 48,
+ "fileName": "positive1.tf",
+ "resourceType": "azurerm_storage_account_network_rules",
+ "resourceName": "positive4",
+ "searchKey": "azurerm_storage_account_network_rules[positive4]",
+ "searchValue": "",
+ "expectedValue": "'ip_rules' should be defined and not null",
+ "actualValue": "'default_action' is set to 'Allow' and 'ip_rules' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "91c23147a3e7ef807773f9f7d5cff2fdf09bf9d940e0d055b059c6cd09ab7b8c",
+ "search_line": 48
+ },
+ {
+ "queryName": "Public Storage Account",
+ "severity": "HIGH",
+ "line": 8,
+ "fileName": "positive2.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "storageaccountname",
+ "searchKey": "azurerm_storage_account[positive5].allow_blob_public_access",
+ "searchValue": "",
+ "expectedValue": "'allow_blob_public_access' should be set to false or undefined",
+ "actualValue": "'allow_blob_public_access' is set to true",
+ "issueType": "IncorrectValue",
+ "similarityID": "2a60e24c8adbb65d72bb53620efbf396a7e55dd5b181b2785683578918cb4ed7",
+ "search_line": 8
+ }
 ]
diff --git a/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/test/positive_expected_result.json b/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/test/positive_expected_result.json
index ebd333666de..3c100643741 100644
--- a/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet/test/positive_expected_result.json
@@ -1,102 +1,302 @@ [ - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 8 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 22 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 36 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 50 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 64 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 78 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 92 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 106 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 120 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 134 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 153 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 165 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 177 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 189 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 201 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 213 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 225 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 237 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 249 - }, - { - "queryName": "RDP Is Exposed To The Internet", - "severity": "HIGH", - "line": 261 - } -] \ No newline at end of file + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", 
+ "line": 8, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive1].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive1.destination_port_range' cannot be 3389", + "actualValue": "'azurerm_network_security_rule.positive1.destination_port_range' might be 3389", + "issueType": "IncorrectValue", + "similarityID": "e6657a646f990be2cf34cfa97f80845bf6a5f64459557a3fcba0c7e9e9d46dab", + "search_line": -1 + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 22, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive2.destination_port_range' cannot be 3389", + "actualValue": "'azurerm_network_security_rule.positive2.destination_port_range' might be 3389", + "issueType": "IncorrectValue", + "similarityID": "aee5df28688a69f18f8bc992b5fabdeaf28bce6e9e0ad3019d63be8d4483418d", + "search_line": -1 + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 36, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive3.destination_port_range' cannot be 3389", + "actualValue": "'azurerm_network_security_rule.positive3.destination_port_range' might be 3389", + "issueType": "IncorrectValue", + "similarityID": "b19f814635a3fa63bb27c770ce9c508ad85bb815631b799d7da15ece80c272bc", + "search_line": -1 + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 50, + "fileName": "positive.tf", + "resourceType": 
"azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive4.destination_port_range' cannot be 3389", + "actualValue": "'azurerm_network_security_rule.positive4.destination_port_range' might be 3389", + "issueType": "IncorrectValue", + "similarityID": "425c7d6cb6c47c17b02c6b4c3037fc9a69236f8d339781cb5357a408db267c1e", + "search_line": -1 + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 64, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive5].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive5.destination_port_range' cannot be 3389", + "actualValue": "'azurerm_network_security_rule.positive5.destination_port_range' might be 3389", + "issueType": "IncorrectValue", + "similarityID": "80c9ccae7fdad6c5468463b2446b13b424cf552c0cad221d1dfafe624d8bae57", + "search_line": -1 + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 78, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive6].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive6.destination_port_range' cannot be 3389", + "actualValue": "'azurerm_network_security_rule.positive6.destination_port_range' might be 3389", + "issueType": "IncorrectValue", + "similarityID": "aa5d969142f701ef50ece84c786357efc74df95e73b539817d1e4aa03c759553", + "search_line": -1 + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 92, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", 
+ "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive7.destination_port_range' cannot be 3389", + "actualValue": "'azurerm_network_security_rule.positive7.destination_port_range' might be 3389", + "issueType": "IncorrectValue", + "similarityID": "2736e6f865b5d62eafcee589fe521b4768d9cdb49089b456f464fb2cc1b458c9", + "search_line": -1 + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 106, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive8].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive8.destination_port_range' cannot be 3389", + "actualValue": "'azurerm_network_security_rule.positive8.destination_port_range' might be 3389", + "issueType": "IncorrectValue", + "similarityID": "6d5b09bdde63304baa81e1c71e657fbb8aa719a6059271b16c9fd8d58ea87633", + "search_line": -1 + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 120, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive9.destination_port_range' cannot be 3389", + "actualValue": "'azurerm_network_security_rule.positive9.destination_port_range' might be 3389", + "issueType": "IncorrectValue", + "similarityID": "444db1e77955a844e03bf90a5f850bdc3648984ca5bffa1c3b244fd543092922", + "search_line": -1 + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": 
"azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "", + "expectedValue": "'azurerm_network_security_rule.positive10.destination_port_range' cannot be 3389", + "actualValue": "'azurerm_network_security_rule.positive10.destination_port_range' might be 3389", + "issueType": "IncorrectValue", + "similarityID": "32da6a00bbe28929435ce405beb43e9e2db9ae258d6450e1cc55d9f5842fa250", + "search_line": -1 + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 153, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive11", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive11}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 3389", + "actualValue": "'destination_port_range' might be 3389", + "issueType": "IncorrectValue", + "similarityID": "213e5cb5ebfdedbca2590ac4ab8e1df67ce609cc3602c797d5cb51f72817f3ce", + "search_line": -1 + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 165, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive12", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive12}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 3389", + "actualValue": "'destination_port_range' might be 3389", + "issueType": "IncorrectValue", + "similarityID": "ac1dd1bd3b760410d4c9dfa5acc9ae34fb1b8c3c18d02f09fa967d4628c00a3c", + "search_line": -1 + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 177, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive13", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive13}}.destination_port_range", + "searchValue": 
"", + "expectedValue": "'destination_port_range' cannot be 3389", + "actualValue": "'destination_port_range' might be 3389", + "issueType": "IncorrectValue", + "similarityID": "a72ffd56144c6630cb64037a91a91551a54af6d11d941bc95ea2a50e4f9da942", + "search_line": -1 + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 189, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive14", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive14}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 3389", + "actualValue": "'destination_port_range' might be 3389", + "issueType": "IncorrectValue", + "similarityID": "9060f5326439affd73315b63806c0f6859df271e0bfea182dc203cde3aca12c2", + "search_line": -1 + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 201, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive15", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive15}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 3389", + "actualValue": "'destination_port_range' might be 3389", + "issueType": "IncorrectValue", + "similarityID": "8a9ed4901ee7a3f3c3cd485674eb44025e17fe4c4e28a44acd9c37f7167a95e3", + "search_line": -1 + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 213, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive16", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive16}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 3389", + "actualValue": "'destination_port_range' might be 3389", + "issueType": "IncorrectValue", + 
"similarityID": "69e7d28fd89b97bb8d98500f0ab3b1048b4fd49a68b97366a426259f60304fcb", + "search_line": -1 + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 225, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive17", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive17}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 3389", + "actualValue": "'destination_port_range' might be 3389", + "issueType": "IncorrectValue", + "similarityID": "fee1be46fac239aa822663ef433dab6712c707814ff33e26ff397e2e2e2db68a", + "search_line": -1 + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 237, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive18", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive18}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 3389", + "actualValue": "'destination_port_range' might be 3389", + "issueType": "IncorrectValue", + "similarityID": "ab9cb4d4c7fddcdecbb48de119fb8453174bfa7fbf729736c8c49a2294f9c4ae", + "search_line": -1 + }, + { + "queryName": "RDP Is Exposed To The Internet", + "severity": "HIGH", + "line": 249, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive19", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive19}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 3389", + "actualValue": "'destination_port_range' might be 3389", + "issueType": "IncorrectValue", + "similarityID": "b8bb95b44bf8568b8c771e54fd0eb1c66f3d096ace83187738f904a31cfe1175", + "search_line": -1 + }, + { + "queryName": "RDP Is Exposed To The Internet", + 
"severity": "HIGH", + "line": 261, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_group", + "resourceName": "positive20", + "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive20}}.destination_port_range", + "searchValue": "", + "expectedValue": "'destination_port_range' cannot be 3389", + "actualValue": "'destination_port_range' might be 3389", + "issueType": "IncorrectValue", + "similarityID": "f4c86fa2edd75e8b6366289d13fcc45b037b0c7e5fdb172e01aebffac363d496", + "search_line": -1 + } +] diff --git a/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/positive_expected_result.json b/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/positive_expected_result.json index e36c55b3819..f241a73ee76 100644 --- a/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/recovery_services_vaut_with_public_network_access/test/positive_expected_result.json 
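Review bot: All twenty regenerated entries in this hunk carry `"search_line": -1` even though `line` is populated, whereas the other fixtures regenerated in this change (for example the recovery-vault ones) set `search_line` equal to `line`. Pinning `-1` means the test cannot catch a regression in line resolution for this query, and any later change that makes the query emit a search line will require regenerating this file. The ten `azurerm_network_security_rule` entries also all report `"resourceName": "example"`, which presumably reflects a single reused `name = "example"` in the sample; distinct names per positive rule would make `resourceName` a meaningful discriminator in the comparison.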
@@ -2,11 +2,31 @@ { "queryName": "Beta - Recovery Services Vault With Public Network Access", "severity": "HIGH", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "azurerm_recovery_services_vault", + "resourceName": "positive1-recovery-vault", + "searchKey": "azurerm_recovery_services_vault[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_recovery_services_vault[positive1].public_network_access_enabled' should be defined and set to false", + "actualValue": "'azurerm_recovery_services_vault[positive1].public_network_access_enabled' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "73bbd8602efe4565032eaac9f343b043b67d8200a8734e451640a99403137ff7", + "search_line": 1 }, { "queryName": "Beta - Recovery Services Vault With Public Network Access", "severity": "HIGH", - "line": 16 + "line": 16, + "fileName": "positive.tf", + "resourceType": "azurerm_recovery_services_vault", + "resourceName": "positive2-recovery-vault", + "searchKey": "azurerm_recovery_services_vault[positive2].public_network_access_enabled", + "searchValue": "", + "expectedValue": "'azurerm_recovery_services_vault[positive2].public_network_access_enabled' should be defined and set to false", + "actualValue": "'azurerm_recovery_services_vault[positive2].public_network_access_enabled' is set to true", + "issueType": "IncorrectValue", + "similarityID": "f73d88051bb15315068c5bfa6458ef929ab422d43600d7660f4636d87c75b083", + "search_line": 16 } ] diff --git a/assets/queries/terraform/azure/recovery_services_vaut_without_immutability/test/positive_expected_result.json b/assets/queries/terraform/azure/recovery_services_vaut_without_immutability/test/positive_expected_result.json index 3a18b5b238f..1d6c99efb53 100644 --- a/assets/queries/terraform/azure/recovery_services_vaut_without_immutability/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/recovery_services_vaut_without_immutability/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Beta - Recovery Services Vault Without Immutability", "severity": "HIGH", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "azurerm_recovery_services_vault", + "resourceName": "positive1-recovery-vault", + "searchKey": "azurerm_recovery_services_vault[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_recovery_services_vault[positive1].immutability' should be set and enabled", + "actualValue": "'azurerm_recovery_services_vault[positive1].immutability' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "1a300469308a8699f9324103a5113d76b2af22ebac56c16684f1a3496f677962", + "search_line": 1 }, { "queryName": "Beta - Recovery Services Vault Without Immutability", "severity": "HIGH", - "line": 16 + "line": 16, + "fileName": "positive.tf", + "resourceType": "azurerm_recovery_services_vault", + "resourceName": "positive2-recovery-vault", + "searchKey": "azurerm_recovery_services_vault[positive2].immutability", + "searchValue": "", + "expectedValue": "'azurerm_recovery_services_vault[positive2].immutability' should be set and enabled", + "actualValue": "'azurerm_recovery_services_vault[positive2].immutability' is set to 'Disabled'", + "issueType": "IncorrectValue", + "similarityID": "3c37bf4409bc5f3ae02e85d43ad35a66daa81d3011bf29928068b314736121c6", + "search_line": 16 } ] diff --git a/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/test/positive_expected_result.json b/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/test/positive_expected_result.json index e5d1b57eeb7..67dd11206e2 100644 --- a/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/recovery_services_vaut_without_soft_delete/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "Beta - Recovery Services Vault Without Soft Delete", "severity": "HIGH", - "line": 7 + "line": 7, + "fileName": "positive.tf", + "resourceType": "azurerm_recovery_services_vault", + "resourceName": "positive-recovery-vault", + "searchKey": "azurerm_recovery_services_vault[positive].soft_delete_enabled", + "searchValue": "", + "expectedValue": "'azurerm_recovery_services_vault[positive].soft_delete_enabled' should not be set to false", + "actualValue": "'azurerm_recovery_services_vault[positive].soft_delete_enabled' is set to false", + "issueType": "IncorrectValue", + "similarityID": "237180724b0e83b16a6b22b111a29bf2da72d463b384c4526b165a53864eeb2d", + "search_line": 7 } ] diff --git a/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json b/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json index c06ca607b78..aab4b4559f6 100644 --- a/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections/test/positive_expected_result.json @@ -1,7 +1,17 @@ [ - { - "queryName": "Redis Cache Allows Non SSL Connections", - "severity": "MEDIUM", - "line": 8 - } + { + "queryName": "Redis Cache Allows Non SSL Connections", + "severity": "MEDIUM", + "line": 8, + "fileName": "positive.tf", + "resourceType": "azurerm_redis_cache", + "resourceName": "example-cache", + "searchKey": "azurerm_redis_cache[positive1].enable_non_ssl_port", + "searchValue": "", + "expectedValue": "'azurerm_redis_cache[positive1].enable_non_ssl_port' should be set to false or undefined (false as default)", + "actualValue": "'azurerm_redis_cache[positive1].enable_non_ssl_port' is true", + "issueType": "IncorrectValue", + "similarityID": "94f3d8776dd62e9e49398557a1b87632b060716d96f7e729fa9ea077d954341b", + "search_line": 8 + } ] 
diff --git a/assets/queries/terraform/azure/redis_cache_managed_identity_is_not_set_to_system_assigned/test/positive_expected_result.json b/assets/queries/terraform/azure/redis_cache_managed_identity_is_not_set_to_system_assigned/test/positive_expected_result.json index 1aacb551ed4..cf5708954f0 100644 --- a/assets/queries/terraform/azure/redis_cache_managed_identity_is_not_set_to_system_assigned/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/redis_cache_managed_identity_is_not_set_to_system_assigned/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "Beta - Redis Cache Managed Identity Is Not Set To System Assigned", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_redis_cache", + "resourceName": "example-cache-positive1", + "searchKey": "azurerm_redis_cache[positive1]", + "searchValue": "", + "expectedValue": "'identity' block should have 'SystemAssigned' defined on 'type' field", + "actualValue": "'identity' block is not defined", + "issueType": "MissingAttribute", + "similarityID": "2a8fb37f747bfb3a682531681add988549409df3f8dafca40a7e9136de012905", + "search_line": 1 }, { "queryName": "Beta - Redis Cache Managed Identity Is Not Set To System Assigned", "severity": "MEDIUM", "line": 10, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_redis_cache", + "resourceName": "example-cache-negative2", + "searchKey": "azurerm_redis_cache[positive2]", + "searchValue": "", + "expectedValue": "'identity' block should have 'SystemAssigned' defined on 'type' field", + "actualValue": "'identity' block does not have 'SystemAssigned' defined on 'type' field", + "issueType": "MissingAttribute", + "similarityID": "0fa0a4b4c6efcf044df66244eb9f79ab9ef7f67754366b7d0df1e68e51bdbc1a", + "search_line": 10 } -] \ No newline at end of file +] 
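Review bot: The `positive2.tf` entry pins `"resourceName": "example-cache-negative2"`, so a positive sample is now locked to a negative-case name — presumably a copy-paste leftover in the sample file; renaming it to `example-cache-positive2` and regenerating would keep the fixture self-describing. The same entry classifies an `identity` block that exists but lacks `SystemAssigned` as `"issueType": "MissingAttribute"`, while the non-SSL and TLS-version fixtures in this change use `IncorrectValue` for a present-but-wrong value. Since these files are generated, the inconsistency lives in the query; aligning the query and regenerating is preferable to editing this JSON by hand.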
diff --git a/assets/queries/terraform/azure/redis_cache_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/redis_cache_not_using_latest_tls_encryption_version/test/positive_expected_result.json index 3d4cbf732c2..2b1df9afeb0 100644 --- a/assets/queries/terraform/azure/redis_cache_not_using_latest_tls_encryption_version/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/redis_cache_not_using_latest_tls_encryption_version/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "Beta - Redis Cache Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 9, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_redis_cache", + "resourceName": "example-cache", + "searchKey": "azurerm_redis_cache[positive1].minimum_tls_version", + "searchValue": "", + "expectedValue": "'minimum_tls_version' should be defined and set to '1.2'", + "actualValue": "'minimum_tls_version' is defined to '1.1'", + "issueType": "IncorrectValue", + "similarityID": "8363411ed63a930f5862b481910a2a02a7af454d7524275a7d833b506755ad72", + "search_line": 9 }, { "queryName": "Beta - Redis Cache Not Using Latest TLS Encryption Version", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_redis_cache", + "resourceName": "example-cache", + "searchKey": "azurerm_redis_cache[positive2]", + "searchValue": "", + "expectedValue": "'minimum_tls_version' should be defined and set to '1.2'", + "actualValue": "'minimum_tls_version' is not defined", + "issueType": "IncorrectValue", + "similarityID": "1a4e5386061a7b0357d7dd60d1120c925c7d4970b13f808ae5f0c4e5e6cbb763", + "search_line": 1 } ] diff --git a/assets/queries/terraform/azure/redis_entirely_accessible/test/positive_expected_result.json b/assets/queries/terraform/azure/redis_entirely_accessible/test/positive_expected_result.json index 102713534e5..1df4320b198 100644 
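Review bot: The `positive2.tf` entry pairs `"actualValue": "'minimum_tls_version' is not defined"` with `"issueType": "IncorrectValue"`, whereas every other undefined-attribute result in this change (e.g. the recovery-vault `public_network_access_enabled` case) is classified `MissingAttribute`. Regenerating has now pinned that classification as expected output, so the mismatch will persist until the query's result construction is corrected and this file is regenerated; it should not be patched here by hand.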
--- a/assets/queries/terraform/azure/redis_entirely_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/redis_entirely_accessible/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Redis Entirely Accessible", "severity": "CRITICAL", - "line": 22 + "line": 22, + "fileName": "positive.tf", + "resourceType": "azurerm_redis_firewall_rule", + "resourceName": "someIPrange", + "searchKey": "azurerm_redis_firewall_rule[positive2].start_ip", + "searchValue": "", + "expectedValue": "'azurerm_redis_firewall_rule[positive2]' start_ip and end_ip should not equal to '0.0.0.0'", + "actualValue": "'azurerm_redis_firewall_rule[positive2]' start_ip and end_ip are equal to '0.0.0.0'", + "issueType": "IncorrectValue", + "similarityID": "21a01fea40e0127f38463127b54c3902ebd2b54064b57c3cda1654503a37a3e0", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/redis_not_updated_regularly/test/positive_expected_result.json b/assets/queries/terraform/azure/redis_not_updated_regularly/test/positive_expected_result.json index 01189c2c454..dbc24eb6f1a 100644 --- a/assets/queries/terraform/azure/redis_not_updated_regularly/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/redis_not_updated_regularly/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Redis Not Updated Regularly", "severity": "MEDIUM", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "azurerm_redis_cache", + "resourceName": "timeout-redis", + "searchKey": "azurerm_redis_cache[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_redis_cache[positive1].patch_schedule' should be defined and not null", + "actualValue": "'azurerm_redis_cache[positive1].patch_schedule' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "11a990f105cce543130a2015c7fde0efffab2b190b57b313c58d470664516485", + "search_line": -1 } -] \ No newline at end of file +] 
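Review bot: The `redis_not_updated_regularly` entry is a resource-level `MissingAttribute` on `azurerm_redis_cache[positive1]` with `"line": 1` but `"search_line": -1`, while the equivalent resource-level missing-attribute results regenerated in this change (the recovery-vault fixtures) set `search_line` to the resource's line. The fixture therefore pins the absence of a search line for this query, so the comparison cannot exercise that field here; if the query is later fixed to report one, this file must be regenerated.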
diff --git a/assets/queries/terraform/azure/redis_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/azure/redis_publicly_accessible/test/positive_expected_result.json index 9786674c7d7..6fcad04f977 100644 --- a/assets/queries/terraform/azure/redis_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/redis_publicly_accessible/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Redis Publicly Accessible", "severity": "CRITICAL", - "line": 22 + "line": 22, + "fileName": "positive.tf", + "resourceType": "azurerm_redis_firewall_rule", + "resourceName": "someIPrange", + "searchKey": "azurerm_redis_firewall_rule[positive2].start_ip", + "searchValue": "", + "expectedValue": "'azurerm_redis_firewall_rule[positive2]' ip range should be private", + "actualValue": "'azurerm_redis_firewall_rule[positive2]' ip range is not private", + "issueType": "IncorrectValue", + "similarityID": "b362bdfafe2539cdbf1a2a446b37ba4cbf291584df329ab2e6bbb3196b8308e9", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/resource_without_diagnostic_settings/test/positive_expected_result.json b/assets/queries/terraform/azure/resource_without_diagnostic_settings/test/positive_expected_result.json index 4df38e6a9f5..41215d1a20f 100644 --- a/assets/queries/terraform/azure/resource_without_diagnostic_settings/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/resource_without_diagnostic_settings/test/positive_expected_result.json 
@@ -3,156 +3,390 @@ "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_subscription", + "resourceName": "positive1_1", + "searchKey": "azurerm_subscription[positive1_1]", + "searchValue": "", + "expectedValue": "'azurerm_subscription[positive1_1]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_subscription[positive1_1]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "bb4fad08c6d90c7852e566a322432fa5c64d4b56632dcadb0331a815a47d1996", + "search_line": 1 }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 5, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_subscription", + "resourceName": "positive1_2", + "searchKey": "azurerm_subscription[positive1_2]", + "searchValue": "", + "expectedValue": "'azurerm_subscription[positive1_2]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_subscription[positive1_2]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "5e6c3168e3b37500e2064ee98eae3dc06795fa5f6299db27b8736ee0ae67e9fd", + "search_line": 5 }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 1, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_key_vault", + "resourceName": "example-keyvault", + "searchKey": "azurerm_key_vault[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_key_vault[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_key_vault[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": 
"MissingAttribute", + "similarityID": "457ceb4696478dff52a0e20fd242e2f4e68e11e8b63c5067ef497ab79bc2dc84", + "search_line": 1 }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 9, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_application_gateway", + "resourceName": "example-appgateway", + "searchKey": "azurerm_application_gateway[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_application_gateway[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_application_gateway[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "0a0e2f5f567bb3a3653e935e74e62dc938121df6119882194f895d36e2222cf6", + "search_line": 9 }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 15, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_firewall", + "resourceName": "testfirewall", + "searchKey": "azurerm_firewall[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_firewall[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_firewall[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "9656e2d818dfb2f484a0638f597b3d19cd80b55985f873e009ec6b8f02a318ee", + "search_line": 15 }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 23, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_lb", + "resourceName": "TestLoadBalancer", + "searchKey": "azurerm_lb[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_lb[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": 
"'azurerm_lb[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "3cad942ecf3b51f776ba091fac8b0b07a16a07a7aca6a07fa39ac117ccfff7f1", + "search_line": 23 }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 29, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_public_ip", + "resourceName": "acceptanceTestPublicIp1", + "searchKey": "azurerm_public_ip[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_public_ip[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_public_ip[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "0009ea3a94a33ae143aa3123bf7a5a3fe8ae0ac1b00fa94b7f6ad31934e0680f", + "search_line": 29 }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 36, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_frontdoor", + "resourceName": "example-FrontDoor", + "searchKey": "azurerm_frontdoor[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_frontdoor[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_frontdoor[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "07109de0c84c33e7b2c4bdfa38487f2b221acda5ec7541ed4e65dc1106a039f3", + "search_line": 36 }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 41, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_cdn_frontdoor_profile", + "resourceName": "example-cdn-profile", + "searchKey": "azurerm_cdn_frontdoor_profile[pos_example]", + "searchValue": "", + "expectedValue": 
"'azurerm_cdn_frontdoor_profile[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_cdn_frontdoor_profile[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "b8e4e3db9e7203c61cfab478695e28882f35433b545fe12eae810f3c1529ce91", + "search_line": 41 }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 48, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_cdn_frontdoor_endpoint", + "resourceName": "example-endpoint", + "searchKey": "azurerm_cdn_frontdoor_endpoint[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_cdn_frontdoor_endpoint[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_cdn_frontdoor_endpoint[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "00ca034844554edcfba669d1de01baed716db6ac6acec60c2531d2cfa27d2202", + "search_line": 48 }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 53, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_cdn_profile", + "resourceName": "exampleCdnProfile", + "searchKey": "azurerm_cdn_profile[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_cdn_profile[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_cdn_profile[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "97fdd0576e2aff4fcf6708132ca347afae7221230afacd35fbe1297208e1499b", + "search_line": 53 }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 60, - "filename": "positive2.tf" + "fileName": 
"positive2.tf", + "resourceType": "azurerm_cdn_endpoint", + "resourceName": "pos_example", + "searchKey": "azurerm_cdn_endpoint[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_cdn_endpoint[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_cdn_endpoint[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "ebf5f77082f8051ad0cda7118d7eeb013114b4ed5495cd2eff17ed903eb83547", + "search_line": 60 }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 67, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "storageaccountname", + "searchKey": "azurerm_storage_account[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_storage_account[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "dde18af485df7b880efb0868f3a4ffe3680d9dd8665dac3b9fe22fdc8d02e57a", + "search_line": 67 }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 75, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_mssql_server", + "resourceName": "mssqlserver", + "searchKey": "azurerm_mssql_server[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_mssql_server[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_mssql_server[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "46abafd6fe3b0f9efab1e381767c887461460cb72caf497ab4863a75b874ae94", + "search_line": 75 }, { 
"queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 85, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_mssql_managed_instance", + "resourceName": "managedsqlinstance", + "searchKey": "azurerm_mssql_managed_instance[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_mssql_managed_instance[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_mssql_managed_instance[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "d4fbbcf7de207459679438c1344833b8bd8f5b83b9757818d45d1c83c2513065", + "search_line": 85 }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 91, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_mssql_database", + "resourceName": "example-db", + "searchKey": "azurerm_mssql_database[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_mssql_database[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_mssql_database[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "d2b8dfca3ff3c6cd64cbaac9ffe6c79234eb33e69948d50de3981937a7ea02f3", + "search_line": 91 }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 101, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_cosmosdb_account", + "resourceName": "tfex-cosmos-db-${random_integer.ri.result}", + "searchKey": "azurerm_cosmosdb_account[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_cosmosdb_account[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": 
"'azurerm_cosmosdb_account[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "219e69cbaaf6aebfc97159b5d607dc1c4945c060263feaf1542f55d9221e1240", + "search_line": 101 }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 109, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "pos_example", + "searchKey": "azurerm_linux_web_app[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_linux_web_app[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "6fd0445b77044ddc1737f0e4c99b6f93a9c10de424daa80ecca51fcc49c0c9f3", + "search_line": 109 }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 118, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "pos_example", + "searchKey": "azurerm_windows_web_app[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_windows_web_app[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "8c4cb932ec8b7311a23e56db43adc24f83a318b7d2f0b0cde4a117d08a5e0639", + "search_line": 118 }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 127, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_function_app", + "resourceName": "example-linux-function-app", + "searchKey": 
"azurerm_linux_function_app[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_linux_function_app[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_linux_function_app[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "297b30c1de28b216bbbcaf707c84ecf653ba9c85ad196ae6b22627ee64e74bb3", + "search_line": 127 }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 139, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_windows_function_app", + "resourceName": "example-windows-function-app", + "searchKey": "azurerm_windows_function_app[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_windows_function_app[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_windows_function_app[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "2dbd5c26a2175520d3c3ee234f2e222dacb071d9170785e298dd20f8e63971cd", + "search_line": 139 }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 151, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_kubernetes_cluster", + "resourceName": "example-aks1", + "searchKey": "azurerm_kubernetes_cluster[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_kubernetes_cluster[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_kubernetes_cluster[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "3e9bf071b2e8b3fad02c4b64aa4b957bb5647981188bc7569d21a50f4e89c9f6", + "search_line": 151 }, { "queryName": "Beta - 
Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 158, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_eventhub_namespace", + "resourceName": "example-namespace", + "searchKey": "azurerm_eventhub_namespace[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_eventhub_namespace[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_eventhub_namespace[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "38ed2f619451d0d95e5c5429d1214eda35658b0d8d4950ccacdc2de4bb8f4c0a", + "search_line": 158 }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 166, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_servicebus_namespace", + "resourceName": "tfex-servicebus-namespace", + "searchKey": "azurerm_servicebus_namespace[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_servicebus_namespace[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_servicebus_namespace[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "f9bd2e94490c0da785f4338ba7282dd671fea9f7a9a17f3169c1e5a4cc00e788", + "search_line": 166 }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 173, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_container_registry", + "resourceName": "containerRegistry1", + "searchKey": "azurerm_container_registry[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_container_registry[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_container_registry[pos_example]' is not 
associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "004d178e242ad9e0dc23bdf34fdf1a6295419f3394af577e6e44b923089ca6d9", + "search_line": 173 }, { "queryName": "Beta - Resource Without Diagnostic Settings", "severity": "MEDIUM", "line": 181, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_api_management", + "resourceName": "example-apim", + "searchKey": "azurerm_api_management[pos_example]", + "searchValue": "", + "expectedValue": "'azurerm_api_management[pos_example]' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_api_management[pos_example]' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "211a6853e8b17bf6e57e727065fa2141524aba91281edecd87a61b8e4a6f61c1", + "search_line": 181 } ] diff --git a/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/test/positive_expected_result.json b/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/test/positive_expected_result.json index f1c73a909a0..f0e8edcb496 100644 --- a/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "Role Assignment Not Limit Guest User Permissions", "severity": "MEDIUM", - "line": 20 + "line": 20, + "fileName": "positive.tf", + "resourceType": "azurerm_role_assignment", + "resourceName": "00000000-0000-0000-0000-000000000000", + "searchKey": "azurerm_role_assignment[example].role_definition_id", + "searchValue": "", + "expectedValue": "azurerm_role_assignment[example].role_definition_id limits guest user permissions", + "actualValue": "azurerm_role_assignment[example].role_definition_id does not limit guest user permissions", + "issueType": "IncorrectValue", + "similarityID": "62087862f8348fe5848e2298c5b525f9a7e29dc589711194b3d4c6725bddf3b1", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json b/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json index 023084640e8..bdaa4785464 100644 --- a/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/role_definition_allows_custom_role_creation/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Role Definition Allows Custom Role Creation", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_role_definition", + "resourceName": "my-custom-role-definition", + "searchKey": "azurerm_role_definition[example2].permissions.actions", + "searchValue": "", + "expectedValue": "azurerm_role_definition[example2].permissions.actions should not allow custom role creation", + "actualValue": "azurerm_role_definition[example2].permissions.actions allows custom role creation", + "issueType": "IncorrectValue", + "similarityID": "7814d16a772c71fa4d1b0fcd54a8897976cd375dd26d0590d65099475452296c", + "search_line": -1 }, { "queryName": "Role Definition Allows Custom Role Creation", "severity": "MEDIUM", "line": 7, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_role_definition", + "resourceName": "my-custom-role", + "searchKey": "azurerm_role_definition[example].permissions.actions", + "searchValue": "", + "expectedValue": "azurerm_role_definition[example].permissions.actions should not allow custom role creation", + "actualValue": "azurerm_role_definition[example].permissions.actions allows custom role creation", + "issueType": "IncorrectValue", + "similarityID": "01aced7eec11d777e3699465ae5d41c326bff8730bd824136918c1473b49db05", + "search_line": -1 } ] diff --git a/assets/queries/terraform/azure/secret_expiration_not_set/test/positive_expected_result.json b/assets/queries/terraform/azure/secret_expiration_not_set/test/positive_expected_result.json index cfc5b5902ae..174351582e8 100644 --- a/assets/queries/terraform/azure/secret_expiration_not_set/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/secret_expiration_not_set/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "Secret Expiration Not Set", "severity": "MEDIUM", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "azurerm_key_vault_secret", + "resourceName": "secret-sauce", + "searchKey": "azurerm_key_vault_secret[positive1]", + "searchValue": "", + "expectedValue": "'expiration_date' should exist", + "actualValue": "'expiration_date' is missing", + "issueType": "MissingAttribute", + "similarityID": "d391327de1c86428b421724cd1a3e7cb01d916edcb44b23508a82f7f361d409a", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/test/positive_expected_result.json b/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/test/positive_expected_result.json index d3bb1c8c36f..901d934c899 100644 --- a/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Security Center Pricing Tier Is Not Standard", "severity": "MEDIUM", - "line": 2 + "line": 2, + "fileName": "positive.tf", + "resourceType": "azurerm_security_center_subscription_pricing", + "resourceName": "positive1", + "searchKey": "azurerm_security_center_subscription_pricing[positive1].tier", + "searchValue": "", + "expectedValue": "'azurerm_security_center_subscription_pricing.positive1.tier' is 'Standard'", + "actualValue": "'azurerm_security_center_subscription_pricing.positive1.tier' is 'Free'", + "issueType": "IncorrectValue", + "similarityID": "973eef75b61a4bc523614d04baa96f3097140fb80494616dc458e6dc113288a2", + "search_line": 2 } ] diff --git a/assets/queries/terraform/azure/security_contact_email/test/positive_expected_result.json b/assets/queries/terraform/azure/security_contact_email/test/positive_expected_result.json index 69e048d540b..dde7809797c 100644 
--- a/assets/queries/terraform/azure/security_contact_email/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/security_contact_email/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Security Contact Email", "severity": "MEDIUM", "line": 1, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "azurerm_security_center_contact", + "resourceName": "positive", + "searchKey": "azurerm_security_center_contact[positive]", + "searchValue": "", + "expectedValue": "'azurerm_security_center_contact[positive].email' should be defined and not null", + "actualValue": "'azurerm_security_center_contact[positive].email' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "a7da8d11606369bbdcff9c529e91a6e4632340e9dcec1c03ff9b0858fee44d66", + "search_line": 1 } ] diff --git a/assets/queries/terraform/azure/security_group_is_not_configured/test/positive_expected_result.json b/assets/queries/terraform/azure/security_group_is_not_configured/test/positive_expected_result.json index ed4b49e11b4..8cf628946ed 100644 --- a/assets/queries/terraform/azure/security_group_is_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/security_group_is_not_configured/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Security Group is Not Configured", "severity": "HIGH", - "line": 7 + "line": 7, + "fileName": "positive.tf", + "resourceType": "azure_virtual_network", + "resourceName": "test-network", + "searchKey": "azure_virtual_network[positive1].subnet", + "searchValue": "", + "expectedValue": "'azure_virtual_network[positive1].subnet.security_group' should be defined and not null", + "actualValue": "'azure_virtual_network[positive1].subnet.security_group' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "7c2729b851dd6d996c2e1928c5be92701255e67e3069ab4d28d0852eed19ec25", + "search_line": -1 }, { "queryName": "Security Group is Not Configured", "severity": "HIGH", - "line": 21 + "line": 21, + "fileName": "positive.tf", + "resourceType": "azure_virtual_network", + "resourceName": "test-network", + "searchKey": "azure_virtual_network[positive2].subnet.security_group", + "searchValue": "", + "expectedValue": "'azure_virtual_network[positive2].subnet.security_group' should not be empty", + "actualValue": "'azure_virtual_network[positive2].subnet.security_group' is empty", + "issueType": "IncorrectValue", + "similarityID": "a7acb3f4fbaefeeeb4245d124fef5e863a5ac9f22b2f7fc265925eab15b442cd", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json index 15e0b4e60c0..58da71e351c 100644 --- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network/test/positive_expected_result.json 
@@ -2,221 +2,661 @@ { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 8 + "line": 8, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive1].destination_port_range", + "searchValue": "UDP,61621", + "expectedValue": "Cassandra OpsCenter (UDP:61621) should not be allowed", + "actualValue": "Cassandra OpsCenter (UDP61621) is allowed", + "issueType": "IncorrectValue", + "similarityID": "e17135a6151100c3470c013bff388fac2404989a3005596ce9c15196e5f018f7", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22 + "line": 22, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "78467b07822bb2634540d0dd15c9d15e19bdb28e88b7fda543cfddee412097c8", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 22 + "line": 22, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP25) is allowed", + "issueType": "IncorrectValue", + "similarityID": "ed95b96502cea05933bac973a12d6592ac382999a2c642b01e772a90f8d63891", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 36 + "line": 36, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + 
"searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP21) is allowed", + "issueType": "IncorrectValue", + "similarityID": "5017321fde74a4161a035c71f28f6d295a29a7210ed02181a300ea44bd1e9784", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 36 + "line": 36, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "90d8aec38afa05c1bda7a7931a6c57b7b53e1fc42e43d07297b23ff0557db536", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 36 + "line": 36, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "13c8e32138730f65c800e70e3084f83925cd6008ab66841679b4d0fce270f651", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 36 + "line": 36, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP21) is allowed", + "issueType": "IncorrectValue", + "similarityID": 
"0b2e71037157f66691ed7ca076c07d28005a711b3361b69662f898fc8ce3deed", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 36 + "line": 36, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "74eccf07a3bcd13c6ba6c3d0172597f842568aa3d71900caece3de3b655507c7", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 36 + "line": 36, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "717febca4e65f3a9b8631b45d7706782165503c7b53765d73399e7748c6d892b", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 50 + "line": 50, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "2bb2450b3c29d1f3dd5b24ec8256a821623d04684de7c54e22d6d7dabc0f2c6e", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 50 + "line": 50, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", 
+ "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "1125912ec40d6b9629dffecede6feffa7a84967c7de4eb6230981776583cf2a6", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 64 + "line": 64, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive5].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "41f17a9f138db75edab45acf81fa53b38b38efabe29bd916fce5c83a708dde2e", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 78 + "line": 78, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive6].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "c0a2c574d75f5a4e3c5c1a0a681dfbcd41b2f96fe6934f4aee0aefb06b1a7826", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 92 + "line": 92, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP22) is allowed", + "issueType": "IncorrectValue", + 
"similarityID": "3747656238604d8b733d38213f8b54a39dd3239649eb514db875f96c5c725811", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 92 + "line": 92, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "eb034a4a49a5b02b406065461b095d3f48e5910301b8d7fef8184322817fc831", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 92 + "line": 92, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP25) is allowed", + "issueType": "IncorrectValue", + "similarityID": "b46851138d10ea12165960aa8b38cb8b4f9851810e82a61fa88646e5091edd5d", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 92 + "line": 92, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP53) is allowed", + "issueType": "IncorrectValue", + "similarityID": "e9235c965e05cfc358291b59bf2ce3ae500e3ed1eb9e6b03c891c6603b390cfb", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 106 + "line": 106, + "fileName": "positive.tf", + "resourceType": 
"azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive8].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "ef58e4e6d86905e6da87314cfff3e1c45bfa3b1ee074a44bf6955a9249510a90", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 120 + "line": 120, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "a9b1bd545be88e17880f9e0260098d0be0d6682e979aaefdfd01a9298365ddfb", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 120 + "line": 120, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "bd303a0af3bba83a6a43ce70eba0beeffed34dae494994fa94933ab75fce3aac", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed", + "actualValue": "POP3 (TCP110) is 
allowed", + "issueType": "IncorrectValue", + "similarityID": "7994dbe869fa064d9d02ee202727a03c8ecd667ce83783b5a764ff3d9aa23afe", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", + "actualValue": "MSSQL Debugger (TCP135) is allowed", + "issueType": "IncorrectValue", + "similarityID": "2be891b4ffea551e04aea5ec524424861d2b0866fd7efeea3caaeb5e5f29b3d1", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (TCP137) is allowed", + "issueType": "IncorrectValue", + "similarityID": "947644e8b0b785bbd601618bed4743cd6c6f33d4a5f504b4ea8d47baf1ebb1c3", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (TCP138) is allowed", + "issueType": "IncorrectValue", + "similarityID": "c1126d61ed8499766b48d6c3b15d732351f4c4765c32efcb6bc6a2fcbd8d7154", + "search_line": -1 }, { "queryName": 
"Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (TCP139) is allowed", + "issueType": "IncorrectValue", + "similarityID": "7c84a528196e4520938275a543a4170bc51ca60e46f7b0aac1aba0113ed02279", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed", + "actualValue": "FTP (TCP20) is allowed", + "issueType": "IncorrectValue", + "similarityID": "6ccb7d5ffb1703611fae756ccbb4724c16f3411d693979774c93f798a0f17ff8", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP21) is allowed", + "issueType": "IncorrectValue", + "similarityID": "721a8f8caeef6502d6151604cf46d0f1ce554f80117348a9e98089df164dcf47", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": 
"azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "ad547da463890320d6ee5376c5f4dd9b739917b288f18b93a97ceedef791502d", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "bf1c4c9de9d042e197911a730ff8e339c2f25de14f50dd645b1727063a5ef334", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP25) is allowed", + "issueType": "IncorrectValue", + "similarityID": "c68c5c9cc2f03e3a1191ab4ef90d0dc56bc00e43ba5f67e75cdb89ae1169c755", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed", + "actualValue": "DNS (TCP53) is allowed", + "issueType": "IncorrectValue", + "similarityID": 
"e2cd6093ff83b04b415b46ef5761d69b9354fab0b56c2d903e0b3c4787267c78", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed", + "actualValue": "HTTP (TCP80) is allowed", + "issueType": "IncorrectValue", + "similarityID": "86e1b1e2a23ea2d3d821b421d65f5e342b61b76bf8c1f7e8ad696421cf3a65b6", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP110) is allowed", + "issueType": "IncorrectValue", + "similarityID": "2456936385deb477466471d6a5cbe32e51062950308e829e9c4aa7b2c02fb6a8", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,135", + "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", + "actualValue": "MSSQL Debugger (UDP135) is allowed", + "issueType": "IncorrectValue", + "similarityID": "f95ed1c7d322725aa1eec8b524dcdca4001476111b48ca4049476a556c4bcf89", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": 
"azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (UDP137) is allowed", + "issueType": "IncorrectValue", + "similarityID": "9607c280e432953903184962e60bb65a880ed32500fce326cde20820038bd5ad", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (UDP138) is allowed", + "issueType": "IncorrectValue", + "similarityID": "3b9cda13d6cd42943ef59e6ef8a1ff89f8e53a7985bb56f1467ff25e905eb54e", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (UDP139) is allowed", + "issueType": "IncorrectValue", + "similarityID": "c6d28c4de0bbd5ac551692bf74c321649bcba2b45b44c4baa704f8d496d37140", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + 
"searchValue": "UDP,20", + "expectedValue": "FTP (UDP:20) should not be allowed", + "actualValue": "FTP (UDP20) is allowed", + "issueType": "IncorrectValue", + "similarityID": "4420d121be306e738672e826582ba583cd5ca29afd0a0372c91c890ca5d1449d", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP21) is allowed", + "issueType": "IncorrectValue", + "similarityID": "3512d823be715947622eaafdaceda14d7c8b89720d30bcd20cbf95b066cb6ea1", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "6eace73574cec39bf306678ea0c3913cee2fd097862e5accb2ae7d74ef4d9bfe", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "8c08bbef0f3f7a28a2128cf7d49ed0d165a863b1f1ebc9c8374f5f704ca57e8a", + "search_line": -1 }, { 
"queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP25) is allowed", + "issueType": "IncorrectValue", + "similarityID": "49aa7b4e4009765ab9d09af3e1b24a8b9fa8c343fc7d8875156ce6c8669b5632", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP53) is allowed", + "issueType": "IncorrectValue", + "similarityID": "b814f358753c558dfacfeb0a74550dd32fa84f3bf0dcafe19a9d1c6bd4a3254f", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Entire Network", "severity": "HIGH", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,80", + "expectedValue": "HTTP (UDP:80) should not be allowed", + "actualValue": "HTTP (UDP80) is allowed", + "issueType": "IncorrectValue", + "similarityID": "e65a0c830c8e381e5594d2d0fd4ca10814f934a3edd2936e7244e7c252b4870b", + "search_line": -1 } ] 
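Review bot: Every `actualValue` added in this hunk drops the separator between protocol and port (`"Telnet (TCP23) is allowed"`, `"Cassandra OpsCenter (UDP61621) is allowed"`), while the `expectedValue` on the same entries reads `Telnet (TCP:23)` and the sibling `sensitive_port_is_exposed_to_small_public_network` fixture in the next hunk records `"Telnet (TCP:23) is allowed"` for the identical rules. Since these files are generated from the query's own output, committing this hunk pins the malformed message as the expected result; the cause is presumably a missing `:` in the `actualValue` format string of the entire-network query rather than anything in the fixture, though that query is not part of this diff. I would correct the query so the message reads `"Telnet (TCP:23) is allowed"` and regenerate this file before merging, otherwise the first person to fix the message will have to touch all 48 entries here to keep the expected-result comparison green.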
diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json index 896720bbcf2..d314737367b 100644 --- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network/test/positive_expected_result.json 
@@ -2,221 +2,661 @@ { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 8 + "line": 8, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive1].destination_port_range", + "searchValue": "UDP,61621", + "expectedValue": "Cassandra OpsCenter (UDP:61621) should not be allowed", + "actualValue": "Cassandra OpsCenter (UDP:61621) is allowed", + "issueType": "IncorrectValue", + "similarityID": "1e5e38be890da5f667f92485fc1c6470db49e124640bd1dd0c5d573b64330d9e", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 22 + "line": 22, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "e6b7f125549a2fc607f5916407198e13e28b74a7f54d0f528e7520f8000c4225", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 22 + "line": 22, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed", + "issueType": "IncorrectValue", + "similarityID": "df8a2a0d64d4e7c8f882266aae4920748de3a94c4526a4ae31c882b5ca46851d", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 36 + "line": 36, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + 
"resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed", + "issueType": "IncorrectValue", + "similarityID": "979f271c7a5b29869e8af858c1f1dbf39a173f3c21d40a75af15adc5ce1f1d8d", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 36 + "line": 36, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "b69df1b4c18a00ee85984432016f5702542c69c66c05f609babb0d975af47594", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 36 + "line": 36, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "2e569228f4e7029d5bc99777cc3796c992ae9aabb66a82647e7e4771c51c33b0", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 36 + "line": 36, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed", + "issueType": 
"IncorrectValue", + "similarityID": "88b52c1e54af92cc71b88107d348538bc111d691daebab3e5bd1e4d3e5ec0cef", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 36 + "line": 36, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "792e11ff272c363c383665d7046f36676299461cbace58390941db0a8f6ff9c9", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 36 + "line": 36, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "1fd03de6a6dc7b529bce7a779ef3223792a8937fc7feb4fb2c69dfaa06e32238", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 50 + "line": 50, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "a5445f17dad34d60b3637447c40ca120a64606afc8b31b1b070d3c55ab330d34", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 50 + "line": 50, + 
"fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "52a72165c621c597077feb62ad894b6c7c93a53d5856ce2684effd13cec8fb17", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 64 + "line": 64, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive5].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "db5d98ead962e3f4239824d0896f51d15567b8a7c31380e7f7232403bb1345e2", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 78 + "line": 78, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive6].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "8946f8d67ed510cfdfc3bb41f339adbcd5c9b50ea124709854c8935da27501ab", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 92 + "line": 92, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP,22", + "expectedValue": "SSH 
(UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "3c5677f8f22592a45a8e08c86ccfc4a69090f6d425bbf66bdaffbafb84dd3823", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 92 + "line": 92, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "5ec50aaf961f8d08b7ca66026a54d6fb02ba4e34e29f9ea476e41131644766fe", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 92 + "line": 92, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed", + "issueType": "IncorrectValue", + "similarityID": "6ffb14818b53d595d15ef45ce6b55f890c971655d7958a6239b44b5cdaf044b6", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 92 + "line": 92, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed", + "issueType": "IncorrectValue", + "similarityID": "9575d6897a7d97689d0ba6813c2ec0052a4ccf7ad5d701f4f3387362fc21c094", + "search_line": -1 }, { "queryName": "Sensitive Port Is 
Exposed To Small Public Network", "severity": "MEDIUM", - "line": 106 + "line": 106, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive8].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "e2e53a9efe8b9524caa2bd2d8a8cbaa9be967cd471cf7d83aad547ee02d3d555", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 120 + "line": 120, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "fc8502200aca86076803aa2f2d3e50e0ffca72d3ddf9ef316f4f02537ca0c877", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 120 + "line": 120, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "32465fbe229b9413dbf36d010e79b762a599a3ee2c927431d0936d9b086c654a", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": 
"azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,110", + "expectedValue": "POP3 (TCP:110) should not be allowed", + "actualValue": "POP3 (TCP:110) is allowed", + "issueType": "IncorrectValue", + "similarityID": "9ae20b9acec04b5eb86ce00cfdcdde5f759780372a15fbbea0bdf6b04c12d1b5", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", + "actualValue": "MSSQL Debugger (TCP:135) is allowed", + "issueType": "IncorrectValue", + "similarityID": "fea0d66fcd9250161c2854124467b555333e780b77990bb23f92935f32d96ad0", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed", + "issueType": "IncorrectValue", + "similarityID": "28523505ad415f627ea39a25a1f6cff8d5fa663f23fccd0b5b6239f9e08a07c5", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", + 
"actualValue": "NetBIOS Datagram Service (TCP:138) is allowed", + "issueType": "IncorrectValue", + "similarityID": "0fc5880a4288f4df0c46bfe5d33731fa0703192d0b9926935db7d8180d08c776", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed", + "issueType": "IncorrectValue", + "similarityID": "a3c73064582520f4bb54000d23ea90d71601c27510f41929bdbe0cb86c557e05", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,20", + "expectedValue": "FTP (TCP:20) should not be allowed", + "actualValue": "FTP (TCP:20) is allowed", + "issueType": "IncorrectValue", + "similarityID": "e4f9e4f2a607ac2d292fe570cee153296fceb3264594775084b00992490d498c", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed", + "issueType": "IncorrectValue", + "similarityID": "b09df2e6306ae21a57ac584a3d6251629f1447e2365bf86bb43d9aa8274b3004", + "search_line": -1 }, { 
"queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "8a9ab7476f9014c1a0a64f4bd7d98b682dd9a19457ac193aff5be393e07a35fd", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "8baa84202210a90ab436c9bbbd4c1f439e27738fd0bfcb409fa4d4a69aa77c4b", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed", + "issueType": "IncorrectValue", + "similarityID": "2dded542c0ed9de34d2fee2b454e76b6f542991423c463cb6598f476a304b095", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": 
"azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,53", + "expectedValue": "DNS (TCP:53) should not be allowed", + "actualValue": "DNS (TCP:53) is allowed", + "issueType": "IncorrectValue", + "similarityID": "0773f1cd076daadecde823a3b3d0b54aab1b4262357eb708ceba583fa1f6b689", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP,80", + "expectedValue": "HTTP (TCP:80) should not be allowed", + "actualValue": "HTTP (TCP:80) is allowed", + "issueType": "IncorrectValue", + "similarityID": "053fece9c773f7cb11d931d4640097d852998e57779ce0887cd08d64aff0c006", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue", + "similarityID": "9200214696c72b8de152d8afbeb4815d4cff05af067debea642db8ea603078fb", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,135", + "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", + "actualValue": "MSSQL Debugger (UDP:135) is allowed", + "issueType": 
"IncorrectValue", + "similarityID": "233e58702caf3372e2905340d525e397e03c38f337fdd033f0d58274731538ab", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed", + "issueType": "IncorrectValue", + "similarityID": "e0c1bbe2ec2e305055dc20dc2cebe83bc3c2d152cb9f79a8103056ce77d6741f", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed", + "issueType": "IncorrectValue", + "similarityID": "fa12c6d403d2a51c87ce31961c274c792aa8d249ae25aada86db38e2bc711f1f", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed", + "issueType": "IncorrectValue", + "similarityID": "1eb0cd2682528ce2678775c0aef974e54b93b9dd11040d2b1ec68b997b3c1f43", + "search_line": -1 }, { 
"queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,20", + "expectedValue": "FTP (UDP:20) should not be allowed", + "actualValue": "FTP (UDP:20) is allowed", + "issueType": "IncorrectValue", + "similarityID": "556413c32ce4a9a6b4688da78a1ca4fd614a38dbad126df7e295c7efe324a225", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed", + "issueType": "IncorrectValue", + "similarityID": "6c09b7afa239e42e4d541060a0753061391b2ac225db1e303554d52113c2d309", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "1c7ec2ea8a2108c59a4bd4c23ce20b64fa3b52155326fa4a142f86325681ccab", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": 
"azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "ea473e7cb9ab4f1edfffb9134c5d2d1de1d1ba56fddeb4033795dcc15308bba4", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed", + "issueType": "IncorrectValue", + "similarityID": "fc6c675595d87a90094e3e8e5a8e9188f77fc9ec8bf8d89ebbb3a39da5863e92", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed", + "issueType": "IncorrectValue", + "similarityID": "14e3de6d1731de26deafbb6df84ad4881b9e92ea6de6fa31074f9848a028381d", + "search_line": -1 }, { "queryName": "Sensitive Port Is Exposed To Small Public Network", "severity": "MEDIUM", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP,80", + "expectedValue": "HTTP (UDP:80) should not be allowed", + "actualValue": "HTTP (UDP:80) is allowed", + "issueType": "IncorrectValue", + "similarityID": 
"69d6cdbe12ceb6ed0cd7eb7d180c6b80e87319e465671383777541c98d2772d5", + "search_line": -1 } ] diff --git a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json index 39b9174ff5a..aec53f13ac1 100644 --- a/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network/test/positive_expected_result.json 
@@ -2,221 +2,661 @@ { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 8 + "line": 8, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive1].destination_port_range", + "searchValue": "UDP:61621", + "expectedValue": "Cassandra OpsCenter (UDP:61621) should not be allowed", + "actualValue": "Cassandra OpsCenter (UDP:61621) is allowed", + "issueType": "IncorrectValue", + "similarityID": "9c9bab0381c224cd7a5a668da601bc01b01f911ff8a04b3b19ac0e3574194fc6", + "search_line": 8 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 22 + "line": 22, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "a246a43634d7135c8a66c8383af6901bd1fb395765cc4961cb76bfbbb9889bd1", + "search_line": 22 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 22 + "line": 22, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive2].destination_port_range", + "searchValue": "TCP:25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed", + "issueType": "IncorrectValue", + "similarityID": "0676ec9f80d1f238ed861a86c820397c0dfa438343248c070c69a1beff044a4d", + "search_line": 22 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 36 + "line": 36, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + 
"resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "TCP:21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed", + "issueType": "IncorrectValue", + "similarityID": "f5c71548c103741e66771b4f0e6bebe4968fc4cf2cfdf9cd8bc154930a7fd2c5", + "search_line": 36 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 36 + "line": 36, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "b925e337d3906ca1d00e68531809df683b1b4facd9b303f3b5041983d9885a49", + "search_line": 36 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 36 + "line": 36, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "f4a151e49c0bca3fe4fc14b16ea65520271e939680049e95fc98b50449f4e682", + "search_line": 36 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 36 + "line": 36, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "UDP:21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed", + "issueType": 
"IncorrectValue", + "similarityID": "d8c42862de36cea6240376178a5016878fcf2a59157572927c929e3e9cf09506", + "search_line": 36 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 36 + "line": 36, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "UDP:22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "8f21aadc7c62e3c035be8f7359f60dd51a1114bfd7accc60e9eab5fbbf0d7798", + "search_line": 36 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 36 + "line": 36, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive3].destination_port_range", + "searchValue": "UDP:23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "1df61e707eb862b1ede155841cd7fbd16eadbee261cbce51cda388641c15d002", + "search_line": 36 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 50 + "line": 50, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "486f6404c9821b9e61e566e67bf48a2d918c5c416b9bd31db0994d26430c8e17", + "search_line": 50 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 50 + "line": 50, + "fileName": 
"positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive4].destination_port_range", + "searchValue": "UDP:23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "ff735a631d960c4afe36b0a33e2b34142a5dbe9be6dbbf5183d23b5cd754830e", + "search_line": 50 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 64 + "line": 64, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive5].destination_port_range", + "searchValue": "UDP:23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "c42866a6074eba5aa51a6d5ebc6e46146878d4b5033a576771fb00088b7f3b9e", + "search_line": 64 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 78 + "line": 78, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive6].destination_port_range", + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "df7d49e40128c39af38702908e939ed9be08624484e662aedc42d8a2718db9f6", + "search_line": 78 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 92 + "line": 92, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP:22", + "expectedValue": "SSH (UDP:22) should not be 
allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "70ca60bcc2e3720e2d49537b160148700f78e2c4fa8962241e3b41e22602185c", + "search_line": 92 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 92 + "line": 92, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP:23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "722f1eead439be17d6d3844f82fd2466143435b667955116bb13c31e901e1e0f", + "search_line": 92 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 92 + "line": 92, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP:25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed", + "issueType": "IncorrectValue", + "similarityID": "acd0d14fbdc254a69cb8922af8e21eac1cd5ebc08848996ba076e10f87213fd7", + "search_line": 92 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 92 + "line": 92, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive7].destination_port_range", + "searchValue": "UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed", + "issueType": "IncorrectValue", + "similarityID": "efb08e0e6f993b134168995e9af37875d5e1579816b29ce55b2ae2f012be2662", + "search_line": 92 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", 
"severity": "LOW", - "line": 106 + "line": 106, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive8].destination_port_range", + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "cdd3f7d27ca71682543344c692a9a2ae140c1f20458d0fce536b47d840f75eae", + "search_line": 106 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 120 + "line": 120, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "e651922a9816dc488455a541840120a93b2a153501b0bde8ce31a0741a411017", + "search_line": 120 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 120 + "line": 120, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive9].destination_port_range", + "searchValue": "UDP:23", + "expectedValue": "Telnet (UDP:23) should not be allowed", + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "46162a34db985b3c2c1417eeb44c89677e4a1b446b3b6428cc4635a41c0fd8d7", + "search_line": 120 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + 
"searchValue": "TCP:110", + "expectedValue": "POP3 (TCP:110) should not be allowed", + "actualValue": "POP3 (TCP:110) is allowed", + "issueType": "IncorrectValue", + "similarityID": "0363f8bac175897a649acc0910acbbe95af4562755efd75012f86f40f3be9b5c", + "search_line": 134 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:135", + "expectedValue": "MSSQL Debugger (TCP:135) should not be allowed", + "actualValue": "MSSQL Debugger (TCP:135) is allowed", + "issueType": "IncorrectValue", + "similarityID": "6340bcae67c14834f0b061c65b9eb616d9d3fb5aba14d6b972a516d0c42bdb33", + "search_line": 134 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:137", + "expectedValue": "NetBIOS Name Service (TCP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (TCP:137) is allowed", + "issueType": "IncorrectValue", + "similarityID": "8a1eb2f5616f62e5e9215bedaebf2fdd8d57eaf1de7f6ab7fdc2a1d5f674d81b", + "search_line": 134 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:138", + "expectedValue": "NetBIOS Datagram Service (TCP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (TCP:138) is allowed", + "issueType": 
"IncorrectValue", + "similarityID": "a3d80ace3f68b344bd7de9c60e44e76a8d23d50f7a206477c3104a9deab952da", + "search_line": 134 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:139", + "expectedValue": "NetBIOS Session Service (TCP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (TCP:139) is allowed", + "issueType": "IncorrectValue", + "similarityID": "9da2ecde61a9b0486c6c0983f69e23b27bd89381bf04d3659337cf7ecf6de867", + "search_line": 134 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:20", + "expectedValue": "FTP (TCP:20) should not be allowed", + "actualValue": "FTP (TCP:20) is allowed", + "issueType": "IncorrectValue", + "similarityID": "0b11e6a3c3fd9df91316b8247e83085df93bfc34849640088d4644cf9cd4b193", + "search_line": 134 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:21", + "expectedValue": "FTP (TCP:21) should not be allowed", + "actualValue": "FTP (TCP:21) is allowed", + "issueType": "IncorrectValue", + "similarityID": "65fc00f4d9f49e552c9b8fc099d7070828f56670db5cba59c51b72800ea509fe", + "search_line": 134 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - 
"line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:22", + "expectedValue": "SSH (TCP:22) should not be allowed", + "actualValue": "SSH (TCP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "00c53c15da98c255c001c5d4081e5e1ad58d9fab047f57f0243e574cfd1ccfc5", + "search_line": 134 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:23", + "expectedValue": "Telnet (TCP:23) should not be allowed", + "actualValue": "Telnet (TCP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "479f9ace1658138d1b1de970e7b709f2c02b8c67a2829282cce42f0adab48c28", + "search_line": 134 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:25", + "expectedValue": "SMTP (TCP:25) should not be allowed", + "actualValue": "SMTP (TCP:25) is allowed", + "issueType": "IncorrectValue", + "similarityID": "92b011737feb776876516316f1dd5d947eb34aeaeadf44cf49d2fc17ff8bd69e", + "search_line": 134 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:53", + 
"expectedValue": "DNS (TCP:53) should not be allowed", + "actualValue": "DNS (TCP:53) is allowed", + "issueType": "IncorrectValue", + "similarityID": "4a73afd2e079a1bf58565f685c45b1fa300213a7ab050e1d813c0b50f7a9a63b", + "search_line": 134 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "TCP:80", + "expectedValue": "HTTP (TCP:80) should not be allowed", + "actualValue": "HTTP (TCP:80) is allowed", + "issueType": "IncorrectValue", + "similarityID": "004a8f4c8b084dd601c9173dac3e946ac226e9324ce3d51b2dd53bfc72c7ac30", + "search_line": 134 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:110", + "expectedValue": "POP3 (UDP:110) should not be allowed", + "actualValue": "POP3 (UDP:110) is allowed", + "issueType": "IncorrectValue", + "similarityID": "dbf4b0f819b1e6779991e5787b9271c9b32dd4a94e7e9c579abd70fe845d1a96", + "search_line": 134 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:135", + "expectedValue": "MSSQL Debugger (UDP:135) should not be allowed", + "actualValue": "MSSQL Debugger (UDP:135) is allowed", + "issueType": "IncorrectValue", + "similarityID": "90ea6b00325bb1cf140103e8916aeab9e73e1a2e010afb533e985fad1d44723b", + 
"search_line": 134 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:137", + "expectedValue": "NetBIOS Name Service (UDP:137) should not be allowed", + "actualValue": "NetBIOS Name Service (UDP:137) is allowed", + "issueType": "IncorrectValue", + "similarityID": "78f27356a9ed4975029c8a20975a696a9c58b76e3d8fb004e2db99f0ae579f22", + "search_line": 134 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:138", + "expectedValue": "NetBIOS Datagram Service (UDP:138) should not be allowed", + "actualValue": "NetBIOS Datagram Service (UDP:138) is allowed", + "issueType": "IncorrectValue", + "similarityID": "2e96a2a24ce9d948c50a9712dcc02d2408099ed5e3a2f64376478d7a32385ff9", + "search_line": 134 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:139", + "expectedValue": "NetBIOS Session Service (UDP:139) should not be allowed", + "actualValue": "NetBIOS Session Service (UDP:139) is allowed", + "issueType": "IncorrectValue", + "similarityID": "6ae883cdb0aa50ea00c7968d73b343639f55420f4dc86615167e7fdea5251b79", + "search_line": 134 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, 
+ "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:20", + "expectedValue": "FTP (UDP:20) should not be allowed", + "actualValue": "FTP (UDP:20) is allowed", + "issueType": "IncorrectValue", + "similarityID": "293f729df683a581d151c78d4455d4d9ef417af3ca1657bfb90709d618d8f969", + "search_line": 134 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:21", + "expectedValue": "FTP (UDP:21) should not be allowed", + "actualValue": "FTP (UDP:21) is allowed", + "issueType": "IncorrectValue", + "similarityID": "df5bed7aa4e90d2f92969debebb62bd1d48e27bee68eb8e9fef9c4ba6a2ebe22", + "search_line": 134 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:22", + "expectedValue": "SSH (UDP:22) should not be allowed", + "actualValue": "SSH (UDP:22) is allowed", + "issueType": "IncorrectValue", + "similarityID": "02c98edefc416a6211a5648e80713bb4a0fb46b6767aa91242d576802d89927c", + "search_line": 134 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:23", + "expectedValue": "Telnet (UDP:23) should 
not be allowed", + "actualValue": "Telnet (UDP:23) is allowed", + "issueType": "IncorrectValue", + "similarityID": "d573e92dbadf1237d60f1c13edca7c1f6f1160238bc3134743ccd4d689737647", + "search_line": 134 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:25", + "expectedValue": "SMTP (UDP:25) should not be allowed", + "actualValue": "SMTP (UDP:25) is allowed", + "issueType": "IncorrectValue", + "similarityID": "766d1a9f989da0de1c25bba0161905b7249239c55a49009e56943afc2c135ed3", + "search_line": 134 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:53", + "expectedValue": "DNS (UDP:53) should not be allowed", + "actualValue": "DNS (UDP:53) is allowed", + "issueType": "IncorrectValue", + "similarityID": "0ff7b94622aa5d28edd588ccd8d5669414ec34d6238929f64d0411d3db198ac5", + "search_line": 134 }, { "queryName": "Sensitive Port Is Exposed To Wide Private Network", "severity": "LOW", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "azurerm_network_security_rule", + "resourceName": "example", + "searchKey": "azurerm_network_security_rule[positive10].destination_port_range", + "searchValue": "UDP:80", + "expectedValue": "HTTP (UDP:80) should not be allowed", + "actualValue": "HTTP (UDP:80) is allowed", + "issueType": "IncorrectValue", + "similarityID": "809503eaf3b3ad973e6fe4f50b6b2e3b135e7aa175a017641730ec76615f0166", + "search_line": 134 } -] \ No newline at end of file +] 
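Review bot: Every entry in this fixture pins `search_line` to the same value as `line` (e.g. `"search_line": 134` for the `positive10` findings), whereas the sibling small-public-network fixture immediately above pins `"search_line": -1` for the identical `positive10` rule at line 134. If both queries are meant to report a resolvable location, committing the regenerated snapshot as-is freezes those -1 values as the expected result rather than surfacing them as a gap in that query's output. Consider having the generator warn or fail on any `search_line` of -1 before the fixture is written, so a snapshot refresh cannot silently lock in a missing location; since this file is strict JSON there is nowhere to leave that caveat inline, so it belongs in the generator or the PR description. The `similarityID` values presumably also depend on the scan root used during generation, so documenting that root alongside the regeneration command would make these hashes reproducible for the next reviewer.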
diff --git a/assets/queries/terraform/azure/service_without_resource_logging/test/positive_expected_result.json b/assets/queries/terraform/azure/service_without_resource_logging/test/positive_expected_result.json index 2781952c731..257756049ab 100644 --- a/assets/queries/terraform/azure/service_without_resource_logging/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/service_without_resource_logging/test/positive_expected_result.json 
@@ -3,84 +3,210 @@ "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_app_service", + "resourceName": "positive1_1-app-service", + "searchKey": "azurerm_app_service[positive1_1]", + "searchValue": "", + "expectedValue": "'azurerm_app_service' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_app_service' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "3034864f49b7a001e3d76397c109ad6d260f5fb50103ae82665b7d91b3e92347", + "search_line": 1 }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", "line": 8, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_windows_web_app", + "resourceName": "positive1_2", + "searchKey": "azurerm_windows_web_app[positive1_2]", + "searchValue": "", + "expectedValue": "'azurerm_windows_web_app' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_windows_web_app' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "f79b35178707a88af013921127cca67e6eefa44a564d86df274cb64589f6c3b2", + "search_line": 8 }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", "line": 17, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_linux_web_app", + "resourceName": "positive1_3", + "searchKey": "azurerm_linux_web_app[positive1_3]", + "searchValue": "", + "expectedValue": "'azurerm_linux_web_app' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_linux_web_app' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": 
"ad12406829227f9c4fe4e1b41f6445c84fefd282704ca9f7b5e6ced9212c7ab3", + "search_line": 17 }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", "line": 26, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_batch_account", + "resourceName": "testbatchaccount", + "searchKey": "azurerm_batch_account[positive1_4]", + "searchValue": "", + "expectedValue": "'azurerm_batch_account' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_batch_account' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "59328c0af78b05bb510e61b0542ed58d7a57e64009ca396c211320a7967a7ad7", + "search_line": 26 }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", "line": 35, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_eventhub", + "resourceName": "acceptanceTestEventHub", + "searchKey": "azurerm_eventhub[positive1_5]", + "searchValue": "", + "expectedValue": "'azurerm_eventhub' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_eventhub' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "4ee9016fbe83775e4df8bff9e20309f8d1014d2122513b36d03bbd2c5bfa5ad8", + "search_line": 35 }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", "line": 42, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "storageaccountname", + "searchKey": "azurerm_storage_account[positive1_6]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_storage_account' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + 
"issueType": "MissingAttribute", + "similarityID": "69877a86f56062d9e679f905e670fb22dc4264f9341fbdb0f36a128cd9be499e", + "search_line": 42 }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", "line": 55, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_iothub", + "resourceName": "positive1_7-IoTHub", + "searchKey": "azurerm_iothub[positive1_7]", + "searchValue": "", + "expectedValue": "'azurerm_iothub' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_iothub' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "978daadc77d327bff69ed122eaf51fb2611b8f7f85bd46431df9ef89949b96bd", + "search_line": 55 }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", "line": 66, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_search_service", + "resourceName": "positive1_8-resource", + "searchKey": "azurerm_search_service[positive1_8]", + "searchValue": "", + "expectedValue": "'azurerm_search_service' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_search_service' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "177f40e2bdaf89a248dbd39dc33b730806bf466181a32df27eb67b36c4ffcc11", + "search_line": 66 }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", "line": 73, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_servicebus_namespace", + "resourceName": "tfex-servicebus-namespace", + "searchKey": "azurerm_servicebus_namespace[positive1_9]", + "searchValue": "", + "expectedValue": "'azurerm_servicebus_namespace' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_servicebus_namespace' 
is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "3e5cf03f6480b8d4163ea9326c3ce99c138a4c446ddfeb95c2be330146e5aea4", + "search_line": 73 }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", "line": 80, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_stream_analytics_job", + "resourceName": "positive1_10-job", + "searchKey": "azurerm_stream_analytics_job[positive1_10]", + "searchValue": "", + "expectedValue": "'azurerm_stream_analytics_job' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_stream_analytics_job' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "943ea2c8164b466c8f20c5eb97f58a28fd0a7d838e5991323f33e1c9a4e6cce3", + "search_line": 80 }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", "line": 87, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_application_gateway", + "resourceName": "positive1_11-appgateway", + "searchKey": "azurerm_application_gateway[positive1_11]", + "searchValue": "", + "expectedValue": "'azurerm_application_gateway' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_application_gateway' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "c6de62f7ad21a11e4a27332a734265619fe693bd4a1494e462b465e1d895d61e", + "search_line": 87 }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", "line": 99, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_logic_app_standard", + "resourceName": "positive1_12-logic-app", + "searchKey": "azurerm_logic_app_standard[positive1_12]", + "searchValue": "", + "expectedValue": 
"'azurerm_logic_app_standard' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_logic_app_standard' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "e4a31d059d5b424f7a7838bfbae2ee5139b9c88084b275e1790c126e8d49c764", + "search_line": 99 }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_data_lake_analytics_account", + "resourceName": "${var.name}", + "searchKey": "azurerm_data_lake_analytics_account[positive2_1]", + "searchValue": "", + "expectedValue": "'azurerm_data_lake_analytics_account' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_data_lake_analytics_account' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "f8cd84a7b70f1c283af137aff7ced5493e4f28db2bb9a98cc19ecf02b4a075f8", + "search_line": 1 }, { "queryName": "Beta - Service Without Resource Logging", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_data_lake_store", + "resourceName": "consumptiondatalake", + "searchKey": "azurerm_data_lake_store[positive2_2]", + "searchValue": "", + "expectedValue": "'azurerm_data_lake_store' should be associated with a 'azurerm_monitor_diagnostic_setting' resource", + "actualValue": "'azurerm_data_lake_store' is not associated with a 'azurerm_monitor_diagnostic_setting' resource", + "issueType": "MissingAttribute", + "similarityID": "2e20e849132c9a8dca7b73997d26c23c28845bcd5079b2d28d8dcae277054343", + "search_line": 9 } ] 
diff --git a/assets/queries/terraform/azure/small_activity_log_retention_period/test/positive_expected_result.json b/assets/queries/terraform/azure/small_activity_log_retention_period/test/positive_expected_result.json index 25015f4c442..f070c920ba3 100644 --- a/assets/queries/terraform/azure/small_activity_log_retention_period/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/small_activity_log_retention_period/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "Small Activity Log Retention Period", "severity": "LOW", - "line": 20 + "line": 20, + "fileName": "positive.tf", + "resourceType": "azurerm_monitor_log_profile", + "resourceName": "default", + "searchKey": "azurerm_monitor_log_profile[positive1].retention_policy.days", + "searchValue": "", + "expectedValue": "'azurerm_monitor_log_profile[positive1].retention_policy.days' should be greater than or equal to 365 days or 0 (indefinitely)", + "actualValue": "'azurerm_monitor_log_profile[positive1].retention_policy.days' is less than 365 days or different than 0 (indefinitely)", + "issueType": "IncorrectValue", + "similarityID": "dc903c6d0679b6d9dd466a717187ef5ad80657219285e672f0ba7f30c64b4147", + "search_line": 20 }, { "queryName": "Small Activity Log Retention Period", "severity": "LOW", - "line": 41 + "line": 41, + "fileName": "positive.tf", + "resourceType": "azurerm_monitor_log_profile", + "resourceName": "default", + "searchKey": "azurerm_monitor_log_profile[positive2].retention_policy", + "searchValue": "", + "expectedValue": "'azurerm_monitor_log_profile[positive2].retention_policy.days' should be defined and not null", + "actualValue": "'azurerm_monitor_log_profile[positive2].retention_policy.days' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "150c0d1fb2c77f8528b87ea5b6b023abe73ca4ca2a7f4d00df3d042330464154", + "search_line": 41 }, { "queryName": "Small Activity Log Retention Period", "severity": "LOW", - "line": 64 + "line": 64, + "fileName": "positive.tf", + "resourceType": "azurerm_monitor_log_profile", + "resourceName": "default", + "searchKey": "azurerm_monitor_log_profile[positive3].retention_policy.enabled", + "searchValue": "", + "expectedValue": "'azurerm_monitor_log_profile[positive3].retention_policy.enabled' should be set to true", + "actualValue": "'azurerm_monitor_log_profile[positive3].retention_policy.enabled' is set to false", + "issueType": "IncorrectValue", + "similarityID": 
"c01bb677a151fa6cd715ad4aa502f9daf8834ebf3f7053f2d16d89fe9d5e68ef", + "search_line": 64 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/small_flow_logs_retention_period/test/positive_expected_result.json b/assets/queries/terraform/azure/small_flow_logs_retention_period/test/positive_expected_result.json index 357ca0c6436..90a330c9474 100644 --- a/assets/queries/terraform/azure/small_flow_logs_retention_period/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/small_flow_logs_retention_period/test/positive_expected_result.json 
@@ -2,21 +2,61 @@ { "queryName": "Small Flow Logs Retention Period", "severity": "MEDIUM", - "line": 10 + "line": 10, + "fileName": "positive.tf", + "resourceType": "azurerm_network_watcher_flow_log", + "resourceName": "positive1", + "searchKey": "azurerm_network_watcher_flow_log[positive1].retention_policy.days", + "searchValue": "", + "expectedValue": "'positive1.retention_policy.days' should be bigger than 90)", + "actualValue": "'retention_policy.days' is less than 90 [89])", + "issueType": "IncorrectValue", + "similarityID": "01118e8124317ac34e4572cc3c15caa3f9df1201f01d596cdd2dadb5ce171835", + "search_line": 10 }, { "queryName": "Small Flow Logs Retention Period", "severity": "MEDIUM", - "line": 23 + "line": 23, + "fileName": "positive.tf", + "resourceType": "azurerm_network_watcher_flow_log", + "resourceName": "positive2", + "searchKey": "azurerm_network_watcher_flow_log[positive2].retention_policy.days", + "searchValue": "", + "expectedValue": "'positive2.retention_policy.days' should be bigger than 90)", + "actualValue": "'retention_policy.days' is less than 90 [3])", + "issueType": "IncorrectValue", + "similarityID": "b14d41bbc384cc91ad2233652ae0153699b347616cd1da8cee5209b9179cdbab", + "search_line": 23 }, { "queryName": "Small Flow Logs Retention Period", "severity": "MEDIUM", - "line": 27 + "line": 27, + "fileName": "positive.tf", + "resourceType": "azurerm_network_watcher_flow_log", + "resourceName": "positive3", + "searchKey": "azurerm_network_watcher_flow_log[positive3]", + "searchValue": "", + "expectedValue": "'positive3.retention_policy' should exist)", + "actualValue": "'positive3.retention_policy' doesn't exist)", + "issueType": "MissingAttribute", + "similarityID": "5497a01a186ddd6b8146e38742bfc8341f53bc3ce0c9c09c944a0d74a21870f5", + "search_line": 27 }, { "queryName": "Small Flow Logs Retention Period", "severity": "MEDIUM", - "line": 43 + "line": 43, + "fileName": "positive.tf", + "resourceType": "azurerm_network_watcher_flow_log", + 
"resourceName": "positive4", + "searchKey": "azurerm_network_watcher_flow_log[positive4].retention_policy.enabled", + "searchValue": "", + "expectedValue": "'positive4.retention_policy' should be enabled)", + "actualValue": "'positive4.retention_policy' is disabled)", + "issueType": "IncorrectValue", + "similarityID": "9d8ec9503994deb75b326d6d08f8f92f6f27ca6d5ccdac2d2f4097bc9c09e42a", + "search_line": 43 } ] diff --git a/assets/queries/terraform/azure/small_msql_server_audit_retention/test/positive_expected_result.json b/assets/queries/terraform/azure/small_msql_server_audit_retention/test/positive_expected_result.json index 904c4f524c5..1cff43ad9b5 100644 --- a/assets/queries/terraform/azure/small_msql_server_audit_retention/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/small_msql_server_audit_retention/test/positive_expected_result.json 
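Review bot: Every new `expectedValue`/`actualValue` in this hunk carries an unbalanced trailing `)` — e.g. `"'positive1.retention_policy.days' should be bigger than 90)"` and `"'retention_policy.days' is less than 90 [89])"` — and committing them here pins that typo as the canonical message the test enforces. The strings are presumably emitted by the query's Rego, so the fix belongs there (drop the stray `)` in the `sprintf` templates) followed by regenerating this fixture, rather than hand-editing the JSON. If the generator is re-run after that fix, the `similarityID` values may also change, so both should land in the same commit.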
@@ -2,21 +2,61 @@ { "queryName": "Small MSSQL Server Audit Retention", "severity": "LOW", - "line": 7 + "line": 7, + "fileName": "positive.tf", + "resourceType": "azurerm_sql_database", + "resourceName": "myexamplesqldatabase", + "searchKey": "azurerm_sql_database[positive1].extended_auditing_policy", + "searchValue": "", + "expectedValue": "extended_auditing_policy.retention_in_days should be defined and bigger than 90", + "actualValue": "extended_auditing_policy.retention_in_days is not defined", + "issueType": "MissingAttribute", + "similarityID": "4e8566b3d2092334f1f735b3c7f2bc4bcb84428c26c6451a7c59661ecba6df60", + "search_line": 7 }, { "queryName": "Small MSSQL Server Audit Retention", "severity": "LOW", - "line": 28 + "line": 28, + "fileName": "positive.tf", + "resourceType": "azurerm_sql_database", + "resourceName": "myexamplesqldatabase", + "searchKey": "azurerm_sql_database[positive2].extended_auditing_policy.retention_in_days", + "searchValue": "", + "expectedValue": "'positive2.extended_auditing_policy.retention_in_days' should be bigger than 90", + "actualValue": "'extended_auditing_policy.retention_in_days' is 90", + "issueType": "MissingAttribute", + "similarityID": "3b6f108638a6532a0d32d5a4023fbe5c246983a630ba48291595185b1412fac9", + "search_line": 28 }, { "queryName": "Small MSSQL Server Audit Retention", "severity": "LOW", - "line": 46 + "line": 46, + "fileName": "positive.tf", + "resourceType": "azurerm_sql_database", + "resourceName": "myexamplesqldatabase", + "searchKey": "azurerm_sql_database[positive3].extended_auditing_policy.retention_in_days", + "searchValue": "", + "expectedValue": "'positive3.extended_auditing_policy.retention_in_days' should be bigger than 90", + "actualValue": "'extended_auditing_policy.retention_in_days' is 0", + "issueType": "MissingAttribute", + "similarityID": "54b5a0dc8ccb338ef97bcbe0b787e1af238c9701e0e22bdb6a1c10ca16d7edc9", + "search_line": 46 }, { "queryName": "Small MSSQL Server Audit Retention", "severity": 
"LOW", - "line": 66 + "line": 66, + "fileName": "positive.tf", + "resourceType": "azurerm_sql_server", + "resourceName": "sqlserver", + "searchKey": "azurerm_sql_server[positive4].extended_auditing_policy.retention_in_days", + "searchValue": "", + "expectedValue": "'positive4.extended_auditing_policy.retention_in_days' should be bigger than 90", + "actualValue": "'extended_auditing_policy.retention_in_days' is 20", + "issueType": "MissingAttribute", + "similarityID": "f0188ce025ae6639bdbf11daee1328eef809320f60d11d1c59bcd58ed34cacb7", + "search_line": 66 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/small_mssql_audit_retention_period/test/positive_expected_result.json b/assets/queries/terraform/azure/small_mssql_audit_retention_period/test/positive_expected_result.json index ac111615ad6..7b3a02d55ec 100644 --- a/assets/queries/terraform/azure/small_mssql_audit_retention_period/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/small_mssql_audit_retention_period/test/positive_expected_result.json 
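Review bot: The three entries for `positive2`, `positive3` and `positive4` in this hunk record `"issueType": "MissingAttribute"` even though their own `actualValue` says the attribute is present with a bad value (`'extended_auditing_policy.retention_in_days' is 90` / `is 0` / `is 20`); only the `positive1` entry (`is not defined`) is genuinely a missing attribute. The sibling hunk for `small_mssql_audit_retention_period` classifies the identical cases as `"issueType": "IncorrectValue"`, so the two queries now disagree on the same condition. This looks like the `small_msql_server_audit_retention` query hard-codes `MissingAttribute` for the value branch; fixing the query and regenerating is preferable to freezing the inconsistency in the expected result. Consumers that filter or triage by issueType would otherwise see the value check reported as a missing-field finding.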
@@ -2,21 +2,61 @@ { "queryName": "Small MSSQL Audit Retention Period", "severity": "LOW", - "line": 11 + "line": 11, + "fileName": "positive.tf", + "resourceType": "azurerm_mssql_database", + "resourceName": "myexamplesqldatabase", + "searchKey": "azurerm_mssql_database[positive1].extended_auditing_policy.retention_in_days", + "searchValue": "", + "expectedValue": "'positive1.extended_auditing_policy.retention_in_days' should be bigger than 90", + "actualValue": "'extended_auditing_policy.retention_in_days' is 6", + "issueType": "IncorrectValue", + "similarityID": "d64b55c37652f05422143d7d3860932881b1ce9c7175fa8dbfa058beef76fb3b", + "search_line": 11 }, { "queryName": "Small MSSQL Audit Retention Period", "severity": "LOW", - "line": 29 + "line": 29, + "fileName": "positive.tf", + "resourceType": "azurerm_mssql_database", + "resourceName": "myexamplesqldatabase", + "searchKey": "azurerm_mssql_database[positive2].extended_auditing_policy.retention_in_days", + "searchValue": "", + "expectedValue": "'positive2.extended_auditing_policy.retention_in_days' should be bigger than 90", + "actualValue": "'extended_auditing_policy.retention_in_days' is 90", + "issueType": "IncorrectValue", + "similarityID": "de6aabe1476869baccd7cb310e0bfbbb5af781187bac7fdf312e5d4ef8feedf9", + "search_line": 29 }, { "queryName": "Small MSSQL Audit Retention Period", "severity": "LOW", - "line": 47 + "line": 47, + "fileName": "positive.tf", + "resourceType": "azurerm_mssql_database", + "resourceName": "myexamplesqldatabase", + "searchKey": "azurerm_mssql_database[positive3].extended_auditing_policy.retention_in_days", + "searchValue": "", + "expectedValue": "'positive3.extended_auditing_policy.retention_in_days' should be bigger than 90", + "actualValue": "'extended_auditing_policy.retention_in_days' is 0", + "issueType": "IncorrectValue", + "similarityID": "e460b8b87331833ea79e0d9ca9b3f03fbd8a4cdc84477af83343fb20b15df023", + "search_line": 47 }, { "queryName": "Small MSSQL Audit Retention 
Period", "severity": "LOW", - "line": 67 + "line": 67, + "fileName": "positive.tf", + "resourceType": "azurerm_mssql_server", + "resourceName": "mssqlserver", + "searchKey": "azurerm_mssql_server[positive4].extended_auditing_policy.retention_in_days", + "searchValue": "", + "expectedValue": "'positive4.extended_auditing_policy.retention_in_days' should be bigger than 90", + "actualValue": "'extended_auditing_policy.retention_in_days' is 20", + "issueType": "IncorrectValue", + "similarityID": "c643ac80e1675d00eefcc043d02400f55a89ecd9841eae1dfaa6d4c1d56a10d3", + "search_line": 67 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/test/positive_expected_result.json b/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/test/positive_expected_result.json index 5bf802a4381..93529177cf0 100644 --- a/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Small PostgreSQL DB Server Log Retention Period", "severity": "LOW", - "line": 5 + "line": 5, + "fileName": "positive.tf", + "resourceType": "azurerm_postgresql_configuration", + "resourceName": "log_retention_days", + "searchKey": "azurerm_postgresql_configuration[positive1].value", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_configuration[positive1].value' is greater than 3 and less than 8", + "actualValue": "'azurerm_postgresql_configuration[positive1].value' is %!s(int=2)", + "issueType": "IncorrectValue", + "similarityID": "96f52aa2508350a9a890d6003211bb248ca3e1d84b818ae9f945cb29f8f5e7a5", + "search_line": 5 } -] \ No newline at end of file +] 
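Review bot: The new `actualValue` for `small_postgresql_db_server_log_retention_period` is `"'azurerm_postgresql_configuration[positive1].value' is %!s(int=2)"`, which is Go's `fmt` error marker for a `%s` verb applied to an int, not an intended message; committing it makes the test require the broken formatting. The cause is presumably a `sprintf("%s", [value])` in the query's Rego where the value is numeric — switch it to `%d` (or convert the value to a string first) and regenerate, so the entry reads `"actualValue": "'azurerm_postgresql_configuration[positive1].value' is 2"`. The similarityID may change with the regeneration, so regenerate rather than editing the string by hand.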
diff --git a/assets/queries/terraform/azure/sql_database_audit_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_database_audit_disabled/test/positive_expected_result.json index f29978bdc55..0085cc29eb1 100644 --- a/assets/queries/terraform/azure/sql_database_audit_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sql_database_audit_disabled/test/positive_expected_result.json @@ -2,11 +2,31 @@ { "queryName": "SQL Database Audit Disabled", "severity": "MEDIUM", - "line": 50 + "line": 34, + "fileName": "positive.tf", + "resourceType": "azurerm_sql_database", + "resourceName": "myexamplesqldatabase", + "searchKey": "azurerm_sql_database[positive4].threat_detection_policy.state", + "searchValue": "", + "expectedValue": "'threat_detection_policy.state' equal 'Enabled'", + "actualValue": "'threat_detection_policy.state' equal 'Disabled'", + "issueType": "IncorrectValue", + "similarityID": "c94f95a84232a32788354c5ec07ec26ebc1f44283aaba706974cbd693bac16f1", + "search_line": 34 }, { "queryName": "SQL Database Audit Disabled", "severity": "MEDIUM", - "line": 34 + "line": 50, + "fileName": "positive.tf", + "resourceType": "azurerm_sql_database", + "resourceName": "myexamplesqldatabase", + "searchKey": "azurerm_sql_database[positive5].threat_detection_policy", + "searchValue": "", + "expectedValue": "'threat_detection_policy' should exist", + "actualValue": "'threat_detection_policy' is missing", + "issueType": "MissingAttribute", + "similarityID": "e88c3c3ffc4ad70ad23505b51745fa2e2158970717fb3270e97c3260ae8ce4cb", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/sql_database_without_data_encryption/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_database_without_data_encryption/test/positive_expected_result.json index 93f9af90d07..5b9c6e6d86f 100644 
--- a/assets/queries/terraform/azure/sql_database_without_data_encryption/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sql_database_without_data_encryption/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Beta - SQL Database Without Data Encryption", "severity": "HIGH", - "line": 12 + "line": 12, + "fileName": "positive.tf", + "resourceType": "azurerm_mssql_database", + "resourceName": "example-db", + "searchKey": "azurerm_mssql_database[example].transparent_data_encryption_enabled", + "searchValue": "", + "expectedValue": "'azurerm_mssql_database[example].transparent_data_encryption_enabled' should be set to 'true'", + "actualValue": "'azurerm_mssql_database[example].transparent_data_encryption_enabled' is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "7a478abea4c636c768928953d23cd21edd3fef8b051834b9a9cee40b769eb89f", + "search_line": 12 } ] diff --git a/assets/queries/terraform/azure/sql_server_alert_email_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_server_alert_email_disabled/test/positive_expected_result.json index 829b77ac1d8..894fa07cb46 100644 --- a/assets/queries/terraform/azure/sql_server_alert_email_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sql_server_alert_email_disabled/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "SQL Server Alert Email Disabled", "severity": "INFO", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_mssql_server_security_alert_policy", + "resourceName": "positive1", + "searchKey": "azurerm_mssql_server_security_alert_policy[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_mssql_server_security_alert_policy[positive1].email_account_admins' should be defined", + "actualValue": "'azurerm_mssql_server_security_alert_policy[positive1].email_account_admins' is undefined", + "issueType": "MissingAttribute", + "similarityID": "4bbcaefe88eb0d0499f021b2163478beac45f5c4386be2fae74109776bfc59fa", + "search_line": 1 }, { "queryName": "SQL Server Alert Email Disabled", "severity": "INFO", "line": 12, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_mssql_server_security_alert_policy", + "resourceName": "positive2", + "searchKey": "azurerm_mssql_server_security_alert_policy[positive2].email_account_admins", + "searchValue": "", + "expectedValue": "'azurerm_mssql_server_security_alert_policy[positive2].email_account_admins' should be true", + "actualValue": "'azurerm_mssql_server_security_alert_policy[positive2].email_account_admins' is false", + "issueType": "IncorrectValue", + "similarityID": "80ca0af4991cc6a919413c5690804cd1e380e332ca023b379ba13e209b909030", + "search_line": 12 } ] diff --git a/assets/queries/terraform/azure/sql_server_auditing_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_server_auditing_disabled/test/positive_expected_result.json index 558004dd187..b827a804ddc 100644 --- a/assets/queries/terraform/azure/sql_server_auditing_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sql_server_auditing_disabled/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "SQL Server Auditing Disabled", "severity": "MEDIUM", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "azurerm_sql_server", + "resourceName": "mssqlserver", + "searchKey": "azurerm_sql_server[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_sql_server.positive1.extended_auditing_policy' should exist", + "actualValue": "'azurerm_sql_server.positive1.extended_auditing_policy' does not exist", + "issueType": "MissingAttribute", + "similarityID": "06ce40694319dae1b71804c04120cfee18b46ce59a43604b17ff3bd3277421b8", + "search_line": -1 } ] diff --git a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json index 7c1b06e5a73..fdcd56ad2f4 100644 --- a/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sql_server_ingress_from_any_ip/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "SQLServer Ingress From Any IP", "severity": "CRITICAL", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_sql_firewall_rule", + "resourceName": "FirewallRule1", + "searchKey": "azurerm_sql_firewall_rule[positive1]", + "searchValue": "", + "expectedValue": "azurerm_sql_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", + "actualValue": "azurerm_sql_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255", + "issueType": "IncorrectValue", + "similarityID": "5d316141345ee33eb7d6f1e66e8284fb3b9d2e53ab7ba7db0b05b9b18d771831", + "search_line": 1 }, { "queryName": "SQLServer Ingress From Any IP", "severity": "CRITICAL", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_mssql_firewall_rule", + "resourceName": "FirewallRule1", + "searchKey": "azurerm_mssql_firewall_rule[positive1]", + "searchValue": "", + "expectedValue": "azurerm_mssql_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", + "actualValue": "azurerm_mssql_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255", + "issueType": "IncorrectValue", + "similarityID": "8de388398008a9aa3150398b71d65bd13285d3462d600bbbbad0b904cb1e8ab3", + "search_line": 1 }, { "queryName": "SQLServer Ingress From Any IP", "severity": "CRITICAL", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_mariadb_firewall_rule", + "resourceName": "test-rule", + "searchKey": "azurerm_mariadb_firewall_rule[example]", + "searchValue": "", + "expectedValue": "azurerm_mariadb_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", + "actualValue": "azurerm_mariadb_firewall_rule.start_ip_address equal 
to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255", + "issueType": "IncorrectValue", + "similarityID": "fcd8fb1aeb00ab44037188349b013c90fc06eabcb89443355c3b2a4251020597", + "search_line": 1 }, { "queryName": "SQLServer Ingress From Any IP", "severity": "CRITICAL", "line": 1, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "azurerm_postgresql_firewall_rule", + "resourceName": "office", + "searchKey": "azurerm_postgresql_firewall_rule[example]", + "searchValue": "", + "expectedValue": "azurerm_postgresql_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", + "actualValue": "azurerm_postgresql_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255", + "issueType": "IncorrectValue", + "similarityID": "7d2a95e74d417f47ae34703413df73f9912c8627e567638c68731b68c43cc99e", + "search_line": 1 }, { "queryName": "SQLServer Ingress From Any IP", "severity": "CRITICAL", "line": 1, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "azurerm_postgresql_flexible_server_firewall_rule", + "resourceName": "example-fw", + "searchKey": "azurerm_postgresql_flexible_server_firewall_rule[example]", + "searchValue": "", + "expectedValue": "azurerm_postgresql_flexible_server_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", + "actualValue": "azurerm_postgresql_flexible_server_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255", + "issueType": "IncorrectValue", + "similarityID": "f39b8109e40e211e92a40b71557ade11035b9cfa16faa3cc601b80bc1b74d5b9", + "search_line": 1 }, { "queryName": "SQLServer Ingress From Any IP", "severity": "CRITICAL", "line": 1, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "azurerm_mysql_flexible_server_firewall_rule", + "resourceName": "office", 
+ "searchKey": "azurerm_mysql_flexible_server_firewall_rule[example]", + "searchValue": "", + "expectedValue": "azurerm_mysql_flexible_server_firewall_rule.start_ip_address different from 0.0.0.0 and end_ip_address different from 0.0.0.0 or 255.255.255.255", + "actualValue": "azurerm_mysql_flexible_server_firewall_rule.start_ip_address equal to 0.0.0.0 and end_ip_address equal to 0.0.0.0 or 255.255.255.255", + "issueType": "IncorrectValue", + "similarityID": "2e115ead69bba5336d4aec6a5f580a5fb360c43a04d4770ae6769a32a138a01d", + "search_line": 1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json index f1a0a9de803..9493d8b4ec0 100644 --- a/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name/test/positive_expected_result.json 
@@ -2,11 +2,31 @@
 {
 "queryName": "SQL Server Predictable Active Directory Account Name",
 "severity": "LOW",
- "line": 21
+ "line": 21,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_sql_active_directory_administrator",
+ "resourceName": "positive3",
+ "searchKey": "azurerm_sql_active_directory_administrator[positive3].login",
+ "searchValue": "",
+ "expectedValue": "'azurerm_sql_active_directory_administrator[positive3].login' should not be empty'",
+ "actualValue": "'azurerm_sql_active_directory_administrator[positive3].login' is empty",
+ "issueType": "IncorrectValue",
+ "similarityID": "09b44c85485ee678689abdc8075711a71ee66395d30e0075df12942077c49105",
+ "search_line": -1
 },
 {
 "queryName": "SQL Server Predictable Active Directory Account Name",
 "severity": "LOW",
- "line": 29
+ "line": 29,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_sql_active_directory_administrator",
+ "resourceName": "positive4",
+ "searchKey": "azurerm_sql_active_directory_administrator[positive4].login",
+ "searchValue": "",
+ "expectedValue": "'azurerm_sql_active_directory_administrator[positive4].login' should not be predictable'",
+ "actualValue": "'azurerm_sql_active_directory_administrator[positive4].login' is predictable",
+ "issueType": "IncorrectValue",
+ "similarityID": "6c7bd9c9a6d35e5070821159047acb71541b78982926342dc889e5d07d3266bc",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json b/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json
index 6c2df2f3069..7c47e1453cd 100644
--- a/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/sql_server_predictable_admin_account_name/test/positive_expected_result.json
@@ -2,11 +2,31 @@
 {
 "queryName": "SQL Server Predictable Admin Account Name",
 "severity": "LOW",
- "line": 20
+ "line": 20,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_sql_server",
+ "resourceName": "mssqlserver",
+ "searchKey": "azurerm_sql_server[positive3].administrator_login",
+ "searchValue": "",
+ "expectedValue": "'azurerm_sql_server[positive3].administrator_login' should not be empty'",
+ "actualValue": "'azurerm_sql_server[positive3].administrator_login' is empty",
+ "issueType": "IncorrectValue",
+ "similarityID": "52e9dbca8d6e15557a2e926c784ef60441578e445e4ea025246b3a05f28829ff",
+ "search_line": -1
 },
 {
 "queryName": "SQL Server Predictable Admin Account Name",
 "severity": "LOW",
- "line": 40
+ "line": 40,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_sql_server",
+ "resourceName": "mssqlserver",
+ "searchKey": "azurerm_sql_server[positive4].administrator_login",
+ "searchValue": "",
+ "expectedValue": "'azurerm_sql_server[positive4].administrator_login' should not be predictable'",
+ "actualValue": "'azurerm_sql_server[positive4].administrator_login' is predictable",
+ "issueType": "IncorrectValue",
+ "similarityID": "aefa50e23ca9d5638dfd4105f3ace622fcedb7f3384882a835505e017d87130f",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/test/positive_expected_result.json b/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/test/positive_expected_result.json
index 8c0a501291d..606eee11bd9 100644
--- a/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet/test/positive_expected_result.json
@@ -2,101 +2,301 @@
 {
 "queryName": "SSH Is Exposed To The Internet",
 "severity": "MEDIUM",
- "line": 8
+ "line": 8,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive1].destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'azurerm_network_security_rule.positive1.destination_port_range' cannot be 22",
+ "actualValue": "'azurerm_network_security_rule.positive1.destination_port_range' might be 22",
+ "issueType": "IncorrectValue",
+ "similarityID": "801f4f50719da8dcd504f477589d9efe640d5d0c84196acf79b208d9f86c5b30",
+ "search_line": -1
 },
 {
 "queryName": "SSH Is Exposed To The Internet",
 "severity": "MEDIUM",
- "line": 22
+ "line": 22,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive2].destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'azurerm_network_security_rule.positive2.destination_port_range' cannot be 22",
+ "actualValue": "'azurerm_network_security_rule.positive2.destination_port_range' might be 22",
+ "issueType": "IncorrectValue",
+ "similarityID": "544704bd0f0548fe821a47d0dc6dacee42ded6e39426a23fa702c3c8a371f379",
+ "search_line": -1
 },
 {
 "queryName": "SSH Is Exposed To The Internet",
 "severity": "MEDIUM",
- "line": 36
+ "line": 36,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive3].destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'azurerm_network_security_rule.positive3.destination_port_range' cannot be 22",
+ "actualValue": "'azurerm_network_security_rule.positive3.destination_port_range' might be 22",
+ "issueType": "IncorrectValue",
+ "similarityID": "5a6adc551fa1c518576c6b9b24c464b8a267bfb719438b0e41d26112897fddc0",
+ "search_line": -1
 },
 {
 "queryName": "SSH Is Exposed To The Internet",
 "severity": "MEDIUM",
- "line": 50
+ "line": 50,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive4].destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'azurerm_network_security_rule.positive4.destination_port_range' cannot be 22",
+ "actualValue": "'azurerm_network_security_rule.positive4.destination_port_range' might be 22",
+ "issueType": "IncorrectValue",
+ "similarityID": "9c032dc53278a80154ccba9e1760d5ada5185b5ff2d7a4262a7451d3ee8e8b3d",
+ "search_line": -1
 },
 {
 "queryName": "SSH Is Exposed To The Internet",
 "severity": "MEDIUM",
- "line": 64
+ "line": 64,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive5].destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'azurerm_network_security_rule.positive5.destination_port_range' cannot be 22",
+ "actualValue": "'azurerm_network_security_rule.positive5.destination_port_range' might be 22",
+ "issueType": "IncorrectValue",
+ "similarityID": "676353e823c1bf67d643c2f89b72c058af7d9018fab056704998236d0fcc7855",
+ "search_line": -1
 },
 {
 "queryName": "SSH Is Exposed To The Internet",
 "severity": "MEDIUM",
- "line": 78
+ "line": 78,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive6].destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'azurerm_network_security_rule.positive6.destination_port_range' cannot be 22",
+ "actualValue": "'azurerm_network_security_rule.positive6.destination_port_range' might be 22",
+ "issueType": "IncorrectValue",
+ "similarityID": "f5132d7237e2249f80c8ac3a6f515e488d6a15e78ef0cc154f509bf656cdf6ff",
+ "search_line": -1
 },
 {
 "queryName": "SSH Is Exposed To The Internet",
 "severity": "MEDIUM",
- "line": 92
+ "line": 92,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive7].destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'azurerm_network_security_rule.positive7.destination_port_range' cannot be 22",
+ "actualValue": "'azurerm_network_security_rule.positive7.destination_port_range' might be 22",
+ "issueType": "IncorrectValue",
+ "similarityID": "cf254e1f5e0b244eb994ab848f2c2c21390bc4b1b50b361486cfe6ffddb90949",
+ "search_line": -1
 },
 {
 "queryName": "SSH Is Exposed To The Internet",
 "severity": "MEDIUM",
- "line": 106
+ "line": 106,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive8].destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'azurerm_network_security_rule.positive8.destination_port_range' cannot be 22",
+ "actualValue": "'azurerm_network_security_rule.positive8.destination_port_range' might be 22",
+ "issueType": "IncorrectValue",
+ "similarityID": "538db163a2deb1631b798da0d35eb4c78e0ee1e3ad2aeab0b702e44dfa47c5da",
+ "search_line": -1
 },
 {
 "queryName": "SSH Is Exposed To The Internet",
 "severity": "MEDIUM",
- "line": 120
+ "line": 120,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive9].destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'azurerm_network_security_rule.positive9.destination_port_range' cannot be 22",
+ "actualValue": "'azurerm_network_security_rule.positive9.destination_port_range' might be 22",
+ "issueType": "IncorrectValue",
+ "similarityID": "03ebd168927aa8adb35fd4624c495a5b465235e24e218aee1229b7c84dddfe6d",
+ "search_line": -1
 },
 {
 "queryName": "SSH Is Exposed To The Internet",
 "severity": "MEDIUM",
- "line": 134
+ "line": 134,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_network_security_rule",
+ "resourceName": "example",
+ "searchKey": "azurerm_network_security_rule[positive10].destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'azurerm_network_security_rule.positive10.destination_port_range' cannot be 22",
+ "actualValue": "'azurerm_network_security_rule.positive10.destination_port_range' might be 22",
+ "issueType": "IncorrectValue",
+ "similarityID": "0272e43dd379fa4795a9607c71dcf42a5ae6d24e93fd3346f278ee9c48dcf2fd",
+ "search_line": -1
 },
 {
 "queryName": "SSH Is Exposed To The Internet",
 "severity": "MEDIUM",
- "line": 153
+ "line": 153,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_network_security_group",
+ "resourceName": "positive11",
+ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive11}}.destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'destination_port_range' cannot be 22",
+ "actualValue": "'destination_port_range' might be 22",
+ "issueType": "IncorrectValue",
+ "similarityID": "934d7a39cfc8e9692537b85de294552300466979f579975547a3c458ba0bf14e",
+ "search_line": -1
 },
 {
 "queryName": "SSH Is Exposed To The Internet",
 "severity": "MEDIUM",
- "line": 165
+ "line": 165,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_network_security_group",
+ "resourceName": "positive12",
+ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive12}}.destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'destination_port_range' cannot be 22",
+ "actualValue": "'destination_port_range' might be 22",
+ "issueType": "IncorrectValue",
+ "similarityID": "e665ed913976279223a559b234204783bd026243e6dc41dd556ed767a2550d04",
+ "search_line": -1
 },
 {
 "queryName": "SSH Is Exposed To The Internet",
 "severity": "MEDIUM",
- "line": 177
+ "line": 177,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_network_security_group",
+ "resourceName": "positive13",
+ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive13}}.destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'destination_port_range' cannot be 22",
+ "actualValue": "'destination_port_range' might be 22",
+ "issueType": "IncorrectValue",
+ "similarityID": "44b5c4f4c0b7d16fe4aaeaf7dac795434339d90c77e30f5931333801da6da127",
+ "search_line": -1
 },
 {
 "queryName": "SSH Is Exposed To The Internet",
 "severity": "MEDIUM",
- "line": 189
+ "line": 189,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_network_security_group",
+ "resourceName": "positive14",
+ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive14}}.destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'destination_port_range' cannot be 22",
+ "actualValue": "'destination_port_range' might be 22",
+ "issueType": "IncorrectValue",
+ "similarityID": "5fa740fd51d262d712a8d2c81e351efe0d54913ead9b69c724a2814d281ac8e0",
+ "search_line": -1
 },
 {
 "queryName": "SSH Is Exposed To The Internet",
 "severity": "MEDIUM",
- "line": 201
+ "line": 201,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_network_security_group",
+ "resourceName": "positive15",
+ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive15}}.destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'destination_port_range' cannot be 22",
+ "actualValue": "'destination_port_range' might be 22",
+ "issueType": "IncorrectValue",
+ "similarityID": "53d168d4d1b3c276278bb7f93287fdec266aad6ff7751959803efae0c6805032",
+ "search_line": -1
 },
 {
 "queryName": "SSH Is Exposed To The Internet",
 "severity": "MEDIUM",
- "line": 213
+ "line": 213,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_network_security_group",
+ "resourceName": "positive16",
+ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive16}}.destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'destination_port_range' cannot be 22",
+ "actualValue": "'destination_port_range' might be 22",
+ "issueType": "IncorrectValue",
+ "similarityID": "1e33bb0b3c183a1b04466e94c712998d288e52d5bd67e669e3db42e59a51c2c1",
+ "search_line": -1
 },
 {
 "queryName": "SSH Is Exposed To The Internet",
 "severity": "MEDIUM",
- "line": 225
+ "line": 225,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_network_security_group",
+ "resourceName": "positive17",
+ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive17}}.destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'destination_port_range' cannot be 22",
+ "actualValue": "'destination_port_range' might be 22",
+ "issueType": "IncorrectValue",
+ "similarityID": "e1c4e16fe385ea0d5e3d3337fc93f78971d6e978b64d4135b21e989c8aa62bd4",
+ "search_line": -1
 },
 {
 "queryName": "SSH Is Exposed To The Internet",
 "severity": "MEDIUM",
- "line": 237
+ "line": 237,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_network_security_group",
+ "resourceName": "positive18",
+ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive18}}.destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'destination_port_range' cannot be 22",
+ "actualValue": "'destination_port_range' might be 22",
+ "issueType": "IncorrectValue",
+ "similarityID": "fc39411275919c5c8747515c87927e8b71c07de42b44eed1780a5116af492134",
+ "search_line": -1
 },
 {
 "queryName": "SSH Is Exposed To The Internet",
 "severity": "MEDIUM",
- "line": 249
+ "line": 249,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_network_security_group",
+ "resourceName": "positive19",
+ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive19}}.destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'destination_port_range' cannot be 22",
+ "actualValue": "'destination_port_range' might be 22",
+ "issueType": "IncorrectValue",
+ "similarityID": "6d51b29e9232682887239dc2187a4960a02d90d521245bcc8598eab16e7a450c",
+ "search_line": -1
 },
 {
 "queryName": "SSH Is Exposed To The Internet",
 "severity": "MEDIUM",
- "line": 261
+ "line": 261,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_network_security_group",
+ "resourceName": "positive20",
+ "searchKey": "azurerm_network_security_group[positive11-20].security_rule.name={{positive20}}.destination_port_range",
+ "searchValue": "",
+ "expectedValue": "'destination_port_range' cannot be 22",
+ "actualValue": "'destination_port_range' might be 22",
+ "issueType": "IncorrectValue",
+ "similarityID": "0342aea69057f61e9a4d79451f17b904692414b4f32f9c2ef91002a7e96cf6aa",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/terraform/azure/ssl_enforce_is_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/ssl_enforce_is_disabled/test/positive_expected_result.json
index e62b1c19066..ef252be57c9 100644
--- a/assets/queries/terraform/azure/ssl_enforce_is_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/ssl_enforce_is_disabled/test/positive_expected_result.json
@@ -2,11 +2,31 @@
 {
 "queryName": "SSL Enforce Disabled",
 "severity": "MEDIUM",
- "line": 18
+ "line": 18,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_postgresql_server",
+ "resourceName": "example-psqlserver",
+ "searchKey": "azurerm_postgresql_server[positive1].ssl_enforcement_enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_server.positive1.ssl_enforcement_enabled' should equal 'true'",
+ "actualValue": "'azurerm_postgresql_server.positive1.ssl_enforcement_enabled' is equal 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "af5c718558c4c0fde8bdddb16a55c8140e0d88a7995c074aa7628bd478767313",
+ "search_line": 18
 },
 {
 "queryName": "SSL Enforce Disabled",
 "severity": "MEDIUM",
- "line": 22
+ "line": 22,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_postgresql_server",
+ "resourceName": "example-psqlserver",
+ "searchKey": "azurerm_postgresql_server[positive2].ssl_enforcement_enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_postgresql_server.positive2.ssl_enforcement_enabled' should equal 'true'",
+ "actualValue": "'azurerm_postgresql_server.positive2.ssl_enforcement_enabled' is not defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "478b127988907b8d33df2bfc12bd419d0511f2f04b726749dcc00ca25cd188f1",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/azure/storage_account_not_forcing_https/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_not_forcing_https/test/positive_expected_result.json
index 87ed2953656..8d21c05a2dc 100644
--- a/assets/queries/terraform/azure/storage_account_not_forcing_https/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/storage_account_not_forcing_https/test/positive_expected_result.json
@@ -3,24 +3,60 @@
 "queryName": "Storage Account Not Forcing HTTPS",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "example1",
+ "searchKey": "azurerm_storage_account[example1].enable_https_traffic_only",
+ "searchValue": "",
+ "expectedValue": "'azurerm_storage_account.example1.enable_https_traffic_only' equals 'true'",
+ "actualValue": "'azurerm_storage_account.example1.enable_https_traffic_only' equals 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "9bb567a0af2609886339f994d9814560ed44b94d7dfdaa77ff96ff1cac3ba298",
+ "search_line": 8
 },
 {
 "queryName": "Storage Account Not Forcing HTTPS",
 "severity": "MEDIUM",
 "line": 12,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "example2",
+ "searchKey": "azurerm_storage_account[example2]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_storage_account.example2.enable_https_traffic_only' equals 'true', or (since Terraform v4.0) 'azurerm_storage_account.example2.https_traffic_only_enabled' equals 'true'",
+ "actualValue": "Neither 'azurerm_storage_account.example2.enable_https_traffic_only' nor 'azurerm_storage_account.example2.https_traffic_only_enabled' exists",
+ "issueType": "MissingAttribute",
+ "similarityID": "4dd9e8184ad96debfbe725e683b4778ce7c11563e07274b44e80d547260d760a",
+ "search_line": 12
 },
 {
 "queryName": "Storage Account Not Forcing HTTPS",
 "severity": "MEDIUM",
 "line": 8,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "example1",
+ "searchKey": "azurerm_storage_account[example1].https_traffic_only_enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_storage_account.example1.https_traffic_only_enabled' equals 'true'",
+ "actualValue": "'azurerm_storage_account.example1.https_traffic_only_enabled' equals 'false'",
+ "issueType": "IncorrectValue",
+ "similarityID": "ef97693fd7ff94a43be6b68b1ed9af6a6ef02d88fcd919c5aaaa7281498d9f75",
+ "search_line": 8
 },
 {
 "queryName": "Storage Account Not Forcing HTTPS",
 "severity": "MEDIUM",
 "line": 12,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "example2",
+ "searchKey": "azurerm_storage_account[example2]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_storage_account.example2.enable_https_traffic_only' equals 'true', or (since Terraform v4.0) 'azurerm_storage_account.example2.https_traffic_only_enabled' equals 'true'",
+ "actualValue": "Neither 'azurerm_storage_account.example2.enable_https_traffic_only' nor 'azurerm_storage_account.example2.https_traffic_only_enabled' exists",
+ "issueType": "MissingAttribute",
+ "similarityID": "83ea308befb97003e681d6b7f92f0f50a5ed156f35ddac1e5cedf4f223b19241",
+ "search_line": 12
 }
 ]
diff --git a/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/positive_expected_result.json
index 13b4ae0d843..44e1013da38 100644
--- a/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/storage_account_not_using_latest_smb_protocol_version/test/positive_expected_result.json
@@ -2,31 +2,91 @@
 {
 "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version",
 "severity": "HIGH",
- "line": 1
+ "line": 1,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "positive1",
+ "searchKey": "azurerm_storage_account[positive1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_storage_account[positive1].share_properties.smb.versions' should be defined and exclusively include 'SMB3.1.1'",
+ "actualValue": "'azurerm_storage_account[positive1].share_properties' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "33f2bc8b54f7bae08ca7c76c0b6c2bdef1b555b407dfc9095b3ee88e443ba544",
+ "search_line": 1
 },
 {
 "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version",
 "severity": "HIGH",
- "line": 18
+ "line": 18,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "positive2",
+ "searchKey": "azurerm_storage_account[positive2].share_properties",
+ "searchValue": "",
+ "expectedValue": "'azurerm_storage_account[positive2].share_properties.smb.versions' should be defined and exclusively include 'SMB3.1.1'",
+ "actualValue": "'azurerm_storage_account[positive2].share_properties.smb' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "9ee08eac6c00de4f2f7a26bc688adf119aea4fad71b36243c774664be3ff4fe5",
+ "search_line": 18
 },
 {
 "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version",
 "severity": "HIGH",
- "line": 32
+ "line": 32,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "positive3",
+ "searchKey": "azurerm_storage_account[positive3].share_properties.smb",
+ "searchValue": "",
+ "expectedValue": "'azurerm_storage_account[positive3].share_properties.smb.versions' should be defined and exclusively include 'SMB3.1.1'",
+ "actualValue": "'azurerm_storage_account[positive3].share_properties.smb.versions' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "d4590688fc286f6e4f3526a49f970d906fa1e5f5cb5d8d84f4e73c0f6f76b67a",
+ "search_line": 32
 },
 {
 "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version",
 "severity": "HIGH",
- "line": 47
+ "line": 47,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "positive4",
+ "searchKey": "azurerm_storage_account[positive4].share_properties.smb.versions",
+ "searchValue": "",
+ "expectedValue": "'azurerm_storage_account[positive4].share_properties.smb.versions' should be defined and exclusively include 'SMB3.1.1'",
+ "actualValue": "'azurerm_storage_account[positive4].share_properties.smb.versions' is empty or null",
+ "issueType": "IncorrectValue",
+ "similarityID": "9c016741f31f9fc3901b534d8eca4b97145e1d1f1f8edd4a1d307b40fab9356c",
+ "search_line": 47
 },
 {
 "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version",
 "severity": "HIGH",
- "line": 61
+ "line": 61,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "positive5",
+ "searchKey": "azurerm_storage_account[positive5].share_properties.smb.versions",
+ "searchValue": "",
+ "expectedValue": "'azurerm_storage_account[positive5].share_properties.smb.versions' should be defined and exclusively include 'SMB3.1.1'",
+ "actualValue": "'azurerm_storage_account[positive5].share_properties.smb.versions' does not include 'SMB3.1.1' and instead includes 2 outdated version(s)",
+ "issueType": "IncorrectValue",
+ "similarityID": "c27f45adfa417b19b52b3ce21ce8ad68d2254a1eb80caeb724018978494bef51",
+ "search_line": 61
 },
 {
 "queryName": "Beta - Storage Account Not Using Latest SMB Protocol Version",
 "severity": "HIGH",
- "line": 75
+ "line": 75,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "positive6",
+ "searchKey": "azurerm_storage_account[positive6].share_properties.smb.versions",
+ "searchValue": "",
+ "expectedValue": "'azurerm_storage_account[positive6].share_properties.smb.versions' should be defined and exclusively include 'SMB3.1.1'",
+ "actualValue": "'azurerm_storage_account[positive6].share_properties.smb.versions' includes 'SMB3.1.1' but also includes 1 outdated version(s)",
+ "issueType": "IncorrectValue",
+ "similarityID": "7de33e3bb3174ac2900dbc2187a20151bfe5cdd3cc28fb1ddb4c9a12fd996cf0",
+ "search_line": 75
 }
 ]
diff --git a/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json
index f58b0acc496..814f9287aef 100644
--- a/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Storage Account Not Using Latest TLS Encryption Version",
 "severity": "MEDIUM",
 "line": 7,
- "fileName": "positive.tf"
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_storage_account",
+ "resourceName": "storageaccountname",
+ "searchKey": "azurerm_storage_account[positive2].min_tls_version",
+ "searchValue": "",
+ "expectedValue": "'azurerm_storage_account[positive2].min_tls_version' is 'TLS1_2'",
+ "actualValue": "'azurerm_storage_account[positive2].min_tls_version' is not 'TLS1_2'",
+ "issueType": "IncorrectValue",
+ "similarityID": "34a1080965a15fc11ce0a5fd143f1e3c8e546a20b66eddcaad4ac9463f8b457b",
+ "search_line": 7
 }
 ]
diff --git a/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/positive_expected_result.json
index b938673842c..140c3212f1a 100644
--- a/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/storage_account_using_unsafe_smb_channel_encryption/test/positive_expected_result.json
@@ -2,31 +2,91 @@ { "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption", "severity": "HIGH", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive1", + "searchKey": "azurerm_storage_account[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive1].share_properties.smb.channel_encryption_type' should be defined and exclusively include 'AES-256-GCM'", + "actualValue": "'azurerm_storage_account[positive1].share_properties' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "a5f051dcf3367471c669d9953b496e9f96ff2e0409b960f4c45cf850995d5eda", + "search_line": 1 }, { "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption", "severity": "HIGH", - "line": 18 + "line": 18, + "fileName": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive2", + "searchKey": "azurerm_storage_account[positive2].share_properties", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive2].share_properties.smb.channel_encryption_type' should be defined and exclusively include 'AES-256-GCM'", + "actualValue": "'azurerm_storage_account[positive2].share_properties.smb' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "72d3acfeb66415b0399dfe6eacc08216e0fa3d9371dcd3e1a7414923257d6e86", + "search_line": 18 }, { "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption", "severity": "HIGH", - "line": 31 + "line": 31, + "fileName": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive3", + "searchKey": "azurerm_storage_account[positive3].share_properties.smb", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive3].share_properties.smb.channel_encryption_type' should be defined and exclusively include 'AES-256-GCM'", + "actualValue": 
"'azurerm_storage_account[positive3].share_properties.smb.channel_encryption_type' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "9712191c0c338ec70711835747498f43c24d3c299d23ea5a22026a7a5dd77219", + "search_line": 31 }, { "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption", "severity": "HIGH", - "line": 46 + "line": 46, + "fileName": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive4", + "searchKey": "azurerm_storage_account[positive4].share_properties.smb.channel_encryption_type", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive4].share_properties.smb.channel_encryption_type' should be defined and exclusively include 'AES-256-GCM'", + "actualValue": "'azurerm_storage_account[positive4].share_properties.smb.channel_encryption_type' is empty or null", + "issueType": "IncorrectValue", + "similarityID": "3354069fc81e400f1fe292c1aa7b0fa31d2b40fac69761acff17ce8217bc31ca", + "search_line": 46 }, { "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption", "severity": "HIGH", - "line": 60 + "line": 60, + "fileName": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive5", + "searchKey": "azurerm_storage_account[positive5].share_properties.smb.channel_encryption_type", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive5].share_properties.smb.channel_encryption_type' should be defined and exclusively include 'AES-256-GCM'", + "actualValue": "'azurerm_storage_account[positive5].share_properties.smb.channel_encryption_type' does not include 'AES-256-GCM' and instead includes 2 weaker encryption standard(s)", + "issueType": "IncorrectValue", + "similarityID": "4db8f06a147babfa14f1f02aac3aa3bfbbb899cfd4dbe8a39d0e7a2bf471e2b7", + "search_line": 60 }, { "queryName": "Beta - Storage Account Using Unsafe SMB Channel Encryption", "severity": "HIGH", - "line": 74 + "line": 74, + "fileName": 
"positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive6", + "searchKey": "azurerm_storage_account[positive6].share_properties.smb.channel_encryption_type", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive6].share_properties.smb.channel_encryption_type' should be defined and exclusively include 'AES-256-GCM'", + "actualValue": "'azurerm_storage_account[positive6].share_properties.smb.channel_encryption_type' includes 'AES-256-GCM' but also includes 1 weaker encryption standard(s)", + "issueType": "IncorrectValue", + "similarityID": "0902234fd1f7c2f6a32b61885f7819097f8645f42cc865245d4013e7ecd4628f", + "search_line": 74 } ] diff --git a/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/test/positive_expected_result.json index 232f7ba3365..e4d1f92b9c7 100644 --- a/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_with_cross_tenant_replication_enabled/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Beta - Storage Account With Cross Tenant Replication Enabled", "severity": "MEDIUM", - "line": 8 + "line": 8, + "fileName": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive1", + "searchKey": "azurerm_storage_account[positive1].cross_tenant_replication_enabled", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive1].cross_tenant_replication_enabled' should be set to false", + "actualValue": "'azurerm_storage_account[positive1].cross_tenant_replication_enabled' is set to true", + "issueType": "IncorrectValue", + "similarityID": "544665403aeb95ec2f3bbaad2d21afc80f8ba868bbf64c8313bc75816f0fc208", + "search_line": 8 } ] 
diff --git a/assets/queries/terraform/azure/storage_account_with_shared_access_key/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_with_shared_access_key/test/positive_expected_result.json index 3aabd7181b9..0a51a1c0c7e 100644 --- a/assets/queries/terraform/azure/storage_account_with_shared_access_key/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_with_shared_access_key/test/positive_expected_result.json @@ -2,11 +2,31 @@ { "queryName": "Beta - Storage Account With Shared Access Key", "severity": "MEDIUM", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive1", + "searchKey": "azurerm_storage_account[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive1].shared_access_key_enabled' should be defined and set to false", + "actualValue": "'azurerm_storage_account[positive1].shared_access_key_enabled' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "938dce08769c4f197198b1581a0befd47eb7c424a52e914d8ad50aa4b34604f2", + "search_line": 1 }, { "queryName": "Beta - Storage Account With Shared Access Key", "severity": "MEDIUM", - "line": 18 + "line": 18, + "fileName": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "positive2", + "searchKey": "azurerm_storage_account[positive2].shared_access_key_enabled", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive2].shared_access_key_enabled' should be defined and set to false", + "actualValue": "'azurerm_storage_account[positive2].shared_access_key_enabled' is set to 'true'", + "issueType": "IncorrectValue", + "similarityID": "b777a806c7b67eaf455ffd5dae3e36d997729aeb96f55baba23b4324c3d20d55", + "search_line": 18 } ] 
diff --git a/assets/queries/terraform/azure/storage_account_without_cmk/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_without_cmk/test/positive_expected_result.json index 12468537f01..1f4e216da29 100644 --- a/assets/queries/terraform/azure/storage_account_without_cmk/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_without_cmk/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Beta - Storage Account Without CMK", "severity": "MEDIUM", "line": 1, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "storageaccountname", + "searchKey": "azurerm_storage_account[positive1_1]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[positive1_1] must be associated with a 'azurerm_storage_account_customer_managed_key' resource and the block 'customer_managed_key' should be set", + "actualValue": "'azurerm_storage_account[positive1_1] is not associated with a 'azurerm_storage_account_customer_managed_key' resource and the 'customer_managed_key' block is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "a94971bff04c2d91de3fc2681910a39243dd4ab1fd2afee1859d294ffcf48fee", + "search_line": 1 } ] diff --git a/assets/queries/terraform/azure/storage_account_without_delete_lock/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_account_without_delete_lock/test/positive_expected_result.json index 940bf434657..feba30317c6 100644 --- a/assets/queries/terraform/azure/storage_account_without_delete_lock/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_account_without_delete_lock/test/positive_expected_result.json 
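Review bot: In the storage_account_without_cmk entry the new `expectedValue` and `actualValue` strings open a single quote that is never closed: `'azurerm_storage_account[positive1_1] must be associated with a 'azurerm_storage_account_customer_managed_key' resource ...` (the same in the `actualValue` line). The fixture records the query's message verbatim, so the unbalanced quote presumably originates in the query output rather than in this file; every other entry in this diff closes the resource reference as `'azurerm_storage_account[positive1]'`. Fixing the message at its source and regenerating would be the cleaner route, since editing this JSON by hand would only make the expected result diverge from what the scan emits.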
@@ -3,30 +3,75 @@ "queryName": "Beta - Storage Account Without Delete Lock", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "examplestorageacct", + "searchKey": "azurerm_storage_account[example_pos1]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[example_pos1]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", + "actualValue": "'azurerm_storage_account[example_pos1]' is not associated with an 'azurerm_management_lock'", + "issueType": "MissingAttribute", + "similarityID": "06f69ac377e84a25146195c18511a06f7529f4883794bcd6b10ba7a201bd01a0", + "search_line": 1 }, { "queryName": "Beta - Storage Account Without Delete Lock", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "examplestorageacct", + "searchKey": "azurerm_storage_account[example_pos2]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[example_pos2]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", + "actualValue": "'azurerm_storage_account[example_pos2]' is not associated with an 'azurerm_management_lock'", + "issueType": "MissingAttribute", + "similarityID": "1674a4de84f8f64d9c921451ae3f3525de2376a232e2111e8446bfc4420a2254", + "search_line": 1 }, { "queryName": "Beta - Storage Account Without Delete Lock", "severity": "LOW", "line": 6, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "examplestorageacct", + "searchKey": "azurerm_storage_account[example_pos3]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[example_pos3]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", + "actualValue": "'azurerm_storage_account[example_pos3]' is 
associated with 'azurerm_management_lock[storage_delete_lock_pos3]' but lock_level is 'ReadOnly'", + "issueType": "IncorrectValue", + "similarityID": "6c1255172b1290341056213dd0cb3b6c94ec798afdc0366788b3b8a2ea1f7ba0", + "search_line": 6 }, { "queryName": "Beta - Storage Account Without Delete Lock", "severity": "LOW", "line": 6, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "examplestorageacct", + "searchKey": "azurerm_storage_account[example_pos4]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[example_pos4]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", + "actualValue": "'azurerm_storage_account[example_pos4]' is not associated with an 'azurerm_management_lock'", + "issueType": "MissingAttribute", + "similarityID": "dd9c3de0df314f06811c65d388e36f4b0995f23caede8e9570f8650ab4924c44", + "search_line": 6 }, { "queryName": "Beta - Storage Account Without Delete Lock", "severity": "LOW", "line": 6, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "examplestorageacct", + "searchKey": "azurerm_storage_account[example_pos5]", + "searchValue": "", + "expectedValue": "'azurerm_storage_account[example_pos5]' should be associated with an 'azurerm_management_lock' where lock_level is set to 'CanNotDelete'", + "actualValue": "'azurerm_storage_account[example_pos5]' is not associated with an 'azurerm_management_lock'", + "issueType": "MissingAttribute", + "similarityID": "3315a72d285709c73e93f28d196fb048f4b8113702314c3c37351b6a242bf55e", + "search_line": 6 } ] diff --git a/assets/queries/terraform/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json index 680aa200d65..5cb4ce2d99f 100644 
--- a/assets/queries/terraform/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_container_is_publicly_accessible/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Storage Container Is Publicly Accessible", "severity": "HIGH", - "line": 4 + "line": 4, + "fileName": "positive.tf", + "resourceType": "azurerm_storage_container", + "resourceName": "vhds", + "searchKey": "azurerm_storage_container[positive1].container_access_type", + "searchValue": "", + "expectedValue": "'container_access_type' should equal to 'private'", + "actualValue": "'container_access_type' is not equal to 'private'", + "issueType": "IncorrectValue", + "similarityID": "03487cb7645e763a3ade4a55dfd006ed65c01407758439ee62776208748ade51", + "search_line": 4 } ] diff --git a/assets/queries/terraform/azure/storage_share_allows_all_acl_permissions/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_share_allows_all_acl_permissions/test/positive_expected_result.json index 61688033065..d9b93e4e570 100644 --- a/assets/queries/terraform/azure/storage_share_allows_all_acl_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_share_allows_all_acl_permissions/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Storage Share Allows All ACL Permissions", "severity": "MEDIUM", "line": 16, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_storage_share", + "resourceName": "my-awesome-content.zip", + "searchKey": "azurerm_storage_share[default_storage_share].acl.access_policy.permissions", + "searchValue": "", + "expectedValue": "azurerm_storage_share[default_storage_share].acl.access_policy.permissions should not allow all ACL permissions", + "actualValue": "azurerm_storage_share[default_storage_share].acl.access_policy.permissions allows all ACL permissions", + "issueType": "IncorrectValue", + "similarityID": "2f13a1956a7069173852f03b062e8d1194085cef99870ac334392c291831cd09", + "search_line": -1 } ] diff --git a/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/test/positive_expected_result.json b/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/test/positive_expected_result.json index 533a2db0fd7..cd9a38b400c 100644 --- a/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Storage Table Allows All ACL Permissions", "severity": "MEDIUM", - "line": 8 + "line": 8, + "fileName": "positive.tf", + "resourceType": "azurerm_storage_table", + "resourceName": "my_table_name", + "searchKey": "azurerm_storage_table[table_resource].acl.permissions", + "searchValue": "", + "expectedValue": "azurerm_storage_table[table_resource].acl.permissions should not allow all ACL permissions", + "actualValue": "azurerm_storage_table[table_resource].acl.permissions allows all ACL permissions", + "issueType": "IncorrectValue", + "similarityID": "18a36012dcaa29fc3379d395c718442da0ea3007aae64b4282f63d65538fed2c", + "search_line": -1 } ] 
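Review bot: Both entries on this line (storage_share_allows_all_acl_permissions and storage_table_allows_all_acl_permissions) and both entries of trusted_microsoft_services_not_enabled in the next file pin `"search_line": -1` as the expected value, while their `line` fields carry real locations (16, 8, 8 and 21). If -1 is the scanner's sentinel for a search line it could not resolve, the fixture freezes that gap as correct behaviour: a later improvement to the queries' `searchKey` resolution would fail these tests, and the -1 is no longer distinguishable from a regression. It may be worth confirming whether -1 is intended for these nested keys (`acl.access_policy.permissions`, `acl.permissions`, `network_rules.bypass`) before regenerating, and recording the reason where the fixture is produced if it is; the `"filename"` → `"fileName"` key correction in the storage_share entry is fine.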
diff --git a/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json index 923845f4cad..3907aa534d0 100644 --- a/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled/test/positive_expected_result.json @@ -2,11 +2,31 @@ { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 8 + "line": 8, + "fileName": "positive.tf", + "resourceType": "azurerm_storage_account_network_rules", + "resourceName": "positive1", + "searchKey": "azurerm_storage_account_network_rules[positive1].bypass", + "searchValue": "", + "expectedValue": "'bypass' should contain 'AzureServices'", + "actualValue": "'bypass' does not contain 'AzureServices'", + "issueType": "IncorrectValue", + "similarityID": "c13bc1c879b66021487c85a53c167ca1a19994d89598d82c8504e146efd9dee3", + "search_line": -1 }, { "queryName": "Trusted Microsoft Services Not Enabled", "severity": "MEDIUM", - "line": 21 + "line": 21, + "fileName": "positive.tf", + "resourceType": "azurerm_storage_account", + "resourceName": "storageaccountname", + "searchKey": "azurerm_storage_account[positive2].network_rules.bypass", + "searchValue": "", + "expectedValue": "'network_rules.bypass' should contain 'AzureServices'", + "actualValue": "'network_rules.bypass' does not contain 'AzureServices'", + "issueType": "IncorrectValue", + "similarityID": "1d54ac0eb9ead4af59bc8c11559ceadfb2844eb42f689ac256ddd6a5181c5e6f", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive_expected_result.json b/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive_expected_result.json index 2bb3208cf1d..91b6ea5e6e0 100644 
--- a/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/unrestricted_sql_server_access/test/positive_expected_result.json 
@@ -3,108 +3,270 @@ "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 19, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_sql_firewall_rule", + "resourceName": "FirewallRule1", + "searchKey": "azurerm_sql_firewall_rule[positive3-legacy].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_sql_firewall_rule[positive3-legacy].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_sql_firewall_rule[positive3-legacy].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue", + "similarityID": "a3c668e6fee0626af61d4de7914028722c071565094849943f51f236b9566a11", + "search_line": 19 }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 27, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_sql_firewall_rule", + "resourceName": "FirewallRule1", + "searchKey": "azurerm_sql_firewall_rule[positive4-legacy].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_sql_firewall_rule[positive4-legacy].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_sql_firewall_rule[positive4-legacy].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue", + "similarityID": "d9390cd094cd5ff64eab4607b98402cba0d28bcc026098cfcae29aab0be1317f", + "search_line": 27 }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 35, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_sql_firewall_rule", + "resourceName": "positive5-legacy", + "searchKey": 
"azurerm_sql_firewall_rule[positive5-legacy].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_sql_firewall_rule[positive5-legacy].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", + "actualValue": "'azurerm_sql_firewall_rule[positive5-legacy].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'", + "issueType": "IncorrectValue", + "similarityID": "ba280b5923b30398a3ad151d65e9c919041728944f7db74cdd6376c57d02fba1", + "search_line": 35 }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 19, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_mssql_firewall_rule", + "resourceName": "FirewallRule1", + "searchKey": "azurerm_mssql_firewall_rule[positive3].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_mssql_firewall_rule[positive3].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_mssql_firewall_rule[positive3].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue", + "similarityID": "39b961aa4692cba0446bb895da428f1d398d9820b8ae226af2c6362e3f9ffa77", + "search_line": 19 }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 26, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_mssql_firewall_rule", + "resourceName": "FirewallRule2", + "searchKey": "azurerm_mssql_firewall_rule[positive4].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_mssql_firewall_rule[positive4].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_mssql_firewall_rule[positive4].start_ip_address' The difference between 
the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue", + "similarityID": "eea3a37d82188cbda6f2d140518658e10b824a7e5308a5e00c703124abce2244", + "search_line": 26 }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 33, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_mssql_firewall_rule", + "resourceName": "positive5", + "searchKey": "azurerm_mssql_firewall_rule[positive5].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_mssql_firewall_rule[positive5].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", + "actualValue": "'azurerm_mssql_firewall_rule[positive5].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'", + "issueType": "IncorrectValue", + "similarityID": "c8b17859ff99b1ac96b9678cdb13442895eff5d81e00e7f299217d7bc18b3625", + "search_line": 33 }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 25, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_mariadb_firewall_rule", + "resourceName": "FirewallRule1", + "searchKey": "azurerm_mariadb_firewall_rule[mariadb_fw1].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_mariadb_firewall_rule[mariadb_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_mariadb_firewall_rule[mariadb_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue", + "similarityID": "13036d499d9a136c0a446767805f6244ec707614dc00982139c24de6d490ad7e", + "search_line": 25 }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 33, - "fileName": "positive3.tf" + "fileName": 
"positive3.tf", + "resourceType": "azurerm_mariadb_firewall_rule", + "resourceName": "FirewallRule2", + "searchKey": "azurerm_mariadb_firewall_rule[mariadb_fw2].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_mariadb_firewall_rule[mariadb_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_mariadb_firewall_rule[mariadb_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue", + "similarityID": "344904ac54507804ea85a49e9ef4a2711a7893781798cb35893614cf5ccbcf80", + "search_line": 33 }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 41, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_mariadb_firewall_rule", + "resourceName": "AllowAzure", + "searchKey": "azurerm_mariadb_firewall_rule[mariadb_fw3].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_mariadb_firewall_rule[mariadb_fw3].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", + "actualValue": "'azurerm_mariadb_firewall_rule[mariadb_fw3].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'", + "issueType": "IncorrectValue", + "similarityID": "19279243020d17db5d823b2a854ae7d31992a3824a52b728e26824a54c626776", + "search_line": 41 }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 24, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "azurerm_postgresql_firewall_rule", + "resourceName": "FirewallRule1", + "searchKey": "azurerm_postgresql_firewall_rule[psql_fw1].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_firewall_rule[psql_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 
'start_ip_address' should be less than 256", + "actualValue": "'azurerm_postgresql_firewall_rule[psql_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue", + "similarityID": "8d13529ee00145fb772f893d23fe2a604af0f0757fb27b5961b850308a60b0f6", + "search_line": 24 }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 32, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "azurerm_postgresql_firewall_rule", + "resourceName": "FirewallRule2", + "searchKey": "azurerm_postgresql_firewall_rule[psql_fw2].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_firewall_rule[psql_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_postgresql_firewall_rule[psql_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue", + "similarityID": "b01f3c3342861d23d0e1f22227f332f22f186e2be215eb36781bb470f382b421", + "search_line": 32 }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 41, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "azurerm_postgresql_firewall_rule", + "resourceName": "AllowAzure", + "searchKey": "azurerm_postgresql_firewall_rule[psql_fw3].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_firewall_rule[psql_fw3].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", + "actualValue": "'azurerm_postgresql_firewall_rule[psql_fw3].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'", + "issueType": "IncorrectValue", + "similarityID": 
"bf7df495660e8fbb32c6496820c27206815c5ee2c8edf9918662cad41e2012ba", + "search_line": 41 }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 20, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "azurerm_postgresql_flexible_server_firewall_rule", + "resourceName": "FirewallRule1", + "searchKey": "azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw1].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue", + "similarityID": "fd42ae7f61b3572b89df3d55722f7687df0d289c8444fa9987c72e4be350fcb6", + "search_line": 20 }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 27, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "azurerm_postgresql_flexible_server_firewall_rule", + "resourceName": "FirewallRule2", + "searchKey": "azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw2].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue", + "similarityID": "3031ed52504522316ba6cf2acf6841f7c7d6e1dd2a4849c6307e79d61b86eb80", + "search_line": 27 }, { "queryName": "Unrestricted SQL Server 
Access", "severity": "CRITICAL", "line": 35, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "azurerm_postgresql_flexible_server_firewall_rule", + "resourceName": "AllowAzure", + "searchKey": "azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw3].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw3].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", + "actualValue": "'azurerm_postgresql_flexible_server_firewall_rule[psqlflex_fw3].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'", + "issueType": "IncorrectValue", + "similarityID": "b9971d5a4d8ffd3f73142d9b0cc1441c9d41f0c3904bc46accb5241fbc55e77f", + "search_line": 35 }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 20, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "azurerm_mysql_flexible_server_firewall_rule", + "resourceName": "FirewallRule1", + "searchKey": "azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw1].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw1].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue", + "similarityID": "216c400dfdd362758ee1a7b7ead76ac57d9bb7c83ef4cb4a2f17199910df4c5d", + "search_line": 20 }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 27, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "azurerm_mysql_flexible_server_firewall_rule", + "resourceName": "FirewallRule2", + 
"searchKey": "azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw2].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' should be less than 256", + "actualValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw2].start_ip_address' The difference between the value of the 'end_ip_address' and 'start_ip_address' is greater than or equal to 256", + "issueType": "IncorrectValue", + "similarityID": "7b2d56aa8057bf474ab1ab92fb4b960d7812b6fa637d9125d7b77c6362bae3db", + "search_line": 27 }, { "queryName": "Unrestricted SQL Server Access", "severity": "CRITICAL", "line": 35, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "azurerm_mysql_flexible_server_firewall_rule", + "resourceName": "AllowAzure", + "searchKey": "azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw3].start_ip_address", + "searchValue": "", + "expectedValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw3].start_ip_address' Firewall rules should not have both 'start_ip_address' and 'end_ip_address' set to '0.0.0.0'.", + "actualValue": "'azurerm_mysql_flexible_server_firewall_rule[mysqlflex_fw3].start_ip_address' Both 'start_ip_address' and 'end_ip_address' are set to '0.0.0.0'", + "issueType": "IncorrectValue", + "similarityID": "761fb459b0a372532cb65edb78854f7a0ae98fd55150fe7b4aee2a62b7fc2dfa", + "search_line": 35 } ] diff --git a/assets/queries/terraform/azure/use_of_user_access_administrator_role_is_not_restricted/test/positive_expected_result.json b/assets/queries/terraform/azure/use_of_user_access_administrator_role_is_not_restricted/test/positive_expected_result.json index 9201445fe72..27cd4ef73ae 100644 --- a/assets/queries/terraform/azure/use_of_user_access_administrator_role_is_not_restricted/test/positive_expected_result.json 
+++ b/assets/queries/terraform/azure/use_of_user_access_administrator_role_is_not_restricted/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "Beta - Use Of User Access Administrator Role Is Not Restricted", "severity": "MEDIUM", "line": 2, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_role_assignment", + "resourceName": "positive1", + "searchKey": "azurerm_role_assignment[positive1].role_definition_name", + "searchValue": "", + "expectedValue": "'role_definition_name' field should not be defined to 'User Access Administrator'", + "actualValue": "'role_definition_name' field is defined with 'User Access Administrator'", + "issueType": "IncorrectValue", + "similarityID": "60db4ebdd27b773d9bc25c4582d40add85df4b7d82a0ce1960aa34b0a7d546c9", + "search_line": 2 }, { "queryName": "Beta - Use Of User Access Administrator Role Is Not Restricted", "severity": "MEDIUM", "line": 2, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_role_assignment", + "resourceName": "positive2", + "searchKey": "azurerm_role_assignment[positive2].role_definition_id", + "searchValue": "", + "expectedValue": "'role_definition_id' field should not have an id associated with the 'User Access Administrator' role.", + "actualValue": "'role_definition_id' field have an id associated with the 'User Access Administrator' role.", + "issueType": "IncorrectValue", + "similarityID": "461c0d7e570564a73e67591c60b0d69810a66477b2e4b9aa3605bb7525399f58", + "search_line": 2 }, { "queryName": "Beta - Use Of User Access Administrator Role Is Not Restricted", "severity": "MEDIUM", "line": 2, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_role_assignment", + "resourceName": "positive3", + "searchKey": "azurerm_role_assignment[positive3].role_definition_name", + "searchValue": "", + "expectedValue": "'role_definition_name' field should not be defined to 'User Access Administrator'", + "actualValue": "'role_definition_name' field is defined with 'User Access Administrator'", + "issueType": "IncorrectValue", + 
"similarityID": "7c1ebee666341f8440dc021a14f7232b6c50f6a6ce229bccbbf1b0dbce22a497", + "search_line": 2 }, { "queryName": "Beta - Use Of User Access Administrator Role Is Not Restricted", "severity": "MEDIUM", "line": 2, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "azurerm_role_assignment", + "resourceName": "positive4", + "searchKey": "azurerm_role_assignment[positive4].role_definition_id", + "searchValue": "", + "expectedValue": "'role_definition_id' field should not have an id associated with the 'User Access Administrator' role.", + "actualValue": "'role_definition_id' field have an id associated with the 'User Access Administrator' role.", + "issueType": "IncorrectValue", + "similarityID": "a65f56a238b075ac9eacf1ed7eaa3b24159241bb80d146b37719fcc68c713e43", + "search_line": 2 }, { "queryName": "Beta - Use Of User Access Administrator Role Is Not Restricted", "severity": "MEDIUM", "line": 2, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "azurerm_role_assignment", + "resourceName": "positive5", + "searchKey": "azurerm_role_assignment[positive5].role_definition_name", + "searchValue": "", + "expectedValue": "'role_definition_name' field should not be defined to 'User Access Administrator'", + "actualValue": "'role_definition_name' field is defined with 'User Access Administrator'", + "issueType": "IncorrectValue", + "similarityID": "85900f9804eeaa1cc8d01c7e2d1c2df74f222b432a9530a6eab77e56868b9e6a", + "search_line": 2 }, { "queryName": "Beta - Use Of User Access Administrator Role Is Not Restricted", "severity": "MEDIUM", "line": 2, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "azurerm_role_assignment", + "resourceName": "positive6", + "searchKey": "azurerm_role_assignment[positive6].role_definition_id", + "searchValue": "", + "expectedValue": "'role_definition_id' field should not have an id associated with the 'User Access Administrator' role.", + "actualValue": 
"'role_definition_id' field have an id associated with the 'User Access Administrator' role.", + "issueType": "IncorrectValue", + "similarityID": "86b4410ede95b61446b36d6ca32a61276219157c06e67c4142a65d21e94343e3", + "search_line": 2 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/vault_auditing_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/vault_auditing_disabled/test/positive_expected_result.json index 5b955eb3023..e51eb8c5532 100644 --- a/assets/queries/terraform/azure/vault_auditing_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/vault_auditing_disabled/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Vault Auditing Disabled", "severity": "MEDIUM", - "line": 16 + "line": 16, + "fileName": "positive.tf", + "resourceType": "azurerm_key_vault", + "resourceName": "testvault", + "searchKey": "azurerm_key_vault[example1]", + "searchValue": "", + "expectedValue": "'azurerm_key_vault' should be associated with 'azurerm_monitor_diagnostic_setting'", + "actualValue": "'azurerm_key_vault' is not associated with 'azurerm_monitor_diagnostic_setting'", + "issueType": "MissingAttribute", + "similarityID": "71ec5c2cf5067cbd7afb7e693561d1971abcb9498b9012af8b58b94ef1f4955c", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/test/positive_expected_result.json index e47a40f00a2..286fd124719 100644 --- a/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Virtual Network with DDoS Protection Plan disabled", "severity": "LOW", "line": 18, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_virtual_network", + "resourceName": "virtualNetwork1", + "searchKey": "azurerm_virtual_network[positive1]", + "searchValue": "", + "expectedValue": "'azurerm_virtual_network[positive1].ddos_protection_plan' should be defined and not null", + "actualValue": "'azurerm_virtual_network[positive1].ddos_protection_plan' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "9711e4832b8254fce33e46122af864d830d03f386dadcb8f46703f1181823afa", + "search_line": 18 }, { "queryName": "Virtual Network with DDoS Protection Plan disabled", "severity": "LOW", "line": 27, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_virtual_network", + "resourceName": "virtualNetwork1", + "searchKey": "azurerm_virtual_network[positive1].ddos_protection_plan.enable", + "searchValue": "", + "expectedValue": "'azurerm_virtual_network[positive1].ddos_protection_plan.enable' should be set to true", + "actualValue": "'azurerm_virtual_network[positive1].ddos_protection_plan.enable' is set to false", + "issueType": "IncorrectValue", + "similarityID": "99491bfaedd66a6dfa779817520997fef8c0f401e17b4e88ae52bbf4b664ab81", + "search_line": 27 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/vm_not_attached_to_network/test/positive_expected_result.json b/assets/queries/terraform/azure/vm_not_attached_to_network/test/positive_expected_result.json index 344ed2f15ef..6afc08f0072 100644 --- a/assets/queries/terraform/azure/vm_not_attached_to_network/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/vm_not_attached_to_network/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "VM Not Attached To Network", "severity": "MEDIUM", - "line": 5 + "line": 5, + "fileName": "positive.tf", + "resourceType": "azurerm_virtual_machine", + "resourceName": "${var.prefix}-vm", + "searchKey": "azurerm_virtual_machine[positive1].network_interface_ids", + "searchValue": "", + "expectedValue": "'azurerm_virtual_machine[positive1].network_interface_ids' list should not be empty", + "actualValue": "'azurerm_virtual_machine[positive1].network_interface_ids' list is empty", + "issueType": "IncorrectValue", + "similarityID": "acba253bba57628ec78c2c32b33ed3b193901a59502c8692c34fadb2e10c7200", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/azure/vm_with_automatic_updates_disabled/test/positive_expected_result.json b/assets/queries/terraform/azure/vm_with_automatic_updates_disabled/test/positive_expected_result.json index 2370f2b2431..027e4b404a1 100644 --- a/assets/queries/terraform/azure/vm_with_automatic_updates_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/vm_with_automatic_updates_disabled/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "Beta - VM With Automatic Updates Disabled", "severity": "MEDIUM", - "line": 11 + "line": 11, + "fileName": "positive.tf", + "resourceType": "azurerm_windows_virtual_machine", + "resourceName": "positive1-machine", + "searchKey": "azurerm_windows_virtual_machine[positive1].enable_automatic_updates", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine[positive1].enable_automatic_updates' should be set to 'true'", + "actualValue": "'azurerm_windows_virtual_machine[positive1].enable_automatic_updates' is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "1f25f187721663c3a636edee034690ef7c3084f116a21a715f7bdda3bcdfef4a", + "search_line": 11 }, { "queryName": "Beta - VM With Automatic Updates Disabled", "severity": "MEDIUM", - "line": 24 + "line": 24, + "fileName": "positive.tf", + "resourceType": "azurerm_windows_virtual_machine", + "resourceName": "positive2-machine", + "searchKey": "azurerm_windows_virtual_machine[positive2].automatic_updates_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine[positive2].automatic_updates_enabled' should be set to 'true'", + "actualValue": "'azurerm_windows_virtual_machine[positive2].automatic_updates_enabled' is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "9bdda8c50ff313d8871c63b8e13951872a6adb1daee0f86ddaf535b1c02ac1a7", + "search_line": 24 }, { "queryName": "Beta - VM With Automatic Updates Disabled", "severity": "MEDIUM", - "line": 37 + "line": 37, + "fileName": "positive.tf", + "resourceType": "azurerm_windows_virtual_machine_scale_set", + "resourceName": "positive3-vmss", + "searchKey": "azurerm_windows_virtual_machine_scale_set[positive3].enable_automatic_updates", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine_scale_set[positive3].enable_automatic_updates' should be set to 'true'", + "actualValue": 
"'azurerm_windows_virtual_machine_scale_set[positive3].enable_automatic_updates' is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "5397414fb0198048d7e859dbbbd24164f464d1bcd5635f62e22a8e08c2d117bf", + "search_line": 37 } ] diff --git a/assets/queries/terraform/azure/vm_with_extension_operations_enabled/test/positive_expected_result.json b/assets/queries/terraform/azure/vm_with_extension_operations_enabled/test/positive_expected_result.json index 10913b2c611..fbfaea4d66f 100644 --- a/assets/queries/terraform/azure/vm_with_extension_operations_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/vm_with_extension_operations_enabled/test/positive_expected_result.json 
@@ -3,48 +3,120 @@ "queryName": "Beta - VM With Extension Operations Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "positive1_1-machine", + "searchKey": "azurerm_linux_virtual_machine[positive1_1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[positive1_1].allow_extension_operations' should be defined and set to 'false'", + "actualValue": "'azurerm_linux_virtual_machine[positive1_1].allow_extension_operations' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "193e11fd1bf74c4b2013282e48a4ec38b48eb74f22360adc0889b93108f86dc2", + "search_line": 1 }, { "queryName": "Beta - VM With Extension Operations Enabled", "severity": "MEDIUM", "line": 24, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "positive1_2-machine", + "searchKey": "azurerm_linux_virtual_machine[positive1_2].allow_extension_operations", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[positive1_2].allow_extension_operations' should be defined and set to 'false'", + "actualValue": "'azurerm_linux_virtual_machine[positive1_2].allow_extension_operations' is set to 'true'", + "issueType": "IncorrectValue", + "similarityID": "28ab49418c20ee065d0c8bc3e862b67e695ba1ebcf802ace9519d19c176457fb", + "search_line": 24 }, { "queryName": "Beta - VM With Extension Operations Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_virtual_machine_scale_set", + "resourceName": "positive2_1-vmss", + "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_1].extension_operations_enabled' should be defined and set to 'false'", + "actualValue": 
"'azurerm_linux_virtual_machine_scale_set[positive2_1].extension_operations_enabled' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "57003f2fb67bd7e46bca38a19a34477efd4fb1f0b58e31064ae99e091ec5fcf9", + "search_line": 1 }, { "queryName": "Beta - VM With Extension Operations Enabled", "severity": "MEDIUM", "line": 20, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_virtual_machine_scale_set", + "resourceName": "positive2_2-vmss", + "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_2].extension_operations_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].extension_operations_enabled' should be defined and set to 'false'", + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].extension_operations_enabled' is set to 'true'", + "issueType": "IncorrectValue", + "similarityID": "57e70e3f111f0f68993683e8369584843fbae329021748568c46d43b02555d7f", + "search_line": 20 }, { "queryName": "Beta - VM With Extension Operations Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_windows_virtual_machine", + "resourceName": "positive3_1-machine", + "searchKey": "azurerm_windows_virtual_machine[positive3_1]", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine[positive3_1].allow_extension_operations' should be defined and set to 'false'", + "actualValue": "'azurerm_windows_virtual_machine[positive3_1].allow_extension_operations' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "05098d1f981350d4e74e76f7ac20689ed7ed080aec1b3cff59cf04ac80dd97fa", + "search_line": 1 }, { "queryName": "Beta - VM With Extension Operations Enabled", "severity": "MEDIUM", "line": 22, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_windows_virtual_machine", + "resourceName": 
"positive3_2-machine", + "searchKey": "azurerm_windows_virtual_machine[positive3_2].allow_extension_operations", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine[positive3_2].allow_extension_operations' should be defined and set to 'false'", + "actualValue": "'azurerm_windows_virtual_machine[positive3_2].allow_extension_operations' is set to 'true'", + "issueType": "IncorrectValue", + "similarityID": "dfa972d598b0c8115066157d9ff2944f0559fef50fb5aa1af9fa295cd042f38f", + "search_line": 22 }, { "queryName": "Beta - VM With Extension Operations Enabled", "severity": "MEDIUM", "line": 1, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "azurerm_windows_virtual_machine_scale_set", + "resourceName": "positive4_1-vmss", + "searchKey": "azurerm_windows_virtual_machine_scale_set[positive4_1]", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine_scale_set[positive4_1].extension_operations_enabled' should be defined and set to 'false'", + "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive4_1].extension_operations_enabled' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "cdfd5c2e1d000d30f2cbfece322ead43560e7aef17c3f2cd1920d014f4bfcdad", + "search_line": 1 }, { "queryName": "Beta - VM With Extension Operations Enabled", "severity": "MEDIUM", "line": 20, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "azurerm_windows_virtual_machine_scale_set", + "resourceName": "positive4_2-machine", + "searchKey": "azurerm_windows_virtual_machine_scale_set[positive4_2].extension_operations_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine_scale_set[positive4_2].extension_operations_enabled' should be defined and set to 'false'", + "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive4_2].extension_operations_enabled' is set to 'true'", + "issueType": "IncorrectValue", + "similarityID": 
"9324b66a9389b8080761bc401e534dbfc1c4447c4baa45276d767af8acf807e0", + "search_line": 20 } ] diff --git a/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/test/positive_expected_result.json b/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/test/positive_expected_result.json index e7c8041e0ee..c78cd9fefb3 100644 --- a/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set/test/positive_expected_result.json 
@@ -3,54 +3,135 @@ "queryName": "Beta - VM Without Admin SSH Public Key Set", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "positive1_1-machine", + "searchKey": "azurerm_linux_virtual_machine[positive1_1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[positive1_1].admin_ssh_key.public_key' should be defined and not null", + "actualValue": "'azurerm_linux_virtual_machine[positive1_1].admin_ssh_key' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "762217b276d9bf55972203d0d87b6e9e90ad10b533e85a190813637049626e9b", + "search_line": 1 }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", "severity": "MEDIUM", "line": 24, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "positive1_2-machine", + "searchKey": "azurerm_linux_virtual_machine[positive1_2].admin_ssh_key", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[positive1_2].admin_ssh_key.public_key' should be defined and not null", + "actualValue": "'azurerm_linux_virtual_machine[positive1_2].admin_ssh_key.public_key' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "1eb827f93afdb465eb6abf0569aa230c5b0fac3efe76c948206be2b5fa57f48a", + "search_line": 24 }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", "severity": "MEDIUM", "line": 40, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "positive1_3-machine", + "searchKey": "azurerm_linux_virtual_machine[positive1_3].admin_ssh_key[0]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[positive1_3].admin_ssh_key.public_key' should be defined and not null", + "actualValue": "'azurerm_linux_virtual_machine[positive1_3].admin_ssh_key[0].public_key' is 
undefined or null", + "issueType": "MissingAttribute", + "similarityID": "aa854a9ef2d57ce4542a02cee84a2d7e8fb5b5ed16266944b2ccafe6dfad2e17", + "search_line": 40 }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", "severity": "MEDIUM", "line": 45, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "positive1_3-machine", + "searchKey": "azurerm_linux_virtual_machine[positive1_3].admin_ssh_key[1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[positive1_3].admin_ssh_key.public_key' should be defined and not null", + "actualValue": "'azurerm_linux_virtual_machine[positive1_3].admin_ssh_key[1].public_key' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "5d450ada39f79531aeefbe7a3d6e78892319e754d3c83818b0c8c27f4f696987", + "search_line": 45 }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", "severity": "MEDIUM", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_virtual_machine_scale_set", + "resourceName": "positive2_1-machine", + "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_1].admin_ssh_key.public_key' should be defined and not null", + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_1].admin_ssh_key' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "fbdad954a777d3cc6be09d87ee13224ab88c9b3a5ee9f1e9285571a3b67f2981", + "search_line": 1 }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", "severity": "MEDIUM", "line": 24, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_virtual_machine_scale_set", + "resourceName": "positive2_2-machine", + "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_2].admin_ssh_key", + "searchValue": "", + 
"expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].admin_ssh_key.public_key' should be defined and not null", + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].admin_ssh_key.public_key' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "9ff8eebac1a981d4304b3ce68a60c246cd4d20f2d79c23793df99b54931b5fe0", + "search_line": 24 }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", "severity": "MEDIUM", "line": 40, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_virtual_machine_scale_set", + "resourceName": "positive2_3-machine", + "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_3].admin_ssh_key[0]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_3].admin_ssh_key.public_key' should be defined and not null", + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_3].admin_ssh_key[0].public_key' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "41e80c417fe4e290bf97963fc621bbf8a311223694296a0ad8d3f5ad55a492a4", + "search_line": 40 }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", "severity": "MEDIUM", "line": 45, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_virtual_machine_scale_set", + "resourceName": "positive2_3-machine", + "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_3].admin_ssh_key[1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_3].admin_ssh_key.public_key' should be defined and not null", + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_3].admin_ssh_key[1].public_key' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "849c6299d6c23ef205c79a6b06cee5e18a717693d5e2a0527d9311389c03deb8", + "search_line": 45 }, { "queryName": "Beta - VM Without Admin SSH Public Key Set", 
"severity": "MEDIUM", "line": 20, - "fileName": "positive3.json" + "fileName": "positive3.json", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "example-vm", + "searchKey": "azurerm_linux_virtual_machine[module.example_module.azurerm_linux_virtual_machine.example_vm[0]].admin_ssh_key", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[module.example_module.azurerm_linux_virtual_machine.example_vm[0]].admin_ssh_key.public_key' should be defined and not null", + "actualValue": "'azurerm_linux_virtual_machine[module.example_module.azurerm_linux_virtual_machine.example_vm[0]].admin_ssh_key' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "292c2a386979d0dfaa415301fc95360cbecb6b76b500c52c831223aab17860c3", + "search_line": 20 } ] diff --git a/assets/queries/terraform/azure/vm_without_encryption_at_host/test/positive_expected_result.json b/assets/queries/terraform/azure/vm_without_encryption_at_host/test/positive_expected_result.json index 96ca9c2ebfc..2a3ec6d11ea 100644 --- a/assets/queries/terraform/azure/vm_without_encryption_at_host/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/vm_without_encryption_at_host/test/positive_expected_result.json 
@@ -3,48 +3,120 @@ "queryName": "Beta - VM Without Encryption At Host", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "positive1_1-machine", + "searchKey": "azurerm_linux_virtual_machine[positive1_1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[positive1_1].encryption_at_host_enabled' should be defined and set to 'true'", + "actualValue": "'azurerm_linux_virtual_machine[positive1_1].encryption_at_host_enabled' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "1bb0e0a766750baf7a267590f152dc432fbbfc6573e678dfb0100109ca562eb0", + "search_line": 1 }, { "queryName": "Beta - VM Without Encryption At Host", "severity": "LOW", "line": 24, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "azurerm_linux_virtual_machine", + "resourceName": "positive1_2-machine", + "searchKey": "azurerm_linux_virtual_machine[positive1_2].encryption_at_host_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine[positive1_2].encryption_at_host_enabled' should be defined and set to 'true'", + "actualValue": "'azurerm_linux_virtual_machine[positive1_2].encryption_at_host_enabled' is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "1dc680d562cd633aba18addd8c8fe2ffebf2ddf638d90ce5fa85dff05cfccbc7", + "search_line": 24 }, { "queryName": "Beta - VM Without Encryption At Host", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_virtual_machine_scale_set", + "resourceName": "positive2_1-vmss", + "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_1]", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_1].encryption_at_host_enabled' should be defined and set to 'true'", + "actualValue": 
"'azurerm_linux_virtual_machine_scale_set[positive2_1].encryption_at_host_enabled' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "f9e8f071bf5fe55414f05affc30674e08e2306ff84098e09b4f7600440a542c3", + "search_line": 1 }, { "queryName": "Beta - VM Without Encryption At Host", "severity": "LOW", "line": 20, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "azurerm_linux_virtual_machine_scale_set", + "resourceName": "positive2_2-vmss", + "searchKey": "azurerm_linux_virtual_machine_scale_set[positive2_2].encryption_at_host_enabled", + "searchValue": "", + "expectedValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].encryption_at_host_enabled' should be defined and set to 'true'", + "actualValue": "'azurerm_linux_virtual_machine_scale_set[positive2_2].encryption_at_host_enabled' is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "74225d05537607dfdc10d9f0df20f9b688b581b6fb1b917e4b37eb62d94c0c0d", + "search_line": 20 }, { "queryName": "Beta - VM Without Encryption At Host", "severity": "LOW", "line": 1, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_windows_virtual_machine", + "resourceName": "positive3_1-machine", + "searchKey": "azurerm_windows_virtual_machine[positive3_1]", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine[positive3_1].encryption_at_host_enabled' should be defined and set to 'true'", + "actualValue": "'azurerm_windows_virtual_machine[positive3_1].encryption_at_host_enabled' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "98a64db7f54a2c1e09f677fca1b505fcc9514c1f335d783cd1535e06eb324f8a", + "search_line": 1 }, { "queryName": "Beta - VM Without Encryption At Host", "severity": "LOW", "line": 22, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "azurerm_windows_virtual_machine", + "resourceName": "positive3_2-machine", + "searchKey": 
"azurerm_windows_virtual_machine[positive3_2].encryption_at_host_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine[positive3_2].encryption_at_host_enabled' should be defined and set to 'true'", + "actualValue": "'azurerm_windows_virtual_machine[positive3_2].encryption_at_host_enabled' is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "47af2052da63c3e8e8307e65cbad226a713bc778e077edf8fd4ec33c7ef4e711", + "search_line": 22 }, { "queryName": "Beta - VM Without Encryption At Host", "severity": "LOW", "line": 1, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "azurerm_windows_virtual_machine_scale_set", + "resourceName": "positive4_1-vmss", + "searchKey": "azurerm_windows_virtual_machine_scale_set[positive4_1]", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine_scale_set[positive4_1].encryption_at_host_enabled' should be defined and set to 'true'", + "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive4_1].encryption_at_host_enabled' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "831833ff20616303a71f920b36b4ddcafef9a111da4c34337cbddfbe3d55ee62", + "search_line": 1 }, { "queryName": "Beta - VM Without Encryption At Host", "severity": "LOW", "line": 20, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "azurerm_windows_virtual_machine_scale_set", + "resourceName": "positive4_2-machine", + "searchKey": "azurerm_windows_virtual_machine_scale_set[positive4_2].encryption_at_host_enabled", + "searchValue": "", + "expectedValue": "'azurerm_windows_virtual_machine_scale_set[positive4_2].encryption_at_host_enabled' should be defined and set to 'true'", + "actualValue": "'azurerm_windows_virtual_machine_scale_set[positive4_2].encryption_at_host_enabled' is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "2e6520a0879378fe64f3c968ac61b470a02b3cfbfdb38b9193760595981c7ea6", + 
"search_line": 20 } ] diff --git a/assets/queries/terraform/azure/vm_without_managed_disk/test/positive_expected_result.json b/assets/queries/terraform/azure/vm_without_managed_disk/test/positive_expected_result.json index f38283bec56..ba8a6f71624 100644 --- a/assets/queries/terraform/azure/vm_without_managed_disk/test/positive_expected_result.json +++ b/assets/queries/terraform/azure/vm_without_managed_disk/test/positive_expected_result.json 
@@ -3,54 +3,135 @@
 "queryName": "Beta - VM Without Managed Disk",
 "severity": "MEDIUM",
 "line": 1,
- "filename": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "azurerm_virtual_machine",
+ "resourceName": "${var.prefix}-vm",
+ "searchKey": "azurerm_virtual_machine[positive1]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_virtual_machine[positive1].storage_os_disk' should be defined and not null",
+ "actualValue": "'azurerm_virtual_machine[positive1].storage_os_disk' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "7232f4debfe1f9b1683484f38243bc22acafecc5268aacc37c5fa672841e6a7e",
+ "search_line": 1
 },
 {
 "queryName": "Beta - VM Without Managed Disk",
 "severity": "MEDIUM",
 "line": 21,
- "filename": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "azurerm_virtual_machine",
+ "resourceName": "${var.prefix}-vm",
+ "searchKey": "azurerm_virtual_machine[positive1_2].storage_os_disk.vhd_uri",
+ "searchValue": "",
+ "expectedValue": "'azurerm_virtual_machine[positive1_2].storage_os_disk.vhd_uri' should not be set",
+ "actualValue": "'azurerm_virtual_machine[positive1_2].storage_os_disk.vhd_uri' is set",
+ "issueType": "IncorrectValue",
+ "similarityID": "d2121b01e38f4d40651c237b74b5cf01e6e4d576644364349877eadbd59fde50",
+ "search_line": 21
 },
 {
 "queryName": "Beta - VM Without Managed Disk",
 "severity": "MEDIUM",
 "line": 34,
- "filename": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "azurerm_virtual_machine",
+ "resourceName": "${var.prefix}-vm",
+ "searchKey": "azurerm_virtual_machine[positive1_3].storage_os_disk",
+ "searchValue": "",
+ "expectedValue": "'azurerm_virtual_machine[positive1_3].storage_os_disk' should define a 'managed_disk_id' or 'managed_disk_type'",
+ "actualValue": "'azurerm_virtual_machine[positive1_3].storage_os_disk' does not define or sets to null 'managed_disk_id' and 'managed_disk_type'",
+ "issueType": "MissingAttribute",
+ "similarityID": "6d07bfed77f93fc410b9296bd9220da386cff13c7772a6bb74c75d03c2d9e632",
+ "search_line": 34
 },
 {
 "queryName": "Beta - VM Without Managed Disk",
 "severity": "MEDIUM",
 "line": 1,
- "filename": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "azurerm_linux_virtual_machine",
+ "resourceName": "positive2-machine",
+ "searchKey": "azurerm_linux_virtual_machine[positive2]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_linux_virtual_machine[positive2].os_managed_disk_id' should be defined and not null",
+ "actualValue": "'azurerm_linux_virtual_machine[positive2].os_managed_disk_id' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "9e2fad1d31683146f33c4ca2677bda298a260daf866afe59c73aa2d0df9a6e2e",
+ "search_line": 1
 },
 {
 "queryName": "Beta - VM Without Managed Disk",
 "severity": "MEDIUM",
 "line": 1,
- "filename": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "azurerm_windows_virtual_machine",
+ "resourceName": "positive3-machine",
+ "searchKey": "azurerm_windows_virtual_machine[positive3]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_windows_virtual_machine[positive3].os_managed_disk_id' should be defined and not null",
+ "actualValue": "'azurerm_windows_virtual_machine[positive3].os_managed_disk_id' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "7a4566290802734960f4f4a5875c1111d7177397418a8b713c49c7501f552576",
+ "search_line": 1
 },
 {
 "queryName": "Beta - VM Without Managed Disk",
 "severity": "MEDIUM",
 "line": 10,
- "filename": "positive4.tf"
+ "fileName": "positive4.tf",
+ "resourceType": "azurerm_virtual_machine_scale_set",
+ "resourceName": "vmss-premium-positive4_1",
+ "searchKey": "azurerm_virtual_machine_scale_set[positive4_1].storage_profile_os_disk.vhd_containers",
+ "searchValue": "",
+ "expectedValue": "'azurerm_virtual_machine_scale_set[positive4_1].storage_profile_os_disk.vhd_containers' should not be set",
+ "actualValue": "'azurerm_virtual_machine_scale_set[positive4_1].storage_profile_os_disk.vhd_containers' is set",
+ "issueType": "IncorrectValue",
+ "similarityID": "af9a1dd82e340b1c0b4e146d162b02e24b544f18b938384754e71d2734773867",
+ "search_line": 10
 },
 {
 "queryName": "Beta - VM Without Managed Disk",
 "severity": "MEDIUM",
 "line": 23,
- "filename": "positive4.tf"
+ "fileName": "positive4.tf",
+ "resourceType": "azurerm_virtual_machine_scale_set",
+ "resourceName": "vmss-premium-positive4_2",
+ "searchKey": "azurerm_virtual_machine_scale_set[positive4_2].storage_profile_os_disk",
+ "searchValue": "",
+ "expectedValue": "'azurerm_virtual_machine_scale_set[positive4_2].storage_profile_os_disk.managed_disk_type' should be defined and not null",
+ "actualValue": "'azurerm_virtual_machine_scale_set[positive4_2].storage_profile_os_disk.managed_disk_type' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "d8ad82ffe0d9dc847e4dae3c82ac2f343394ece4af511176dcdd2c0027eda8dc",
+ "search_line": 23
 },
 {
 "queryName": "Beta - VM Without Managed Disk",
 "severity": "MEDIUM",
 "line": 18,
- "filename": "positive5.tf"
+ "fileName": "positive5.tf",
+ "resourceType": "azurerm_virtual_machine",
+ "resourceName": "${var.prefix}-vm",
+ "searchKey": "azurerm_virtual_machine[positive5].storage_os_disk.vhd_uri",
+ "searchValue": "",
+ "expectedValue": "'azurerm_virtual_machine[positive5].storage_os_disk.vhd_uri' should not be set",
+ "actualValue": "'azurerm_virtual_machine[positive5].storage_os_disk.vhd_uri' is set",
+ "issueType": "IncorrectValue",
+ "similarityID": "45b5e9e0cbfc29d012678c54efc6cdad905712e673d6225b823f456b18215020",
+ "search_line": 18
 },
 {
 "queryName": "Beta - VM Without Managed Disk",
 "severity": "MEDIUM",
 "line": 16,
- "filename": "positive6.tf"
+ "fileName": "positive6.tf",
+ "resourceType": "azurerm_virtual_machine",
+ "resourceName": "${var.prefix}-vm",
+ "searchKey": "azurerm_virtual_machine[positive6].storage_os_disk",
+ "searchValue": "",
+ "expectedValue": "'azurerm_virtual_machine[positive6].storage_os_disk' should define a 'managed_disk_id' or 'managed_disk_type'",
+ "actualValue": "'azurerm_virtual_machine[positive6].storage_os_disk' does not define or sets to null 'managed_disk_id' and 'managed_disk_type'",
+ "issueType": "MissingAttribute",
+ "similarityID": "443431512ff68e73ce9d7c09ddca36072a6fabeb24945c5a622b408255167c9d",
+ "search_line": 16
 }
 ]
diff --git a/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json b/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json
index ed082b15181..26fee1a5034 100644
--- a/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway/test/positive_expected_result.json
@@ -2,11 +2,31 @@
 {
 "queryName": "WAF Is Disabled For Azure Application Gateway",
 "severity": "MEDIUM",
- "line": 7
+ "line": 7,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_application_gateway",
+ "resourceName": "example-appgateway",
+ "searchKey": "azurerm_application_gateway[positive1].waf_configuration.enabled",
+ "searchValue": "",
+ "expectedValue": "'azurerm_application_gateway[positive1].waf_configuration.enabled' is true",
+ "actualValue": "'azurerm_application_gateway[positive1].waf_configuration.enabled' is false",
+ "issueType": "IncorrectValue",
+ "similarityID": "62ac3c60860adc0aa5ad7b62ee3c3d0d4b7136b704496ecb3efb2c3d4141ee02",
+ "search_line": 7
 },
 {
 "queryName": "WAF Is Disabled For Azure Application Gateway",
 "severity": "MEDIUM",
- "line": 11
+ "line": 11,
+ "fileName": "positive.tf",
+ "resourceType": "azurerm_application_gateway",
+ "resourceName": "example-appgateway",
+ "searchKey": "azurerm_application_gateway[positive2]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_application_gateway[positive2]' should be set",
+ "actualValue": "'azurerm_application_gateway[positive2]' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "acc2871ee81c3c02b692b3e7313e03de8bd0d1fecd27b86050e99ec84c0d138d",
+ "search_line": 11
 }
 ]
diff --git a/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json b/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json
index a85ef677c82..2c208b40bb9 100644
--- a/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json
+++ b/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https/test/positive_expected_result.json
@@ -3,36 +3,90 @@
 "queryName": "Web App Accepting Traffic Other Than HTTPS",
 "severity": "MEDIUM",
 "line": 12,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "azurerm_app_service",
+ "resourceName": "example-app-service",
+ "searchKey": "azurerm_app_service[positive1-1].https_only",
+ "searchValue": "",
+ "expectedValue": "'azurerm_app_service[positive1-1].https_only' should be set to true",
+ "actualValue": "'azurerm_app_service[positive1-1].https_only' is not set to true",
+ "issueType": "IncorrectValue",
+ "similarityID": "1c8847b9b4e0c1687e17e8d21e1f890a426a76e8ea8fcf8c998819c68626d877",
+ "search_line": 12
 },
 {
 "queryName": "Web App Accepting Traffic Other Than HTTPS",
 "severity": "MEDIUM",
 "line": 15,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "azurerm_app_service",
+ "resourceName": "example-app-service",
+ "searchKey": "azurerm_app_service[positive1-2]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_app_service[positive1-2].https_only' should be defined and set to true",
+ "actualValue": "'azurerm_app_service[positive1-2].https_only' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "76946e5a8bfab64ea0d9d99cff761967162108123d6cee4662c88fcccdcef16b",
+ "search_line": 15
 },
 {
 "queryName": "Web App Accepting Traffic Other Than HTTPS",
 "severity": "MEDIUM",
 "line": 12,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "azurerm_linux_web_app",
+ "resourceName": "example-app-service",
+ "searchKey": "azurerm_linux_web_app[positive2-1].https_only",
+ "searchValue": "",
+ "expectedValue": "'azurerm_linux_web_app[positive2-1].https_only' should be set to true",
+ "actualValue": "'azurerm_linux_web_app[positive2-1].https_only' is not set to true",
+ "issueType": "IncorrectValue",
+ "similarityID": "6955692058da13968d1eb0740055544efc59d255a7d15da998ffacd17e841429",
+ "search_line": 12
 },
 {
 "queryName": "Web App Accepting Traffic Other Than HTTPS",
 "severity": "MEDIUM",
 "line": 15,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "azurerm_linux_web_app",
+ "resourceName": "example-app-service",
+ "searchKey": "azurerm_linux_web_app[positive2-2]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_linux_web_app[positive2-2].https_only' should be defined and set to true",
+ "actualValue": "'azurerm_linux_web_app[positive2-2].https_only' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "bd4f39db8cafd75253cb97de09713bbbf798a05fff32290102ba199c75959c9d",
+ "search_line": 15
 },
 {
 "queryName": "Web App Accepting Traffic Other Than HTTPS",
 "severity": "MEDIUM",
 "line": 12,
- "fileName": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "azurerm_windows_web_app",
+ "resourceName": "example-app-service",
+ "searchKey": "azurerm_windows_web_app[positive3-1].https_only",
+ "searchValue": "",
+ "expectedValue": "'azurerm_windows_web_app[positive3-1].https_only' should be set to true",
+ "actualValue": "'azurerm_windows_web_app[positive3-1].https_only' is not set to true",
+ "issueType": "IncorrectValue",
+ "similarityID": "ed8e7340d4f07407b4f789a9195dfac95699839c0eaac005ec0c18d360597e4b",
+ "search_line": 12
 },
 {
 "queryName": "Web App Accepting Traffic Other Than HTTPS",
 "severity": "MEDIUM",
 "line": 15,
- "fileName": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "azurerm_windows_web_app",
+ "resourceName": "example-app-service",
+ "searchKey": "azurerm_windows_web_app[positive3-2]",
+ "searchValue": "",
+ "expectedValue": "'azurerm_windows_web_app[positive3-2].https_only' should be defined and set to true",
+ "actualValue": "'azurerm_windows_web_app[positive3-2].https_only' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "bd47a2b887224e3d265c00510062599afee6c3c4fedc5e45314040bf2e0a0603",
+ "search_line": 15
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive_expected_result.json b/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive_expected_result.json
index 7b122be2d1e..07a9b05ca29 100644
--- a/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive_expected_result.json
+++ b/assets/queries/terraform/databricks/autoscale_badly_setup/test/positive_expected_result.json
@@ -1,14 +1,32 @@
 [
- {
- "queryName": "Databricks Autoscale Badly Setup",
- "severity": "MEDIUM",
- "line": 6,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Databricks Autoscale Badly Setup",
- "severity": "MEDIUM",
- "line": 6,
- "fileName": "positive2.tf"
- }
+ {
+ "queryName": "Databricks Autoscale Badly Setup",
+ "severity": "MEDIUM",
+ "line": 6,
+ "fileName": "positive1.tf",
+ "resourceType": "databricks_cluster",
+ "resourceName": "positive1",
+ "searchKey": "databricks_cluster[positive1].autoscale",
+ "searchValue": "max_workers",
+ "expectedValue": "'databricks_cluster[positive1].autoscale.max_workers' should not be empty",
+ "actualValue": "'databricks_cluster[positive1].autoscale.max_workers' is not setup'",
+ "issueType": "MissingAttribute",
+ "similarityID": "eee03c9d9dad1b724bbef6795578aa8591db43c880242f72250ae4545b77565b",
+ "search_line": 6
+ },
+ {
+ "queryName": "Databricks Autoscale Badly Setup",
+ "severity": "MEDIUM",
+ "line": 6,
+ "fileName": "positive2.tf",
+ "resourceType": "databricks_cluster",
+ "resourceName": "positive2",
+ "searchKey": "databricks_cluster[positive2].autoscale",
+ "searchValue": "min_workers",
+ "expectedValue": "'databricks_cluster[positive2].autoscale.min_workers' should not be empty",
+ "actualValue": "'databricks_cluster[positive2].autoscale.min_workers' is not setup'",
+ "issueType": "MissingAttribute",
+ "similarityID": "72c247b564ccf8f857874ffe2e9b37c294fa041bce7c0daf563ccc0f285b1a3c",
+ "search_line": 6
+ }
 ]
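Review bot: Both new `actualValue` strings end with a stray apostrophe, `'databricks_cluster[positive1].autoscale.max_workers' is not setup'`, and this fixture now pins that text as the expected output. Since the expected result mirrors what the query emits, the fix belongs in the query's message, after which the fixture would be regenerated rather than hand-edited. The use_lts_spark_version hunk later in this diff has the same dangling `'` at the end of every `expectedValue` and `actualValue`.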
diff --git a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json
index aecb1ae2f97..f1b02409d52 100644
--- a/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json
+++ b/assets/queries/terraform/databricks/cluster_aws_attributes/test/positive_expected_result.json
@@ -3,24 +3,60 @@
 "queryName": "Check Databricks Cluster AWS Attribute Best Practices",
 "severity": "LOW",
 "line": 11,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "databricks_cluster",
+ "resourceName": "positive1",
+ "searchKey": "databricks_cluster[positive1].aws_attributes.availability",
+ "searchValue": "",
+ "expectedValue": "'databricks_cluster[positive1].aws_attributes.availability' should not be equal to 'SPOT'",
+ "actualValue": "'databricks_cluster[positive1].aws_attributes.availability' is equal to 'SPOT'",
+ "issueType": "IncorrectValue",
+ "similarityID": "36f1eedc78ff1d9cc61667858178ee88a6564e66985b85c3e7bf52ba1f07b03d",
+ "search_line": -1
 },
 {
 "queryName": "Check Databricks Cluster AWS Attribute Best Practices",
 "severity": "LOW",
 "line": 13,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "databricks_cluster",
+ "resourceName": "positive2",
+ "searchKey": "databricks_cluster[positive2].aws_attributes.first_on_demand",
+ "searchValue": "",
+ "expectedValue": "'databricks_cluster[positive2].aws_attributes.first_on_demand' should not be equal to '0'",
+ "actualValue": "'databricks_cluster[positive2].aws_attributes.first_on_demand' is equal to '0'",
+ "issueType": "IncorrectValue",
+ "similarityID": "4e6d7db5d794d342b5e8d85d8efe50201f58ff6bbfad923514825ef05a8f126d",
+ "search_line": -1
 },
 {
 "queryName": "Check Databricks Cluster AWS Attribute Best Practices",
 "severity": "LOW",
 "line": 10,
- "fileName": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "databricks_cluster",
+ "resourceName": "positive3",
+ "searchKey": "databricks_cluster[positive3].aws_attributes.first_on_demand",
+ "searchValue": "",
+ "expectedValue": "'databricks_cluster[positive3].aws_attributes.first_on_demand' should present",
+ "actualValue": "'databricks_cluster[positive3].aws_attributes.first_on_demand' is not present",
+ "issueType": "IncorrectValue",
+ "similarityID": "e79a4553c7379a417351c1414697b8e529a321eaa5fc2d623cb272054c020bf2",
+ "search_line": -1
 },
 {
 "queryName": "Check Databricks Cluster AWS Attribute Best Practices",
 "severity": "LOW",
 "line": 12,
- "fileName": "positive4.tf"
+ "fileName": "positive4.tf",
+ "resourceType": "databricks_cluster",
+ "resourceName": "positive4",
+ "searchKey": "databricks_cluster[positive4].aws_attributes.zone_id",
+ "searchValue": "",
+ "expectedValue": "'databricks_cluster[positive4].aws_attributes.zone_id' should be egal to 'auto'",
+ "actualValue": "'databricks_cluster[positive4].aws_attributes.zone_id' is not equal to 'auto'",
+ "issueType": "IncorrectValue",
+ "similarityID": "e44b41d597063d3b7257c4628713016c9fe3ffa9f65bcc1639c04564aa2bb25a",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json b/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json
index 088648d2169..70d571d6148 100644
--- a/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json
+++ b/assets/queries/terraform/databricks/cluster_azure_attributes/test/positive_expected_result.json
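Review bot: The positive4 entry's `expectedValue` reads `should be egal to 'auto'`, a typo in the query's message text that this fixture now freezes; correcting it in the query first would avoid a second regeneration of the file. Every new entry in this hunk and in the databricks fixtures that follow carries `"search_line": -1` while `line` is set to a concrete value; if -1 means the line for the searchKey could not be resolved, that seems worth a look given how small these test files are, though it may simply be what the query reports.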
@@ -3,18 +3,45 @@
 "queryName": "Check Databricks Cluster Azure Attribute Best Practices",
 "severity": "LOW",
 "line": 11,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "databricks_cluster",
+ "resourceName": "positive1",
+ "searchKey": "databricks_cluster[positive1].azure_attributes.availability",
+ "searchValue": "",
+ "expectedValue": "'databricks_cluster[positive1].azure_attributes.availability' should not be equal to 'SPOT'",
+ "actualValue": "'databricks_cluster[positive1].azure_attributes.availability' is equal to 'SPOT'",
+ "issueType": "IncorrectValue",
+ "similarityID": "b52c56883a3a4393d03fab52d7045f092187c27e5fbef5060b959e3a02762f65",
+ "search_line": -1
 },
 {
 "queryName": "Check Databricks Cluster Azure Attribute Best Practices",
 "severity": "LOW",
 "line": 12,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "databricks_cluster",
+ "resourceName": "positive2",
+ "searchKey": "databricks_cluster[positive2].azure_attributes.first_on_demand",
+ "searchValue": "",
+ "expectedValue": "'databricks_cluster[positive2].azure_attributes.first_on_demand' should not be equal to '0'",
+ "actualValue": "'databricks_cluster[positive2].azure_attributes.first_on_demand' is equal to '0'",
+ "issueType": "IncorrectValue",
+ "similarityID": "ae5cad3144cb5354754899e460756d3df75468ba4339f1863e341f3a8ae315b8",
+ "search_line": -1
 },
 {
 "queryName": "Check Databricks Cluster Azure Attribute Best Practices",
 "severity": "LOW",
 "line": 10,
- "fileName": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "databricks_cluster",
+ "resourceName": "positive3",
+ "searchKey": "databricks_cluster[positive3].azure_attributes.first_on_demand",
+ "searchValue": "",
+ "expectedValue": "'databricks_cluster[positive3].azure_attributes.first_on_demand' should present",
+ "actualValue": "'databricks_cluster[positive3].azure_attributes.first_on_demand' is not present",
+ "issueType": "IncorrectValue",
+ "similarityID": "167d6b840ae1de416e0b56f65b3e7a161ce2f13e0fe91f43762480206f3f5f8b",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json
index 25a6cb6b10d..98718b705a1 100644
--- a/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json
+++ b/assets/queries/terraform/databricks/cluster_gcp_attributes/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "Check Databricks Cluster GCP Attribute Best Practices",
 "severity": "LOW",
 "line": 11,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "databricks_cluster",
+ "resourceName": "positive",
+ "searchKey": "databricks_cluster[positive].gcp_attributes.availability",
+ "searchValue": "",
+ "expectedValue": "'databricks_cluster[positive].gcp_attributes.availability' should not be equal to 'SPOT'",
+ "actualValue": "'databricks_cluster[positive].gcp_attributes.availability' is equal to 'SPOT'",
+ "issueType": "IncorrectValue",
+ "similarityID": "c818d11a74b07b0ab82819f991e7faf386c2924e624af9ba8b9b00388ab97192",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/terraform/databricks/databricks_permissions/test/positive_expected_result.json b/assets/queries/terraform/databricks/databricks_permissions/test/positive_expected_result.json
index fa8ae3b3161..e336418e60e 100755
--- a/assets/queries/terraform/databricks/databricks_permissions/test/positive_expected_result.json
+++ b/assets/queries/terraform/databricks/databricks_permissions/test/positive_expected_result.json
@@ -3,24 +3,60 @@
 "queryName": "Databricks Cluster or Job With None Or Insecure Permission(s)",
 "severity": "HIGH",
 "line": 16,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "databricks_job",
+ "resourceName": "Featurization",
+ "searchKey": "databricks_job[positive1_error]",
+ "searchValue": "",
+ "expectedValue": "'databricks_job[positive1_error]' should have permissions",
+ "actualValue": "'databricks_job[positive1_error]' doesn't have permission associated",
+ "issueType": "MissingAttribute",
+ "similarityID": "1ddf5ba943f3d7a9084347f15974247ac5359bf571b534147967f79ae58b19ed",
+ "search_line": -1
 },
 {
 "queryName": "Databricks Cluster or Job With None Or Insecure Permission(s)",
 "severity": "HIGH",
 "line": 12,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "databricks_cluster",
+ "resourceName": "positive2_error",
+ "searchKey": "databricks_cluster[positive2_error]",
+ "searchValue": "",
+ "expectedValue": "'databricks_cluster[positive2_error]' should have permissions",
+ "actualValue": "'databricks_cluster[positive2_error]' doesn't have permission associated",
+ "issueType": "MissingAttribute",
+ "similarityID": "f08df77247d7d982f5a1cf7cd28cc1200d88e58abe274ab8a9569beb7cb7e183",
+ "search_line": -1
 },
 {
 "queryName": "Databricks Cluster or Job With None Or Insecure Permission(s)",
 "severity": "HIGH",
 "line": 16,
- "fileName": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "databricks_permissions",
+ "resourceName": "positive3",
+ "searchKey": "databricks_permissions.[positive3]",
+ "searchValue": "",
+ "expectedValue": "'databricks_permissions[positive3]' should not have permission_level == 'IS_OWNER' without service_principal_name associated",
+ "actualValue": "'databricks_permissions[positive3]' have permission_level == 'IS_OWNER' without service_principal_name associated",
+ "issueType": "IncorrectValue",
+ "similarityID": "9f253e06b42b4359599bbe23ba6adf6fc9cb18fef6c750603042b1f9f2f53aa6",
+ "search_line": -1
 },
 {
 "queryName": "Databricks Cluster or Job With None Or Insecure Permission(s)",
 "severity": "HIGH",
 "line": 16,
- "fileName": "positive4.tf"
+ "fileName": "positive4.tf",
+ "resourceType": "databricks_permissions",
+ "resourceName": "positive4",
+ "searchKey": "databricks_permissions.[positive4]",
+ "searchValue": "",
+ "expectedValue": "'databricks_permissions[positive4]' should not have permission_level == 'IS_OWNER' without service_principal_name associated",
+ "actualValue": "'databricks_permissions[positive4]' have permission_level == 'IS_OWNER' without service_principal_name associated",
+ "issueType": "IncorrectValue",
+ "similarityID": "2b997cf934211734f5e6e4d0827b138e5fa6ea54bdd24e55da9b83763a63d0fc",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/positive_expected_result.json b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/positive_expected_result.json
index 0fadf818ea4..0567e88205c 100644
--- a/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/positive_expected_result.json
+++ b/assets/queries/terraform/databricks/group_without_user_or_instance_profile/test/positive_expected_result.json
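Review bot: The positive3 and positive4 entries pin `"searchKey": "databricks_permissions.[positive3]"` with a stray `.` before the bracket, while the `expectedValue`/`actualValue` strings in the same entries use `'databricks_permissions[positive3]'`; the first two entries in this hunk have no such dot. Since the similarity ID is, as far as I know, derived from the searchKey, fixing the key in the query later will also change the two `similarityID` hashes recorded here, so it would be cheaper to correct it before this fixture lands.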
@@ -1,14 +1,32 @@
 [
- {
- "queryName": "Databricks Group Without User Or Instance Profile",
- "severity": "LOW",
- "line": 16,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Databricks Group Without User Or Instance Profile",
- "severity": "LOW",
- "line": 14,
- "fileName": "positive2.tf"
- }
+ {
+ "queryName": "Databricks Group Without User Or Instance Profile",
+ "severity": "LOW",
+ "line": 16,
+ "fileName": "positive1.tf",
+ "resourceType": "aws_databricks_group",
+ "resourceName": "Some Group",
+ "searchKey": "databricks_group[positive_group_2]",
+ "searchValue": "",
+ "expectedValue": "aws_databricks_group[positive_group_2] should be associated with an databricks_group_member that has at least one user set",
+ "actualValue": "aws_databricks_group[positive_group_2] is not associated with an databricks_group_member that has at least one user set",
+ "issueType": "MissingAttribute",
+ "similarityID": "a5dd85b4aa3f4558a88d3475562e1e547f0512135c9e8d07790c365f9da37fdd",
+ "search_line": -1
+ },
+ {
+ "queryName": "Databricks Group Without User Or Instance Profile",
+ "severity": "LOW",
+ "line": 14,
+ "fileName": "positive2.tf",
+ "resourceType": "aws_databricks_group",
+ "resourceName": "my_group_name",
+ "searchKey": "databricks_group[positive_group2]",
+ "searchValue": "",
+ "expectedValue": "aws_databricks_group[positive_group2] should be associated with an databricks_group_member that has at least one user set",
+ "actualValue": "aws_databricks_group[positive_group2] is not associated with an databricks_group_member that has at least one user set",
+ "issueType": "MissingAttribute",
+ "similarityID": "294baab60f97d9821d49292234c67f82b6ca3fccd74c655eb64ad984f393e193",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/terraform/databricks/indefinitely_obo_token/test/positive_expected_result.json b/assets/queries/terraform/databricks/indefinitely_obo_token/test/positive_expected_result.json
index cc134659b5a..bc7d14e3e82 100644
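Review bot: Both new entries record `"resourceType": "aws_databricks_group"` and repeat that `aws_` prefix in `expectedValue`/`actualValue`, while the `searchKey` in the same entries is `databricks_group[positive_group_2]`; nothing in the hunk shows an `aws_databricks_group` resource, so the prefix looks like a leftover in the query's output rather than the resource actually being matched. The use_lts_spark_version hunk has a similar mismatch in its positive3 entry, where `resourceType` is `databricks_spark_version` but the searchKey is `databricks_cluster[positive3_research].spark_version`. Both are worth settling in the queries before these values are frozen into the fixtures.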
--- a/assets/queries/terraform/databricks/indefinitely_obo_token/test/positive_expected_result.json
+++ b/assets/queries/terraform/databricks/indefinitely_obo_token/test/positive_expected_result.json
@@ -1,8 +1,17 @@
 [
- {
- "queryName": "Indefinitely Databricks OBO Token Lifetime",
- "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "Indefinitely Databricks OBO Token Lifetime",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive.tf",
+ "resourceType": "databricks_obo_token",
+ "resourceName": "positive",
+ "searchKey": "databricks_obo_token[positive]",
+ "searchValue": "",
+ "expectedValue": "'databricks_obo_token[positive]' should not have indefinitely lifetime",
+ "actualValue": "'databricks_obo_token[positive]' have an indefinitely lifetime",
+ "issueType": "MissingAttribute",
+ "similarityID": "65d5590b11a59afc019ff3543254dcee9347ef905c8cd9711976043bb04ab374",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/terraform/databricks/indefinitely_token/test/positive_expected_result.json b/assets/queries/terraform/databricks/indefinitely_token/test/positive_expected_result.json
index 804551b008f..b0d29d1f54e 100644
--- a/assets/queries/terraform/databricks/indefinitely_token/test/positive_expected_result.json
+++ b/assets/queries/terraform/databricks/indefinitely_token/test/positive_expected_result.json
@@ -1,8 +1,17 @@
 [
- {
- "queryName": "Indefinitely Databricks Token Lifetime",
- "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "Indefinitely Databricks Token Lifetime",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive.tf",
+ "resourceType": "databricks_token",
+ "resourceName": "positive",
+ "searchKey": "databricks_token[positive]",
+ "searchValue": "",
+ "expectedValue": "'databricks_token[positive]' should not have indefinitely lifetime",
+ "actualValue": "'databricks_token[positive]' have an indefinitely lifetime",
+ "issueType": "MissingAttribute",
+ "similarityID": "6a729d320a2b88dd383197d70cc3dc3bdb5b711970ad481bc08ece6d62873ace",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/terraform/databricks/unrestricted_acl/test/positive_expected_result.json b/assets/queries/terraform/databricks/unrestricted_acl/test/positive_expected_result.json
index a70c25b0fd1..879d10b9330 100644
--- a/assets/queries/terraform/databricks/unrestricted_acl/test/positive_expected_result.json
+++ b/assets/queries/terraform/databricks/unrestricted_acl/test/positive_expected_result.json
@@ -1,14 +1,32 @@
 [
- {
- "queryName": "Unrestricted Databricks ACL",
- "severity": "HIGH",
- "line": 10,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Unrestricted Databricks ACL",
- "severity": "HIGH",
- "line": 10,
- "fileName": "positive2.tf"
- }
+ {
+ "queryName": "Unrestricted Databricks ACL",
+ "severity": "HIGH",
+ "line": 10,
+ "fileName": "positive1.tf",
+ "resourceType": "databricks_ip_access_list",
+ "resourceName": "positive1",
+ "searchKey": "databricks_ip_access_list[positive1].ip_addresses",
+ "searchValue": "",
+ "expectedValue": "'databricks_ip_access_list[positive1].ip_addresses' should not be equal to '0.0.0.0/0' or '::/0'",
+ "actualValue": "'databricks_ip_access_list[positive1].ip_addresses' is equal to '0.0.0.0/0' or '::/0'",
+ "issueType": "IncorrectValue",
+ "similarityID": "fa90e4c6edd8d47ce308883dd8eea6b997318c1e7a729c6003b644e637a49cef",
+ "search_line": -1
+ },
+ {
+ "queryName": "Unrestricted Databricks ACL",
+ "severity": "HIGH",
+ "line": 10,
+ "fileName": "positive2.tf",
+ "resourceType": "databricks_ip_access_list",
+ "resourceName": "positive2",
+ "searchKey": "databricks_ip_access_list[positive2].ip_addresses",
+ "searchValue": "",
+ "expectedValue": "'databricks_ip_access_list[positive2].ip_addresses' should not be equal to '0.0.0.0/0' or '::/0'",
+ "actualValue": "'databricks_ip_access_list[positive2].ip_addresses' is equal to '0.0.0.0/0' or '::/0'",
+ "issueType": "IncorrectValue",
+ "similarityID": "1b5a8de1c701302e1972ad682114d7df425c948092f617bd48711bea542eb95c",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/terraform/databricks/use_lts_spark_version/test/positive_expected_result.json b/assets/queries/terraform/databricks/use_lts_spark_version/test/positive_expected_result.json
index 470a1b1b315..2306cffe89b 100644
--- a/assets/queries/terraform/databricks/use_lts_spark_version/test/positive_expected_result.json
+++ b/assets/queries/terraform/databricks/use_lts_spark_version/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "Check use no LTS Spark Version", "severity": "LOW", "line": 8, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "databricks_spark_version", + "resourceName": "postive1_gpu_ml", + "searchKey": "databricks_spark_version[postive1_gpu_ml].long_term_support", + "searchValue": "", + "expectedValue": "'databricks_spark_version[postive1_gpu_ml]' should be a LTS version'", + "actualValue": "'databricks_spark_version[postive1_gpu_ml]' is not a LTS version'", + "issueType": "IncorrectValue", + "similarityID": "8ef421bb2376d5ba63abeba9abd416da4595f355ef8d2f6a19888a030d5d9a39", + "search_line": -1 }, { "queryName": "Check use no LTS Spark Version", "severity": "LOW", "line": 11, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "databricks_spark_version", + "resourceName": "positive2_gpu_ml", + "searchKey": "databricks_spark_version[positive2_gpu_ml].long_term_support", + "searchValue": "", + "expectedValue": "'databricks_spark_version[positive2_gpu_ml]' should be a LTS version'", + "actualValue": "'databricks_spark_version[positive2_gpu_ml]' is not a LTS version'", + "issueType": "IncorrectValue", + "similarityID": "d1587df99a081102d958eaf758e544969be19273f3e12a420ffa2c795a201012", + "search_line": -1 }, { "queryName": "Check use no LTS Spark Version", "severity": "LOW", "line": 10, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "databricks_spark_version", + "resourceName": "positive3_research", + "searchKey": "databricks_cluster[positive3_research].spark_version", + "searchValue": "", + "expectedValue": "'databricks_cluster[positive3_research].spark_version' should be a LTS version'", + "actualValue": "'databricks_cluster[positive3_research].spark_version' is not a LTS version'", + "issueType": "IncorrectValue", + "similarityID": "464c2203a00ff8ef75439895ccf6a6632add2b3a0c64e51b6d64d07fbbfd5dd7", + "search_line": -1 } ] 
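Review bot: Every expectedValue and actualValue in this hunk ends in an unbalanced quote (`should be a LTS version'`, `is not a LTS version'`), so the regenerated fixture now pins a malformed message that presumably comes from the query's sprintf template rather than from the scan itself. The right order is to fix the template (drop the trailing apostrophe, e.g. `'databricks_spark_version[%s]' should be a LTS version`) and then regenerate; hand-editing this JSON would only make the test disagree with the scanner. The third entry also records `resourceType` as `databricks_spark_version` while its `searchKey` points at `databricks_cluster[positive3_research].spark_version`; worth confirming against positive3.tf that the finding is attributed to the intended resource before locking it in.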
diff --git a/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json b/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json index 435ab8cd80c..058aea3eb9a 100644 --- a/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json +++ b/assets/queries/terraform/databricks/use_spark_submit_task/test/positive_expected_result.json 
@@ -1,14 +1,32 @@ [ - { - "queryName": "Job's Task is Legacy (spark_submit_task)", - "severity": "MEDIUM", - "line": 36, - "fileName": "positive1.tf" - }, - { - "queryName": "Job's Task is Legacy (spark_submit_task)", - "severity": "MEDIUM", - "line": 18, - "fileName": "positive2.tf" - } + { + "queryName": "Job's Task is Legacy (spark_submit_task)", + "severity": "MEDIUM", + "line": 36, + "fileName": "positive1.tf", + "resourceType": "databricks_job", + "resourceName": "Job with multiple tasks", + "searchKey": "databricks_job[positive].task.spark_submit_task", + "searchValue": "", + "expectedValue": "'databricks_job[positive].task.spark_submit_task' should not contains to 'spark_submit_task'", + "actualValue": "'databricks_job[positive].task.spark_submit_task' contains to 'spark_submit_task'", + "issueType": "IncorrectValue", + "similarityID": "cd62e9c47e3b8bc91a1f3e8742b0b39975afb508392c87582e538cbad4fb8902", + "search_line": -1 + }, + { + "queryName": "Job's Task is Legacy (spark_submit_task)", + "severity": "MEDIUM", + "line": 18, + "fileName": "positive2.tf", + "resourceType": "databricks_job", + "resourceName": "Job with multiple tasks", + "searchKey": "databricks_job[positive].task.spark_submit_task", + "searchValue": "", + "expectedValue": "'databricks_job[positive].task.spark_submit_task' should not contains to 'spark_submit_task'", + "actualValue": "'databricks_job[positive].task.spark_submit_task' contains to 'spark_submit_task'", + "issueType": "IncorrectValue", + "similarityID": "003f5fe221e6f7de530591292a949bfc28fa9235971b91e3ef63aa2097da1ce6", + "search_line": -1 + } ] diff --git a/assets/queries/terraform/gcp/bigquery_dataset_is_public/test/positive_expected_result.json b/assets/queries/terraform/gcp/bigquery_dataset_is_public/test/positive_expected_result.json index 227af76ed82..bf70bc992e0 100644 --- a/assets/queries/terraform/gcp/bigquery_dataset_is_public/test/positive_expected_result.json 
+++ b/assets/queries/terraform/gcp/bigquery_dataset_is_public/test/positive_expected_result.json @@ -1,7 +1,17 @@ [ - { - "queryName": "BigQuery Dataset Is Public", - "severity": "HIGH", - "line": 14 - } + { + "queryName": "BigQuery Dataset Is Public", + "severity": "HIGH", + "line": 14, + "fileName": "positive.tf", + "resourceType": "google_bigquery_dataset", + "resourceName": "test", + "searchKey": "google_bigquery_dataset[positive1].access.special_group", + "searchValue": "", + "expectedValue": "'access.special_group' should not equal to 'allAuthenticatedUsers'", + "actualValue": "'access.special_group' is equal to 'allAuthenticatedUsers'", + "issueType": "IncorrectValue", + "similarityID": "6fa7f2ed6cf90b1e2521603ad41c1197b0d957e3d379761cf8fecf3c0260094a", + "search_line": -1 + } ] diff --git a/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test/positive_expected_result.json index bc92565213d..01b02825d71 100644 --- a/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/cloud_asset_inventory_disabled/test/positive_expected_result.json 
@@ -3,42 +3,105 @@ "queryName": "Beta - Cloud Asset Inventory Disabled", "severity": "MEDIUM", "line": 2, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "google_project_service", + "resourceName": "positive1_1", + "searchKey": "google_project_service[positive1_1].service", + "searchValue": "", + "expectedValue": "At least one 'google_project_service.service' field should contain or be equal to 'cloudasset.googleapis.com'", + "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'", + "issueType": "IncorrectValue", + "similarityID": "569268c9884d5e0ef5b4ad14b7b46e0e59d399d632153400562f0c093929f27f", + "search_line": 2 }, { "queryName": "Beta - Cloud Asset Inventory Disabled", "severity": "MEDIUM", "line": 6, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "google_project_service", + "resourceName": "positive1_2", + "searchKey": "google_project_service[positive1_2].service", + "searchValue": "", + "expectedValue": "At least one 'google_project_service.service' field should contain or be equal to 'cloudasset.googleapis.com'", + "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'", + "issueType": "IncorrectValue", + "similarityID": "3d88ca76e41f8cc225eb7543598ce299a68be719ccec8393703405881f7a3681", + "search_line": 6 }, { "queryName": "Beta - Cloud Asset Inventory Disabled", "severity": "MEDIUM", "line": 6, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "google_project_service", + "resourceName": "positive_2", + "searchKey": "google_project_service[positive_2].service", + "searchValue": "", + "expectedValue": "At least one 'google_project_service.service' field should contain or be equal to 'cloudasset.googleapis.com'", + "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'", + "issueType": "IncorrectValue", + 
"similarityID": "0eb5efd2fede6c6431422a9d4f68324d3067c0ece2b7392014cdd0a2f992fbc3", + "search_line": 6 }, { "queryName": "Beta - Cloud Asset Inventory Disabled", "severity": "MEDIUM", "line": 6, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "google_project_service", + "resourceName": "positive_3", + "searchKey": "google_project_service[positive_3].service", + "searchValue": "", + "expectedValue": "At least one 'google_project_service.service' field should contain or be equal to 'cloudasset.googleapis.com'", + "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'", + "issueType": "IncorrectValue", + "similarityID": "6ac5f87ac21ee7ff09316a6d61e2049a5bdf9c8ea8b2589bc72f3df33aa9293b", + "search_line": 6 }, { "queryName": "Beta - Cloud Asset Inventory Disabled", "severity": "MEDIUM", "line": 7, - "filename": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "google_project_service", + "resourceName": "positive_4", + "searchKey": "google_project_service[positive_4].service", + "searchValue": "", + "expectedValue": "At least one 'google_project_service.service' field should contain or be equal to 'cloudasset.googleapis.com'", + "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'", + "issueType": "IncorrectValue", + "similarityID": "aeaeeb082b5fea87b72ac72bbd6074f280a2c4acf489953f4913b3fd857a36b0", + "search_line": 7 }, { "queryName": "Beta - Cloud Asset Inventory Disabled", "severity": "MEDIUM", "line": 10, - "filename": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "google_project_service", + "resourceName": "positive_5", + "searchKey": "google_project_service[positive_5].service", + "searchValue": "", + "expectedValue": "At least one 'google_project_service.service' field should contain or be equal to 'cloudasset.googleapis.com'", + "actualValue": "No 'google_project_service.service' field contains 
or is equal to 'cloudasset.googleapis.com'", + "issueType": "IncorrectValue", + "similarityID": "2ad01585c3c65eb3d29ac7d2bfc077ffc749003cbce2d5ba60e6a976dc29ae8b", + "search_line": 10 }, { "queryName": "Beta - Cloud Asset Inventory Disabled", "severity": "MEDIUM", "line": 10, - "filename": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "google_project_service", + "resourceName": "positive_6", + "searchKey": "google_project_service[positive_6].service", + "searchValue": "", + "expectedValue": "At least one 'google_project_service.service' field should contain or be equal to 'cloudasset.googleapis.com'", + "actualValue": "No 'google_project_service.service' field contains or is equal to 'cloudasset.googleapis.com'", + "issueType": "IncorrectValue", + "similarityID": "4f8d7438bc5a7cfd871d34efd08f103d311a6bfd76ad0426ec91e85120e35027", + "search_line": 10 } ] diff --git a/assets/queries/terraform/gcp/cloud_dns_without_dnssec/test/positive_expected_result.json b/assets/queries/terraform/gcp/cloud_dns_without_dnssec/test/positive_expected_result.json index 331cfe387e7..7d7ef220f0e 100755 --- a/assets/queries/terraform/gcp/cloud_dns_without_dnssec/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/cloud_dns_without_dnssec/test/positive_expected_result.json @@ -1,7 +1,17 @@ [ - { - "queryName": "Cloud DNS Without DNSSEC", - "severity": "MEDIUM", - "line": 10 - } + { + "queryName": "Cloud DNS Without DNSSEC", + "severity": "MEDIUM", + "line": 10, + "fileName": "positive.tf", + "resourceType": "google_dns_managed_zone", + "resourceName": "foobar", + "searchKey": "google_dns_managed_zone[positive1].dnssec_config.state", + "searchValue": "", + "expectedValue": "'dnssec_config.state' should equal to 'on'", + "actualValue": "'dnssec_config.state' is not equal to 'on'", + "issueType": "IncorrectValue", + "similarityID": "05aa68fb56e32f56beb80fefde6d736e92bf8561597813d3572dd931a9fa86a7", + "search_line": 10 + } ] 
diff --git a/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json index 37abd5f3a06..c7bab4b6354 100644 --- a/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "Cloud Storage Anonymous or Publicly Accessible", "severity": "CRITICAL", - "line": 5 + "line": 5, + "fileName": "positive.tf", + "resourceType": "google_storage_bucket_iam_binding", + "resourceName": "positive1", + "searchKey": "google_storage_bucket_iam_binding[positive1].members", + "searchValue": "", + "expectedValue": "'google_storage_bucket_iam_binding[positive1].members' should not be null", + "actualValue": "'google_storage_bucket_iam_binding[positive1].members' is null", + "issueType": "IncorrectValue", + "similarityID": "46f9cc3e9530d0b2b54aff72ad596edc59ee7e6c3ddda714285664d935fa67dd", + "search_line": -1 }, { "queryName": "Cloud Storage Anonymous or Publicly Accessible", "severity": "CRITICAL", - "line": 11 + "line": 11, + "fileName": "positive.tf", + "resourceType": "google_storage_bucket_iam_binding", + "resourceName": "positive2", + "searchKey": "google_storage_bucket_iam_binding[positive2].members", + "searchValue": "", + "expectedValue": "'google_storage_bucket_iam_binding[positive2].members' should not have 'allUsers'", + "actualValue": "'google_storage_bucket_iam_binding[positive2].members' has 'allUsers'", + "issueType": "IncorrectValue", + "similarityID": "5f4dc8983fba28166b17220a206503e268c2cc6d854bcf404f011165066e9de4", + "search_line": -1 }, { "queryName": "Cloud Storage Anonymous or Publicly Accessible", "severity": "CRITICAL", - "line": 17 + "line": 17, + "fileName": "positive.tf", + "resourceType": "google_storage_bucket_iam_binding", + "resourceName": "positive3", + "searchKey": "google_storage_bucket_iam_binding[positive3].members", + "searchValue": "", + "expectedValue": "'google_storage_bucket_iam_binding[positive3].members' should not have 'allAuthenticatedUsers'", + "actualValue": "'google_storage_bucket_iam_binding[positive3].members' has 'allAuthenticatedUsers'", + "issueType": "IncorrectValue", + "similarityID": "3cf9151787a91833019957994c8501912d7d9a425965ad887aca9f26784320e1", + "search_line": 
-1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json index e6f735ed5d3..fb77d7ec551 100644 --- a/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible/test/positive_expected_result.json @@ -2,11 +2,31 @@ { "queryName": "Cloud Storage Bucket Is Publicly Accessible", "severity": "MEDIUM", - "line": 4 + "line": 4, + "fileName": "positive.tf", + "resourceType": "google_storage_bucket_iam_member", + "resourceName": "positive1", + "searchKey": "google_storage_bucket_iam_member[positive1].member", + "searchValue": "", + "expectedValue": "'member' not equal to 'allUsers' nor 'allAuthenticatedUsers'", + "actualValue": "'member' equal to 'allUsers'", + "issueType": "IncorrectValue", + "similarityID": "1d17171c18b20b36083dac51d95266a1602e1df4c65bb6457199b404a750684c", + "search_line": -1 }, { "queryName": "Cloud Storage Bucket Is Publicly Accessible", "severity": "MEDIUM", - "line": 17 + "line": 17, + "fileName": "positive.tf", + "resourceType": "google_storage_bucket_iam_member", + "resourceName": "positive2", + "searchKey": "google_storage_bucket_iam_member[positive2].members", + "searchValue": "", + "expectedValue": "None of the 'members' equal to 'allUsers' nor 'allAuthenticatedUsers'", + "actualValue": "One of the 'members' equal to 'allUsers' or 'allAuthenticatedUsers'", + "issueType": "IncorrectValue", + "similarityID": "c05b3a5dda1c89aacc93c0e213fa925372f1cc8c368123e7a42a889756b66468", + "search_line": -1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json index 01998d13ef7..04824e1b01f 100644 --- a/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Cloud Storage Bucket Logging Not Enabled", "severity": "MEDIUM", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "google_storage_bucket", + "resourceName": "auto-expiring-bucket", + "searchKey": "google_storage_bucket[positive1]", + "searchValue": "", + "expectedValue": "'google_storage_bucket.logging' should be set", + "actualValue": "'google_storage_bucket.logging' is undefined", + "issueType": "MissingAttribute", + "similarityID": "1b88e96832d3ba86cc161031054bbd15788a733f9beed64d989663c35f142653", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json index af8d756621b..aacba75659c 100644 --- a/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Cloud Storage Bucket Versioning Disabled", "severity": "MEDIUM", - "line": 6 + "line": 6, + "fileName": "positive.tf", + "resourceType": "google_storage_bucket", + "resourceName": "foo", + "searchKey": "google_storage_bucket[positive1].versioning.enabled", + "searchValue": "", + "expectedValue": "'versioning.enabled' should be true", + "actualValue": "'versioning.enabled' is false", + "issueType": "IncorrectValue", + "similarityID": "2899ea3ba237818d1a31b2386501e9ab5175f8fe944435c7f569ea338ea4aa44", + "search_line": -1 }, { "queryName": "Cloud Storage Bucket Versioning Disabled", "severity": "MEDIUM", - "line": 10 + "line": 10, + "fileName": "positive.tf", + "resourceType": "google_storage_bucket", + "resourceName": "foo", + "searchKey": "google_storage_bucket[positive2]", + "searchValue": "", + "expectedValue": "'versioning' should be defined and not null", + "actualValue": "'versioning' it undefined or null", + "issueType": "MissingAttribute", + "similarityID": "dacc501958515d88d26db5715946a688b647aac62882b162baa16a3120117a89", + "search_line": 10 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/cluster_labels_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/cluster_labels_disabled/test/positive_expected_result.json index 42d70de1c7a..62d0ffb757a 100644 --- a/assets/queries/terraform/gcp/cluster_labels_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/cluster_labels_disabled/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "Cluster Labels Disabled", "severity": "LOW", - "line": 2 + "line": 2, + "fileName": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive1]", + "searchValue": "", + "expectedValue": "Attribute 'resource_labels' should be defined", + "actualValue": "Attribute 'resource_labels' is undefined", + "issueType": "MissingAttribute", + "similarityID": "77c078b2e2976e3e1a22703da90b673bfe30dc48fa1f56f954e718d9329aaf8f", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/cluster_without_network_policy_support_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/cluster_without_network_policy_support_enabled/test/positive_expected_result.json index 58bbf39ea53..fb00aa77521 100644 --- a/assets/queries/terraform/gcp/cluster_without_network_policy_support_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/cluster_without_network_policy_support_enabled/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Beta - Cluster Without Network Policy Support Enabled", "severity": "MEDIUM", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "gke-network-policy-cluster", + "searchKey": "google_container_cluster[positive1]", + "searchValue": "", + "expectedValue": "'google_container_cluster[positive1].network_policy' should be defined and not null", + "actualValue": "'google_container_cluster[positive1].network_policy' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "7ccf20a9aeb869b7c23670e5861465e70ec3d0801b32d48d6610aa9ae615bec7", + "search_line": 1 }, { "queryName": "Beta - Cluster Without Network Policy Support Enabled", "severity": "MEDIUM", - "line": 17 + "line": 17, + "fileName": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "gke-network-policy-cluster", + "searchKey": "google_container_cluster[positive2].network_policy.enabled", + "searchValue": "", + "expectedValue": "'google_container_cluster[positive2].network_policy.enabled' should be set to 'true'", + "actualValue": "'google_container_cluster[positive2].network_policy.enabled' is set to 'false'", + "issueType": "IncorrectValue", + "similarityID": "7dfeb1d72f535bc6dc804b6ba278b8ccf2c7ddf10915da1c5b98c4c507520db8", + "search_line": 17 } ] diff --git a/assets/queries/terraform/gcp/cos_node_image_not_used/test/positive_expected_result.json b/assets/queries/terraform/gcp/cos_node_image_not_used/test/positive_expected_result.json index 893e73a5d31..6aa7d41914e 100644 --- a/assets/queries/terraform/gcp/cos_node_image_not_used/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/cos_node_image_not_used/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "COS Node Image Not Used", "severity": "LOW", - "line": 16 + "line": 16, + "fileName": "positive.tf", + "resourceType": "google_container_node_pool", + "resourceName": "primary-pool", + "searchKey": "google_container_node_pool[positive2].node_config.image_type", + "searchValue": "", + "expectedValue": "'node_config.image_type' should start with 'COS'", + "actualValue": "'node_config.image_type' does not start with 'COS'", + "issueType": "IncorrectValue", + "similarityID": "6c7e979f9b05c369572d7c72b68918f2c1ca0f8090fcd644691ef23d1c7f7ac8", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/disk_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/disk_encryption_disabled/test/positive_expected_result.json index db3426b9872..841b4a87b1f 100644 --- a/assets/queries/terraform/gcp/disk_encryption_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/disk_encryption_disabled/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", "line": 1, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "google_compute_disk", + "resourceName": "test-disk", + "searchKey": "google_compute_disk[positive1]", + "searchValue": "", + "expectedValue": "'google_compute_disk[positive1].disk_encryption_key' should be defined and not null", + "actualValue": "'google_compute_disk[positive1].disk_encryption_key' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "9a190a36c6f4abbcf2ceb6b94c4a5809f1d358aff257d1e454f9d25e116ccf9f", + "search_line": -1 }, { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", "line": 22, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "google_compute_disk", + "resourceName": "test-disk", + "searchKey": "google_compute_disk[positive2].disk_encryption_key", + "searchValue": "", + "expectedValue": "'google_compute_disk[positive2].disk_encryption_key.raw_key' or 'google_compute_disk[%!s(MISSING)].disk_encryption_key.kms_key_self_link' should be defined and not null", + "actualValue": "'google_compute_disk[positive2].disk_encryption_key.raw_key' and 'google_compute_disk[%!s(MISSING)].disk_encryption_key.kms_key_self_link' are undefined or null", + "issueType": "MissingAttribute", + "similarityID": "ea1ed5a3f1ad37f142fcc78d71df8cf9f12905dde1401dde26fc9ddf7d1c2199", + "search_line": -1 }, { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", "line": 12, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "google_compute_disk", + "resourceName": "test-disk", + "searchKey": "google_compute_disk[positive3].disk_encryption_key.raw_key", + "searchValue": "", + "expectedValue": "'google_compute_disk[positive3].disk_encryption_key.raw_key' should not be empty or null", + "actualValue": "'google_compute_disk[positive3].disk_encryption_key.raw_key' is not empty or null", + "issueType": 
"IncorrectValue", + "similarityID": "242f8e1cbb318d50923537f831c1fddce7fb060caea72fdc2f465b6be2d6e569", + "search_line": -1 }, { "queryName": "Disk Encryption Disabled", "severity": "MEDIUM", "line": 12, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "google_compute_disk", + "resourceName": "test-disk", + "searchKey": "google_compute_disk[positive4].disk_encryption_key.kms_key_self_link", + "searchValue": "", + "expectedValue": "'google_compute_disk[positive4].disk_encryption_key.kms_key_self_link' should not be empty or null", + "actualValue": "'google_compute_disk[positive4].disk_encryption_key.kms_key_self_link' is not empty or null", + "issueType": "IncorrectValue", + "similarityID": "578f6c1fd21352d95402cc32af11a8f123ee4f6edce985028a34a845f66a92a7", + "search_line": -1 } ] diff --git a/assets/queries/terraform/gcp/dnssec_using_rsasha1/test/positive_expected_result.json b/assets/queries/terraform/gcp/dnssec_using_rsasha1/test/positive_expected_result.json index e62c82567da..14413a0a0a2 100644 --- a/assets/queries/terraform/gcp/dnssec_using_rsasha1/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/dnssec_using_rsasha1/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "DNSSEC Using RSASHA1", "severity": "MEDIUM", - "line": 11 + "line": 11, + "fileName": "positive.tf", + "resourceType": "google_dns_managed_zone", + "resourceName": "positive1", + "searchKey": "google_dns_managed_zone[positive1].dnssec_config.default_key_specs.algorithm", + "searchValue": "", + "expectedValue": "dnssec_config.default_key_specs.algorithm shouldn't be 'rsasha1'", + "actualValue": "dnssec_config.default_key_specs.algorithm is 'rsasha1'", + "issueType": "IncorrectValue", + "similarityID": "aad2719a4ff8175d67ac75e964c1445c0507e69ffc206b6104950f35791a0bae", + "search_line": 11 } -] \ No newline at end of file +] 
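Review bot: The positive2 entry pins `google_compute_disk[%!s(MISSING)].disk_encryption_key.kms_key_self_link` in both expectedValue and actualValue; `%!s(MISSING)` is Go's marker for a format verb with no matching argument, so the query's message template presumably has two `%s` verbs but is handed only `[name]`. The positive3 and positive4 entries are self-contradictory as well: expectedValue says the key `should not be empty or null` while actualValue says it `is not empty or null`, which describes a compliant resource rather than a finding. Fix the query's sprintf calls first (pass `[name, name]`, and word the actual value `is empty or null`) and regenerate this fixture; as committed, the test becomes a guard that keeps the broken messages in place, and these strings are exactly what a user reads when triaging an unencrypted-disk result.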
diff --git a/assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/positive_expected_result.json b/assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/positive_expected_result.json index 7d7a85318de..c7cbdc197b8 100644 --- a/assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/ensure_essential_contacts_is_configured_for_organization/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Beta - Ensure Essential Contacts Is Configured For Organization", "severity": "LOW", "line": 10, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "google_essential_contacts_contact", + "resourceName": "positive1", + "searchKey": "google_essential_contacts_contact[positive1].notification_category_subscription_field", + "searchValue": "", + "expectedValue": "'notification_category_subscription_field' should have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined", + "actualValue": "'notification_category_subscription_field' does not have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined", + "issueType": "IncorrectValue", + "similarityID": "982992f547c060b1557a078d15885df9255cbaf5edace0ab998cd41ff4f83937", + "search_line": 10 }, { "queryName": "Beta - Ensure Essential Contacts Is Configured For Organization", "severity": "LOW", "line": 10, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "google_essential_contacts_contact", + "resourceName": "positive2", + "searchKey": "google_essential_contacts_contact[positive2].notification_category_subscription_field", + "searchValue": "", + "expectedValue": "'notification_category_subscription_field' should have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined", + "actualValue": "'notification_category_subscription_field' does not have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined", + "issueType": "IncorrectValue", + "similarityID": "1ec1c6afa7974c0233e24dd435e98e958d2eb9cd9942a8ac26adc4458a0abb2f", + "search_line": 10 }, { "queryName": "Beta - Ensure Essential Contacts Is Configured For Organization", "severity": "LOW", "line": 6, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "google_essential_contacts_contact", + "resourceName": "positive3", + "searchKey": 
"google_essential_contacts_contact[positive3].notification_category_subscription_field", + "searchValue": "", + "expectedValue": "'notification_category_subscription_field' should have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined", + "actualValue": "'notification_category_subscription_field' does not have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined", + "issueType": "IncorrectValue", + "similarityID": "e44f92448ae6c533105dc6913f6888b4bdb1f60d1880e8db5ca2761b845012e6", + "search_line": 6 }, { "queryName": "Beta - Ensure Essential Contacts Is Configured For Organization", "severity": "LOW", "line": 6, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "google_essential_contacts_contact", + "resourceName": "positive4", + "searchKey": "google_essential_contacts_contact[positive4].notification_category_subscription_field", + "searchValue": "", + "expectedValue": "'notification_category_subscription_field' should have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined", + "actualValue": "'notification_category_subscription_field' does not have 'ALL' value or all 'LEGAL', 'SUSPENSION', 'TECHNICAL' and 'SECURITY' values defined", + "issueType": "IncorrectValue", + "similarityID": "b8ef769d59303851b438e95c1f250d722143666aa3bd876b2c1d7a3303d7476d", + "search_line": 6 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/ensure_gke_version_management_is_automated_using_release_channels/test/positive_expected_result.json b/assets/queries/terraform/gcp/ensure_gke_version_management_is_automated_using_release_channels/test/positive_expected_result.json index aecabd2ef92..1c2899ae61b 100644 --- a/assets/queries/terraform/gcp/ensure_gke_version_management_is_automated_using_release_channels/test/positive_expected_result.json 
+++ b/assets/queries/terraform/gcp/ensure_gke_version_management_is_automated_using_release_channels/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Beta - Ensure GKE Version Management Is Automated Using Release Channels", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "google_container_cluster", + "resourceName": "my-gke-cluster", + "searchKey": "google_container_cluster[positive1]", + "searchValue": "", + "expectedValue": "'channel' should be defined to 'STABLE' or 'REGULAR' inside the 'release_channel' block", + "actualValue": "'release_channel' block is not defined", + "issueType": "MissingAttribute", + "similarityID": "7e8425095eec73527113aa3f12ef1e9b028ac380b1366d2e92503716d61f6e0a", + "search_line": 1 }, { "queryName": "Beta - Ensure GKE Version Management Is Automated Using Release Channels", "severity": "LOW", "line": 6, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "google_container_cluster", + "resourceName": "my-gke-cluster", + "searchKey": "google_container_cluster[positive2].release_channel.channel", + "searchValue": "", + "expectedValue": "'channel' should be defined to 'STABLE' or 'REGULAR' inside the 'release_channel' block", + "actualValue": "'release_channel.channel' is defined to 'UNSPECIFIED'", + "issueType": "IncorrectValue", + "similarityID": "23fbf2a944fe76145f2f44e2e351a5ab32cf1d8f98e00641973d93b3eb18ae05", + "search_line": 6 }, { "queryName": "Beta - Ensure GKE Version Management Is Automated Using Release Channels", "severity": "LOW", "line": 6, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "google_container_cluster", + "resourceName": "my-gke-cluster", + "searchKey": "google_container_cluster[positive3].release_channel.channel", + "searchValue": "", + "expectedValue": "'channel' should be defined to 'STABLE' or 'REGULAR' inside the 'release_channel' block", + "actualValue": "'release_channel.channel' is defined to 'RAPID'", + "issueType": "IncorrectValue", + "similarityID": 
"55dd0fa412100440994d6e515d87c1e83641372867d80b261187de76140a43cd", + "search_line": 6 }, { "queryName": "Beta - Ensure GKE Version Management Is Automated Using Release Channels", "severity": "LOW", "line": 6, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "google_container_cluster", + "resourceName": "my-gke-cluster", + "searchKey": "google_container_cluster[positive4].release_channel.channel", + "searchValue": "", + "expectedValue": "'channel' should be defined to 'STABLE' or 'REGULAR' inside the 'release_channel' block", + "actualValue": "'release_channel.channel' is defined to 'EXTENDED'", + "issueType": "IncorrectValue", + "similarityID": "7bcfd4aeb9d02cea16d9794b3e76837854502e9adf896cabdd7a6aaf4b948302", + "search_line": 6 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json index d36000f3652..0c6197bdae6 100644 --- a/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/gke_legacy_authorization_enabled/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "GKE Legacy Authorization Enabled", "severity": "HIGH", - "line": 6 + "line": 6, + "fileName": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive1].enable_legacy_abac", + "searchValue": "", + "expectedValue": "Attribute 'enable_legacy_abac' should be set to false", + "actualValue": "Attribute 'enable_legacy_abac' is true", + "issueType": "IncorrectValue", + "similarityID": "da5849f20dc9ac3a791438d49020c3f9993f216af59e64b76dcad08e080c58f4", + "search_line": 6 } ] 
diff --git a/assets/queries/terraform/gcp/gke_using_default_service_account/test/positive_expected_result.json b/assets/queries/terraform/gcp/gke_using_default_service_account/test/positive_expected_result.json index e781a03f475..094100cce94 100644 --- a/assets/queries/terraform/gcp/gke_using_default_service_account/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/gke_using_default_service_account/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "GKE Using Default Service Account", "severity": "MEDIUM", "line": 7, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "google_container_cluster", + "resourceName": "my-gke-cluster", + "searchKey": "google_container_cluster[positive1].node_config", + "searchValue": "", + "expectedValue": "'service_account' should not be default", + "actualValue": "'service_account' is default", + "issueType": "IncorrectValue", + "similarityID": "1267c5923ce0deac64bd5c5de91e2d1785ff8788dbc015a9a22cb6d6078ca64a", + "search_line": 7 }, { "queryName": "GKE Using Default Service Account", "severity": "MEDIUM", "line": 8, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "google_container_cluster", + "resourceName": "my-gke-cluster", + "searchKey": "google_container_cluster[positive2].node_config.service_account", + "searchValue": "", + "expectedValue": "'service_account' should not be default", + "actualValue": "'service_account' is default", + "issueType": "IncorrectValue", + "similarityID": "39142a73ef818331d0d6404dcbc276c125331ce9c423f3e1018be03c6226001e", + "search_line": 8 } ] diff --git a/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json index 9366231c0bb..05b288bee04 100644 
--- a/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule/test/positive_expected_result.json @@ -1,8 +1,17 @@ [ - { - "queryName": "Google Compute Network Using Default Firewall Rule", - "severity": "MEDIUM", - "line": 6, - "fileName": "positive.tf" - } + { + "queryName": "Google Compute Network Using Default Firewall Rule", + "severity": "MEDIUM", + "line": 6, + "fileName": "positive.tf", + "resourceType": "google_compute_network", + "resourceName": "test-network", + "searchKey": "google_compute_network[positive1]", + "searchValue": "", + "expectedValue": "'google_compute_network[positive1]' should not be using a default firewall rule", + "actualValue": "'google_compute_network[positive1]' is using a default firewall rule", + "issueType": "IncorrectValue", + "similarityID": "4a4a3013fd106d23d5bea028471a857b9d560b44614c7bef6269cde912d6529b", + "search_line": 6 + } ] diff --git a/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json index 6a20d45ece2..ff66b2bacc1 100644 --- a/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports/test/positive_expected_result.json 
@@ -1,8 +1,17 @@ [ - { - "queryName": "Google Compute Network Using Firewall Rule that Allows All Ports", - "severity": "MEDIUM", - "line": 17, - "fileName": "positive.tf" - } + { + "queryName": "Google Compute Network Using Firewall Rule that Allows All Ports", + "severity": "MEDIUM", + "line": 17, + "fileName": "positive.tf", + "resourceType": "google_compute_network", + "resourceName": "test-network", + "searchKey": "google_compute_network[positive1]", + "searchValue": "", + "expectedValue": "'google_compute_network[positive1]' should not be using a firewall rule that allows access to all ports", + "actualValue": "'google_compute_network[positive1]' is using a firewall rule that allows access to all ports", + "issueType": "IncorrectValue", + "similarityID": "680af2837ab4db7c5b71f558f8bd60aad0787bdb30061dddb23419a9545d01d3", + "search_line": 17 + } ] diff --git a/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/test/positive_expected_result.json index 0aca9fb3041..0ff2a3414fe 100644 --- a/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Google Compute Network Using Firewall Rule that Allows Port Range", "severity": "LOW", "line": 17, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "google_compute_network", + "resourceName": "test-network", + "searchKey": "google_compute_network[positive1]", + "searchValue": "", + "expectedValue": "'google_compute_network[positive1]' should not be using a firewall rule that allows access to port range", + "actualValue": "'google_compute_network[positive1]' is using a firewall rule that allows access to port range", + "issueType": "IncorrectValue", + "similarityID": "2ce9b3593e687974814577b62966d75558ca535f26be05832ddb14afc60e33a5", + "search_line": 17 } ] diff --git a/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json index f00a4dda68f..dd74a81e715 100644 --- a/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Google Compute SSL Policy Weak Cipher In Use", "severity": "MEDIUM", - "line": 3 + "line": 3, + "fileName": "positive.tf", + "resourceType": "google_compute_ssl_policy", + "resourceName": "custom-ssl-policy", + "searchKey": "google_compute_ssl_policy[positive1].min_tls_version", + "searchValue": "", + "expectedValue": "google_compute_ssl_policy[positive1].min_tls_version should be TLS_1_2", + "actualValue": "google_compute_ssl_policy[positive1].min_tls_version is not TLS_1_2", + "issueType": "IncorrectValue", + "similarityID": "2f8a0a39544ed5f379b3ace5054866c71c8bbf07583e2488c59c6711779b417c", + "search_line": 3 }, { "queryName": "Google Compute SSL Policy Weak Cipher In Use", "severity": "MEDIUM", - "line": 8 + "line": 8, + "fileName": "positive.tf", + "resourceType": "google_compute_ssl_policy", + "resourceName": "custom-ssl-policy", + "searchKey": "google_compute_ssl_policy[positive2].min_tls_version", + "searchValue": "", + "expectedValue": "google_compute_ssl_policy[positive2].min_tls_version should be TLS_1_2", + "actualValue": "google_compute_ssl_policy[positive2].min_tls_version is undefined", + "issueType": "MissingAttribute", + "similarityID": "575183554f4c4547477f803a9d45111bef36e827df938563c3c7f111cd679c3e", + "search_line": 8 } ] diff --git a/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/test/positive_expected_result.json index 22bb34d3a69..c52b7b5184a 100644 --- a/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "Google Compute Subnetwork Logging Disabled", "severity": "MEDIUM", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "google_compute_subnetwork", + "resourceName": "log-test-subnetwork", + "searchKey": "google_compute_subnetwork[positive1]", + "searchValue": "", + "expectedValue": "'google_compute_subnetwork[positive1].log_config' should be defined and not null", + "actualValue": "'google_compute_subnetwork[positive1].log_config' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "32d30be9a3acd05b16ab28cd74dbf01aca1c23ff2fc58f1cefd7e1178b61ae2a", + "search_line": -1 } ] diff --git a/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json index 3f44181858e..413b82a5ec9 100644 --- a/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Google Compute Subnetwork with Private Google Access Disabled", "severity": "LOW", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "google_compute_subnetwork", + "resourceName": "test-subnetwork", + "searchKey": "google_compute_subnetwork[positive1]", + "searchValue": "", + "expectedValue": "'google_compute_subnetwork[positive1].private_ip_google_access' should be defined and not null", + "actualValue": "'google_compute_subnetwork[positive1].private_ip_google_access' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "36efceebb207a17f407313380f8cdfe06605fa0b8c846aafacd1ede1cd5ad7ca", + "search_line": 1 }, { "queryName": "Google Compute Subnetwork with Private Google Access Disabled", "severity": "LOW", "line": 10, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "google_compute_subnetwork", + "resourceName": "test-subnetwork", + "searchKey": "google_compute_subnetwork[positive2].private_ip_google_access", + "searchValue": "", + "expectedValue": "'google_compute_subnetwork[positive2].private_ip_google_access' should be set to true", + "actualValue": "'google_compute_subnetwork[positive2].private_ip_google_access' is set to false", + "issueType": "IncorrectValue", + "similarityID": "6e63deea6da6a870dd2603eb0158128b6fcea587a5e755e0359ecae31e3500b7", + "search_line": 10 } ] diff --git a/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json index c65451aec83..b880b179c10 100644 --- a/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Google Container Node Pool Auto Repair Disabled", "severity": "MEDIUM", - "line": 15 + "line": 15, + "fileName": "positive.tf", + "resourceType": "google_container_node_pool", + "resourceName": "my-node-pool", + "searchKey": "google_container_node_pool[positive2].management.auto_repair", + "searchValue": "", + "expectedValue": "google_container_node_pool[positive2].management.auto_repair should be true", + "actualValue": "google_container_node_pool[positive2].management.auto_repair is false", + "issueType": "IncorrectValue", + "similarityID": "96c383d426ea6224c5b1d326e53e00b2f787617b76a785f8e380d39039368ec6", + "search_line": 15 }, { "queryName": "Google Container Node Pool Auto Repair Disabled", "severity": "MEDIUM", - "line": 19 + "line": 19, + "fileName": "positive.tf", + "resourceType": "google_container_node_pool", + "resourceName": "my-node-pool", + "searchKey": "google_container_node_pool[positive3].management", + "searchValue": "", + "expectedValue": "google_container_node_pool[positive3].management.auto_repair should be defined and not null", + "actualValue": "google_container_node_pool[positive3].management.auto_repair is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "5c0aebb1efcb7aea923d56a6323d7d1f2980de83a2fc92d7344b4a286727a3f2", + "search_line": -1 } ] diff --git a/assets/queries/terraform/gcp/google_dns_policy_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_dns_policy_logging_disabled/test/positive_expected_result.json index 437c9a69345..507d7a5d66d 100644 --- a/assets/queries/terraform/gcp/google_dns_policy_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_dns_policy_logging_disabled/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Beta - Google DNS Policy Logging Disabled", "severity": "MEDIUM", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "google_dns_policy", + "resourceName": "example-policy", + "searchKey": "google_dns_policy[example-policy]", + "searchValue": "", + "expectedValue": "'google_dns_policy[example-policy].enable_logging' should be defined and set to true", + "actualValue": "'google_dns_policy[example-policy].enable_logging' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "002e65879768d1bc83215b7016a3e3851de05f331bb2aa53c4448682643b7a54", + "search_line": 1 }, { "queryName": "Beta - Google DNS Policy Logging Disabled", "severity": "MEDIUM", - "line": 11 + "line": 11, + "fileName": "positive.tf", + "resourceType": "google_dns_policy", + "resourceName": "example-policy-2", + "searchKey": "google_dns_policy[example-policy-2].enable_logging", + "searchValue": "", + "expectedValue": "'google_dns_policy[example-policy-2].enable_logging' should be defined and set to true", + "actualValue": "'google_dns_policy[example-policy-2].enable_logging' is set to false", + "issueType": "IncorrectValue", + "similarityID": "99a6bfa8fb840671294f1a73d87a2c09e772f36ce81940b21c54acfa02d7fc48", + "search_line": 11 } ] diff --git a/assets/queries/terraform/gcp/google_kubernetes_engine_cluster_has_alpha_features_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_kubernetes_engine_cluster_has_alpha_features_enabled/test/positive_expected_result.json index e3d8c46a398..03eae0a385d 100644 --- a/assets/queries/terraform/gcp/google_kubernetes_engine_cluster_has_alpha_features_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_kubernetes_engine_cluster_has_alpha_features_enabled/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "Beta - Google Kubernetes Engine Cluster Has Alpha Features Enabled", "severity": "LOW", "line": 4, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "pud-example-rg", + "searchKey": "google_container_cluster[positive].enable_kubernetes_alpha", + "searchValue": "", + "expectedValue": "'enable_kubernetes_alpha' should only be defined to 'false'", + "actualValue": "'enable_kubernetes_alpha' is defined to 'true'", + "issueType": "IncorrectValue", + "similarityID": "4a05cf5bf490b5928427e2dcc2c7d44e63b546adc8ee23e6ae042f8bc76fa8a2", + "search_line": 4 } ] diff --git a/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/test/positive_expected_result.json index 20775ac6816..5a9c2c3395b 100644 --- a/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_project_auto_create_network_disabled/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Google Project Auto Create Network Disabled", "severity": "MEDIUM", - "line": 8 + "line": 5, + "fileName": "positive.tf", + "resourceType": "google_project", + "resourceName": "My Project", + "searchKey": "google_project[positive1].auto_create_network", + "searchValue": "", + "expectedValue": "google_project[positive1].auto_create_network should be set to false", + "actualValue": "google_project[positive1].auto_create_network is true", + "issueType": "IncorrectValue", + "similarityID": "1f87c6558055c4bad9cbb26387399e0b63d798a4424ae926754c52891e9f8aaf", + "search_line": 5 }, { "queryName": "Google Project Auto Create Network Disabled", "severity": "MEDIUM", - "line": 5 + "line": 8, + "fileName": "positive.tf", + "resourceType": "google_project", + "resourceName": "My Project", + "searchKey": "google_project[positive2]", + "searchValue": "", + "expectedValue": "google_project[positive2].auto_create_network should be set to false", + "actualValue": "google_project[positive2].auto_create_network is undefined", + "issueType": "MissingAttribute", + "similarityID": "33b72733d4501a0e0d6834d69364faeac7d1f8454ca58aa948cc0dd378aaac27", + "search_line": 8 } ] diff --git a/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json index 9879c8c4b8b..cf99937c031 100644 --- a/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json 
@@ -2,21 +2,61 @@ { "queryName": "Google Project IAM Binding Service Account has Token Creator or Account User Role", "severity": "HIGH", - "line": 3 + "line": 3, + "fileName": "positive.tf", + "resourceType": "google_project_iam_binding", + "resourceName": "positive1", + "searchKey": "google_project_iam_binding[positive1].role", + "searchValue": "", + "expectedValue": "google_project_iam_binding[positive1].role should not be Service Account Token Creator", + "actualValue": "google_project_iam_binding[positive1].role is Service Account Token Creator", + "issueType": "IncorrectValue", + "similarityID": "7db9ebef4dfb676d54309936ab4db4ff45e6ed9f5d778649415b9d3511f35e0d", + "search_line": -1 }, { "queryName": "Google Project IAM Binding Service Account has Token Creator or Account User Role", "severity": "HIGH", - "line": 13 + "line": 13, + "fileName": "positive.tf", + "resourceType": "google_project_iam_binding", + "resourceName": "positive2", + "searchKey": "google_project_iam_binding[positive2].role", + "searchValue": "", + "expectedValue": "google_project_iam_binding[positive2].role should not be Service Account Token Creator", + "actualValue": "google_project_iam_binding[positive2].role is Service Account Token Creator", + "issueType": "IncorrectValue", + "similarityID": "a0cfc6da77d4bcc1977ef4464e5f11869f5b7b4547cbcd5a533c47065158f7b4", + "search_line": -1 }, { "queryName": "Google Project IAM Binding Service Account has Token Creator or Account User Role", "severity": "HIGH", - "line": 19 + "line": 19, + "fileName": "positive.tf", + "resourceType": "google_project_iam_binding", + "resourceName": "positive3", + "searchKey": "google_project_iam_binding[positive3].role", + "searchValue": "", + "expectedValue": "google_project_iam_binding[positive3].role should not be Service Account User", + "actualValue": "google_project_iam_binding[positive3].role is Service Account User", + "issueType": "IncorrectValue", + "similarityID": 
"8c56149e2223826932851221d5ab392ae6f3b8ee6420dcf5a139898836e8cf1f", + "search_line": -1 }, { "queryName": "Google Project IAM Binding Service Account has Token Creator or Account User Role", "severity": "HIGH", - "line": 29 + "line": 29, + "fileName": "positive.tf", + "resourceType": "google_project_iam_binding", + "resourceName": "positive4", + "searchKey": "google_project_iam_binding[positive4].role", + "searchValue": "", + "expectedValue": "google_project_iam_binding[positive4].role should not be Service Account User", + "actualValue": "google_project_iam_binding[positive4].role is Service Account User", + "issueType": "IncorrectValue", + "similarityID": "3629395c0d2e33a906e49a7405f69874dda7e24b6de87b61a7c237ae4c8b87bc", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/test/positive_expected_result.json index 74849105787..a9d180bcd91 100644 --- a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Google Project IAM Member Service Account Has Admin Role", "severity": "HIGH", - "line": 3 + "line": 3, + "fileName": "positive.tf", + "resourceType": "google_project_iam_member", + "resourceName": "positive1", + "searchKey": "google_project_iam_member[positive1].role", + "searchValue": "", + "expectedValue": "google_project_iam_member[positive1].role should not be admin", + "actualValue": "google_project_iam_member[positive1].role is admin", + "issueType": "IncorrectValue", + "similarityID": "e277478ddeb67265253edd47f1ec110811b91ebeda7cea287f35b96f914dfa5e", + "search_line": -1 }, { "queryName": "Google Project IAM Member Service Account Has Admin Role", "severity": "HIGH", - "line": 9 + "line": 9, + "fileName": "positive.tf", + "resourceType": "google_project_iam_member", + "resourceName": "positive2", + "searchKey": "google_project_iam_member[positive2].role", + "searchValue": "", + "expectedValue": "google_project_iam_member[positive2].role should not be admin", + "actualValue": "google_project_iam_member[positive2].role is admin", + "issueType": "IncorrectValue", + "similarityID": "4683307d598f19ed6b0366c04aeeb8f5f2e00c2c4e83d0dd308595ae3b1d4525", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json index 1c8cd5e2d32..94afd4b212a 100644 --- a/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Google Project IAM Member Service Account has Token Creator or Account User Role", "severity": "HIGH", - "line": 3 + "line": 3, + "fileName": "positive.tf", + "resourceType": "google_project_iam_member", + "resourceName": "positive1", + "searchKey": "google_project_iam_member[positive1].role", + "searchValue": "", + "expectedValue": "google_project_iam_member[positive1].role should be Service Account Token Creator", + "actualValue": "google_project_iam_member[positive1].role is not Service Account Token Creator", + "issueType": "IncorrectValue", + "similarityID": "3604bcf6b42e4200722927071c7d90bf02901e3a0518a1191a733d5b49b69a0d", + "search_line": -1 }, { "queryName": "Google Project IAM Member Service Account has Token Creator or Account User Role", "severity": "HIGH", - "line": 9 + "line": 9, + "fileName": "positive.tf", + "resourceType": "google_project_iam_member", + "resourceName": "positive2", + "searchKey": "google_project_iam_member[positive2].role", + "searchValue": "", + "expectedValue": "google_project_iam_member[positive2].role should be Service Account User", + "actualValue": "google_project_iam_member[positive2].role is not Service Account User", + "issueType": "IncorrectValue", + "similarityID": "5c604d30ba0c6e9963f9027de6ebe8fa200019da5586fa129ee44835b6c59ab9", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json index dfbb79594bf..0ecba472a22 100644 --- a/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Google Storage Bucket Level Access Disabled", "severity": "HIGH", - "line": 6 + "line": 6, + "fileName": "positive.tf", + "resourceType": "google_storage_bucket", + "resourceName": "image-store.com", + "searchKey": "google_storage_bucket[positive1].uniform_bucket_level_access", + "searchValue": "", + "expectedValue": "google_storage_bucket[positive1].uniform_bucket_level_access should be true", + "actualValue": "google_storage_bucket[positive1].uniform_bucket_level_access is false", + "issueType": "IncorrectValue", + "similarityID": "1d05855e8c12ba6b24568001ce8571aa837f993fd41a992beb113cce53338ee5", + "search_line": 6 }, { "queryName": "Google Storage Bucket Level Access Disabled", "severity": "HIGH", - "line": 20 + "line": 20, + "fileName": "positive.tf", + "resourceType": "google_storage_bucket", + "resourceName": "image-store.com", + "searchKey": "google_storage_bucket[positive2]", + "searchValue": "", + "expectedValue": "google_storage_bucket[positive2].uniform_bucket_level_access should be defined and not null", + "actualValue": "google_storage_bucket[positive2].uniform_bucket_level_access is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "c887224f8e46044a8e7c0907d50607bbe28b471b045e888cd9f6d59244bab1cd", + "search_line": 20 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json b/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json index 748598a9f3a..a3f2ffe3425 100644 --- a/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "High Google KMS Crypto Key Rotation Period", "severity": "MEDIUM", - "line": 4 + "line": 4, + "fileName": "positive.tf", + "resourceType": "google_kms_crypto_key", + "resourceName": "crypto-key-example", + "searchKey": "google_kms_crypto_key[positive1].rotation_period", + "searchValue": "", + "expectedValue": "'google_kms_crypto_key.rotation_period' should be less or equal to 7776000", + "actualValue": "'google_kms_crypto_key.rotation_period' exceeds 7776000", + "issueType": "IncorrectValue", + "similarityID": "b3a3882d5be2bfe9b83fbe30d9622abc77ecea0b8ef66b804f6d0f64d16bb11f", + "search_line": 4 }, { "queryName": "High Google KMS Crypto Key Rotation Period", "severity": "MEDIUM", - "line": 10 + "line": 10, + "fileName": "positive.tf", + "resourceType": "google_kms_crypto_key", + "resourceName": "crypto-key-example", + "searchKey": "google_kms_crypto_key[positive2]", + "searchValue": "", + "expectedValue": "'google_kms_crypto_key.rotation_period' should be defined with a value less or equal to 7776000", + "actualValue": "'google_kms_crypto_key.rotation_period' is undefined", + "issueType": "MissingAttribute", + "similarityID": "3354f89a04e46bb5216bfc05d1924d882e68d55cf66d98a09b1d04908f3b19de", + "search_line": 10 } ] diff --git a/assets/queries/terraform/gcp/iam_audit_not_properly_configured/test/positive_expected_result.json b/assets/queries/terraform/gcp/iam_audit_not_properly_configured/test/positive_expected_result.json index c22fd7d0919..2a46982c3eb 100644 --- a/assets/queries/terraform/gcp/iam_audit_not_properly_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/iam_audit_not_properly_configured/test/positive_expected_result.json 
@@ -2,21 +2,61 @@ { "queryName": "IAM Audit Not Properly Configured", "severity": "LOW", - "line": 3 + "line": 3, + "fileName": "positive.tf", + "resourceType": "google_project_iam_audit_config", + "resourceName": "positive1", + "searchKey": "google_project_iam_audit_config[positive1].service", + "searchValue": "", + "expectedValue": "'service' must be 'allServices'", + "actualValue": "'service' is 'some_specific_service'", + "issueType": "IncorrectValue", + "similarityID": "74fa72f0533345a3f54c907e7c28b298013105f82e7caa3716c94cd109829f23", + "search_line": -1 }, { "queryName": "IAM Audit Not Properly Configured", "severity": "LOW", - "line": 9 + "line": 9, + "fileName": "positive.tf", + "resourceType": "google_project_iam_audit_config", + "resourceName": "positive1", + "searchKey": "google_project_iam_audit_config[positive1].audit_log_config.exempted_members", + "searchValue": "", + "expectedValue": "'exempted_members' should be empty", + "actualValue": "'exempted_members' is not empty", + "issueType": "IncorrectValue", + "similarityID": "899c6d7d34c21f6487e25d0f10eaa3c33e4dea9b043d7cd6fdaf7b75f428004a", + "search_line": -1 }, { "queryName": "IAM Audit Not Properly Configured", "severity": "LOW", - "line": 19 + "line": 19, + "fileName": "positive.tf", + "resourceType": "google_project_iam_audit_config", + "resourceName": "positive2", + "searchKey": "google_project_iam_audit_config[positive2].audit_log_config.log_type", + "searchValue": "", + "expectedValue": "'log_type' must be one of 'DATA_READ', 'DATA_WRITE', or 'ADMIN_READ'", + "actualValue": "'log_type' is INVALID_TYPE", + "issueType": "IncorrectValue", + "similarityID": "79f8f3d56d982ed9667009653f4c1042c617486e7d6b88ff35d0cf7809a37e2c", + "search_line": -1 }, { "queryName": "IAM Audit Not Properly Configured", "severity": "LOW", - "line": 23 + "line": 23, + "fileName": "positive.tf", + "resourceType": "google_project_iam_audit_config", + "resourceName": "positive2", + "searchKey": 
"google_project_iam_audit_config[positive2].audit_log_config.exempted_members", + "searchValue": "", + "expectedValue": "'exempted_members' should be empty", + "actualValue": "'exempted_members' is not empty", + "issueType": "IncorrectValue", + "similarityID": "0f2ab19c0c666d8ff72402852b331cbccb4a84ed5b63540756b2f05554cbe7a0", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/ip_aliasing_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/ip_aliasing_disabled/test/positive_expected_result.json index 7aeca99b89a..007214d6e1a 100644 --- a/assets/queries/terraform/gcp/ip_aliasing_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/ip_aliasing_disabled/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "IP Aliasing Disabled", "severity": "MEDIUM", - "line": 2 + "line": 2, + "fileName": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive1]", + "searchValue": "", + "expectedValue": "Attributes 'ip_allocation_policy' and 'networking_mode' should be defined", + "actualValue": "Attributes 'ip_allocation_policy' and 'networking_mode' are undefined", + "issueType": "MissingAttribute", + "similarityID": "eda024c6109958733760a5badf118983ce179dcaf22bdc6d00cc6321bc2c7ed1", + "search_line": -1 }, { "queryName": "IP Aliasing Disabled", "severity": "MEDIUM", - "line": 13 + "line": 13, + "fileName": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive2]", + "searchValue": "", + "expectedValue": "Attribute 'ip_allocation_policy' should be defined", + "actualValue": "Attribute 'ip_allocation_policy' is undefined", + "issueType": "MissingAttribute", + "similarityID": "5d93149d456b3b9b942e93c2504cd46f67f2206ed1aa457c2a0b69e6bf4bd3b9", + "search_line": -1 }, { "queryName": "IP Aliasing Disabled", "severity": "MEDIUM", - "line": 26 + "line": 26, + "fileName": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive3]", + "searchValue": "", + "expectedValue": "Attribute 'networking_mode' should be VPC_NATIVE", + "actualValue": "Attribute 'networking_mode' is ROUTES", + "issueType": "IncorrectValue", + "similarityID": "803089d69f97701ad280287f85a9f102798aba6b3494eed6e3e7bdfdeda70a75", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/ip_forwarding_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/ip_forwarding_enabled/test/positive_expected_result.json index e88a3bf1ab4..4e3ad56d4a9 100644 
--- a/assets/queries/terraform/gcp/ip_forwarding_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/ip_forwarding_enabled/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "IP Forwarding Enabled", "severity": "MEDIUM", - "line": 4 + "line": 4, + "fileName": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "primary-application-server", + "searchKey": "google_compute_instance[appserver].can_ip_forward", + "searchValue": "", + "expectedValue": "Attribute 'can_ip_forward' should be set to false or Attribute 'can_ip_forward' should be undefined", + "actualValue": "Attribute 'can_ip_forward' is true", + "issueType": "IncorrectValue", + "similarityID": "7e325ba821308c4d8b3a27aa973a8f04f4af82d340e42a0bf555ba8ebf445c41", + "search_line": 4 } ] diff --git a/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/test/positive_expected_result.json b/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/test/positive_expected_result.json index e42c4e728af..37fd8b76ffc 100644 --- a/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use/test/positive_expected_result.json 
@@ -3,6 +3,15 @@ "queryName": "KMS Admin and CryptoKey Roles In Use", "severity": "MEDIUM", "line": 3, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "google_project_iam_policy", + "resourceName": "positive1", + "searchKey": "google_project_iam_policy[positive1].policy_data", + "searchValue": "", + "expectedValue": "google_iam_policy[positive1].policy_data should not assign a KMS admin role and CryptoKey role to the same member", + "actualValue": "google_iam_policy[positive1].policy_data assigns a KMS admin role and CryptoKey role to the same member", + "issueType": "IncorrectValue", + "similarityID": "f119ac9708363d4d047267e5f5172da560f82ffdd71137244542b0bd177bf0f1", + "search_line": 3 } ] diff --git a/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/test/positive_expected_result.json index ae82865f667..77e02a8a053 100644 --- a/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "KMS Crypto Key is Publicly Accessible", "severity": "HIGH", "line": 24, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "google_kms_crypto_key_iam_policy", + "resourceName": "positive1", + "searchKey": "google_kms_crypto_key_iam_policy[positive1].policy_data", + "searchValue": "", + "expectedValue": "KMS crypto key should not be publicly accessible", + "actualValue": "KMS crypto key is publicly accessible", + "issueType": "IncorrectValue", + "similarityID": "a27772f80e360d391f3342e6d437c0f7c5754b44c43977fc3ee04ee3c5f5c61a", + "search_line": 24 }, { "queryName": "KMS Crypto Key is Publicly Accessible", "severity": "HIGH", "line": 24, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "google_kms_crypto_key_iam_policy", + "resourceName": "positive2", + "searchKey": "google_kms_crypto_key_iam_policy[positive2].policy_data", + "searchValue": "", + "expectedValue": "KMS crypto key should not be publicly accessible", + "actualValue": "KMS crypto key is publicly accessible", + "issueType": "IncorrectValue", + "similarityID": "87f9ca3ee58573283400ed3fa7d5bdf61e794a92d19adec4af95bbaa1e3d463a", + "search_line": 24 } ] diff --git a/assets/queries/terraform/gcp/kubernetes_web_ui_is_not_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/kubernetes_web_ui_is_not_disabled/test/positive_expected_result.json index caebb0a4b0c..85b803decd8 100644 --- a/assets/queries/terraform/gcp/kubernetes_web_ui_is_not_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/kubernetes_web_ui_is_not_disabled/test/positive_expected_result.json 
@@ -3,30 +3,75 @@ "queryName": "Beta - Kubernetes Web UI Is Not Disabled", "severity": "LOW", "line": 8, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive1].addons_config.kubernetes_dashboard.disabled", + "searchValue": "", + "expectedValue": "'kuberneters_dashboard' should not be enabled inside the 'addons_config block'", + "actualValue": "'kuberneters_dashboard' is enabled inside the 'addons_config block'", + "issueType": "IncorrectValue", + "similarityID": "6679c333d5d25144060faae89d96c18bd94a554837824cfa9cf89a20c1b83fee", + "search_line": 8 }, { "queryName": "Beta - Kubernetes Web UI Is Not Disabled", "severity": "LOW", "line": 1, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive2]", + "searchValue": "", + "expectedValue": "'kubernetes_dashboard' should be defined and disabled inside the 'addons_config_version' block for GKE versions below 1.10", + "actualValue": "'addons_config' block is not defined with the 'kubernetes_dashboard' disabled", + "issueType": "MissingAttribute", + "similarityID": "55a1043bfa449434aa955355b7b1c4f62be49cb99e311ea8d1faa42de55a312f", + "search_line": 1 }, { "queryName": "Beta - Kubernetes Web UI Is Not Disabled", "severity": "LOW", "line": 6, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive3].addons_config", + "searchValue": "", + "expectedValue": "'kubernetes_dashboard' should be defined and disabled inside the 'addons_config_version' block for GKE versions below 1.10", + "actualValue": "'kubernetes_dashboard' is not defined inside the 'addons_config_version' block", + "issueType": "MissingAttribute", + 
"similarityID": "2dd924673b1b3f8240e44444314bdb9a4fd1d934d4f905467bf08fa2e1a35fc3", + "search_line": 6 }, { "queryName": "Beta - Kubernetes Web UI Is Not Disabled", "severity": "LOW", "line": 8, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive4].addons_config.kubernetes_dashboard.disabled", + "searchValue": "", + "expectedValue": "'kuberneters_dashboard' should not be enabled inside the 'addons_config block'", + "actualValue": "'kuberneters_dashboard' is enabled inside the 'addons_config block'", + "issueType": "IncorrectValue", + "similarityID": "d8c7617d65403d3b1e6d94c34c8e9f0c6b3aa52763618f940fa15b21b9a15deb", + "search_line": 8 }, { "queryName": "Beta - Kubernetes Web UI Is Not Disabled", "severity": "LOW", "line": 9, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive5].addons_config.kubernetes_dashboard.disabled", + "searchValue": "", + "expectedValue": "'kuberneters_dashboard' should not be enabled inside the 'addons_config block'", + "actualValue": "'kuberneters_dashboard' is enabled inside the 'addons_config block'", + "issueType": "IncorrectValue", + "similarityID": "b40b0800f3d9700ec960818202939afd45333e51c3acfed06c5d218c28ebb6ea", + "search_line": 9 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/test/positive_expected_result.json index c979a788738..69314c13caa 100644 --- a/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Legacy Client Certificate Auth Enabled", "severity": "LOW", "line": 7, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive1].master_auth", + "searchValue": "", + "expectedValue": "If 'master_auth' is defined, subattribute 'client_certificate_config' should be defined", + "actualValue": "Attribute 'client_certificate_config' in 'master_auth' is undefined", + "issueType": "MissingAttribute", + "similarityID": "45c2f59762d9f17a08ecc30af8179ed9011c1b5e971bcb4788e01b286d18beab", + "search_line": -1 }, { "queryName": "Legacy Client Certificate Auth Enabled", "severity": "LOW", "line": 24, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive2].master_auth.client_certificate_config.issue_client_certificate", + "searchValue": "", + "expectedValue": "Attribute 'issue_client_certificate' in 'client_certificate_config' should be false", + "actualValue": "Attribute 'issue_client_certificate' in 'client_certificate_config' is true", + "issueType": "IncorrectValue", + "similarityID": "311237ae7532e600d7b82bebdb7717157b5da72396bf26488a8be28cf5b15c44", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/legacy_networks_do_not_exist_for_older_google_projects/test/positive_expected_result.json b/assets/queries/terraform/gcp/legacy_networks_do_not_exist_for_older_google_projects/test/positive_expected_result.json index 5bac758f86c..000ab39f8ed 100644 --- a/assets/queries/terraform/gcp/legacy_networks_do_not_exist_for_older_google_projects/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/legacy_networks_do_not_exist_for_older_google_projects/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "Beta - Legacy Networks Do Not Exist For Older Google Projects", "severity": "MEDIUM", "line": 9, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "google_compute_network", + "resourceName": "vpc-legacy", + "searchKey": "google_compute_network[vpc_network_network].auto_create_subnetworks", + "searchValue": "", + "expectedValue": "'auto_create_subnetworks' should be defined to false", + "actualValue": "'auto_create_subnetworks' is defined to true", + "issueType": "IncorrectValue", + "similarityID": "cba67f103431d169b9cb5d6e37306df618bbdd336aafdd744fa83041ab64a1de", + "search_line": -1 }, { "queryName": "Beta - Legacy Networks Do Not Exist For Older Google Projects", "severity": "MEDIUM", "line": 14, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "google_compute_network", + "resourceName": "legacy-network", + "searchKey": "google_compute_network[legacy_network].auto_create_subnetworks", + "searchValue": "", + "expectedValue": "'auto_create_subnetworks' should be defined to false", + "actualValue": "'auto_create_subnetworks' is defined to true", + "issueType": "IncorrectValue", + "similarityID": "e9239e32d338014a391097eede56d256d35c309158fb8c968fc739f8f0623d90", + "search_line": -1 }, { "queryName": "Beta - Legacy Networks Do Not Exist For Older Google Projects", "severity": "MEDIUM", "line": 14, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "google_compute_network", + "resourceName": "legacy-network", + "searchKey": "google_compute_network[legacy_network].auto_create_subnetworks", + "searchValue": "", + "expectedValue": "'auto_create_subnetworks' should be defined to false", + "actualValue": "'auto_create_subnetworks' is defined to true", + "issueType": "IncorrectValue", + "similarityID": "86229b79f6acd8b9ca78c137550c4df137923dd531eb3b9de88c20fdbda6f003", + "search_line": -1 }, { "queryName": "Beta - Legacy Networks Do Not Exist For Older Google 
Projects", "severity": "MEDIUM", "line": 7, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "google_compute_network", + "resourceName": "vpc-legacy", + "searchKey": "google_compute_network[vpc_network_network]", + "searchValue": "", + "expectedValue": "'auto_create_subnetworks' should be defined to false", + "actualValue": "'auto_create_subnetworks' is not defined", + "issueType": "MissingAttribute", + "similarityID": "1d6b5eecd7b47685154c4d0f2d81ac60b7b43e4a5bc614b6b11425395cf176df", + "search_line": 7 }, { "queryName": "Beta - Legacy Networks Do Not Exist For Older Google Projects", "severity": "MEDIUM", "line": 12, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "google_compute_network", + "resourceName": "legacy-network", + "searchKey": "google_compute_network[legacy_network]", + "searchValue": "", + "expectedValue": "'auto_create_subnetworks' should be defined to false", + "actualValue": "'auto_create_subnetworks' is not defined", + "issueType": "MissingAttribute", + "similarityID": "23d551b5efa09f0164b7fef91616fa21de19571065b35610896d6ff96bcf0d2f", + "search_line": 12 }, { "queryName": "Beta - Legacy Networks Do Not Exist For Older Google Projects", "severity": "MEDIUM", "line": 12, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "google_compute_network", + "resourceName": "legacy-network", + "searchKey": "google_compute_network[legacy_network]", + "searchValue": "", + "expectedValue": "'auto_create_subnetworks' should be defined to false", + "actualValue": "'auto_create_subnetworks' is not defined", + "issueType": "MissingAttribute", + "similarityID": "60534e967b11c49718ce2b063d0735720220c7370a37894e2a2944268db55e53", + "search_line": 12 } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/gcp/logs_and_alerts_missing_audit_configuration_changes/test/positive_expected_result.json b/assets/queries/terraform/gcp/logs_and_alerts_missing_audit_configuration_changes/test/positive_expected_result.json index 31f830c43f3..cec2ab3786b 100644 --- a/assets/queries/terraform/gcp/logs_and_alerts_missing_audit_configuration_changes/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/logs_and_alerts_missing_audit_configuration_changes/test/positive_expected_result.json 
@@ -3,66 +3,165 @@ "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture all audit configuration changes", + "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes", + "issueType": "IncorrectValue", + "similarityID": "b96f9b8e01d61f3a1071faaa63020df1e8ee0a5383b605c07b21ac5fc5f87523", + "search_line": 1 }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", "severity": "MEDIUM", "line": 7, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert", + "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter", + "searchValue": "", + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all audit configuration changes", + "actualValue": "No 'google_monitoring_alert_policy' resource captures all audit configuration changes", + "issueType": "IncorrectValue", + "similarityID": "2725246d65804708827bba8e6ceb9ac9197256215ce8f2de76177f6077773180", + "search_line": 7 }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", "severity": "MEDIUM", "line": 7, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert (Log Match)", + "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_matched_log.filter", + "searchValue": "", + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all audit 
configuration changes", + "actualValue": "No 'google_monitoring_alert_policy' resource captures all audit configuration changes", + "issueType": "IncorrectValue", + "similarityID": "04f64bb44b9a87fe078b80360d5d7277923bbfb639177debae94bd9158133253", + "search_line": 7 }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", "severity": "MEDIUM", "line": 7, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert", + "searchKey": "google_monitoring_alert_policy[audit_config_alert]", + "searchValue": "", + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all audit configuration changes", + "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures all audit configuration changes but does not define a proper 'notification_channels'", + "issueType": "IncorrectValue", + "similarityID": "0c83447c8fe170fac02821929167bd8bc59a43ceced28cf17fa3891d1f5fc436", + "search_line": 7 }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert (Log Match)", + "searchKey": "google_monitoring_alert_policy[audit_config_alert]", + "searchValue": "", + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all audit configuration changes", + "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures all audit configuration changes but does not define a proper 'notification_channels'", + "issueType": "IncorrectValue", + "similarityID": "905f7e5078e40a3625385d9ec1709c5bd0f4860440e731303c150dfafc3b4d5d", + "search_line": 1 }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", "severity": "MEDIUM", "line": 1, 
- "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert", + "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter", + "searchValue": "", + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all audit configuration changes", + "actualValue": "No 'google_monitoring_alert_policy' resource captures all audit configuration changes", + "issueType": "IncorrectValue", + "similarityID": "67ec9aa01a1434240b1fe1164e21a0c615e220ba2e22003b9f1633c36424282e", + "search_line": 1 }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive7.tf" + "fileName": "positive7.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture all audit configuration changes", + "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes", + "issueType": "IncorrectValue", + "similarityID": "226931baaa6dcc469551fcac41ce805adaa19332d2e96ddf3df41568d11c843a", + "search_line": 1 }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive8.tf" + "fileName": "positive8.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture all audit configuration changes", + "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes", + "issueType": "IncorrectValue", + "similarityID": 
"57073943611b312f996dc1cd8260c25e3cc7d463d4a7f0826653b9b79b3590d8", + "search_line": 1 }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive9.tf" + "fileName": "positive9.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture all audit configuration changes", + "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes", + "issueType": "IncorrectValue", + "similarityID": "4ec1140b1c0bc23c7f56b456dc1fbdd160e7aef8349c3777a7bb24052074639c", + "search_line": 1 }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive10.tf" + "fileName": "positive10.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture all audit configuration changes", + "actualValue": "No 'google_logging_metric' resource captures all audit configuration changes", + "issueType": "IncorrectValue", + "similarityID": "3214d7b8b1ea9958a984f1ead33390df6230a8cda5de1ab2e19fc1485af4fb1c", + "search_line": 1 }, { "queryName": "Beta - Logs And Alerts Missing Audit Configuration Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive11.tf" + "fileName": "positive11.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture all audit configuration changes", + "actualValue": "No 'google_logging_metric' resource 
captures all audit configuration changes", + "issueType": "IncorrectValue", + "similarityID": "1a8cddb19cbb7fb87b96f297f7529fd11eb0ceb656a278828d121ba032243ec2", + "search_line": 1 } ] diff --git a/assets/queries/terraform/gcp/logs_and_alerts_missing_custom_role_changes/test/positive_expected_result.json b/assets/queries/terraform/gcp/logs_and_alerts_missing_custom_role_changes/test/positive_expected_result.json index 9e27031c977..6cda9057ade 100644 --- a/assets/queries/terraform/gcp/logs_and_alerts_missing_custom_role_changes/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/logs_and_alerts_missing_custom_role_changes/test/positive_expected_result.json 
@@ -3,54 +3,135 @@ "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture all custom role changes", + "actualValue": "'google_logging_metric[audit_config_change].filter' is applied to the wrong resource type", + "issueType": "IncorrectValue", + "similarityID": "3f35d038cd3c038f9c6e59fccca1ae885724537d7aca0f1509b7517a8bb673d7", + "search_line": 1 }, { "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", "severity": "MEDIUM", "line": 13, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert", + "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter", + "searchValue": "", + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all custom role changes", + "actualValue": "No 'google_monitoring_alert_policy' resource captures all custom role changes", + "issueType": "IncorrectValue", + "similarityID": "8ade09f4677e1ea2743531ae83abbbb0653ec03737edcc3e71aa8a3258f257e5", + "search_line": 13 }, { "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", "severity": "MEDIUM", "line": 13, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert (Log Match)", + "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_matched_log.filter", + "searchValue": "", + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all custom role changes", + "actualValue": "No 
'google_monitoring_alert_policy' resource captures all custom role changes", + "issueType": "IncorrectValue", + "similarityID": "38667e2c330a46d23978d3fb7e877d96f7935a9877f6bddc508476e762aa6c02", + "search_line": 13 }, { "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", "severity": "MEDIUM", "line": 13, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert", + "searchKey": "google_monitoring_alert_policy[audit_config_alert]", + "searchValue": "", + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all custom role changes", + "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures all custom role changes but does not define a proper 'notification_channels'", + "issueType": "IncorrectValue", + "similarityID": "a8ee4834ff81df38c06e932cb1d050b1b1f7533594f2bf78fd30641ef2748e1a", + "search_line": 13 }, { "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert (Log Match)", + "searchKey": "google_monitoring_alert_policy[audit_config_alert]", + "searchValue": "", + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all custom role changes", + "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures all custom role changes but does not define a proper 'notification_channels'", + "issueType": "IncorrectValue", + "similarityID": "8b7991d0e9deba870db5f6e7d35ae44c1d62dc6003c9ebad105b9e52d839cb9e", + "search_line": 1 }, { "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": 
"google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert", + "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter", + "searchValue": "", + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture all custom role changes", + "actualValue": "No 'google_monitoring_alert_policy' resource captures all custom role changes", + "issueType": "IncorrectValue", + "similarityID": "926d3a114a1765c81df1f3bb1dd1bffd9e6e46da3fbf940a892e08a8a2eeddc6", + "search_line": 1 }, { "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive7.tf" + "fileName": "positive7.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture all custom role changes", + "actualValue": "'google_logging_metric[audit_config_change].filter' is applied to the wrong resource type", + "issueType": "IncorrectValue", + "similarityID": "8da380d00e46ae45efe895f254adc75dbe16444bbcd5b0a9c8bdbd78feaf26da", + "search_line": 1 }, { "queryName": "Beta - Logs And Alerts Missing Custom Role Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive8.tf" + "fileName": "positive8.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change_1", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture all custom role changes", + "actualValue": "'google_logging_metric[audit_config_change].filter' does not capture all custom role changes for resource type 'iam_role'", + "issueType": "IncorrectValue", + "similarityID": "ff7f1a863a9c1593b74adb4895a53e7f7f512715a989d9043de3d3fb24fcd951", + "search_line": 1 }, { "queryName": 
"Beta - Logs And Alerts Missing Custom Role Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive9.tf" + "fileName": "positive9.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture all custom role changes", + "actualValue": "'google_logging_metric[audit_config_change].filter' does not capture all custom role changes for resource type 'iam_role'", + "issueType": "IncorrectValue", + "similarityID": "fc3e5a739d5118e2eecafd4bc5f046b0db12a5e568ad6ae02fd3f0c3266af76f", + "search_line": 1 } ] diff --git a/assets/queries/terraform/gcp/logs_and_alerts_missing_project_ownership_assignment_and_changes/test/positive_expected_result.json b/assets/queries/terraform/gcp/logs_and_alerts_missing_project_ownership_assignment_and_changes/test/positive_expected_result.json index 3b5d13ac9cb..5cdd8674f99 100644 --- a/assets/queries/terraform/gcp/logs_and_alerts_missing_project_ownership_assignment_and_changes/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/logs_and_alerts_missing_project_ownership_assignment_and_changes/test/positive_expected_result.json 
@@ -3,84 +3,210 @@ "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes", + "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes", + "issueType": "IncorrectValue", + "similarityID": "d11b952989f43609b14a24dfd607dc2edce33ef03d7a9640b0e1d212f40c4275", + "search_line": 1 }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 14, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert", + "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter", + "searchValue": "", + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture project ownership assignment and changes", + "actualValue": "No 'google_monitoring_alert_policy' resource captures project ownership assignment and changes", + "issueType": "IncorrectValue", + "similarityID": "73e05b144b4a907bdad77cabe6ce7af6ac7716d2ea8bc261913643a587ff9f8a", + "search_line": 14 }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 14, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert (Log Match)", + "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_matched_log.filter", + "searchValue": "", + "expectedValue": "At least one 
'google_monitoring_alert_policy' resource should capture project ownership assignment and changes", + "actualValue": "No 'google_monitoring_alert_policy' resource captures project ownership assignment and changes", + "issueType": "IncorrectValue", + "similarityID": "8857fced5115c2df4bfc0bd06018e33974f5851631f7017a095892a3e4b57293", + "search_line": 14 }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 14, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert", + "searchKey": "google_monitoring_alert_policy[audit_config_alert]", + "searchValue": "", + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture project ownership assignment and changes", + "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures project ownership assignment and changes but does not define a proper 'notification_channels'", + "issueType": "IncorrectValue", + "similarityID": "32bdc3073908c5928446db890519161ed541271d90db32db1a9766de05f765fb", + "search_line": 14 }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive5.tf" + "fileName": "positive5.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert (Log Match)", + "searchKey": "google_monitoring_alert_policy[audit_config_alert]", + "searchValue": "", + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture project ownership assignment and changes", + "actualValue": "The 'google_monitoring_alert_policy[audit_config_alert]' resource captures project ownership assignment and changes but does not define a proper 'notification_channels'", + "issueType": "IncorrectValue", + "similarityID": 
"0fe4e674ca54b15edc09248f07e0f1d42052ea01a33793cefc1420805c7245ec", + "search_line": 1 }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive6.tf" + "fileName": "positive6.tf", + "resourceType": "google_monitoring_alert_policy", + "resourceName": "Audit Config Change Alert", + "searchKey": "google_monitoring_alert_policy[audit_config_alert].conditions.condition_threshold.filter", + "searchValue": "", + "expectedValue": "At least one 'google_monitoring_alert_policy' resource should capture project ownership assignment and changes", + "actualValue": "No 'google_monitoring_alert_policy' resource captures project ownership assignment and changes", + "issueType": "IncorrectValue", + "similarityID": "673a1a66bc36d1e46037a04d087c49d77615fbc2b0d41b522053656ce4e46ec0", + "search_line": 1 }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive7.tf" + "fileName": "positive7.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes", + "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes", + "issueType": "IncorrectValue", + "similarityID": "d212bb27db8469f2a75c88582ecf03eb06ef675715bbc5d44ecd49c3a1edd6db", + "search_line": 1 }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive8.tf" + "fileName": "positive8.tf", + "resourceType": "google_logging_metric", + "resourceName": "project_ownership_with_not", + "searchKey": "google_logging_metric[positive8].filter", + "searchValue": "", + "expectedValue": "At least one 
'google_logging_metric' resource should capture project ownership assignment and changes", + "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes", + "issueType": "IncorrectValue", + "similarityID": "6342b9b657d7af85e8f0f20abab21746bd983d6a8208f00957dcf3950d141beb", + "search_line": 1 }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive9.tf" + "fileName": "positive9.tf", + "resourceType": "google_logging_metric", + "resourceName": "project_ownership_with_not_remove", + "searchKey": "google_logging_metric[positive9].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes", + "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes", + "issueType": "IncorrectValue", + "similarityID": "08feb666f61a569cb4ce80dac40e3f6c06368c4bcc20b4cc27a17cae5ef27618", + "search_line": 1 }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive10.tf" + "fileName": "positive10.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes", + "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes", + "issueType": "IncorrectValue", + "similarityID": "8d49d793e3f32ccbefc2e2e0441dd6c18bc3596241572dd7bd8acd5cf10749f6", + "search_line": 1 }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive11.tf" + "fileName": "positive11.tf", + "resourceType": 
"google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes", + "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes", + "issueType": "IncorrectValue", + "similarityID": "ddb2f21aa8299e0377db396a4be9fbda7c4fa9aa76a77da061799837f8fbd636", + "search_line": 1 }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive12.tf" + "fileName": "positive12.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes", + "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes", + "issueType": "IncorrectValue", + "similarityID": "fb16055925abbdd8576bf104b72e616fb9d466dd75f6667cf6f51ad6d87b7199", + "search_line": 1 }, { "queryName": "Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive13.tf" + "fileName": "positive13.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes", + "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes", + "issueType": "IncorrectValue", + "similarityID": "f3aed5b55fbab7d03215718164a22a4405f082d536587e9220cea8c96d0c3d97", + "search_line": 1 }, { "queryName": 
"Beta - Logs And Alerts Missing Project Ownership Assignment And Changes", "severity": "MEDIUM", "line": 1, - "fileName": "positive14.tf" + "fileName": "positive14.tf", + "resourceType": "google_logging_metric", + "resourceName": "audit_config_change", + "searchKey": "google_logging_metric[audit_config_change].filter", + "searchValue": "", + "expectedValue": "At least one 'google_logging_metric' resource should capture project ownership assignment and changes", + "actualValue": "No 'google_logging_metric' resource captures project ownership assignment and changes", + "issueType": "IncorrectValue", + "similarityID": "d2087e2835000df1b1bbce097befbbd4011694b26062507f331774a30cf181d8", + "search_line": 1 } ] diff --git a/assets/queries/terraform/gcp/network_policy_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/network_policy_disabled/test/positive_expected_result.json index ff7d73107ec..01b061def22 100644 --- a/assets/queries/terraform/gcp/network_policy_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/network_policy_disabled/test/positive_expected_result.json 
@@ -2,31 +2,91 @@ { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 2 + "line": 2, + "fileName": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive1]", + "searchValue": "", + "expectedValue": "Attribute 'network_policy' should be defined and Attribute 'addons_config' should be defined", + "actualValue": "Attribute 'network_policy' is undefined or Attribute 'addons_config' is undefined", + "issueType": "MissingAttribute", + "similarityID": "ef4b306a84308576e057b6e693b3e9ebfd57c8404055954b51a746ead9852751", + "search_line": 2 }, { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 16 + "line": 16, + "fileName": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive2]", + "searchValue": "", + "expectedValue": "Attribute 'network_policy' should be defined and Attribute 'addons_config' should be defined", + "actualValue": "Attribute 'network_policy' is undefined or Attribute 'addons_config' is undefined", + "issueType": "MissingAttribute", + "similarityID": "586780fadaa44ca561e29194c331f4cf62efdb899500ba26608760c4f78801be", + "search_line": 16 }, { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 30 + "line": 30, + "fileName": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive3]", + "searchValue": "", + "expectedValue": "Attribute 'network_policy' should be defined and Attribute 'addons_config' should be defined", + "actualValue": "Attribute 'network_policy' is undefined or Attribute 'addons_config' is undefined", + "issueType": "MissingAttribute", + "similarityID": "e12f0bd262c56865424473e136b599a5971f2e9951311837c204e9dd474c479b", + "search_line": 30 }, { "queryName": "Network Policy Disabled", "severity": 
"MEDIUM", - "line": 48 + "line": 48, + "fileName": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive4].addons_config", + "searchValue": "", + "expectedValue": "Attribute 'addons_config.network_policy_config' should be defined", + "actualValue": "Attribute 'addons_config.network_policy_config' is undefined", + "issueType": "MissingAttribute", + "similarityID": "bf13979fba63f0853354a8985d6f52af67bc4dd772023087ca92f4e53db94248", + "search_line": 48 }, { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 63 + "line": 63, + "fileName": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive5].network_policy.enabled", + "searchValue": "", + "expectedValue": "Attribute 'network_policy.enabled' should be true", + "actualValue": "Attribute 'network_policy.enabled' is false", + "issueType": "IncorrectValue", + "similarityID": "cd6e0cd33f1404e755fdf84d25d612ebacd587a73a7d2de469e7024c5f78f90e", + "search_line": 63 }, { "queryName": "Network Policy Disabled", "severity": "MEDIUM", - "line": 86 + "line": 86, + "fileName": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive6].addons_config.network_policy_config.disabled", + "searchValue": "", + "expectedValue": "Attribute 'addons_config.network_policy_config.disabled' should be set to false", + "actualValue": "Attribute 'addons_config.network_policy_config.disabled' is true", + "issueType": "IncorrectValue", + "similarityID": "051e638a5223d7870afa9b2edc1f48a8df96ce5be5cb7f710d9d4ddf35c1ed2e", + "search_line": 86 } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json index 6f474f0d075..5396789eca9 100644 --- a/assets/queries/terraform/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/node_auto_upgrade_disabled/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "Node Auto Upgrade Disabled", "severity": "MEDIUM", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "google_container_node_pool", + "resourceName": "my-node-pool", + "searchKey": "google_container_node_pool[positive1]", + "searchValue": "", + "expectedValue": "google_container_node_pool.management should be defined and not null", + "actualValue": "google_container_node_pool.management is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "201b90a1c2d639da1f80901e4eeccaafeaa6b17350495d442d0b778969b5c388", + "search_line": 1 }, { "queryName": "Node Auto Upgrade Disabled", "severity": "MEDIUM", - "line": 19 + "line": 19, + "fileName": "positive.tf", + "resourceType": "google_container_node_pool", + "resourceName": "my-node-pool", + "searchKey": "google_container_node_pool[positive2].management", + "searchValue": "", + "expectedValue": "management.auto_upgrade should be defined and not null", + "actualValue": "management.auto_upgrade is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "1e6bcfc6a38972f806ce417c8c3c5a86edad0016acf075b87488168d3179be15", + "search_line": 19 }, { "queryName": "Node Auto Upgrade Disabled", "severity": "MEDIUM", - "line": 36 + "line": 36, + "fileName": "positive.tf", + "resourceType": "google_container_node_pool", + "resourceName": "my-node-pool", + "searchKey": "google_container_node_pool[positive3].management.auto_upgrade", + "searchValue": "", + "expectedValue": "management.auto_upgrade should be true", + "actualValue": "management.auto_upgrade is false", + "issueType": "IncorrectValue", + "similarityID": "febc9519ccc233f65b9153e74f5eb0690bfa2af4cde35a79ecebf1262f4cacd6", + "search_line": 36 } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/gcp/not_proper_email_account_in_use/test/positive_expected_result.json b/assets/queries/terraform/gcp/not_proper_email_account_in_use/test/positive_expected_result.json index ef78f29a1c7..74ff128145c 100644 --- a/assets/queries/terraform/gcp/not_proper_email_account_in_use/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/not_proper_email_account_in_use/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Not Proper Email Account In Use", "severity": "LOW", - "line": 6 + "line": 6, + "fileName": "positive.tf", + "resourceType": "google_project_iam_binding", + "resourceName": "positive1", + "searchKey": "google_project_iam_binding[positive1].members.user:jane@gmail.com", + "searchValue": "", + "expectedValue": "'members' cannot contain Gmail account addresses", + "actualValue": "'members' has email address: user:jane@gmail.com", + "issueType": "IncorrectValue", + "similarityID": "1b28191e4461889a2397b7dde51e2f971e0bfa1c9e997b1ee8944c11bc1e8fc3", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/os_login_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/os_login_disabled/test/positive_expected_result.json index f8e4466defc..c4862d6d8d6 100644 --- a/assets/queries/terraform/gcp/os_login_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/os_login_disabled/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "OSLogin Disabled", "severity": "MEDIUM", - "line": 3 + "line": 3, + "fileName": "positive.tf", + "resourceType": "google_compute_project_metadata", + "resourceName": "positive1", + "searchKey": "google_compute_project_metadata[positive1].metadata.enable-oslogin", + "searchValue": "", + "expectedValue": "google_compute_project_metadata[positive1].metadata['enable-oslogin'] should be true", + "actualValue": "google_compute_project_metadata[positive1].metadata['enable-oslogin'] is false", + "issueType": "IncorrectValue", + "similarityID": "a11f4d7f45008b71e0c4afe3c8e01a2523322f1700a4ecbe7cd509b1855649e0", + "search_line": -1 }, { "queryName": "OSLogin Disabled", "severity": "MEDIUM", - "line": 8 + "line": 8, + "fileName": "positive.tf", + "resourceType": "google_compute_project_metadata", + "resourceName": "positive2", + "searchKey": "google_compute_project_metadata[positive2].metadata", + "searchValue": "", + "expectedValue": "google_compute_project_metadata[positive2].metadata['enable-oslogin'] should be true", + "actualValue": "google_compute_project_metadata[positive2].metadata['enable-oslogin'] is undefined", + "issueType": "MissingAttribute", + "similarityID": "ea452f59073ecf25b80fb56e07ab62801decf4bcea1331578b4a3e1a10f76435", + "search_line": 8 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json b/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json index 901a453aacf..5104dad7d16 100644 --- a/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "OSLogin Is Disabled For VM Instance", "severity": "MEDIUM", - "line": 30 + "line": 30, + "fileName": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "test", + "searchKey": "google_compute_instance[positive1].metadata.enable-oslogin", + "searchValue": "", + "expectedValue": "google_compute_instance[positive1].metadata.enable-oslogin should be true or undefined", + "actualValue": "google_compute_instance[positive1].metadata.enable-oslogin is false", + "issueType": "IncorrectValue", + "similarityID": "8bff87fd59e09c254713229da2cde5fde42dd537c6949da27beb7a9a9067dd93", + "search_line": -1 } ] diff --git a/assets/queries/terraform/gcp/outdated_gke_version/test/positive_expected_result.json b/assets/queries/terraform/gcp/outdated_gke_version/test/positive_expected_result.json index 94ec761d1b6..90101728e36 100644 --- a/assets/queries/terraform/gcp/outdated_gke_version/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/outdated_gke_version/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Outdated GKE Version", "severity": "LOW", "line": 2, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive1]", + "searchValue": "", + "expectedValue": "GKE should not be using outated versions on min_master_version or node_version 1.25", + "actualValue": "GKE is using outated versions on min_master_version or node_version", + "issueType": "IncorrectValue", + "similarityID": "1d9b2a75325b98ce096f8cc9f90935bf60a46bb2e0d106ebf72620d62f57cea3", + "search_line": -1 }, { "queryName": "Outdated GKE Version", "severity": "LOW", "line": 25, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive2]", + "searchValue": "", + "expectedValue": "GKE should not be using outated versions on min_master_version or node_version 1.25", + "actualValue": "GKE is using outated versions on min_master_version or node_version", + "issueType": "IncorrectValue", + "similarityID": "af2830ef6ffd9ff591e2e6303441d5f515414b2fb037354d397bc04a2f0fd123", + "search_line": -1 } ] diff --git a/assets/queries/terraform/gcp/pod_security_policy_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/pod_security_policy_disabled/test/positive_expected_result.json index bcfcc520208..b1936ca1360 100644 --- a/assets/queries/terraform/gcp/pod_security_policy_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/pod_security_policy_disabled/test/positive_expected_result.json 
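Review bot: Both new entries in this hunk pin the misspelling `outated` in their message strings (`"expectedValue": "GKE should not be using outated versions on min_master_version or node_version 1.25"` and `"actualValue": "GKE is using outated versions on min_master_version or node_version"`), so the fixture now locks a typo into the expected scanner output. The wording presumably originates in the query's own message text rather than in this file, so the correction belongs there ("outdated"), after which this expected-result file should be regenerated from a real scan rather than edited by hand so it stays byte-consistent with what the scanner emits. The same strings recur in the second entry of this hunk; one fix at the source covers both.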
@@ -2,11 +2,31 @@ { "queryName": "Pod Security Policy Disabled", "severity": "MEDIUM", - "line": 2 + "line": 2, + "fileName": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive1]", + "searchValue": "", + "expectedValue": "Attribute 'pod_security_policy_config' should be defined", + "actualValue": "Attribute 'pod_security_policy_config' is undefined", + "issueType": "MissingAttribute", + "similarityID": "6b4a7853b29cd94f6731e0c561937f725b88a0059875f0de71d1171d99e2406f", + "search_line": 2 }, { "queryName": "Pod Security Policy Disabled", "severity": "MEDIUM", - "line": 18 + "line": 18, + "fileName": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive2].pod_security_policy_config.enabled", + "searchValue": "", + "expectedValue": "Attribute 'enabled' of 'pod_security_policy_config' should be true", + "actualValue": "Attribute 'enabled' of 'pod_security_policy_config' is false", + "issueType": "IncorrectValue", + "similarityID": "c2197b5305ae5874196239530c29b3f205579eca0903636eff1e8583c01a6b76", + "search_line": 18 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/private_cluster_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/private_cluster_disabled/test/positive_expected_result.json index c7baabbd4f9..eaffc83d48e 100644 --- a/assets/queries/terraform/gcp/private_cluster_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/private_cluster_disabled/test/positive_expected_result.json 
@@ -2,36 +2,106 @@ { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive1]", + "searchValue": "", + "expectedValue": "Attribute 'private_cluster_config' should be defined and not null", + "actualValue": "Attribute 'private_cluster_config' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "c3de777501e16e4ec0c28d9bf88e406fc279d4bd74579ffed0a8aa033708c465", + "search_line": -1 }, { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 16 + "line": 16, + "fileName": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive2].private_cluster_config", + "searchValue": "", + "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be defined and Attribute 'private_cluster_config.enable_private_nodes' should be defined", + "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is undefined or Attribute 'private_cluster_config.enable_private_nodes' is undefined", + "issueType": "MissingAttribute", + "similarityID": "1a26e04f980704aa7b42f7a6a1a2f7e585f1295e3fe28aa4a02381ed8f825816", + "search_line": -1 }, { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 30 + "line": 30, + "fileName": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive3].private_cluster_config", + "searchValue": "", + "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be defined and Attribute 'private_cluster_config.enable_private_nodes' should be defined", + "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is undefined or Attribute 
'private_cluster_config.enable_private_nodes' is undefined", + "issueType": "MissingAttribute", + "similarityID": "96f4c7713828ce8afda40048c89e4f3473ffa73c12dde03e36556073e0f8c430", + "search_line": -1 }, { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 44 + "line": 44, + "fileName": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive4].private_cluster_config", + "searchValue": "", + "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be defined and Attribute 'private_cluster_config.enable_private_nodes' should be defined", + "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is undefined or Attribute 'private_cluster_config.enable_private_nodes' is undefined", + "issueType": "MissingAttribute", + "similarityID": "e68dde8920994026242fbf22101f08b26aa1eb6dbbf43974adafda40533cb238", + "search_line": -1 }, { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 58 + "line": 58, + "fileName": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive5].private_cluster_config", + "searchValue": "", + "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be true and Attribute 'private_cluster_config.enable_private_nodes' should be true", + "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is false or Attribute 'private_cluster_config.enable_private_nodes' is false", + "issueType": "IncorrectValue", + "similarityID": "2bfba0648c7fd1360ce0780cd5046ac214419e3262fd1dd1e47b1dd5bbb79610", + "search_line": -1 }, { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 73 + "line": 73, + "fileName": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": 
"google_container_cluster[positive6].private_cluster_config", + "searchValue": "", + "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be true and Attribute 'private_cluster_config.enable_private_nodes' should be true", + "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is false or Attribute 'private_cluster_config.enable_private_nodes' is false", + "issueType": "IncorrectValue", + "similarityID": "d034185d51c1577acd3f2752f91dce4426780b0b540e3a6835fa44917bbb98d6", + "search_line": -1 }, { "queryName": "Private Cluster Disabled", "severity": "MEDIUM", - "line": 88 + "line": 88, + "fileName": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive7].private_cluster_config", + "searchValue": "", + "expectedValue": "Attribute 'private_cluster_config.enable_private_endpoint' should be true and Attribute 'private_cluster_config.enable_private_nodes' should be true", + "actualValue": "Attribute 'private_cluster_config.enable_private_endpoint' is false or Attribute 'private_cluster_config.enable_private_nodes' is false", + "issueType": "IncorrectValue", + "similarityID": "2bc23dd16d8de593212a46c0d90902afddcb2735c4ac3af9d5199031801ab021", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json b/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json index a808b73efe3..961f655077d 100644 --- a/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances/test/positive_expected_result.json 
@@ -1,12 +1,32 @@ [ - { - "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", - "severity": "MEDIUM", - "line": 29 - }, - { - "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", - "severity": "MEDIUM", - "line": 39 - } + { + "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", + "severity": "MEDIUM", + "line": 29, + "fileName": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "test", + "searchKey": "google_compute_instance[positive1].metadata.block-project-ssh-keys", + "searchValue": "", + "expectedValue": "google_compute_instance[positive1].metadata.block-project-ssh-keys should be true", + "actualValue": "google_compute_instance[positive1].metadata.block-project-ssh-keys is false", + "issueType": "IncorrectValue", + "similarityID": "75ab8f5d17d4c3ba0e0fa94223259aa4b40c75c9190807488c4d5e30685b8055", + "search_line": -1 + }, + { + "queryName": "Project-wide SSH Keys Are Enabled In VM Instances", + "severity": "MEDIUM", + "line": 39, + "fileName": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "test", + "searchKey": "google_compute_instance[positive2]", + "searchValue": "", + "expectedValue": "google_compute_instance[positive2].metadata should be set", + "actualValue": "google_compute_instance[positive2].metadata is undefined", + "issueType": "MissingAttribute", + "similarityID": "ae571eb3f06fb5cd0f06d84e3f2633af2db0142834b01c44ae90836844572da8", + "search_line": -1 + } ] diff --git a/assets/queries/terraform/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json b/assets/queries/terraform/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json index 4f41a4dff84..66b9b58e911 100644 --- a/assets/queries/terraform/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/rdp_access_is_not_restricted/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "RDP Access Is Not Restricted", "severity": "HIGH", - "line": 12 + "line": 12, + "fileName": "positive.tf", + "resourceType": "google_compute_firewall", + "resourceName": "test-firewall", + "searchKey": "google_compute_firewall[positive1].allow.ports", + "searchValue": "", + "expectedValue": "'google_compute_firewall[positive1].allow.ports' should not include RDP port 3389", + "actualValue": "'google_compute_firewall[positive1].allow.ports' includes RDP port 3389", + "issueType": "IncorrectValue", + "similarityID": "f8f70db83d94123948b491b8e887489e407b7ab1642a7ed04fad6855c5ac4415", + "search_line": -1 }, { "queryName": "RDP Access Is Not Restricted", "severity": "HIGH", - "line": 25 + "line": 25, + "fileName": "positive.tf", + "resourceType": "google_compute_firewall", + "resourceName": "test-firewall", + "searchKey": "google_compute_firewall[positive2].allow.ports", + "searchValue": "", + "expectedValue": "'google_compute_firewall[positive2].allow.ports' should not include RDP port 3389", + "actualValue": "'google_compute_firewall[positive2].allow.ports' includes RDP port 3389", + "issueType": "IncorrectValue", + "similarityID": "2ed11e71ced2e23f1b19d4b0716ff0de95b4032484b91b445743fe8e4be69629", + "search_line": -1 }, { "queryName": "RDP Access Is Not Restricted", "severity": "HIGH", - "line": 36 + "line": 36, + "fileName": "positive.tf", + "resourceType": "google_compute_firewall", + "resourceName": "test-firewall", + "searchKey": "google_compute_firewall[positive3].allow.ports", + "searchValue": "", + "expectedValue": "'google_compute_firewall[positive3].allow.ports' should not include RDP port 3389", + "actualValue": "'google_compute_firewall[positive3].allow.ports' includes RDP port 3389", + "issueType": "IncorrectValue", + "similarityID": "01140835d0ee902d9707b82f9482d1d138c02cc0507853f1bf90bbb47b9c7e50", + "search_line": -1 } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json b/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json index e27bdc8039a..6def82ca72a 100644 --- a/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json 
@@ -3,36 +3,90 @@ "queryName": "Service Account with Improper Privileges", "severity": "MEDIUM", "line": 3, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "google_iam_policy", + "resourceName": "admin", + "searchKey": "google_iam_policy[admin].binding.role", + "searchValue": "", + "expectedValue": "google_iam_policy[admin].binding.role should not have admin, editor, owner, or write privileges for service account member", + "actualValue": "google_iam_policy[admin].binding.role has admin, editor, owner, or write privilege for service account member", + "issueType": "IncorrectValue", + "similarityID": "09316df676803d36b66b59d4b08902ff77348693abf0146b829055056917e36a", + "search_line": -1 }, { "queryName": "Service Account with Improper Privileges", "severity": "MEDIUM", "line": 3, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "google_project_iam_binding", + "resourceName": "project1", + "searchKey": "google_project_iam_binding[project1].role", + "searchValue": "", + "expectedValue": "google_project_iam_binding[project1].role should not have admin, editor, owner, or write privileges for service account member", + "actualValue": "google_project_iam_binding[project1].role has admin, editor, owner, or write privilege for service account member", + "issueType": "IncorrectValue", + "similarityID": "de955ac3f03fa6a2f5289467a40924ca76e12de9a4ccce65c6c5447aab466399", + "search_line": 3 }, { "queryName": "Service Account with Improper Privileges", "severity": "MEDIUM", "line": 18, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "google_project_iam_member", + "resourceName": "project2", + "searchKey": "google_project_iam_member[project2].role", + "searchValue": "", + "expectedValue": "google_project_iam_member[project2].role should not have admin, editor, owner, or write privileges for service account member", + "actualValue": "google_project_iam_member[project2].role has admin, editor, 
owner, or write privilege for service account member", + "issueType": "IncorrectValue", + "similarityID": "d36592327170a726c8270dfd0914058f82c65e4ef1f68aa1b5b7bccd2b12ad4a", + "search_line": 18 }, { "queryName": "Service Account with Improper Privileges", "severity": "MEDIUM", "line": 10, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "google_iam_policy", + "resourceName": "admin", + "searchKey": "google_iam_policy[admin].binding[1].role", + "searchValue": "", + "expectedValue": "google_iam_policy[admin].binding[1].role should not have admin, editor, owner, or write privileges for service account member", + "actualValue": "google_iam_policy[admin].binding[1].role has admin, editor, owner, or write privilege for service account member", + "issueType": "IncorrectValue", + "similarityID": "df3a1ef0b8458c46e0283037ad2e645547ec7a66a8cd660059afe3f67179fdb0", + "search_line": 10 }, { "queryName": "Service Account with Improper Privileges", "severity": "MEDIUM", "line": 3, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "google_iam_policy", + "resourceName": "admin", + "searchKey": "google_iam_policy[admin].binding[0].role", + "searchValue": "", + "expectedValue": "google_iam_policy[admin].binding[0].role should not have admin, editor, owner, or write privileges for service account member", + "actualValue": "google_iam_policy[admin].binding[0].role has admin, editor, owner, or write privilege for service account member", + "issueType": "IncorrectValue", + "similarityID": "9efda5e110e46157ff6c54b3db028d343eb80e50dddf32cd1b155a7750aebbf7", + "search_line": 3 }, { "queryName": "Service Account with Improper Privileges", "severity": "MEDIUM", "line": 9, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "google_iam_policy", + "resourceName": "admin", + "searchKey": "google_iam_policy[admin].binding[1].role", + "searchValue": "", + "expectedValue": "google_iam_policy[admin].binding[1].role 
should not have admin, editor, owner, or write privileges for service account member", + "actualValue": "google_iam_policy[admin].binding[1].role has admin, editor, owner, or write privilege for service account member", + "issueType": "IncorrectValue", + "similarityID": "674a44468d7bb74099a40da629978fade62e81d97e7e378abd5a5d89928f696b", + "search_line": 9 } ] diff --git a/assets/queries/terraform/gcp/shielded_gke_node_do_not_have_integrity_monitoring_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/shielded_gke_node_do_not_have_integrity_monitoring_enabled/test/positive_expected_result.json index 5a5da1c5c11..09a67cffc59 100644 --- a/assets/queries/terraform/gcp/shielded_gke_node_do_not_have_integrity_monitoring_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/shielded_gke_node_do_not_have_integrity_monitoring_enabled/test/positive_expected_result.json 
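Review bot: The first entry (positive1.tf, `google_iam_policy[admin].binding.role`) is generated with `"search_line": -1` while the five sibling entries in the same file carry real line numbers (3, 18, 10, 3, 9), and its searchKey lacks the `binding[N]` index the positive3/positive4 entries have. That looks like the query not reporting a searchLine for a single-binding policy rather than an intended difference; because this fixture is produced from current scanner output, it will freeze that gap and the test will keep passing if it is later fixed the other way. Confirm against the query before merging; if it is a query bug, the entry should read `"search_line": 3` like its positive2/positive4 counterparts.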
@@ -3,12 +3,30 @@ "queryName": "Beta - Shielded GKE Node Do Not Have Integrity Monitoring Enabled", "severity": "MEDIUM", "line": 8, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "google_container_cluster", + "resourceName": "marcellus-wallace", + "searchKey": "google_container_cluster[positive1].node_config.shielded_instance_config.enable_integrity_monitoring", + "searchValue": "", + "expectedValue": "'node_config.shielded_instance_config.enable_integrity_monitoring' should be defined to 'true'", + "actualValue": "'node_config.shielded_instance_config.enable_integrity_monitoring' is not defined to 'true'", + "issueType": "IncorrectValue", + "similarityID": "c82d5b77b9fe9d9d9aabc0c286a75b9d792b031b1881f47c175b0e73f03ab421", + "search_line": 8 }, { "queryName": "Beta - Shielded GKE Node Do Not Have Integrity Monitoring Enabled", "severity": "MEDIUM", "line": 11, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "google_container_node_pool", + "resourceName": "my-node-pool", + "searchKey": "google_container_node_pool[positive2].node_config.shielded_instance_config.enable_integrity_monitoring", + "searchValue": "", + "expectedValue": "'node_config.shielded_instance_config.enable_integrity_monitoring' should be defined to 'true'", + "actualValue": "'node_config.shielded_instance_config.enable_integrity_monitoring' is not defined to 'true'", + "issueType": "IncorrectValue", + "similarityID": "4e1991a8aa37922766bb900c24684e05b0c6d5b6c036ca8b5ef0044d8c6df259", + "search_line": 11 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/test/positive_expected_result.json index 220d7612bc8..fc808c4b258 100644 --- a/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/test/positive_expected_result.json 
+++ b/assets/queries/terraform/gcp/shielded_gke_nodes_disabled/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Shielded GKE Nodes Disabled", "severity": "MEDIUM", "line": 4, - "fileName": "positive.tf" + "fileName": "positive.tf", + "resourceType": "google_container_cluster", + "resourceName": "my-gke-cluster", + "searchKey": "google_container_cluster[false].enable_shielded_nodes", + "searchValue": "", + "expectedValue": "google_container_cluster.enable_shielded_nodes should be set to true", + "actualValue": "google_container_cluster.enable_shielded_nodes is set to false", + "issueType": "IncorrectValue", + "similarityID": "53fa78491249cbae079da63b22abfc193febf654dc61a3a44d5dc191db71e6e5", + "search_line": -1 } ] diff --git a/assets/queries/terraform/gcp/shielded_vm_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/shielded_vm_disabled/test/positive_expected_result.json index 79d4d0df9eb..5a69633d746 100644 --- a/assets/queries/terraform/gcp/shielded_vm_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/shielded_vm_disabled/test/positive_expected_result.json 
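Review bot: The generated searchKey `google_container_cluster[false].enable_shielded_nodes` puts `false` where every other fixture in this diff puts the Terraform resource label (e.g. `google_container_cluster[positive1]`), and `false` is also the attribute value the actualValue reports. Unless positive.tf really names the resource `false`, the query is likely building the key from the attribute value instead of the label, and generating the expected result from live output would lock that in. Verify against positive.tf; if the label differs, the fixture line should become `"searchKey": "google_container_cluster[<label>].enable_shielded_nodes"` and the query fixed first.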
@@ -2,36 +2,106 @@ { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 2 + "line": 2, + "fileName": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "primary-application-server", + "searchKey": "google_compute_instance[appserver1]", + "searchValue": "", + "expectedValue": "Attribute 'shielded_instance_config' should be defined and not null", + "actualValue": "Attribute 'shielded_instance_config' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "08412d59cab0a94d482382f3e54c236a5f4ee0cf721b1c63f30d4b81af8da490", + "search_line": -1 }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 10 + "line": 10, + "fileName": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "primary-application-server", + "searchKey": "google_compute_instance[appserver2].shielded_instance_config", + "searchValue": "", + "expectedValue": "Attribute 'shielded_instance_config.enable_integrity_monitoring' should be defined", + "actualValue": "Attribute 'shielded_instance_config.enable_integrity_monitoring' is undefined", + "issueType": "MissingAttribute", + "similarityID": "5b8de654f551e8fff593c649b8163932229205876e7b02d37c67028bf330f58f", + "search_line": -1 }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 19 + "line": 19, + "fileName": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "primary-application-server", + "searchKey": "google_compute_instance[appserver3].shielded_instance_config", + "searchValue": "", + "expectedValue": "Attribute 'shielded_instance_config.enable_vtpm' should be defined", + "actualValue": "Attribute 'shielded_instance_config.enable_vtpm' is undefined", + "issueType": "MissingAttribute", + "similarityID": "5ca6c51e4aa833f02b6ca1811f9b7ef342c3454ff403fddf5232093210a6ae39", + "search_line": -1 }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 28 + "line": 28, + "fileName": 
"positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "primary-application-server", + "searchKey": "google_compute_instance[appserver4].shielded_instance_config", + "searchValue": "", + "expectedValue": "Attribute 'shielded_instance_config.enable_secure_boot' should be defined", + "actualValue": "Attribute 'shielded_instance_config.enable_secure_boot' is undefined", + "issueType": "MissingAttribute", + "similarityID": "6c3ece58b77ae100632de92cd5f2fd349aec70b17f6e995b4008926f1c675156", + "search_line": -1 }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 38 + "line": 38, + "fileName": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "primary-application-server", + "searchKey": "google_compute_instance[appserver5].shielded_instance_config.enable_secure_boot", + "searchValue": "", + "expectedValue": "Attribute 'shielded_instance_config.enable_secure_boot' should be true", + "actualValue": "Attribute 'shielded_instance_config.enable_secure_boot' is false", + "issueType": "IncorrectValue", + "similarityID": "08fc8fee38b37e16097bb1e99a78d03ea1d17feca03d65e014ad472ed50216af", + "search_line": -1 }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 49 + "line": 49, + "fileName": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "primary-application-server", + "searchKey": "google_compute_instance[appserver6].shielded_instance_config.enable_vtpm", + "searchValue": "", + "expectedValue": "Attribute 'shielded_instance_config.enable_vtpm' should be true", + "actualValue": "Attribute 'shielded_instance_config.enable_vtpm' is false", + "issueType": "IncorrectValue", + "similarityID": "d870f5078093fdf9f10b7ccdd7bb97a89c62d99203d8fe76ea3508c39de1b2b3", + "search_line": -1 }, { "queryName": "Shielded VM Disabled", "severity": "MEDIUM", - "line": 60 + "line": 60, + "fileName": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": 
"primary-application-server", + "searchKey": "google_compute_instance[appserver7].shielded_instance_config.enable_integrity_monitoring", + "searchValue": "", + "expectedValue": "Attribute 'shielded_instance_config.enable_integrity_monitoring' should be true", + "actualValue": "Attribute 'shielded_instance_config.enable_integrity_monitoring' is false", + "issueType": "IncorrectValue", + "similarityID": "2e9d74ba318af5a813b79809c8c8ada5def494bc8ff1a00b33ba05bb9d2a9b4d", + "search_line": -1 } ] diff --git a/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json index 393569dc81e..e19a5f192e6 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_backup_disabled/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "SQL DB Instance Backup Disabled", "severity": "MEDIUM", - "line": 6 + "line": 6, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "master-instance", + "searchKey": "google_sql_database_instance[positive1].settings", + "searchValue": "", + "expectedValue": "settings.backup_configuration should be defined and not null", + "actualValue": "settings.backup_configuration is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "9a31b93fa8f464debad6484a5cc9123bfcb41f01b6b4ef41a145e65a1f26eed4", + "search_line": 6 }, { "queryName": "SQL DB Instance Backup Disabled", "severity": "MEDIUM", - "line": 18 + "line": 18, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "master-instance", + "searchKey": "google_sql_database_instance[positive2].settings.backup_configuration", + "searchValue": "", + "expectedValue": "settings.backup_configuration.enabled should be defined and not null", + "actualValue": "settings.backup_configuration.enabled is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "45b53713c4fbddb532132d27e903a667f760388b0b2187dffd1d992cc1c08839", + "search_line": 18 }, { "queryName": "SQL DB Instance Backup Disabled", "severity": "MEDIUM", - "line": 31 + "line": 31, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "master-instance", + "searchKey": "google_sql_database_instance[positive3].settings.backup_configuration.enabled", + "searchValue": "", + "expectedValue": "settings.backup_configuration.enabled should be true", + "actualValue": "settings.backup_configuration.enabled is false", + "issueType": "IncorrectValue", + "similarityID": "608c80865122c01611cbaa84432ead0f4523eca86462ac935fdcf5bb6efc1a6c", + "search_line": 31 } -] \ No newline at end of file +] 
diff --git a/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json index 2806d2b8c15..93bd2c1690e 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible/test/positive_expected_result.json 
@@ -2,21 +2,61 @@ { "queryName": "SQL DB Instance Publicly Accessible", "severity": "CRITICAL", - "line": 6 + "line": 6, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "master-instance", + "searchKey": "google_sql_database_instance[positive1].settings", + "searchValue": "", + "expectedValue": "'ip_configuration' should be defined and allow only trusted networks", + "actualValue": "'ip_configuration' is not defined", + "issueType": "MissingAttribute", + "similarityID": "35cfb2ddf9824ebc2891126425fc8a9437d04aa1fb6333c2af3747a9134db74a", + "search_line": -1 }, { "queryName": "SQL DB Instance Publicly Accessible", "severity": "CRITICAL", - "line": 24 + "line": 24, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-2", + "searchKey": "google_sql_database_instance[positive2].settings.ip_configuration.authorized_networks.value=0.0.0.0/0", + "searchValue": "", + "expectedValue": "'authorized_network' address should be trusted", + "actualValue": "'authorized_network' address is not restricted: '0.0.0.0/0'", + "issueType": "IncorrectValue", + "similarityID": "b637971af6893f22a02c394662b1528c4b0c0b8a1c9410a40b7da0b1c7280148", + "search_line": -1 }, { "queryName": "SQL DB Instance Publicly Accessible", "severity": "CRITICAL", - "line": 41 + "line": 41, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "master-instance", + "searchKey": "google_sql_database_instance[positive3].settings.ip_configuration.ipv4_enabled", + "searchValue": "", + "expectedValue": "'ipv4_enabled' should be disabled and 'private_network' should be defined when there are no authorized networks", + "actualValue": "'ipv4_enabled' is enabled when there are no authorized networks", + "issueType": "IncorrectValue", + "similarityID": "2fbfd21ce3cccc987d7cb7c4ee8c1e8e7f15d3595fc00de20760d3590c6f8adc", + "search_line": -1 }, { "queryName": "SQL DB 
Instance Publicly Accessible", "severity": "CRITICAL", - "line": 56 + "line": 56, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "master-instance", + "searchKey": "google_sql_database_instance[positive4].settings.ip_configuration", + "searchValue": "", + "expectedValue": "'ipv4_enabled' should be disabled and 'private_network' should be defined when there are no authorized networks", + "actualValue": "'private_network' is not defined when there are no authorized networks", + "issueType": "MissingAttribute", + "similarityID": "19ed98b6675f4a4a27f5dd29eb0cb5fbfe55c11bd1e244242aef150ddb03af11", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_contained_database_authentication/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_contained_database_authentication/test/positive_expected_result.json index 420abab1a70..55ccc2569eb 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_contained_database_authentication/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_contained_database_authentication/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Beta - SQL DB Instance With Contained Database Authentication", "severity": "HIGH", - "line": 13 + "line": 13, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'contained database authentication' to 'off'", + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'contained database authentication' to 'on'", + "issueType": "IncorrectValue", + "similarityID": "156d344a70b38cf8882e16297cef6f31c1405b148551504588070fe3cc9cbae6", + "search_line": 13 }, { "queryName": "Beta - SQL DB Instance With Contained Database Authentication", "severity": "HIGH", - "line": 31 + "line": 31, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'contained database authentication' to 'off'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'contained database authentication' to 'on'", + "issueType": "IncorrectValue", + "similarityID": "65e503d4e4f23e7be4e0d12bdd663c7f1a01c47c53a121433dcece8d82770234", + "search_line": 31 } ] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json index e6bd2e4af21..3e53d349294 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json 
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_show_privileges/test/positive_expected_result.json 
@@ -2,26 +2,76 @@ { "queryName": "Beta - SQL DB Instance With Exposed Show Privileges", "severity": "MEDIUM", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_1]", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set 'skip_show_database' to 'on'", + "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "c62a3718506de782e71ee99138f27c9fbc4974063ce592796a00fd3dad482e65", + "search_line": 1 }, { "queryName": "Beta - SQL DB Instance With Exposed Show Privileges", "severity": "MEDIUM", - "line": 14 + "line": 14, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_2].settings", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set 'skip_show_database' to 'on'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "534a40f30df99e1e7eb1f903f3cd6fbd65885439ecb352007bd640fce3fba8e1", + "search_line": 14 }, { "queryName": "Beta - SQL DB Instance With Exposed Show Privileges", "severity": "MEDIUM", - "line": 23 + "line": 23, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_3].settings.database_flags", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should be defined and set 'skip_show_database' to 'on'", + "actualValue": 
"'google_sql_database_instance[positive_3].settings.database_flags' does not set 'skip_show_database'", + "issueType": "MissingAttribute", + "similarityID": "07f92c8b34fdcd0077e2115afd889851191a27b9e1cde3bbed56c8d65536d8c3", + "search_line": 23 }, { "queryName": "Beta - SQL DB Instance With Exposed Show Privileges", "severity": "MEDIUM", - "line": 42 + "line": 42, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should be defined and set 'skip_show_database' to 'on'", + "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'skip_show_database' to 'off'", + "issueType": "IncorrectValue", + "similarityID": "9006bab04dfe6d2d55afa9ba0df348ed265e76ff742a033df8d298f621291f24", + "search_line": 42 }, { "queryName": "Beta - SQL DB Instance With Exposed Show Privileges", "severity": "MEDIUM", - "line": 60 + "line": 60, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set 'skip_show_database' to 'on'", + "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'skip_show_database' to 'off'", + "issueType": "IncorrectValue", + "similarityID": "18c8c7f15dd0a4a6430161301cd6d3f99acac7a57604d1702a3fab02f47eef02", + "search_line": 60 } ] 
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_trace_logs/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_trace_logs/test/positive_expected_result.json index 02d611da5aa..4e78553b18a 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_exposed_trace_logs/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_exposed_trace_logs/test/positive_expected_result.json 
@@ -2,26 +2,76 @@ { "queryName": "Beta - SQL DB Instance With Exposed Trace Logs", "severity": "MEDIUM", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_1]", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set '3625' to 'on'", + "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "c1c075028dc1bded722cbdb67ad999e32f9188561ad81d47dbf605a2d16f70b2", + "search_line": 1 }, { "queryName": "Beta - SQL DB Instance With Exposed Trace Logs", "severity": "MEDIUM", - "line": 14 + "line": 14, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_2].settings", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set '3625' to 'on'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "cca5bfb7186421d97d652230ef85ab2a8d46b34dea26e7fae54be9edd620e944", + "search_line": 14 }, { "queryName": "Beta - SQL DB Instance With Exposed Trace Logs", "severity": "MEDIUM", - "line": 23 + "line": 23, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_3].settings.database_flags", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should be defined and set '3625' to 'on'", + "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' does not set 
'3625'", + "issueType": "MissingAttribute", + "similarityID": "c75aff5169f6640eefbad2a81349360254cb124048be939817ea125b0e0afda9", + "search_line": 23 }, { "queryName": "Beta - SQL DB Instance With Exposed Trace Logs", "severity": "MEDIUM", - "line": 42 + "line": 42, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should be defined and set '3625' to 'on'", + "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets '3625' to 'off'", + "issueType": "IncorrectValue", + "similarityID": "cb866cf0f0f3b541b77868d9710b3d05c13847c8e3f4b2cb85659b65adde4569", + "search_line": 42 }, { "queryName": "Beta - SQL DB Instance With Exposed Trace Logs", "severity": "MEDIUM", - "line": 60 + "line": 60, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set '3625' to 'on'", + "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets '3625' to 'off'", + "issueType": "IncorrectValue", + "similarityID": "e8714ba3d021f455315fea8d7338fa42d86ab82456ab632c9febe3614bb2b009", + "search_line": 60 } ] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_external_scripts_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_external_scripts_enabled/test/positive_expected_result.json index 207109252b2..6388e0940b6 100644 
--- a/assets/queries/terraform/gcp/sql_db_instance_with_external_scripts_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_external_scripts_enabled/test/positive_expected_result.json @@ -2,11 +2,31 @@ { "queryName": "Beta - SQL DB Instance With External Scripts Enabled", "severity": "HIGH", - "line": 13 + "line": 13, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'external scripts enabled' to 'off'", + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'external scripts enabled' to 'on'", + "issueType": "IncorrectValue", + "similarityID": "c6eeb73e91a27d027623ba463b84cebea474d424aefe8282ed775176653e8cf6", + "search_line": 13 }, { "queryName": "Beta - SQL DB Instance With External Scripts Enabled", "severity": "HIGH", - "line": 31 + "line": 31, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'external scripts enabled' to 'off'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'external scripts enabled' to 'on'", + "issueType": "IncorrectValue", + "similarityID": "3f444eafef0f623484951980bd16be912186e7d7513647551dd0f5e3fa46ddce", + "search_line": 31 } ] 
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_global_user_options/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_global_user_options/test/positive_expected_result.json index b435c637f0e..5a2de13ac7c 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_global_user_options/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_global_user_options/test/positive_expected_result.json @@ -2,11 +2,31 @@ { "queryName": "Beta - SQL DB Instance With Global User Options", "severity": "MEDIUM", - "line": 13 + "line": 13, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'user options' to '0'", + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'user options' to '32'", + "issueType": "IncorrectValue", + "similarityID": "6765a6f6c8360d74e4ca0b2ecd13dcdbd671f0b3aa9b6f579bf643d75621755a", + "search_line": 13 }, { "queryName": "Beta - SQL DB Instance With Global User Options", "severity": "MEDIUM", - "line": 31 + "line": 31, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'user options' to '0'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'user options' to '16'", + "issueType": "IncorrectValue", + "similarityID": "5dd11874f46102af86df8a38706299d69d29ec5c5fa87fdd29cec027f06d8bd3", + "search_line": 31 } ] 
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_limited_user_connections/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_limited_user_connections/test/positive_expected_result.json index 169c9cccca4..e7ae279359c 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_limited_user_connections/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_limited_user_connections/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Beta - SQL DB Instance With Limited User Connections", "severity": "MEDIUM", - "line": 13 + "line": 13, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set 'user connections' to '0'", + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'user connections' to '1001'", + "issueType": "IncorrectValue", + "similarityID": "de80c980595a9b202c85841c239867b93ede33b692ed7642a37c447d637747ff", + "search_line": 13 }, { "queryName": "Beta - SQL DB Instance With Limited User Connections", "severity": "MEDIUM", - "line": 31 + "line": 31, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set 'user connections' to '0'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'user connections' to '1000'", + "issueType": "IncorrectValue", + "similarityID": "623979e667f1e160e25f491e228b44c669808a86e3dae3fa80ded1d004f05afb", + "search_line": 31 } ] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json index 162410cf2b9..b80584feb8d 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json 
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json 
@@ -2,26 +2,76 @@ { "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled", "severity": "MEDIUM", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_1]", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set 'local_infile' to 'off'", + "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "5a8d225ab2a5c7635abe3ea16676c271479914bd721a74b3fe95c65524fdf9a2", + "search_line": 1 }, { "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled", "severity": "MEDIUM", - "line": 14 + "line": 14, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_2].settings", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set 'local_infile' to 'off'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "f28293753e65f4c3f6e1df35feec1e62df5d85cd93d2e54a5e08ba5b0ddd1faf", + "search_line": 14 }, { "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled", "severity": "MEDIUM", - "line": 23 + "line": 23, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_3].settings.database_flags", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should be defined and set 'local_infile' to 'off'", + "actualValue": 
"'google_sql_database_instance[positive_3].settings.database_flags' does not set 'local_infile'", + "issueType": "MissingAttribute", + "similarityID": "851307e613eb936ecd3f0327de1e8079040e872c482d5fdcfe65b81e288be3ff", + "search_line": 23 }, { "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled", "severity": "MEDIUM", - "line": 42 + "line": 42, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should be defined and set 'local_infile' to 'off'", + "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'local_infile' to 'on'", + "issueType": "IncorrectValue", + "similarityID": "9b72a057f1dbc3d191ed57e57469eeb0d79f6616aee4c48a1803452392011210", + "search_line": 42 }, { "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled", "severity": "MEDIUM", - "line": 60 + "line": 60, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set 'local_infile' to 'off'", + "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'local_infile' to 'on'", + "issueType": "IncorrectValue", + "similarityID": "23a4c541b2fe7726b310370cb3e7050dbe6045f9c7672b81050ce98febdd6802", + "search_line": 60 } ] 
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_minimum_log_duration/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_minimum_log_duration/test/positive_expected_result.json index 3838bb1e30e..b3a004f9cda 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_minimum_log_duration/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_minimum_log_duration/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Beta - SQL DB Instance With Minimum Log Duration", "severity": "MEDIUM", - "line": 13 + "line": 13, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'log_min_duration_statement' to '-1'", + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'log_min_duration_statement' to '2'", + "issueType": "IncorrectValue", + "similarityID": "a965825e8c79811338f749241abce59eeb08933bdb1467b0e4134c0e980b778b", + "search_line": 13 }, { "queryName": "Beta - SQL DB Instance With Minimum Log Duration", "severity": "MEDIUM", - "line": 31 + "line": 31, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'log_min_duration_statement' to '-1'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'log_min_duration_statement' to '3'", + "issueType": "IncorrectValue", + "similarityID": "32ee7ad2e11af071aa31a594ff5acecfe7cc6513ae25b6ec72375d04116f89fe", + "search_line": 31 } ] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive_expected_result.json index 794a4aa3bf3..3a35615b070 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive_expected_result.json 
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive_expected_result.json @@ -2,11 +2,31 @@ { "queryName": "Beta - SQL DB Instance With Ownership Chaining Enabled", "severity": "MEDIUM", - "line": 13 + "line": 13, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'cross db ownership chaining' to 'off'", + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'cross db ownership chaining' to 'on'", + "issueType": "IncorrectValue", + "similarityID": "8fb1f70e064bc03e9f72d698c0a69520de6a45d868b7183b3e6569f2f7a8646d", + "search_line": 13 }, { "queryName": "Beta - SQL DB Instance With Ownership Chaining Enabled", "severity": "MEDIUM", - "line": 31 + "line": 31, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'cross db ownership chaining' to 'off'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'cross db ownership chaining' to 'on'", + "issueType": "IncorrectValue", + "similarityID": "2712cdf3d554bf9d9d7b9daa4681d50695b606767d3d4553e94e584521b8be4b", + "search_line": 31 } ] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_remote_access_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_remote_access_enabled/test/positive_expected_result.json index 65ddff52d04..364b8df6514 100644 
--- a/assets/queries/terraform/gcp/sql_db_instance_with_remote_access_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_remote_access_enabled/test/positive_expected_result.json 
@@ -2,26 +2,76 @@ { "queryName": "Beta - SQL DB Instance With Remote Access Enabled", "severity": "HIGH", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_1]", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set 'remote access' to 'off'", + "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "f7a114245a005dbbf84224241b6ed30dfe871c8f81ad61d90e47081cf7f0343b", + "search_line": 1 }, { "queryName": "Beta - SQL DB Instance With Remote Access Enabled", "severity": "HIGH", - "line": 14 + "line": 14, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_2].settings", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set 'remote access' to 'off'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "78881bd1513e38d01db5771db3629f0d7bcb4ee14223f61df99d68bdbf8f79d4", + "search_line": 14 }, { "queryName": "Beta - SQL DB Instance With Remote Access Enabled", "severity": "HIGH", - "line": 23 + "line": 23, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_3].settings.database_flags", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should be defined and set 'remote access' to 'off'", + "actualValue": 
"'google_sql_database_instance[positive_3].settings.database_flags' does not set 'remote access'", + "issueType": "MissingAttribute", + "similarityID": "20e662aa13e1ee768c1701138983b143d57d19d52c1ca858e2dadd0287e1cb91", + "search_line": 23 }, { "queryName": "Beta - SQL DB Instance With Remote Access Enabled", "severity": "HIGH", - "line": 42 + "line": 42, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should be defined and set 'remote access' to 'off'", + "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'remote access' to 'on'", + "issueType": "IncorrectValue", + "similarityID": "9d8b3fc67248681fb92fbb257483dfbe354294681eaddf6f0daeff8b12c46f16", + "search_line": 42 }, { "queryName": "Beta - SQL DB Instance With Remote Access Enabled", "severity": "HIGH", - "line": 60 + "line": 60, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "sqlserver-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set 'remote access' to 'off'", + "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'remote access' to 'on'", + "issueType": "IncorrectValue", + "similarityID": "96afaddd946a3a3573bf02f91cdb86bb22106f2b94dda2a37f93b2a6cd34de6d", + "search_line": 60 } ] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json index 842962c52cb..e988942e862 100644 
--- a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", - "line": 9 + "line": 9, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "positive1", + "searchKey": "google_sql_database_instance[positive1].settings", + "searchValue": "", + "expectedValue": "'settings.ip_configuration' should be defined and not null", + "actualValue": "'settings.ip_configuration' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "4850f248b2bf65bb85411bac8c0da5ba22c04919ebcd1ffb1321503deb8cf95a", + "search_line": 9 }, { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", - "line": 24 + "line": 24, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "positive2", + "searchKey": "google_sql_database_instance[positive2].settings.ip_configuration", + "searchValue": "", + "expectedValue": "'settings.ip_configuration.require_ssl' should be defined and not null", + "actualValue": "'settings.ip_configuration.require_ssl' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "a2484b8eeffaadf00605baac98810024e46605e3ee1c4eef3c3b5e45f0af2e61", + "search_line": 24 }, { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", - "line": 44 + "line": 44, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "positive3", + "searchKey": "google_sql_database_instance[positive3].settings.ip_configuration.require_ssl", + "searchValue": "", + "expectedValue": "'settings.ip_configuration.require_ssl' should be true", + "actualValue": "'settings.ip_configuration.require_ssl' is false", + "issueType": "IncorrectValue", + "similarityID": "642a1708b53cd497a669ffcbae2fe4beb2f777ec802b15c8efb1bca5cd54217a", + "search_line": 44 } ] 
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_error_logging_threshold/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_error_logging_threshold/test/positive_expected_result.json index d80d2459e37..0d46c0c79c9 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_error_logging_threshold/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_error_logging_threshold/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "Beta - SQL DB Instance With Unrecommended Error Logging Threshold", "severity": "LOW", - "line": 13 + "line": 13, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'log_min_error_statement' to 'ERROR' or a higher severity", + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'log_min_error_statement' to 'NOTICE'", + "issueType": "IncorrectValue", + "similarityID": "2794d691c32db02970883f1b1e53032f4f735a6bfb9adf757b65675a8d0894e1", + "search_line": 13 }, { "queryName": "Beta - SQL DB Instance With Unrecommended Error Logging Threshold", "severity": "LOW", - "line": 31 + "line": 31, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'log_min_error_statement' to 'ERROR' or a higher severity", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'log_min_error_statement' to 'DEBUG5'", + "issueType": "IncorrectValue", + "similarityID": "9ebe705adbf7830502f70df585315ff1bb5cbdee170070c94524663236173156", + "search_line": 31 }, { "queryName": "Beta - SQL DB Instance With Unrecommended Error Logging Threshold", "severity": "LOW", - "line": 44 + "line": 44, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_3].settings.database_flags.name", + "searchValue": "", + 
"expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should set 'log_min_error_statement' to 'ERROR' or a higher severity", + "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' sets 'log_min_error_statement' to 'DEBUG4'", + "issueType": "IncorrectValue", + "similarityID": "76a5f866b13c06ce16da7c0a6a63beca2310bf48d928f045b911b8884886ed78", + "search_line": 44 } ] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive_expected_result.json index 970ae9b2077..1717303cb52 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "Beta - SQL DB Instance With Unrecommended Logging Threshold", "severity": "LOW", - "line": 13 + "line": 13, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_1].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should set 'log_min_messages' to 'WARNING' or a higher severity", + "actualValue": "'google_sql_database_instance[positive_1].settings.database_flags' sets 'log_min_messages' to 'NOTICE'", + "issueType": "IncorrectValue", + "similarityID": "1d23cb7d94c760ee9f9e048dfacba96b99321bba188a6cda97a4acf4bfef3e93", + "search_line": 13 }, { "queryName": "Beta - SQL DB Instance With Unrecommended Logging Threshold", "severity": "LOW", - "line": 31 + "line": 31, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_2].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should set 'log_min_messages' to 'WARNING' or a higher severity", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' sets 'log_min_messages' to 'DEBUG5'", + "issueType": "IncorrectValue", + "similarityID": "b7eccedb9abeb77cda5ebb51500e1c89a6d1f4b90148e26730fd1ed3ef81a233", + "search_line": 31 }, { "queryName": "Beta - SQL DB Instance With Unrecommended Logging Threshold", "severity": "LOW", - "line": 44 + "line": 44, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_3].settings.database_flags.name", + "searchValue": "", + "expectedValue": 
"'google_sql_database_instance[positive_3].settings.database_flags' should set 'log_min_messages' to 'WARNING' or a higher severity", + "actualValue": "'google_sql_database_instance[positive_3].settings.database_flags' sets 'log_min_messages' to 'INFO'", + "issueType": "IncorrectValue", + "similarityID": "92b2af82e22164bec7481589dfc958cdb86c2871bb1ecc6741fe4ba3c130dc97", + "search_line": 44 } ] diff --git a/assets/queries/terraform/gcp/sql_db_instance_without_centralized_logging/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_without_centralized_logging/test/positive_expected_result.json index 097504c3cca..08c3893125b 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_without_centralized_logging/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_without_centralized_logging/test/positive_expected_result.json 
@@ -2,26 +2,76 @@ { "queryName": "Beta - SQL DB Instance Without Centralized Logging", "severity": "LOW", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_1]", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set 'cloudsql.enable_pgaudit' to 'on'", + "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "a128eceee75c4669c2dc44bfc767d323a01289b081c2952113979fae21202e79", + "search_line": 1 }, { "queryName": "Beta - SQL DB Instance Without Centralized Logging", "severity": "LOW", - "line": 14 + "line": 14, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_2].settings", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set 'cloudsql.enable_pgaudit' to 'on'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "831791e5156e33098db48b4eee6d58173a94a8bc387d11d63ff7e6db0ab5f25c", + "search_line": 14 }, { "queryName": "Beta - SQL DB Instance Without Centralized Logging", "severity": "LOW", - "line": 23 + "line": 23, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_3].settings.database_flags", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should set 'cloudsql.enable_pgaudit' to 'on'", + "actualValue": 
"'google_sql_database_instance[positive_3].settings.database_flags' does not set 'cloudsql.enable_pgaudit'", + "issueType": "MissingAttribute", + "similarityID": "1fcfeac4ad5944357b4f7423d472aa5606f1e374eb8bc157cd2cd9990bdf5909", + "search_line": 23 }, { "queryName": "Beta - SQL DB Instance Without Centralized Logging", "severity": "LOW", - "line": 42 + "line": 42, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should set 'cloudsql.enable_pgaudit' to 'on'", + "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'cloudsql.enable_pgaudit' to 'off'", + "issueType": "IncorrectValue", + "similarityID": "0012c9e50fb8baa6ea87fc02acdd18c4e0970de2ee239764165c42dd12250b74", + "search_line": 42 }, { "queryName": "Beta - SQL DB Instance Without Centralized Logging", "severity": "LOW", - "line": 60 + "line": 60, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should set 'cloudsql.enable_pgaudit' to 'on'", + "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'cloudsql.enable_pgaudit' to 'off'", + "issueType": "IncorrectValue", + "similarityID": "6d9c8fc01ed816baa29709bc420deb15dff2f487dde107c6fe99296ea4c8f68a", + "search_line": 60 } ] 
diff --git a/assets/queries/terraform/gcp/sql_db_instance_without_connections_logging/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_without_connections_logging/test/positive_expected_result.json index 35ce66f2aee..248bbb82bf8 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_without_connections_logging/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_without_connections_logging/test/positive_expected_result.json 
@@ -2,26 +2,76 @@ { "queryName": "Beta - SQL DB Instance Without Connections Logging", "severity": "MEDIUM", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_1]", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set 'log_connections' to 'on'", + "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "bc644467b7376333fd8a343768ef329efc937bcefba3d844a3838cb027549ef5", + "search_line": 1 }, { "queryName": "Beta - SQL DB Instance Without Connections Logging", "severity": "MEDIUM", - "line": 14 + "line": 14, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_2].settings", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set 'log_connections' to 'on'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "771c3219238b4c2c1d4d19f4fdef87aeef6a37a92bef2ea3daf62e6a89598553", + "search_line": 14 }, { "queryName": "Beta - SQL DB Instance Without Connections Logging", "severity": "MEDIUM", - "line": 23 + "line": 23, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_3].settings.database_flags", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should be defined and set 'log_connections' to 'on'", + "actualValue": 
"'google_sql_database_instance[positive_3].settings.database_flags' does not set 'log_connections'", + "issueType": "MissingAttribute", + "similarityID": "356cc595ba764d9fc828229d22fbb2fefa947a191a1e108d01ca1973fcb0d45a", + "search_line": 23 }, { "queryName": "Beta - SQL DB Instance Without Connections Logging", "severity": "MEDIUM", - "line": 42 + "line": 42, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should be defined and set 'log_connections' to 'on'", + "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'log_connections' to 'off'", + "issueType": "IncorrectValue", + "similarityID": "779dd59784e24e131cb413fab1cd90d09d21372b6df654589120b2d8b7ab2f48", + "search_line": 42 }, { "queryName": "Beta - SQL DB Instance Without Connections Logging", "severity": "MEDIUM", - "line": 60 + "line": 60, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set 'log_connections' to 'on'", + "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'log_connections' to 'off'", + "issueType": "IncorrectValue", + "similarityID": "826c790a4ebbb48eabcafa2d92963e64fd9017bf13ff02b29a598d14ae78a9af", + "search_line": 60 } ] 
diff --git a/assets/queries/terraform/gcp/sql_db_instance_without_disconnections_logging/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_without_disconnections_logging/test/positive_expected_result.json index bc25ddc5352..314f27606a8 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_without_disconnections_logging/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_without_disconnections_logging/test/positive_expected_result.json 
@@ -2,26 +2,76 @@ { "queryName": "Beta - SQL DB Instance Without Disconnections Logging", "severity": "MEDIUM", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "mysql-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_1]", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_1].settings.database_flags' should be defined and set 'log_disconnections' to 'on'", + "actualValue": "'google_sql_database_instance[positive_1].settings' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "ccb5f58fd081e4b7e02f6493c18e1a2b586766582270e39227f2f5da0aeaa0af", + "search_line": 1 }, { "queryName": "Beta - SQL DB Instance Without Disconnections Logging", "severity": "MEDIUM", - "line": 14 + "line": 14, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_2].settings", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_2].settings.database_flags' should be defined and set 'log_disconnections' to 'on'", + "actualValue": "'google_sql_database_instance[positive_2].settings.database_flags' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "1f75dbf9609f3c52d4fc7ad45e21fddde9546fa9652a023ca5b53dfde5d2e68e", + "search_line": 14 }, { "queryName": "Beta - SQL DB Instance Without Disconnections Logging", "severity": "MEDIUM", - "line": 23 + "line": 23, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-without-flag", + "searchKey": "google_sql_database_instance[positive_3].settings.database_flags", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_3].settings.database_flags' should be defined and set 'log_disconnections' to 'on'", + "actualValue": 
"'google_sql_database_instance[positive_3].settings.database_flags' does not set 'log_disconnections'", + "issueType": "MissingAttribute", + "similarityID": "b9c706c5ac8fc6b3a12d7c488887fea16bd443b2ae7c109db1410b84ab0b931f", + "search_line": 23 }, { "queryName": "Beta - SQL DB Instance Without Disconnections Logging", "severity": "MEDIUM", - "line": 42 + "line": 42, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_4].settings.database_flags[1].name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_4].settings.database_flags' should be defined and set 'log_disconnections' to 'on'", + "actualValue": "'google_sql_database_instance[positive_4].settings.database_flags' sets 'log_disconnections' to 'off'", + "issueType": "IncorrectValue", + "similarityID": "a0138d02176dd45aa30a72961737c728cd269a047da43a28a4661c310b761730", + "search_line": 42 }, { "queryName": "Beta - SQL DB Instance Without Disconnections Logging", "severity": "MEDIUM", - "line": 60 + "line": 60, + "fileName": "positive.tf", + "resourceType": "google_sql_database_instance", + "resourceName": "postgres-instance-with-flag", + "searchKey": "google_sql_database_instance[positive_5].settings.database_flags.name", + "searchValue": "", + "expectedValue": "'google_sql_database_instance[positive_5].settings.database_flags' should be defined and set 'log_disconnections' to 'on'", + "actualValue": "'google_sql_database_instance[positive_5].settings.database_flags' sets 'log_disconnections' to 'off'", + "issueType": "IncorrectValue", + "similarityID": "a06f3987eba663c5370a6c157806b18e8a459726f638a49629e8184ac4a30f11", + "search_line": 60 } ] 
diff --git a/assets/queries/terraform/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json b/assets/queries/terraform/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json
index 20101062af0..36a15041a15 100644
--- a/assets/queries/terraform/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/ssh_access_is_not_restricted/test/positive_expected_result.json
@@ -2,16 +2,46 @@
 {
 "queryName": "SSH Access Is Not Restricted",
 "severity": "MEDIUM",
- "line": 13
+ "line": 13,
+ "fileName": "positive.tf",
+ "resourceType": "google_compute_firewall",
+ "resourceName": "test-firewall",
+ "searchKey": "google_compute_firewall[positive1].allow.ports=22",
+ "searchValue": "",
+ "expectedValue": "'google_compute_firewall[positive1].allow.ports' should not include SSH port 22",
+ "actualValue": "'google_compute_firewall[positive1].allow.ports' includes SSH port 22",
+ "issueType": "IncorrectValue",
+ "similarityID": "68acb4681a995b517da6c7efbb65aa07f22af9060ea0c46dc1162eb3c06cf4a6",
+ "search_line": -1
 },
 {
 "queryName": "SSH Access Is Not Restricted",
 "severity": "MEDIUM",
- "line": 31
+ "line": 31,
+ "fileName": "positive.tf",
+ "resourceType": "google_compute_firewall",
+ "resourceName": "test-firewall",
+ "searchKey": "google_compute_firewall[positive2].allow.ports=21-3390",
+ "searchValue": "",
+ "expectedValue": "'google_compute_firewall[positive2].allow.ports' should not include SSH port 22",
+ "actualValue": "'google_compute_firewall[positive2].allow.ports' includes SSH port 22",
+ "issueType": "IncorrectValue",
+ "similarityID": "6d541b8ff1a18d25310917a5f64da087f17b4372b00afcab2b6f215751ed5d5c",
+ "search_line": -1
 },
 {
 "queryName": "SSH Access Is Not Restricted",
 "severity": "MEDIUM",
- "line": 43
+ "line": 43,
+ "fileName": "positive.tf",
+ "resourceType": "google_compute_firewall",
+ "resourceName": "test-firewall",
+ "searchKey": "google_compute_firewall[positive3].allow.ports=0-65535",
+ "searchValue": "",
+ "expectedValue": "'google_compute_firewall[positive3].allow.ports' should not include SSH port 22",
+ "actualValue": "'google_compute_firewall[positive3].allow.ports' includes SSH port 22",
+ "issueType": "IncorrectValue",
+ "similarityID": "abfd86322dd388e1910cf5b762d19341f4b6e54dfc6d580cd8f72647091fdb6f",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/terraform/gcp/stackdriver_logging_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/stackdriver_logging_disabled/test/positive_expected_result.json
index 6977ed3614c..7184c99a25f 100644
--- a/assets/queries/terraform/gcp/stackdriver_logging_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/stackdriver_logging_disabled/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Stackdriver Logging Disabled",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive.tf"
+ "fileName": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive1].logging_service",
+ "searchValue": "",
+ "expectedValue": "Attribute 'logging_service' should be undefined or 'logging.googleapis.com/kubernetes'",
+ "actualValue": "Attribute 'logging_service' is 'none'",
+ "issueType": "IncorrectValue",
+ "similarityID": "5cdce7aa4018948518a4a98ffdfc4dbcbf3f5d5e8056107eebafbd4eabef185d",
+ "search_line": -1
 },
 {
 "queryName": "Stackdriver Logging Disabled",
 "severity": "MEDIUM",
 "line": 18,
- "fileName": "positive.tf"
+ "fileName": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive2].logging_service",
+ "searchValue": "",
+ "expectedValue": "Attribute 'logging_service' should be undefined or 'logging.googleapis.com/kubernetes'",
+ "actualValue": "Attribute 'logging_service' is 'logging.googleapis.com'",
+ "issueType": "IncorrectValue",
+ "similarityID": "8a2a3fed4ae67bd0d8db4120d7b4f558ce142447da54c64250a37efa54173553",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json
index c36541dc9e3..4e65f77aa57 100644
--- a/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/stackdriver_monitoring_disabled/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "Stackdriver Monitoring Disabled",
 "severity": "MEDIUM",
 "line": 6,
- "fileName": "positive.tf"
+ "fileName": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive1].monitoring_service",
+ "searchValue": "",
+ "expectedValue": "Attribute 'monitoring_service' should be undefined or 'monitoring.googleapis.com/kubernetes'",
+ "actualValue": "Attribute 'monitoring_service' is 'none'",
+ "issueType": "IncorrectValue",
+ "similarityID": "2344e0c5254fa61a734133a9414a49b3aad63c6dce754c8761e0769b09510d04",
+ "search_line": -1
 },
 {
 "queryName": "Stackdriver Monitoring Disabled",
 "severity": "MEDIUM",
 "line": 18,
- "fileName": "positive.tf"
+ "fileName": "positive.tf",
+ "resourceType": "google_container_cluster",
+ "resourceName": "marcellus-wallace",
+ "searchKey": "google_container_cluster[positive2].monitoring_service",
+ "searchValue": "",
+ "expectedValue": "Attribute 'monitoring_service' should be undefined or 'monitoring.googleapis.com/kubernetes'",
+ "actualValue": "Attribute 'monitoring_service' is 'monitoring.googleapis.com'",
+ "issueType": "IncorrectValue",
+ "similarityID": "0bd6b2211966ed57163d3255341910cdd92b6674580ec8ddfd7df02d5dac69d3",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/gcp/user_with_iam_role/test/positive_expected_result.json b/assets/queries/terraform/gcp/user_with_iam_role/test/positive_expected_result.json
index aeb24e47caa..8fbd2e0b8f1 100644
--- a/assets/queries/terraform/gcp/user_with_iam_role/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/user_with_iam_role/test/positive_expected_result.json
@@ -3,18 +3,45 @@
 "queryName": "User with IAM Role",
 "severity": "LOW",
 "line": 3,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "google_iam_policy",
+ "resourceName": "positive",
+ "searchKey": "google_iam_policy[positive].binding.role",
+ "searchValue": "",
+ "expectedValue": "google_iam_policy[positive].binding.role should not be set",
+ "actualValue": "google_iam_policy[positive].binding.role is set",
+ "issueType": "IncorrectValue",
+ "similarityID": "6acb11d58803f62abb8b7329357c88123c51ff656d6e9c16244c9a25440fd286",
+ "search_line": -1
 },
 {
 "queryName": "User with IAM Role",
 "severity": "LOW",
 "line": 3,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "google_project_iam_binding",
+ "resourceName": "positive2",
+ "searchKey": "google_project_iam_binding[positive2].role",
+ "searchValue": "",
+ "expectedValue": "google_project_iam_binding[positive2].role should not be set",
+ "actualValue": "google_project_iam_binding[positive2].role is set",
+ "issueType": "IncorrectValue",
+ "similarityID": "4fed7bdda171a2f33efa3fb3282195a54d287f13b02793ee54af7abf586b70b7",
+ "search_line": 3
 },
 {
 "queryName": "User with IAM Role",
 "severity": "LOW",
 "line": 18,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "google_project_iam_member",
+ "resourceName": "positive3",
+ "searchKey": "google_project_iam_member[positive3].role",
+ "searchValue": "",
+ "expectedValue": "google_project_iam_member[positive3].role should not be set",
+ "actualValue": "google_project_iam_member[positive3].role is set",
+ "issueType": "IncorrectValue",
+ "similarityID": "7c2098121d8e979366376c7e3e04c449fe018ea8bda552efd51ebb3c4551bc3e",
+ "search_line": 18
 }
 ]
diff --git a/assets/queries/terraform/gcp/using_default_service_account/test/positive_expected_result.json b/assets/queries/terraform/gcp/using_default_service_account/test/positive_expected_result.json
index 1b71e217068..78701bfd5d3 100644
--- a/assets/queries/terraform/gcp/using_default_service_account/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/using_default_service_account/test/positive_expected_result.json
@@ -1,27 +1,77 @@ [ - { - "queryName": "Using Default Service Account", - "severity": "MEDIUM", - "line": 2 - }, - { - "queryName": "Using Default Service Account", - "severity": "MEDIUM", - "line": 46 - }, - { - "queryName": "Using Default Service Account", - "severity": "MEDIUM", - "line": 73 - }, - { - "queryName": "Using Default Service Account", - "severity": "MEDIUM", - "line": 100 - }, - { - "queryName": "Using Default Service Account", - "severity": "MEDIUM", - "line": 127 - } + { + "queryName": "Using Default Service Account", + "severity": "MEDIUM", + "line": 2, + "fileName": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "test", + "searchKey": "google_compute_instance[positive1]", + "searchValue": "", + "expectedValue": "'google_compute_instance[positive1].service_account' should be defined and not null", + "actualValue": "'google_compute_instance[positive1].service_account' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "44e877b5be25795e989eee62b617f6ea9b69f6d778c616a3425def14ddc75c2a", + "search_line": -1 + }, + { + "queryName": "Using Default Service Account", + "severity": "MEDIUM", + "line": 46, + "fileName": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "test", + "searchKey": "google_compute_instance[positive2].service_account", + "searchValue": "", + "expectedValue": "'google_compute_instance[positive2].service_account.email' should be defined and not null", + "actualValue": "'google_compute_instance[positive2].service_account.email' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "0fb1ee2fcedaa3257c22d75a01843dbacd1cc70bb98a6321671dfcdf83738064", + "search_line": -1 + }, + { + "queryName": "Using Default Service Account", + "severity": "MEDIUM", + "line": 73, + "fileName": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "test", + "searchKey": 
"google_compute_instance[positive3].service_account.email", + "searchValue": "", + "expectedValue": "'google_compute_instance[positive3].service_account.email' should not be empty", + "actualValue": "'google_compute_instance[positive3].service_account.email' is empty", + "issueType": "IncorrectValue", + "similarityID": "447ef9aadfd2f0a18138bc046615ca285fc4b8e630892fc6da7aaf734d4a58bf", + "search_line": -1 + }, + { + "queryName": "Using Default Service Account", + "severity": "MEDIUM", + "line": 100, + "fileName": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "test", + "searchKey": "google_compute_instance[positive4].service_account.email", + "searchValue": "", + "expectedValue": "'google_compute_instance[positive4].service_account.email' should not be an email", + "actualValue": "'google_compute_instance[positive4].service_account.email' is an email", + "issueType": "IncorrectValue", + "similarityID": "e6238f62e1ab2c6872cd70f360446dbdfa40ca942105aab8a18c2271bf3660da", + "search_line": -1 + }, + { + "queryName": "Using Default Service Account", + "severity": "MEDIUM", + "line": 127, + "fileName": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "test", + "searchKey": "google_compute_instance[positive5].service_account.email", + "searchValue": "", + "expectedValue": "'google_compute_instance[positive5].service_account.email' should not be a default Google Compute Engine service account", + "actualValue": "'google_compute_instance[positive5].service_account.email' is a default Google Compute Engine service account", + "issueType": "IncorrectValue", + "similarityID": "2595ce2a7bd3eea2b3c708e6275176ed4ba2636211a3e55f9779802303fd1cef", + "search_line": -1 + } ] 
diff --git a/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/test/positive_expected_result.json b/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/test/positive_expected_result.json
index ff4d783bffd..c5079f82761 100644
--- a/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances/test/positive_expected_result.json
@@ -1,17 +1,47 @@ [ - { - "queryName": "Serial Ports Are Enabled For VM Instances", - "severity": "MEDIUM", - "line": 26 - }, - { - "queryName": "Serial Ports Are Enabled For VM Instances", - "severity": "MEDIUM", - "line": 38 - }, - { - "queryName": "Serial Ports Are Enabled For VM Instances", - "severity": "MEDIUM", - "line": 44 - } + { + "queryName": "Serial Ports Are Enabled For VM Instances", + "severity": "MEDIUM", + "line": 26, + "fileName": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "test", + "searchKey": "google_compute_instance[positive1].metadata.serial-port-enable", + "searchValue": "", + "expectedValue": "google_compute_instance[positive1].metadata.serial-port-enable should be set to false or undefined", + "actualValue": "google_compute_instance[positive1].metadata.serial-port-enable is true", + "issueType": "IncorrectValue", + "similarityID": "c9c86d13770d795fbbef91d238cb07701951c8919df1112b95b7e7f35c02f343", + "search_line": -1 + }, + { + "queryName": "Serial Ports Are Enabled For VM Instances", + "severity": "MEDIUM", + "line": 38, + "fileName": "positive.tf", + "resourceType": "google_compute_project_metadata", + "resourceName": "positive2", + "searchKey": "google_compute_project_metadata[positive2].metadata.serial-port-enable", + "searchValue": "", + "expectedValue": "google_compute_project_metadata[positive2].metadata.serial-port-enable should be set to false or undefined", + "actualValue": "google_compute_project_metadata[positive2].metadata.serial-port-enable is true", + "issueType": "IncorrectValue", + "similarityID": "82e965959c37d4aeadac8e9748012c8849c5bb36231f25f9304d6da768e153d2", + "search_line": -1 + }, + { + "queryName": "Serial Ports Are Enabled For VM Instances", + "severity": "MEDIUM", + "line": 44, + "fileName": "positive.tf", + "resourceType": "google_compute_project_metadata_item", + "resourceName": "positive3", + "searchKey": "google_compute_project_metadata_item[positive3].value", + 
"searchValue": "", + "expectedValue": "google_compute_project_metadata[positive3].value should be set to false", + "actualValue": "google_compute_project_metadata[positive3].value is true", + "issueType": "IncorrectValue", + "similarityID": "97550b5c00fbe572679c16c5d41e56ac83e4ff8a311e6b9e17555473f094e192", + "search_line": -1 + } ] diff --git a/assets/queries/terraform/gcp/vm_with_full_cloud_access/test/positive_expected_result.json b/assets/queries/terraform/gcp/vm_with_full_cloud_access/test/positive_expected_result.json index ccabae58b6c..f2f1462df04 100644 --- a/assets/queries/terraform/gcp/vm_with_full_cloud_access/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/vm_with_full_cloud_access/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "VM With Full Cloud Access", "severity": "MEDIUM", - "line": 20 + "line": 20, + "fileName": "positive.tf", + "resourceType": "google_compute_instance", + "resourceName": "test", + "searchKey": "google_compute_instance[positive1].service_account.scopes", + "searchValue": "", + "expectedValue": "'service_account.scopes' should not contain 'cloud-platform'", + "actualValue": "'service_account.scopes' contains 'cloud-platform'", + "issueType": "IncorrectValue", + "similarityID": "4a1fd1326b99fef16793f753ca82f9079e7135a3187148d934322e2a8290a439", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/gcp_bom/dataflow/test/positive_expected_result.json b/assets/queries/terraform/gcp_bom/dataflow/test/positive_expected_result.json index 2af3f798c94..54180170ef6 100644 --- a/assets/queries/terraform/gcp_bom/dataflow/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp_bom/dataflow/test/positive_expected_result.json 
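Review bot: The positive3 entry of this hunk pins an `expectedValue`/`actualValue` pair that names `google_compute_project_metadata[positive3].value`, while the same entry's `resourceType` and `searchKey` point at `google_compute_project_metadata_item[positive3].value`. Because this fixture is regenerated from scanner output, the mismatch presumably originates in the query's message text rather than in the generator, but the commit now locks the inconsistent wording into the expected results. Correcting the message at its source (outside this diff) and regenerating this file would keep the recorded finding consistent with the resource it actually reports on; the other entries in this hunk are internally consistent.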
@@ -1,14 +1,32 @@
 [
- {
- "queryName": "BOM - GCP Dataflow",
- "severity": "TRACE",
- "line": 1,
- "fileName": "positive.tf"
- },
- {
- "queryName": "BOM - GCP Dataflow",
- "severity": "TRACE",
- "line": 17,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "BOM - GCP Dataflow",
+ "severity": "TRACE",
+ "line": 1,
+ "fileName": "positive.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "google_dataflow_job[pubsub_stream]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials",
+ "similarityID": "622447c94949e17cea33d190d7d5e892121993254e1035e2e3f7398777b6f320",
+ "search_line": 1
+ },
+ {
+ "queryName": "BOM - GCP Dataflow",
+ "severity": "TRACE",
+ "line": 17,
+ "fileName": "positive.tf",
+ "resourceType": "",
+ "resourceName": "",
+ "searchKey": "google_dataflow_job[pubsub_stream2]",
+ "searchValue": "",
+ "expectedValue": "",
+ "actualValue": "",
+ "issueType": "BillOfMaterials",
+ "similarityID": "83ace12a4c1e05f315f3b6b573037828ad82c758f2ca129431a91fc8e07fc5a4",
+ "search_line": 17
+ }
 ]
diff --git a/assets/queries/terraform/gcp_bom/fi/test/positive_expected_result.json b/assets/queries/terraform/gcp_bom/fi/test/positive_expected_result.json
index a404cecf273..32b9a2f56e4 100644
--- a/assets/queries/terraform/gcp_bom/fi/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp_bom/fi/test/positive_expected_result.json
@@ -1,20 +1,47 @@ [ - { - "queryName": "BOM - GCP FI", - "severity": "TRACE", - "line": 1, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP FI", - "severity": "TRACE", - "line": 32, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP FI", - "severity": "TRACE", - "line": 59, - "fileName": "positive.tf" - } + { + "queryName": "BOM - GCP FI", + "severity": "TRACE", + "line": 1, + "fileName": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_filestore_instance[instance]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "0d012118c429c35158a1c69d3d964ed4e044ec56de795c677332183b29844d1a", + "search_line": 1 + }, + { + "queryName": "BOM - GCP FI", + "severity": "TRACE", + "line": 32, + "fileName": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_filestore_instance[instance2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "fd6f6ababa131ec8cd608ba3ecd59d9b8cf0cf4f0659005dcdc115275f4a4349", + "search_line": 32 + }, + { + "queryName": "BOM - GCP FI", + "severity": "TRACE", + "line": 59, + "fileName": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_filestore_instance[instance3]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "4fb95afbc504bcf4786a47b4acc06cefe49a2fffc23507c19b0e6a75ea699d17", + "search_line": 59 + } ] diff --git a/assets/queries/terraform/gcp_bom/pd/test/positive_expected_result.json b/assets/queries/terraform/gcp_bom/pd/test/positive_expected_result.json index 6a5425f770b..0bfeb388764 100644 --- a/assets/queries/terraform/gcp_bom/pd/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp_bom/pd/test/positive_expected_result.json 
@@ -1,38 +1,92 @@ [ - { - "queryName": "BOM - GCP PD", - "severity": "TRACE", - "line": 1, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP PD", - "severity": "TRACE", - "line": 12, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP PD", - "severity": "TRACE", - "line": 28, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP PD", - "severity": "TRACE", - "line": 44, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP PD", - "severity": "TRACE", - "line": 60, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP PD", - "severity": "TRACE", - "line": 76, - "fileName": "positive.tf" - } + { + "queryName": "BOM - GCP PD", + "severity": "TRACE", + "line": 1, + "fileName": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_compute_disk[positive1]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "b291439751ddb2136adda3b8012dd1ef5fc8492ffe0ff8a7af6d79a2616c41e8", + "search_line": 1 + }, + { + "queryName": "BOM - GCP PD", + "severity": "TRACE", + "line": 12, + "fileName": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_compute_disk[positive2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "79e802c22afa7c1a3217e3d0dd1e182d28fdb79516b343fd6dae89f74b767b29", + "search_line": 12 + }, + { + "queryName": "BOM - GCP PD", + "severity": "TRACE", + "line": 28, + "fileName": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_compute_disk[positive3]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "ee4159d16a8b84a0c0a7d4b2386a508e41b41a9617e9ca18e46400284cf49fa8", + "search_line": 28 + }, + { + "queryName": "BOM - GCP PD", + "severity": "TRACE", + "line": 44, + "fileName": "positive.tf", + "resourceType": "", + "resourceName": 
"", + "searchKey": "google_compute_disk[positive4]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "e344287f3d71af1f6ff6b4d69dfa9ebfdfcf223fa30d1dc949ef05c3d4466176", + "search_line": 44 + }, + { + "queryName": "BOM - GCP PD", + "severity": "TRACE", + "line": 60, + "fileName": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_compute_disk[negative1]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "89c6b394e9c6d7619bf39224ee5d973efb1db5427811131921e17dfed64b09e6", + "search_line": 60 + }, + { + "queryName": "BOM - GCP PD", + "severity": "TRACE", + "line": 76, + "fileName": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_compute_disk[negative2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "f377c3c6e423c2ecdd1e527869a55c2acea5ea766457313e8874dc1301634ba5", + "search_line": 76 + } ] diff --git a/assets/queries/terraform/gcp_bom/pst/test/positive_expected_result.json b/assets/queries/terraform/gcp_bom/pst/test/positive_expected_result.json index 10570b71914..95aa5906b68 100644 --- a/assets/queries/terraform/gcp_bom/pst/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp_bom/pst/test/positive_expected_result.json 
@@ -1,26 +1,62 @@ [ - { - "queryName": "BOM - GCP PST", - "severity": "TRACE", - "line": 34, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP PST", - "severity": "TRACE", - "line": 39, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP PST", - "severity": "TRACE", - "line": 44, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP PST", - "severity": "TRACE", - "line": 54, - "fileName": "positive.tf" - } + { + "queryName": "BOM - GCP PST", + "severity": "TRACE", + "line": 34, + "fileName": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_pubsub_topic[example1]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "6b6a9a09aeaaa94fa5afe7213a36ed098a96696de998d2112ad2200fe434c5f7", + "search_line": 34 + }, + { + "queryName": "BOM - GCP PST", + "severity": "TRACE", + "line": 39, + "fileName": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_pubsub_topic[example2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "265bccb785b56ea5528ebb8d949b2443b4c1d974719f06b62faf93a24c00232f", + "search_line": 39 + }, + { + "queryName": "BOM - GCP PST", + "severity": "TRACE", + "line": 44, + "fileName": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_pubsub_topic[example3]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "d66b8395fcfbbc5f6d14f9e100941f55cd602b2a426362f9d270b889d1a46ca5", + "search_line": 44 + }, + { + "queryName": "BOM - GCP PST", + "severity": "TRACE", + "line": 54, + "fileName": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_pubsub_topic[example4]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": 
"78dd12a0eaee4fd52890fbf54ccfd8e16f764738b23c043066ce9d0ab3d9a6f6", + "search_line": 54 + } ] diff --git a/assets/queries/terraform/gcp_bom/redis/test/positive_expected_result.json b/assets/queries/terraform/gcp_bom/redis/test/positive_expected_result.json index d71c4801f0e..4a8a28a9ce5 100644 --- a/assets/queries/terraform/gcp_bom/redis/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp_bom/redis/test/positive_expected_result.json @@ -1,14 +1,32 @@ [ - { - "queryName": "BOM - GCP Redis", - "severity": "TRACE", - "line": 1, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP Redis", - "severity": "TRACE", - "line": 20, - "fileName": "positive.tf" - } + { + "queryName": "BOM - GCP Redis", + "severity": "TRACE", + "line": 1, + "fileName": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_redis_instance[cache]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "9ee97d6020cabca093806d44f0b4ac352ac8be24b8befdb19d942fe56c19f994", + "search_line": 1 + }, + { + "queryName": "BOM - GCP Redis", + "severity": "TRACE", + "line": 20, + "fileName": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_redis_instance[cache2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "505092e86459c3ebc4b2ac5df1e3fb81ffb1850b5574909adea0f903cd632ec0", + "search_line": 20 + } ] diff --git a/assets/queries/terraform/gcp_bom/sb/test/positive_expected_result.json b/assets/queries/terraform/gcp_bom/sb/test/positive_expected_result.json index 828876bd93d..1725b133450 100644 --- a/assets/queries/terraform/gcp_bom/sb/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp_bom/sb/test/positive_expected_result.json 
@@ -1,20 +1,47 @@ [ - { - "queryName": "BOM - GCP SB", - "severity": "TRACE", - "line": 7, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP SB", - "severity": "TRACE", - "line": 21, - "fileName": "positive.tf" - }, - { - "queryName": "BOM - GCP SB", - "severity": "TRACE", - "line": 35, - "fileName": "positive.tf" - } + { + "queryName": "BOM - GCP SB", + "severity": "TRACE", + "line": 7, + "fileName": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_storage_bucket[bucket]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "f9d07c3105171a816438a018728b21b1fcc8268a4f9437406e53f5f87bd588b9", + "search_line": 7 + }, + { + "queryName": "BOM - GCP SB", + "severity": "TRACE", + "line": 21, + "fileName": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_storage_bucket[bucket2]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "0bbb09d0c555bd9f37813c0a883dcddde289b9cd3f1fbce4de67c082c38a74d7", + "search_line": 21 + }, + { + "queryName": "BOM - GCP SB", + "severity": "TRACE", + "line": 35, + "fileName": "positive.tf", + "resourceType": "", + "resourceName": "", + "searchKey": "google_storage_bucket[bucket3]", + "searchValue": "", + "expectedValue": "", + "actualValue": "", + "issueType": "BillOfMaterials", + "similarityID": "49a27120719a9b308c1e21f24d2777e78aa8ae397bdb5e4248ff0e15d92e7de6", + "search_line": 35 + } ] diff --git a/assets/queries/terraform/general/generic_git_module_without_revision/test/positive_expected_result.json b/assets/queries/terraform/general/generic_git_module_without_revision/test/positive_expected_result.json index 8aa4d1411b4..62f7b41dae9 100644 --- a/assets/queries/terraform/general/generic_git_module_without_revision/test/positive_expected_result.json 
+++ b/assets/queries/terraform/general/generic_git_module_without_revision/test/positive_expected_result.json @@ -3,6 +3,15 @@ "queryName": "Generic Git Module Without Revision", "severity": "INFO", "line": 8, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module.{{acm}}.source", + "searchValue": "", + "expectedValue": "Module 'source' field should have a reference", + "actualValue": "Module 'source' field does not have reference", + "issueType": "IncorrectValue", + "similarityID": "5fd9491aa16ded5e6aa2d5f3c429739d8c4935e7c39d161ba1d9b6426c1d1c0a", + "search_line": -1 } ] diff --git a/assets/queries/terraform/general/name_is_not_snake_case/test/positive_expected_result.json b/assets/queries/terraform/general/name_is_not_snake_case/test/positive_expected_result.json index d0bdb653511..54739e668a6 100644 --- a/assets/queries/terraform/general/name_is_not_snake_case/test/positive_expected_result.json +++ b/assets/queries/terraform/general/name_is_not_snake_case/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Name Is Not Snake Case", "severity": "INFO", "line": 7, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "aws_eks_cluster", + "resourceName": "positiveExample", + "searchKey": "resource.aws_eks_cluster.positiveExample", + "searchValue": "", + "expectedValue": "All names should be on snake case pattern", + "actualValue": "'positiveExample' is not in snake case", + "issueType": "IncorrectValue", + "similarityID": "46c4664263f5d5cb02a0b492f8d809cf6b4dc281198ad939feef51022a806de0", + "search_line": 7 }, { "queryName": "Name Is Not Snake Case", "severity": "INFO", "line": 14, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "module.ACMPositive2", + "searchValue": "", + "expectedValue": "All names should be on snake case pattern", + "actualValue": "'ACMPositive2' is not in snake case", + "issueType": "IncorrectValue", + "similarityID": "da69165f77e330cecb1601db91faeed63a5b14c5ad797b40ee91b11d87defe64", + "search_line": 14 } ] diff --git a/assets/queries/terraform/general/output_without_description/test/positive_expected_result.json b/assets/queries/terraform/general/output_without_description/test/positive_expected_result.json index 3e3b2d3dd02..8018131fbee 100644 --- a/assets/queries/terraform/general/output_without_description/test/positive_expected_result.json +++ b/assets/queries/terraform/general/output_without_description/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "Output Without Description", "severity": "INFO", "line": 1, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "output.{{cluster_name}}", + "searchValue": "", + "expectedValue": "'description' should be defined and not null", + "actualValue": "'description' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "f90244563fcc44ee124417d2a46f186d9b05d2aa0a29a25828f9b038716eed41", + "search_line": -1 }, { "queryName": "Output Without Description", "severity": "INFO", "line": 3, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "output.{{cluster_name}}.description", + "searchValue": "", + "expectedValue": "'description' should not be empty", + "actualValue": "'description' is empty", + "issueType": "IncorrectValue", + "similarityID": "b9ca614423988f31bc7f5f37d29908315a2bbfaccc854c4220a95664972c5bbf", + "search_line": -1 }, { "queryName": "Output Without Description", "severity": "INFO", "line": 3, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "output.{{cluster_name}}.description", + "searchValue": "", + "expectedValue": "'description' should not be empty", + "actualValue": "'description' is empty", + "issueType": "IncorrectValue", + "similarityID": "46e40cd11c4daec252460fab26deb01609b6d73da0ecc60527b20fd564fc1c8d", + "search_line": -1 } ] diff --git a/assets/queries/terraform/general/variable_without_description/test/positive_expected_result.json b/assets/queries/terraform/general/variable_without_description/test/positive_expected_result.json index 258a22c6d70..14b0c9e7ade 100644 --- a/assets/queries/terraform/general/variable_without_description/test/positive_expected_result.json +++ b/assets/queries/terraform/general/variable_without_description/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "Variable Without Description", "severity": "INFO", "line": 1, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "variable.{{cluster_name}}", + "searchValue": "", + "expectedValue": "'description' should be defined and not null", + "actualValue": "'description' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "beef837137abc2645e76cfa4b4e12fa48410b4fc6d16ecb232e9e2d9afebc250", + "search_line": -1 }, { "queryName": "Variable Without Description", "severity": "INFO", "line": 4, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "variable.{{cluster_name}}.description", + "searchValue": "", + "expectedValue": "'description' should not be empty", + "actualValue": "'description' is empty", + "issueType": "IncorrectValue", + "similarityID": "9603cb178c8e368770fb823fb287d420f119180ca92747134b657a9fc2972ab0", + "search_line": -1 }, { "queryName": "Variable Without Description", "severity": "INFO", "line": 4, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "variable.{{cluster_name}}.description", + "searchValue": "", + "expectedValue": "'description' should not be empty", + "actualValue": "'description' is empty", + "issueType": "IncorrectValue", + "similarityID": "fbe3d0dff6ad63671d72f2c64a8f7d9a9ff1261f1e35e88be9a09794cb584746", + "search_line": -1 } ] diff --git a/assets/queries/terraform/general/variable_without_type/test/positive_expected_result.json b/assets/queries/terraform/general/variable_without_type/test/positive_expected_result.json index 23a84ef45c7..0d0385d9810 100644 --- a/assets/queries/terraform/general/variable_without_type/test/positive_expected_result.json +++ b/assets/queries/terraform/general/variable_without_type/test/positive_expected_result.json 
@@ -3,18 +3,45 @@ "queryName": "Variable Without Type", "severity": "INFO", "line": 1, - "filename": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "variable.{{cluster_name}}", + "searchValue": "", + "expectedValue": "'type' should be defined and not null", + "actualValue": "'type' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "70144a3989f645c8fdcb7585c546b688c15496357fda19deffbf5e16b49909a8", + "search_line": -1 }, { "queryName": "Variable Without Type", "severity": "INFO", "line": 3, - "filename": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "variable.{{cluster_name}}.type", + "searchValue": "", + "expectedValue": "'type' should not be empty", + "actualValue": "'type' is empty", + "issueType": "IncorrectValue", + "similarityID": "6b30a477169037e43086ece199ff03344744ac0a5608d1b6191af41816e3fbb4", + "search_line": -1 }, { "queryName": "Variable Without Type", "severity": "INFO", "line": 3, - "filename": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "n/a", + "resourceName": "n/a", + "searchKey": "variable.{{cluster_name}}.type", + "searchValue": "", + "expectedValue": "'type' should not be empty", + "actualValue": "'type' is empty", + "issueType": "IncorrectValue", + "similarityID": "0bfc8449c4b06f56de7f868d917f8155c0f4e52d2789dc602da10e4be5c78856", + "search_line": -1 } ] diff --git a/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/test/positive_expected_result.json b/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/test/positive_expected_result.json index 6805a9ad4ae..c1cf9bcffcb 100644 --- a/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "Github Organization Webhook With SSL Disabled", "severity": "MEDIUM", - "line": 7 + "line": 7, + "fileName": "positive.tf", + "resourceType": "github_organization_webhook", + "resourceName": "web", + "searchKey": "github_organization_webhook[positive1].configuration.insecure_ssl", + "searchValue": "", + "expectedValue": "github_organization_webhook[positive1].configuration.insecure_ssl should be set to false", + "actualValue": "github_organization_webhook[positive1].configuration.insecure_ssl is true", + "issueType": "IncorrectValue", + "similarityID": "30edc32f104a50a3ae1f6a4f97b94bdf0887b711867c8838f260ea581e995979", + "search_line": -1 } ] diff --git a/assets/queries/terraform/github/github_repository_set_to_public/test/positive_expected_result.json b/assets/queries/terraform/github/github_repository_set_to_public/test/positive_expected_result.json index 31ec489c64d..3afb7e94ba3 100644 --- a/assets/queries/terraform/github/github_repository_set_to_public/test/positive_expected_result.json +++ b/assets/queries/terraform/github/github_repository_set_to_public/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "GitHub Repository Set To Public", "severity": "MEDIUM", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "github_repository", + "resourceName": "example", + "searchKey": "github_repository[positive1]", + "searchValue": "", + "expectedValue": "Attribute 'private' or Attribute 'visibility' should be defined and not null", + "actualValue": "Attribute 'private' and Attribute 'visibility' are undefined or null", + "issueType": "MissingAttribute", + "similarityID": "d61b5cf48ae2f2e855f412d64d349a1aedaa36c107eb22c06119911a8193502c", + "search_line": -1 }, { "queryName": "GitHub Repository Set To Public", "severity": "MEDIUM", - "line": 15 + "line": 15, + "fileName": "positive.tf", + "resourceType": "github_repository", + "resourceName": "example", + "searchKey": "github_repository[positive2].private", + "searchValue": "", + "expectedValue": "Attribute 'private' should be true", + "actualValue": "Attribute 'private' is false", + "issueType": "IncorrectValue", + "similarityID": "924778f64fed8c19417b247c029f7853f297f063fd4497b730ab60c19fafdf8e", + "search_line": -1 }, { "queryName": "GitHub Repository Set To Public", "severity": "MEDIUM", - "line": 28 + "line": 28, + "fileName": "positive.tf", + "resourceType": "github_repository", + "resourceName": "example", + "searchKey": "github_repository[positive3].visibility", + "searchValue": "", + "expectedValue": "Attribute 'visibility' should be 'private'", + "actualValue": "Attribute 'visibility' is 'public'", + "issueType": "IncorrectValue", + "similarityID": "94006e06e0fe7f1018adb80726238071dcc3fa39d7f68777e92374cb1a612d4d", + "search_line": -1 } ] diff --git a/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json index b65157cbf48..a0886f80cda 100644 
--- a/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Cluster Admin Rolebinding With Superuser Permissions", "severity": "LOW", - "line": 8 + "line": 8, + "fileName": "positive.tf", + "resourceType": "kubernetes_cluster_role_binding", + "resourceName": "terraform-example2", + "searchKey": "kubernetes_cluster_role_binding[example2].role_ref.name", + "searchValue": "", + "expectedValue": "Resource name 'example2' isn't binding 'cluster-admin' role with superuser permissions", + "actualValue": "Resource name 'example2' is binding 'cluster-admin' role with superuser permissions", + "issueType": "IncorrectValue", + "similarityID": "f90537d3c14536a3a7d9cb18a16e5134cb38bc63ee191f01dbda744ec579abfe", + "search_line": -1 } ] diff --git a/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/test/positive_expected_result.json index d60af26b460..f81abcd30d7 100644 --- a/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Cluster Allows Unsafe Sysctls", "severity": "HIGH", "line": 6, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example].spec.allowed_unsafe_sysctls", + "searchValue": "", + "expectedValue": "kubernetes_pod_security_policy[example].spec.allowed_unsafe_sysctls should be undefined", + "actualValue": "kubernetes_pod_security_policy[example].spec.allowed_unsafe_sysctls is set", + "issueType": "IncorrectValue", + "similarityID": "e13d8cd6d3953a2af4b1517687670a2cabeccc0004ca0fdc4feae7cf91cca213", + "search_line": -1 }, { "queryName": "Cluster Allows Unsafe Sysctls", "severity": "HIGH", "line": 9, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[test].spec.security_context.sysctl", + "searchValue": "", + "expectedValue": "kubernetes_pod[test].spec.security_context.sysctl[%!s(int=0)].name should not have an unsafe sysctl", + "actualValue": "kubernetes_pod[test].spec.security_context.sysctl[%!s(int=0)].name has an unsafe sysctl", + "issueType": "IncorrectValue", + "similarityID": "6631f5a140e7213576c6e7c1bcb00a312399d1426d8b7356ac4927be906058e3", + "search_line": -1 } ] diff --git a/assets/queries/terraform/kubernetes/container_host_pid_is_true/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/container_host_pid_is_true/test/positive_expected_result.json index a17728b6472..05802fcc63e 100644 --- a/assets/queries/terraform/kubernetes/container_host_pid_is_true/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/container_host_pid_is_true/test/positive_expected_result.json 
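Review bot: The regenerated positive2.tf entry pins `kubernetes_pod[test].spec.security_context.sysctl[%!s(int=0)].name` in both `expectedValue` and `actualValue`; `%!s(int=0)` is the marker Go's formatting emits when a `%s` verb receives an int, so the query's message formatting is broken and this fixture now records that output as the expected result. The fix belongs in the query's sprintf (format the index with `%d`, or convert it to a string before formatting) followed by regenerating this file, not in a hand edit of the JSON. Because these fixtures appear to be produced by the new generator script, it may be worth having the generator reject or at least warn on any `%!` sequence in `expectedValue`/`actualValue` so malformed query output cannot be committed as an expectation silently.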
@@ -1,7 +1,17 @@ [ - { - "queryName": "Container Host Pid Is True", - "severity": "MEDIUM", - "line": 8 - } + { + "queryName": "Container Host Pid Is True", + "severity": "MEDIUM", + "line": 8, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.host_pid", + "searchValue": "", + "expectedValue": "Attribute 'host_pid' should be undefined or false", + "actualValue": "Attribute 'host_pid' is true", + "issueType": "IncorrectValue", + "similarityID": "9543e8641dd901e98da2567ea7550bc9b36fd92856889cec06ab38ad11c18456", + "search_line": -1 + } ] diff --git a/assets/queries/terraform/kubernetes/container_is_privileged/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/container_is_privileged/test/positive_expected_result.json index 5f763d57597..ffb7954eb1b 100644 --- a/assets/queries/terraform/kubernetes/container_is_privileged/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/container_is_privileged/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "Container Is Privileged", "severity": "HIGH", - "line": 14 + "line": 14, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container.name={{example22}}.security_context.privileged", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context.privileged should be set to false", + "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context.privileged is set to true", + "issueType": "IncorrectValue", + "similarityID": "1c7673e4b997eb2240582f80877f8bbd3da974ffc0864e21742a47cea3449578", + "search_line": -1 }, { "queryName": "Container Is Privileged", "severity": "HIGH", - "line": 47 + "line": 47, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container.name={{example22222}}.security_context.privileged", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].security_context.privileged should be set to false", + "actualValue": "kubernetes_pod[positive1].spec.container[1].security_context.privileged is set to true", + "issueType": "IncorrectValue", + "similarityID": "23886e7fb6765cb5ebbf864f7e379ec3d236994f4506235044407d53baaa3324", + "search_line": -1 }, { "queryName": "Container Is Privileged", "severity": "HIGH", - "line": 108 + "line": 108, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container.security_context.privileged", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.security_context.privileged should not be set to true", + "actualValue": "kubernetes_pod[positive2].spec.container.security_context.privileged is set to true", + "issueType": "IncorrectValue", + "similarityID": 
"5d23cec1bf9498e33da5553b0177b46c6f68519936ae9776751c7340588f4aa8", + "search_line": -1 } ] diff --git a/assets/queries/terraform/kubernetes/container_resources_limits_undefined/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/container_resources_limits_undefined/test/positive_expected_result.json index 4b76be95a1c..bce2307e19c 100644 --- a/assets/queries/terraform/kubernetes/container_resources_limits_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/container_resources_limits_undefined/test/positive_expected_result.json 
@@ -2,26 +2,76 @@ { "queryName": "Container Resources Limits Undefined", "severity": "MEDIUM", - "line": 8 + "line": 8, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].resources should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[0].resources is undefined", + "issueType": "MissingAttribute", + "similarityID": "074f5a6cb833f3185c5e50248a38370d6a27150f19791c54b7561fe25950db86", + "search_line": 8 }, { "queryName": "Container Resources Limits Undefined", "severity": "MEDIUM", - "line": 42 + "line": 42, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "limits", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].resources.limits should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[1].resources.limits is undefined", + "issueType": "MissingAttribute", + "similarityID": "7e674266fe198ad1c7b372d21dd60a854e6fab4699663df9d1cd342293f7756c", + "search_line": 42 }, { "queryName": "Container Resources Limits Undefined", "severity": "MEDIUM", - "line": 106 + "line": 106, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container.resources", + "searchValue": "requests", + "expectedValue": "kubernetes_pod[positive2].spec.container.resources.requests should be set", + "actualValue": "kubernetes_pod[positive2].spec.container.resources.requests is undefined", + "issueType": "MissingAttribute", + "similarityID": "9a1d7b7d766ea940d1ff0870649e49c99e9ec993a4f133c7cdce32309b54c247", + "search_line": 106 }, { "queryName": "Container Resources Limits Undefined", "severity": "MEDIUM", - "line": 167 + "line": 167, + "fileName": 
"positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container.resources", + "searchValue": "limits", + "expectedValue": "kubernetes_pod[positive3].spec.container.resources.limits should be set", + "actualValue": "kubernetes_pod[positive3].spec.container.resources.limits is undefined", + "issueType": "MissingAttribute", + "similarityID": "6da9080f9ec17e4d04537a1ba23775afb162806e74ca5b8aa6afadb2d520e6c8", + "search_line": 167 }, { "queryName": "Container Resources Limits Undefined", "severity": "MEDIUM", - "line": 224 + "line": 224, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive4", + "searchKey": "kubernetes_pod[positive4].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive4].spec.container.resources should be set", + "actualValue": "kubernetes_pod[positive4].spec.container.resources is undefined", + "issueType": "MissingAttribute", + "similarityID": "214a446655b667bf616b9cd565474964ca0fab6bfbfdb071e54468363cc86824", + "search_line": 224 } ] diff --git a/assets/queries/terraform/kubernetes/container_runs_unmasked/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/container_runs_unmasked/test/positive_expected_result.json index 5476f5249cd..2dc40d17bef 100644 --- a/assets/queries/terraform/kubernetes/container_runs_unmasked/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/container_runs_unmasked/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "Container Runs Unmasked", "severity": "HIGH", - "line": 8 + "line": 8, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example].spec.allowed_proc_mount_types", + "searchValue": "", + "expectedValue": "allowed_proc_mount_types should contain the value Default", + "actualValue": "allowed_proc_mount_types contains the value Unmasked", + "issueType": "IncorrectValue", + "similarityID": "a2c43963b652e57da3610a0aa409ecd75a8d83b8fd063df1f440d80e62745083", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/container_with_added_capabilities/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/container_with_added_capabilities/test/positive_expected_result.json index e0511da2eca..6b673e55428 100644 --- a/assets/queries/terraform/kubernetes/container_with_added_capabilities/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/container_with_added_capabilities/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "Containers With Added Capabilities", "severity": "MEDIUM", - "line": 14 + "line": 14, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context.capabilities.add should be undefined", + "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context.capabilities.add is set", + "issueType": "IncorrectValue", + "similarityID": "c41f3e3c1ebe04b3a60ac2be6123a3bb04c836b77deb5558a86a61ca64ee7adc", + "search_line": 14 }, { "queryName": "Containers With Added Capabilities", "severity": "MEDIUM", - "line": 49 + "line": 49, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].security_context.capabilities.add should be undefined", + "actualValue": "kubernetes_pod[positive1].spec.container[1].security_context.capabilities.add is set", + "issueType": "IncorrectValue", + "similarityID": "8b175117583e30db3400f9139ddb6d1eb8f28a47e46a4cfde5b9fe017408b19c", + "search_line": 49 }, { "queryName": "Containers With Added Capabilities", "severity": "MEDIUM", - "line": 110 + "line": 110, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container.security_context.capabilities.add", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.security_context.capabilities.add should be undefined", + "actualValue": "kkubernetes_pod[positive2].spec.container.security_context.capabilities.add is set", + "issueType": "IncorrectValue", + "similarityID": "8ecef6c86f6792337ef82dfa9c91484c1d514158cb80ef59f914e2d928f28cbf", + "search_line": 110 } ] 
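Review bot: The third entry's `actualValue` reads `kkubernetes_pod[positive2].spec.container.security_context.capabilities.add is set` while its `searchKey` and `expectedValue` use `kubernetes_pod[positive2]...`; the doubled `k` is a typo in the query's output message that this regenerated fixture now enshrines. The correction should be made in the query's message string and the fixture regenerated afterwards, since editing the JSON alone would make the test fail against the real output. A cheap guard in the generator would be to compare the resource prefix of `actualValue` with `searchKey` and flag the mismatch, which would have caught this during the bulk regeneration.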
diff --git a/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/test/positive_expected_result.json index 1431edfff6d..0d65f825e2b 100644 --- a/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "Containers With Sys Admin Capabilities", "severity": "HIGH", - "line": 14 + "line": 14, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context.capabilities.add should not have 'SYS_ADMIN'", + "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context.capabilities.add has 'SYS_ADMIN'", + "issueType": "IncorrectValue", + "similarityID": "42d383be08d047eb676af5aef775f783df8238c7a589980c5418962b0d81491c", + "search_line": 14 }, { "queryName": "Containers With Sys Admin Capabilities", "severity": "HIGH", - "line": 49 + "line": 49, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].security_context.capabilities.add should not have 'SYS_ADMIN'", + "actualValue": "kubernetes_pod[positive1].spec.container[1].security_context.capabilities.add has 'SYS_ADMIN'", + "issueType": "IncorrectValue", + "similarityID": "146894a3c8700d8b11a8284d38a15c208235a768c1a12b2b10d1800edf9c715f", + "search_line": 49 }, { "queryName": "Containers With Sys Admin Capabilities", "severity": "HIGH", - "line": 110 + "line": 110, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container.security_context.capabilities.add", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.security_context.capabilities.add should not have 'SYS_ADMIN'", + "actualValue": "kubernetes_pod[positive2].spec.container.security_context.capabilities.add has 'SYS_ADMIN'", + "issueType": "IncorrectValue", + "similarityID": 
"be5d24dddd7db4730ea1b09a5b10320b2858b4d9d6038bbfebbdd444724ee91e", + "search_line": 110 } ] diff --git a/assets/queries/terraform/kubernetes/cpu_limits_not_set/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/cpu_limits_not_set/test/positive_expected_result.json index b7b26baf05f..98583317406 100644 --- a/assets/queries/terraform/kubernetes/cpu_limits_not_set/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/cpu_limits_not_set/test/positive_expected_result.json 
@@ -2,31 +2,91 @@ { "queryName": "CPU Limits Not Set", "severity": "LOW", - "line": 8 + "line": 8, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].resources should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[0].resources is undefined", + "issueType": "MissingAttribute", + "similarityID": "3f6d7dc33dddea99c8b4f1281ac977620e9b6c137957abea8da71dfc26d21a46", + "search_line": 8 }, { "queryName": "CPU Limits Not Set", "severity": "LOW", - "line": 41 + "line": 41, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].resources.limits should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[1].resources.limits is undefined", + "issueType": "MissingAttribute", + "similarityID": "d02c3638651901ca7d5540bf419b9d53fad8c2636144f66f13dab058674ee856", + "search_line": 41 }, { "queryName": "CPU Limits Not Set", "severity": "LOW", - "line": 80 + "line": 80, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[2].resources.limits.cpu should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[2].resources.limits.cpu is undefined", + "issueType": "MissingAttribute", + "similarityID": "943a800adf2a6886c8714379b04bf43b6789b71c9988dea1ce5dc63f863f8576", + "search_line": 80 }, { "queryName": "CPU Limits Not Set", "severity": "LOW", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": 
"kubernetes_pod[positive2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.resources should be set", + "actualValue": "kubernetes_pod[positive2].spec.container.resources is undefined", + "issueType": "MissingAttribute", + "similarityID": "274b7a62dacbc5874fd3e1125cc5b520482486093f08ec2edea7f1ec2a5f5249", + "search_line": 134 }, { "queryName": "CPU Limits Not Set", "severity": "LOW", - "line": 192 + "line": 192, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container.resources", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive3].spec.container.resources.limits should be set", + "actualValue": "kubernetes_pod[positive3].spec.container.resources.limits is undefined", + "issueType": "MissingAttribute", + "similarityID": "b0ccab49b9b2fae134cc0773af9fa33b8b19064a02f658ff8e802f13a44f51b4", + "search_line": 192 }, { "queryName": "CPU Limits Not Set", "severity": "LOW", - "line": 249 + "line": 249, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive4", + "searchKey": "kubernetes_pod[positive4].spec.container.resources.limits", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive4].spec.container.resources.limits.cpu should be set", + "actualValue": "kubernetes_pod[positive4].spec.container.resources.limits.cpu is undefined", + "issueType": "MissingAttribute", + "similarityID": "b9004bcd6b45cd73e349a575dc8e24dd2c524b869a3f70976c7fed63b6fbeb25", + "search_line": 249 } ] diff --git a/assets/queries/terraform/kubernetes/cpu_requests_not_set/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/cpu_requests_not_set/test/positive_expected_result.json index 49ffaaccfbb..77646ffe0ce 100644 --- a/assets/queries/terraform/kubernetes/cpu_requests_not_set/test/positive_expected_result.json 
+++ b/assets/queries/terraform/kubernetes/cpu_requests_not_set/test/positive_expected_result.json 
@@ -2,31 +2,91 @@ { "queryName": "CPU Requests Not Set", "severity": "LOW", - "line": 8 + "line": 8, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].resources should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[0].resources is undefined", + "issueType": "MissingAttribute", + "similarityID": "6d3a9eac255f49ade181086dff0d465408ff931982235c8be3a439325f798d79", + "search_line": 8 }, { "queryName": "CPU Requests Not Set", "severity": "LOW", - "line": 42 + "line": 42, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].resources.requests.cpu should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[1].resources.requests.cpu is undefined", + "issueType": "MissingAttribute", + "similarityID": "760d67d9f7f0c983685aa689b9bdfc38ee71111f8280384d3c279f8bd898d9d8", + "search_line": 42 }, { "queryName": "CPU Requests Not Set", "severity": "LOW", - "line": 77 + "line": 77, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[2].resources.requests.cpu should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[2].resources.requests.cpu is undefined", + "issueType": "MissingAttribute", + "similarityID": "4c82df97431c6122766f412d8df8920229562b8037ed1c0c5f1678eca56d9bac", + "search_line": 77 }, { "queryName": "CPU Requests Not Set", "severity": "LOW", - "line": 134 + "line": 134, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + 
"searchKey": "kubernetes_pod[positive2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.resources should be set", + "actualValue": "kubernetes_pod[positive2].spec.container.resources is undefined", + "issueType": "MissingAttribute", + "similarityID": "be2692ee323a23a75949adbed699bbdcfd2025da802d2ef4489b853bf69870a6", + "search_line": 134 }, { "queryName": "CPU Requests Not Set", "severity": "LOW", - "line": 192 + "line": 192, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container.resources", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive3].spec.container.resources.requests should be set", + "actualValue": "kubernetes_pod[positive3].spec.container.resources.requests is undefined", + "issueType": "MissingAttribute", + "similarityID": "630ba8769da3dec12facfef329cb35c990b63ebb857d2958d354105bfa09b9d1", + "search_line": 192 }, { "queryName": "CPU Requests Not Set", "severity": "LOW", - "line": 258 + "line": 258, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive4", + "searchKey": "kubernetes_pod[positive4].spec.container.resources.requests", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive4].spec.container.resources.requests.cpu should be set", + "actualValue": "kubernetes_pod[positive4].spec.container.resources.requests.cpu is undefined", + "issueType": "MissingAttribute", + "similarityID": "a73e98822f931c0c977cf23987d2ef3a0e16891d5b751fd71e3f08c9e0c0a00b", + "search_line": 258 } ] diff --git a/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/test/positive_expected_result.json index 7c8db3abbdc..cf695023bcf 100644 --- a/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/test/positive_expected_result.json 
+++ b/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "CronJob Deadline Not Configured", "severity": "LOW", - "line": 5 + "line": 5, + "fileName": "positive.tf", + "resourceType": "kubernetes_cron_job", + "resourceName": "demo", + "searchKey": "kubernetes_cron_job[demo].spec", + "searchValue": "", + "expectedValue": "kubernetes_cron_job[demo].spec.starting_deadline_seconds should be set", + "actualValue": "kubernetes_cron_job[demo].spec.starting_deadline_seconds is undefined", + "issueType": "MissingAttribute", + "similarityID": "252a589029fd7ed7f691abb8271070db14bd3dd9dea1ff6915509f4d7df41031", + "search_line": -1 } ] diff --git a/assets/queries/terraform/kubernetes/default_service_account_in_use/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/default_service_account_in_use/test/positive_expected_result.json index d4612a934f1..4e7562e5e42 100644 --- a/assets/queries/terraform/kubernetes/default_service_account_in_use/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/default_service_account_in_use/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Default Service Account In Use", "severity": "LOW", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "kubernetes_service_account", + "resourceName": "default", + "searchKey": "kubernetes_service_account[example]", + "searchValue": "", + "expectedValue": "kubernetes_service_account[example].automount_service_account_token should be set", + "actualValue": "kubernetes_service_account[example].automount_service_account_token is undefined", + "issueType": "MissingAttribute", + "similarityID": "6c85fa3775081bbbca25f7edee254b40e593c4a8b8b1192863eb074b2a545120", + "search_line": 1 }, { "queryName": "Default Service Account In Use", "severity": "LOW", - "line": 12 + "line": 12, + "fileName": "positive.tf", + "resourceType": "kubernetes_service_account", + "resourceName": "default", + "searchKey": "kubernetes_service_account[example2].automount_service_account_token", + "searchValue": "", + "expectedValue": "kubernetes_service_account[example2].automount_service_account_token should be set to false", + "actualValue": "kubernetes_service_account[example2].automount_service_account_token is not set to false", + "issueType": "IncorrectValue", + "similarityID": "bddf8068acbeb1e7303308a853ed48d01f09df4873e5d7b8be1cfd35357d9383", + "search_line": 12 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json index 403b8010754..23c452761e2 100644 --- a/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity/test/positive_expected_result.json 
@@ -3,24 +3,60 @@ "queryName": "Deployment Has No PodAntiAffinity", "severity": "LOW", "line": 25, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "terraform-example", + "searchKey": "kubernetes_deployment[example].spec.template.spec", + "searchValue": "", + "expectedValue": "kubernetes_deployment[example].spec.template.spec.affinity should be set", + "actualValue": "kubernetes_deployment[example].spec.template.spec.affinity is undefined", + "issueType": "MissingAttribute", + "similarityID": "aa219c229c7c7dabee4c0e1c503b860be2124e7d4ec02011964fbfef0e409def", + "search_line": 25 }, { "queryName": "Deployment Has No PodAntiAffinity", "severity": "LOW", "line": 26, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "terraform-example", + "searchKey": "kubernetes_deployment[example2].spec.template.spec.affinity", + "searchValue": "", + "expectedValue": "kubernetes_deployment[example2].spec.template.spec.affinity.pod_anti_affinity should be set", + "actualValue": "kubernetes_deployment[example2].spec.template.spec.affinity.pod_anti_affinity is undefined", + "issueType": "MissingAttribute", + "similarityID": "42d741293ba8cd80725ee01b545ff75cdb08549df9756e3a7bb1954d8620559d", + "search_line": 26 }, { "queryName": "Deployment Has No PodAntiAffinity", "severity": "LOW", "line": 28, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "terraform-example", + "searchKey": "kubernetes_deployment[example3].spec.template.spec.affinity", + "searchValue": "", + "expectedValue": "kubernetes_deployment[example3].spec.template.spec.affinity.pod_anti_affinity.preferred_during_scheduling_ignored_during_execution.pod_affinity_term.topology_key should be set to 'kubernetes.io/hostname'", + "actualValue": 
"kubernetes_deployment[example3].spec.template.spec.affinity.pod_anti_affinity.preferred_during_scheduling_ignored_during_execution.pod_affinity_term.topology_key is invalid or undefined", + "issueType": "IncorrectValue", + "similarityID": "3fbaedc66d41e4879c5d2b00880b1311cf9d3015301dd2c1bcccba09229d0d08", + "search_line": 28 }, { "queryName": "Deployment Has No PodAntiAffinity", "severity": "LOW", "line": 33, - "fileName": "positive4.tf" + "fileName": "positive4.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "terraform-example", + "searchKey": "kubernetes_deployment[example4].spec.template.spec.affinity", + "searchValue": "", + "expectedValue": "kubernetes_deployment[example4].spec.template.spec.affinity.pod_anti_affinity.preferred_during_scheduling_ignored_during_execution.pod_affinity_term.label_selector.match_labels match any label on template metadata", + "actualValue": "kubernetes_deployment[example4].spec.template.spec.affinity.pod_anti_affinity.preferred_during_scheduling_ignored_during_execution.pod_affinity_term.label_selector.match_labels don't match any label on template metadata", + "issueType": "IncorrectValue", + "similarityID": "80b73035e6664a7c1d909cc4527deb749a184fe38bdcae7695f2bc84514ae1d6", + "search_line": 33 } ] diff --git a/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/test/positive_expected_result.json index 5d71a40a159..021395a4030 100644 --- a/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "Deployment Without PodDisruptionBudget", "severity": "LOW", - "line": 13 + "line": 13, + "fileName": "positive.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "terraform-example", + "searchKey": "kubernetes_deployment[example].spec.selector.match_labels", + "searchValue": "", + "expectedValue": "kubernetes_deployment[example].spec.selector.match_labels is targeted by a PodDisruptionBudget", + "actualValue": "kubernetes_deployment[example].spec.selector.match_labels is not targeted by a PodDisruptionBudget", + "issueType": "MissingAttribute", + "similarityID": "c5afd5daddaf35eca028771c2617f5dee729ab872a96d3cea2b703790111afdf", + "search_line": -1 } ] diff --git a/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json index 396c3aff1e1..ecd61d205b0 100644 --- a/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers/test/positive_expected_result.json 
@@ -2,31 +2,91 @@ { "queryName": "Docker Daemon Socket is Exposed to Containers", "severity": "MEDIUM", - "line": 9 + "line": 9, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[test].spec.volume", + "searchValue": "", + "expectedValue": "spec.volume[0].host_path.path should not be '/var/run/docker.sock'", + "actualValue": "spec.volume[0].host_path.path is '/var/run/docker.sock'", + "issueType": "IncorrectValue", + "similarityID": "23436c58ef3e2f7cc3222bc1098de237621de07bd8cf8cbae3b42e7cc8856d9e", + "search_line": 9 }, { "queryName": "Docker Daemon Socket is Exposed to Containers", "severity": "MEDIUM", - "line": 16 + "line": 16, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[test].spec.volume", + "searchValue": "", + "expectedValue": "spec.volume[1].host_path.path should not be '/var/run/docker.sock'", + "actualValue": "spec.volume[1].host_path.path is '/var/run/docker.sock'", + "issueType": "IncorrectValue", + "similarityID": "6669779ee94391590b46951dfe23c9a5135ba0970d387ba41a4418a6a33c7e56", + "search_line": 16 }, { "queryName": "Docker Daemon Socket is Exposed to Containers", "severity": "MEDIUM", - "line": 96 + "line": 96, + "fileName": "positive.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "example", + "searchKey": "kubernetes_deployment[example].spec.template.spec.volume", + "searchValue": "", + "expectedValue": "spec.template.spec.volume[0].host_path.path should not be '/var/run/docker.sock'", + "actualValue": "spec.template.spec.volume[0].host_path.path is '/var/run/docker.sock'", + "issueType": "IncorrectValue", + "similarityID": "0492093cfcb491fba9653d027f9e8d92d0ef7b028382ac3ae7d8b38ca5885de2", + "search_line": 96 }, { "queryName": "Docker Daemon Socket is Exposed to Containers", "severity": "MEDIUM", - "line": 103 + "line": 103, + "fileName": "positive.tf", + 
"resourceType": "kubernetes_deployment", + "resourceName": "example", + "searchKey": "kubernetes_deployment[example].spec.template.spec.volume", + "searchValue": "", + "expectedValue": "spec.template.spec.volume[1].host_path.path should not be '/var/run/docker.sock'", + "actualValue": "spec.template.spec.volume[1].host_path.path is '/var/run/docker.sock'", + "issueType": "IncorrectValue", + "similarityID": "a252de2ef039c7fc18b4bca64f6c01753ccacc842e16b283659574cdde059694", + "search_line": 103 }, { "queryName": "Docker Daemon Socket is Exposed to Containers", "severity": "MEDIUM", - "line": 164 + "line": 164, + "fileName": "positive.tf", + "resourceType": "kubernetes_cron_job", + "resourceName": "demo", + "searchKey": "kubernetes_cron_job[demo2].spec.job_template.spec.template.spec.volume", + "searchValue": "", + "expectedValue": "spec.job_template.spec.template.spec.volume[0].host_path.path should not be '/var/run/docker.sock'", + "actualValue": "spec.job_template.spec.template.spec.volume[0].host_path.path is '/var/run/docker.sock'", + "issueType": "IncorrectValue", + "similarityID": "1bf3253fcf7aa2570750a0f6e650a62d60caa15facf4a6d3ee7c3a709404c45e", + "search_line": 164 }, { "queryName": "Docker Daemon Socket is Exposed to Containers", "severity": "MEDIUM", - "line": 171 + "line": 171, + "fileName": "positive.tf", + "resourceType": "kubernetes_cron_job", + "resourceName": "demo", + "searchKey": "kubernetes_cron_job[demo2].spec.job_template.spec.template.spec.volume", + "searchValue": "", + "expectedValue": "spec.job_template.spec.template.spec.volume[1].host_path.path should not be '/var/run/docker.sock'", + "actualValue": "spec.job_template.spec.template.spec.volume[1].host_path.path is '/var/run/docker.sock'", + "issueType": "IncorrectValue", + "similarityID": "881f616ad8b0008d7313e1f0ab370f0446d721a3ad8be3bf16357a983db294c5", + "search_line": 171 } ] 
diff --git a/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/test/positive_expected_result.json index 6dbd73ffe61..2732fc6a8de 100644 --- a/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/hpa_targets_invalid_object/test/positive_expected_result.json @@ -2,11 +2,31 @@ { "queryName": "HPA Targets Invalid Object", "severity": "LOW", - "line": 15 + "line": 15, + "fileName": "positive.tf", + "resourceType": "kubernetes_horizontal_pod_autoscaler", + "resourceName": "test", + "searchKey": "kubernetes_horizontal_pod_autoscaler[example].spec.metric", + "searchValue": "", + "expectedValue": "kubernetes_horizontal_pod_autoscaler[example].spec.metric is a valid object", + "actualValue": "kubernetes_horizontal_pod_autoscaler[example].spec.metric is a invalid object", + "issueType": "IncorrectValue", + "similarityID": "7c5890f3f0c94ec4ac7bd383be73a790ed0e2cb04003a28ee4c6778e7fd5ca93", + "search_line": -1 }, { "queryName": "HPA Targets Invalid Object", "severity": "LOW", - "line": 49 + "line": 49, + "fileName": "positive.tf", + "resourceType": "kubernetes_horizontal_pod_autoscaler", + "resourceName": "test", + "searchKey": "kubernetes_horizontal_pod_autoscaler[example2].spec.metric", + "searchValue": "", + "expectedValue": "kubernetes_horizontal_pod_autoscaler[example2].spec.metric is a valid object", + "actualValue": "kubernetes_horizontal_pod_autoscaler[example2].spec.metric is a invalid object", + "issueType": "IncorrectValue", + "similarityID": "bcc9350eedb143f2668a2e26258e2ebb146fbf3253616d4d50e08199aac7652a", + "search_line": -1 } ] 
diff --git a/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json index be0213dc98f..5648414255d 100644 --- a/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "Image Pull Policy Of The Container Is Not Set To Always", "severity": "LOW", "line": 12, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "busybox-tf", + "searchKey": "kubernetes_pod[busybox].spec.container.image_pull_policy", + "searchValue": "", + "expectedValue": "Attribute 'image_pull_policy' should be defined as 'Always'", + "actualValue": "Attribute 'image_pull_policy' is incorrect", + "issueType": "IncorrectValue", + "similarityID": "eb678b75804a70a2dd65a4319c81385eea84762910bc0d55c5e54b07a51734cd", + "search_line": -1 }, { "queryName": "Image Pull Policy Of The Container Is Not Set To Always", "severity": "LOW", "line": 30, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "terraform-example", + "searchKey": "kubernetes_deployment[example].spec.template.spec.container.image_pull_policy", + "searchValue": "", + "expectedValue": "Attribute 'image_pull_policy' should be defined as 'Always'", + "actualValue": "Attribute 'image_pull_policy' is incorrect", + "issueType": "IncorrectValue", + "similarityID": "7ea2d7e092d6bb3323e7f557589b2f6c8337e5688aa62ebc23ad4badafd7883e", + "search_line": -1 } ] 
diff --git a/assets/queries/terraform/kubernetes/image_without_digest/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/image_without_digest/test/positive_expected_result.json index 95f2aae226c..932ab48a489 100644 --- a/assets/queries/terraform/kubernetes/image_without_digest/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/image_without_digest/test/positive_expected_result.json 
@@ -2,31 +2,91 @@ { "queryName": "Image Without Digest", "severity": "LOW", - "line": 9 + "line": 9, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].image should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[0].image is undefined", + "issueType": "MissingAttribute", + "similarityID": "94bd7e74fa48b3c42a9b60eb6ee738fea23108ca14b5f8e4d583a1ef98117f27", + "search_line": 9 }, { "queryName": "Image Without Digest", "severity": "LOW", - "line": 36 + "line": 36, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].image should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[1].image is undefined", + "issueType": "MissingAttribute", + "similarityID": "06a4a692925265116176ab20ba3d6c756051c4d4d457573eb844e884a4d6d97b", + "search_line": 36 }, { "queryName": "Image Without Digest", "severity": "LOW", - "line": 88 + "line": 88, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.image should be set", + "actualValue": "kubernetes_pod[positive2].spec.container.image is undefined", + "issueType": "MissingAttribute", + "similarityID": "903fb8df60fb7f00e552a610dd39f31db4ec757b2d2d2fd845ca4c75269c52cb", + "search_line": 88 }, { "queryName": "Image Without Digest", "severity": "LOW", - "line": 142 + "line": 142, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container", + "searchValue": "", + 
"expectedValue": "kubernetes_pod[positive3].spec.container[0].image has '@'", + "actualValue": "kubernetes_pod[positive3].spec.container[0].image does not have '@'", + "issueType": "IncorrectValue", + "similarityID": "3e57a36e0b09e41c5ccaf4399d1464020a25ed648cedee32b191cea282fb53a7", + "search_line": 142 }, { "queryName": "Image Without Digest", "severity": "LOW", - "line": 170 + "line": 170, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive3].spec.container[1].image has '@'", + "actualValue": "kubernetes_pod[positive3].spec.container[1].image does not have '@'", + "issueType": "IncorrectValue", + "similarityID": "db0233b806d5dd651c43198a6e786ee4ba162d09001d383df2c0385d69330d92", + "search_line": 170 }, { "queryName": "Image Without Digest", "severity": "LOW", - "line": 224 + "line": 224, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive4", + "searchKey": "kubernetes_pod[positive4].spec.container.image", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive4].spec.container.image has '@'", + "actualValue": "kubernetes_pod[positive4].spec.container.image does not have '@'", + "issueType": "IncorrectValue", + "similarityID": "556bcabf4edfb36d2e5e68812bf6badc98baa1823615c0858c93e47d205d30ff", + "search_line": 224 } ] diff --git a/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json index 94f5dfadaaf..45d60193d4c 100644 --- a/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json 
+++ b/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once/test/positive_expected_result.json @@ -1,12 +1,32 @@ [ - { - "queryName": "Incorrect Volume Claim Access Mode ReadWriteOnce", - "severity": "MEDIUM", - "line": 166 + { + "queryName": "Incorrect Volume Claim Access Mode ReadWriteOnce", + "severity": "MEDIUM", + "line": 166, + "fileName": "positive.tf", + "resourceType": "kubernetes_stateful_set", + "resourceName": "prometheus", + "searchKey": "kubernetes_stateful_set[prometheus-1].spec.volume_claim_template", + "searchValue": "", + "expectedValue": "kubernetes_stateful_set[prometheus-1].spec.volume_claim_template has only one template with a 'ReadWriteOnce'", + "actualValue": "kubernetes_stateful_set[prometheus-1].spec.volume_claim_template has multiple templates with 'ReadWriteOnce'", + "issueType": "IncorrectValue", + "similarityID": "608cccdbb1c84f803f1742924f7ed96cbcf17808cff068d008d7d745d9638133", + "search_line": -1 }, { - "queryName": "Incorrect Volume Claim Access Mode ReadWriteOnce", - "severity": "MEDIUM", - "line": 367 + "queryName": "Incorrect Volume Claim Access Mode ReadWriteOnce", + "severity": "MEDIUM", + "line": 367, + "fileName": "positive.tf", + "resourceType": "kubernetes_stateful_set", + "resourceName": "prometheus", + "searchKey": "kubernetes_stateful_set[prometheus-2].spec.volume_claim_template", + "searchValue": "", + "expectedValue": "kubernetes_stateful_set[prometheus-2].spec.volume_claim_template has one template with a 'ReadWriteOnce'", + "actualValue": "kubernetes_stateful_set[prometheus-2].spec.volume_claim_template does not have a template with a 'ReadWriteOnce'", + "issueType": "MissingAttribute", + "similarityID": "94d52dedf5a78149078dfca59e2290fa7cc7b942a9f85983722f069794630c6c", + "search_line": -1 } ] 
diff --git a/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/test/positive_expected_result.json index 65dc81ee597..c029aae6826 100644 --- a/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload/test/positive_expected_result.json 
@@ -1,20 +1,47 @@ [ - { - "queryName": "Ingress Controller Exposes Workload", - "severity": "MEDIUM", - "line": 28, - "fileName": "positive1.tf" - }, { - "queryName": "Ingress Controller Exposes Workload", - "severity": "MEDIUM", - "line": 32, - "fileName": "positive2.tf" - }, + "queryName": "Ingress Controller Exposes Workload", + "severity": "MEDIUM", + "line": 28, + "fileName": "positive1.tf", + "resourceType": "kubernetes_ingress", + "resourceName": "example", + "searchKey": "kubernetes_ingress[example].spec.rule.http.path.backend", + "searchValue": "", + "expectedValue": "kubernetes_ingress[example] should not be exposing the workload", + "actualValue": "kubernetes_ingress[example] is exposing the workload", + "issueType": "IncorrectValue", + "similarityID": "0dfd538850f66817f2b65671315061f84e81dac9fa4ccc096ec3cf6b6b198f51", + "search_line": -1 + }, { - "queryName": "Ingress Controller Exposes Workload", - "severity": "MEDIUM", - "line": 28, - "fileName": "positive3.tf" - } + "queryName": "Ingress Controller Exposes Workload", + "severity": "MEDIUM", + "line": 32, + "fileName": "positive2.tf", + "resourceType": "kubernetes_ingress", + "resourceName": "example-ingress", + "searchKey": "kubernetes_ingress[example-ingress-2].spec.rule.http.path.backend", + "searchValue": "", + "expectedValue": "kubernetes_ingress[example-ingress-2] should not be exposing the workload", + "actualValue": "kubernetes_ingress[example-ingress-2] is exposing the workload", + "issueType": "IncorrectValue", + "similarityID": "c209b59b6a48fc5f02ce9017e8919416b6b54a243378b7166742e7fd2a851377", + "search_line": -1 + }, + { + "queryName": "Ingress Controller Exposes Workload", + "severity": "MEDIUM", + "line": 28, + "fileName": "positive3.tf", + "resourceType": "kubernetes_ingress", + "resourceName": "example-4", + "searchKey": "kubernetes_ingress[example-4].spec.rule.http.path.backend", + "searchValue": "", + "expectedValue": "kubernetes_ingress[example-4] should not be exposing the 
workload", + "actualValue": "kubernetes_ingress[example-4] is exposing the workload", + "issueType": "IncorrectValue", + "similarityID": "8cfa36b2c5a191933af21784c46d08b1d07cea9601595793a792c176cbf6576c", + "search_line": -1 + } ] diff --git a/assets/queries/terraform/kubernetes/invalid_image/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/invalid_image/test/positive_expected_result.json index e716875d876..eaf2c5aad27 100644 --- a/assets/queries/terraform/kubernetes/invalid_image/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/invalid_image/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "Invalid Image", "severity": "LOW", - "line": 8 + "line": 8, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container.image", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container.image should not be empty or latest", + "actualValue": "kubernetes_pod[positive1].spec.container.image is empty or latest", + "issueType": "IncorrectValue", + "similarityID": "791f9982d658392d987dba8309142e0cc2001e9fe6d98a6a1d044d7e653e39f0", + "search_line": -1 }, { "queryName": "Invalid Image", "severity": "LOW", - "line": 60 + "line": 60, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.image should be set", + "actualValue": "kubernetes_pod[positive2].spec.container.image is undefined", + "issueType": "MissingAttribute", + "similarityID": "b565180f16e8091a574346bd45b99174ca5e90d1e58a97072dd02193c7c2dd4d", + "search_line": -1 }, { "queryName": "Invalid Image", "severity": "LOW", - "line": 113 + "line": 113, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive3].spec.container[0].image should not be empty or latest", + "actualValue": "kubernetes_pod[positive3].spec.container[0].image is empty or latest", + "issueType": "IncorrectValue", + "similarityID": "b9e8526b33b76e684be1378344c6ea0eb86ebb67ba052abd5d71cb3c458faae1", + "search_line": -1 } ] 
diff --git a/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/test/positive_expected_result.json index 85c9711ffc6..953cde62243 100644 --- a/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined/test/positive_expected_result.json @@ -3,12 +3,30 @@ "queryName": "Liveness Probe Is Not Defined", "severity": "INFO", "line": 7, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[test].spec.container", + "searchValue": "", + "expectedValue": "Attribute 'livenessProbe' should be defined and not null", + "actualValue": "Attribute 'livenessProbe' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "95801e9affa022a04128e1b7cd42f293f7db12cfb3b1935a29f7c3c686037a67", + "search_line": -1 }, { "queryName": "Liveness Probe Is Not Defined", "severity": "INFO", "line": 27, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "terraform-example", + "searchKey": "kubernetes_deployment[example].spec.template.spec.container", + "searchValue": "", + "expectedValue": "Attribute 'livenessProbe' should be defined and not null", + "actualValue": "Attribute 'livenessProbe' is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "ea5fd4fcf8d737a15f78be0fc0bc285457a41245db31df422ff87a09593530b1", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/memory_limits_not_defined/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/memory_limits_not_defined/test/positive_expected_result.json index c597226e123..8ae62fbbc63 100644 
--- a/assets/queries/terraform/kubernetes/memory_limits_not_defined/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/memory_limits_not_defined/test/positive_expected_result.json 
@@ -2,46 +2,136 @@ { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 15 + "line": 15, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].resources.limits.memory should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[0].resources.limits.memory is undefined", + "issueType": "MissingAttribute", + "similarityID": "6fbd44b90eb58f847ebc7758ebfa4cabdabc80cfb3e6d89f00c7d17870048e83", + "search_line": 15 }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 53 + "line": 53, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].resources.limits.memory should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[1].resources.limits.memory is undefined", + "issueType": "MissingAttribute", + "similarityID": "d8858e14932141fede1500a5644521584312c2a88b3673ed3ff39c676430f923", + "search_line": 53 }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 107 + "line": 107, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container[0].resources should be set", + "actualValue": "kubernetes_pod[positive2].spec.container[0].resources is undefined", + "issueType": "MissingAttribute", + "similarityID": "a993df8d08361ba31b98c6a7e3070a9f61a58b59327b17cb00cc228f57e92f83", + "search_line": 107 }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 136 + "line": 136, + "fileName": "positive.tf", + "resourceType": 
"kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container[1].resources should be set", + "actualValue": "kubernetes_pod[positive2].spec.container[1].resources is undefined", + "issueType": "MissingAttribute", + "similarityID": "1ebb7d9bef883c86bafedd561e8a72427283f969604bb818bfd1231201cdd801", + "search_line": 136 }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 193 + "line": 193, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive3].spec.container[0].resources.limits should be set", + "actualValue": "kubernetes_pod[positive3].spec.container[0].resources.limits is undefined", + "issueType": "MissingAttribute", + "similarityID": "27bf98271213641976275cdee426f43f9b83b40d1952e07fdb76105a58a5c98c", + "search_line": 193 }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 228 + "line": 228, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive3].spec.container[1].resources.limits should be set", + "actualValue": "kubernetes_pod[positive3].spec.container[1].resources.limits is undefined", + "issueType": "MissingAttribute", + "similarityID": "c61ded49929eb1959bc779c3edeccdfc11f3d7782b3255006a22416c0608fc01", + "search_line": 228 }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 288 + "line": 288, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive4", + "searchKey": "kubernetes_pod[positive4].spec.container.resources.limits", + "searchValue": "", + "expectedValue": 
"kubernetes_pod[positive4].spec.container.resources.limits.memory should be set", + "actualValue": "kubernetes_pod[positive4].spec.container.resources.limits.memory is undefined", + "issueType": "MissingAttribute", + "similarityID": "70319b0d2929acd80c97cb099dc2e514fa0cfc17d12c258dc08fbfe121108dd2", + "search_line": 288 }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 343 + "line": 343, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive5", + "searchKey": "kubernetes_pod[positive5].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive5].spec.container.resources should be set", + "actualValue": "kubernetes_pod[positive5].spec.container.resources is undefined", + "issueType": "MissingAttribute", + "similarityID": "09d5a0ad255d58fa3cbf382fa5e9f9084850212ca81d072e7b075dd308db1701", + "search_line": 343 }, { "queryName": "Memory Limits Not Defined", "severity": "MEDIUM", - "line": 400 + "line": 400, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive6", + "searchKey": "kubernetes_pod[positive6].spec.container.resources", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive6].spec.container.resources.limits should be set", + "actualValue": "kubernetes_pod[positive6].spec.container.resources.limits is undefined", + "issueType": "MissingAttribute", + "similarityID": "b523770d73372ce8ffd6876aae3bbb462b12206ad93a3b820d9ed70c6275af3d", + "search_line": 400 } ] diff --git a/assets/queries/terraform/kubernetes/memory_requests_not_defined/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/memory_requests_not_defined/test/positive_expected_result.json index 3c6c5a5ea26..492845d1af1 100644 --- a/assets/queries/terraform/kubernetes/memory_requests_not_defined/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/memory_requests_not_defined/test/positive_expected_result.json 
@@ -2,46 +2,136 @@ { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 12 + "line": 12, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].resources.requests.memory should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[0].resources.requests.memory is undefined", + "issueType": "MissingAttribute", + "similarityID": "e65f24d84605aa6c2c50b3196833c713cac151b2b05ce98dd1743fafda0da655", + "search_line": 12 }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 51 + "line": 51, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].resources.requests.memory should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[1].resources.requests.memory is undefined", + "issueType": "MissingAttribute", + "similarityID": "7819e1f88e6eca2d91a610a5c7dfcfa7d2b7eebd05b7d98d44f1e6a2487d8189", + "search_line": 51 }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 109 + "line": 109, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container[0].resources should be set", + "actualValue": "kubernetes_pod[positive2].spec.container[0].resources is undefined", + "issueType": "MissingAttribute", + "similarityID": "9024362c7abcdba3c9410d967c9a7c3f215ab8116e8153894284c5a90dea91f5", + "search_line": 109 }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 138 + "line": 138, + "fileName": "positive.tf", + 
"resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container[1].resources should be set", + "actualValue": "kubernetes_pod[positive2].spec.container[1].resources is undefined", + "issueType": "MissingAttribute", + "similarityID": "df57ed93f5924192c98ce041df76006f4ee6d486d1f23f2fe15e515726bcc02f", + "search_line": 138 }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 195 + "line": 195, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive3].spec.container[0].resources.requests should be set", + "actualValue": "kubernetes_pod[positive3].spec.container[0].resources.requests is undefined", + "issueType": "MissingAttribute", + "similarityID": "af077d33c454bc1157e0b6ee2f9d7a961a9441fa84ffa0639837c164ad357ae9", + "search_line": 195 }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 231 + "line": 231, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive3].spec.container[1].resources.requests should be set", + "actualValue": "kubernetes_pod[positive3].spec.container[1].resources.requests is undefined", + "issueType": "MissingAttribute", + "similarityID": "77e75c4f1d0e32139bde6d8be1d8ba615516c9c8e1985fd79260e32b8249aa13", + "search_line": 231 }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 296 + "line": 296, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive4", + "searchKey": "kubernetes_pod[positive4].spec.container.resources.requests", + "searchValue": "", + 
"expectedValue": "kubernetes_pod[positive4].spec.container.resources.requests.memory should be set", + "actualValue": "kubernetes_pod[positive4].spec.container.resources.requests.memory is undefined", + "issueType": "MissingAttribute", + "similarityID": "fe5303eed69fe1542075de8c7372ce5b70ef4975c4c3187ef4f383d9b54ef307", + "search_line": 296 }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 350 + "line": 350, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive5", + "searchKey": "kubernetes_pod[positive5].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive5].spec.container.resources should be set", + "actualValue": "kubernetes_pod[positive5].spec.container.resources is undefined", + "issueType": "MissingAttribute", + "similarityID": "5a35f28881a2503f5df81c41e89d9aa2744a05d56c8128b5ffb0ff5e4931bb97", + "search_line": 350 }, { "queryName": "Memory Requests Not Defined", "severity": "MEDIUM", - "line": 408 + "line": 408, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive6", + "searchKey": "kubernetes_pod[positive6].spec.container.resources", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive6].spec.container.resources.requests should be set", + "actualValue": "kubernetes_pod[positive6].spec.container.resources.requests is undefined", + "issueType": "MissingAttribute", + "similarityID": "7f9ae424634559d08e32760d3100b9d121c2a5533d788f9a0c5ec8527ecdd4ae", + "search_line": 408 } ] diff --git a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/test/positive_expected_result.json index be2692d29e4..6041c25e0f8 100644 --- a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/test/positive_expected_result.json 
+++ b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Metadata Label Is Invalid", "severity": "LOW", - "line": 5 + "line": 5, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test", + "searchKey": "kubernetes_pod[test].metadata.labels", + "searchValue": "", + "expectedValue": "kubernetes_pod[test].metada.labels[app] has valid label", + "actualValue": "kubernetes_pod[test].metada.labels[app] has invalid label", + "issueType": "IncorrectValue", + "similarityID": "492229a77b8a5748549cb362058e5641aa077173997c84cfc013a4f3b294bd35", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/missing_app_armor_config/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/missing_app_armor_config/test/positive_expected_result.json index c43d7e7304b..04efb3aaa3a 100644 --- a/assets/queries/terraform/kubernetes/missing_app_armor_config/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/missing_app_armor_config/test/positive_expected_result.json 
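Review bot: Both message strings in the new entry pin a typo, `"expectedValue": "kubernetes_pod[test].metada.labels[app] has valid label"` and the matching `actualValue`, where the path segment should read `metadata` to agree with the entry's own `"searchKey": "kubernetes_pod[test].metadata.labels"`. Since this file is generated from the scanner's output, the misspelling presumably originates in the query's message text under assets/queries/terraform/kubernetes/metadata_label_is_invalid rather than in the fixture, so the fix belongs there, followed by regenerating this file. Committing the fixture as-is makes the test assert the typo, so a later correction of the query would break the test until the expectation is regenerated again.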
@@ -2,11 +2,31 @@ { "queryName": "Missing App Armor Config", "severity": "MEDIUM", - "line": 4 + "line": 4, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example1", + "searchKey": "kubernetes_pod[example1].metadata.annotations", + "searchValue": "", + "expectedValue": "kubernetes_pod[example1].metadata.annotations should contain AppArmor profile config: 'container.apparmor.security.beta.kubernetes.io'", + "actualValue": "kubernetes_pod[example1].metadata.annotations doesn't contain AppArmor profile config: 'container.apparmor.security.beta.kubernetes.io'", + "issueType": "IncorrectValue", + "similarityID": "c0c121edfb2016fefd5773c16d37cb6090025b615abd618669481905367f36ae", + "search_line": -1 }, { "queryName": "Missing App Armor Config", "severity": "MEDIUM", - "line": 58 + "line": 58, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example2", + "searchKey": "kubernetes_pod[example2].metadata", + "searchValue": "", + "expectedValue": "kubernetes_pod[example2].metadata should include annotations for AppArmor profile config", + "actualValue": "kubernetes_pod[example2].metadata doesn't contain AppArmor profile config in annotations", + "issueType": "MissingAttribute", + "similarityID": "90a0f73beac9b9fe3bbf7079dd3d1d3c7e8c49b1eb2afe56df60958e744fa2c9", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json index 5d875e4801c..4acdabc098b 100644 --- a/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "NET_RAW Capabilities Disabled for PSP", "severity": "MEDIUM", - "line": 17 + "line": 17, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example].spec.required_drop_capabilities", + "searchValue": "", + "expectedValue": "spec.required_drop_capabilities 'is ALL or NET_RAW'", + "actualValue": "spec.required_drop_capabilities 'is not ALL or NET_RAW'", + "issueType": "IncorrectValue", + "similarityID": "e9a174143e4dd66df924f7af82aeff336e94759adebaa60136d505a4138705ad", + "search_line": 17 } ] diff --git a/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json index 163f143b573..28f3bedb341 100644 --- a/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped/test/positive_expected_result.json 
@@ -2,61 +2,181 @@ { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 13 + "line": 13, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context.capabilities.drop should be set", + "actualValue": "kkubernetes_pod[positive1].spec.container[0].security_context.capabilities.drop is undefined", + "issueType": "MissingAttribute", + "similarityID": "72db16c22bed11731511d093157771a7956ecc07733d30961de533d2b1c4dbef", + "search_line": 13 }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 47 + "line": 47, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].security_context.capabilities.drop should be set", + "actualValue": "kkubernetes_pod[positive1].spec.container[1].security_context.capabilities.drop is undefined", + "issueType": "MissingAttribute", + "similarityID": "d15a25fdd5bd66f0d78c2a83f501715f1228b68ecc3a776259ecff7f39edd78c", + "search_line": 47 }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 82 + "line": 82, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[2].security_context.capabilities.drop is ALL or NET_RAW", + "actualValue": "kubernetes_pod[positive1].spec.container[2].security_context.capabilities.drop is not ALL or NET_RAW", + "issueType": "IncorrectValue", + "similarityID": "2400743c2a8a72a6ee1d7446a184da79a2559bc044d188dd69f022a0b4dffb8b", + "search_line": 82 }, { 
"queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 117 + "line": 117, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[3].security_context.capabilities.drop is ALL or NET_RAW", + "actualValue": "kubernetes_pod[positive1].spec.container[3].security_context.capabilities.drop is not ALL or NET_RAW", + "issueType": "IncorrectValue", + "similarityID": "31ca30bf1b9794cfe79d9f07b599baa480b4fcbe9e3bc8d376c8819ac2d70d07", + "search_line": 117 }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 150 + "line": 150, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[4].security_context.capabilities should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[4].security_context.capabilities is undefined", + "issueType": "MissingAttribute", + "similarityID": "063fbc38aeef8ecf4563366f3163261a6a11819ef8757cb533d6a0c032dd09c2", + "search_line": 150 }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 183 + "line": 183, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[5].security_context.capabilities should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[5].security_context.capabilities is undefined", + "issueType": "MissingAttribute", + "similarityID": "306a54a29c72adec5e36f85be81bdcfc7c39bae92b09c2cf27dc8cdff6262fe8", + "search_line": 183 }, { "queryName": "NET_RAW Capabilities Not 
Being Dropped", "severity": "MEDIUM", - "line": 212 + "line": 212, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[6].security_context should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[6].security_context is undefined", + "issueType": "MissingAttribute", + "similarityID": "783106e15c9f0738c2b12d85c469e63d5faac552ee24f6c320484f70aeae7bcd", + "search_line": 212 }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 241 + "line": 241, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[7].security_context should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[7].security_context is undefined", + "issueType": "MissingAttribute", + "similarityID": "4c5f5616fdf512a3f0040373345a6b9601c5a35a6f09599e1c8649ba76aff9eb", + "search_line": 241 }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 299 + "line": 299, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container.security_context.capabilities", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.security_context.capabilities.drop should be set", + "actualValue": "kubernetes_pod[positive2].spec.container.security_context.capabilities.drop is undefined", + "issueType": "MissingAttribute", + "similarityID": "d0fad02a4bbdc9a89976458754a49f847d09cfa6aaf533445fc1b4dfa330bb3e", + "search_line": 299 }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 358 + "line": 358, + 
"fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive3", + "searchKey": "kubernetes_pod[positive3].spec.container.security_context.capabilities.drop", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive3].spec.container.security_context.capabilities.drop is ALL or NET_RAW", + "actualValue": "kubernetes_pod[positive3].spec.container.security_context.capabilities.drop is not ALL or NET_RAW", + "issueType": "IncorrectValue", + "similarityID": "a093d7b7922e5e7350e645ba0f4a010c796e96b56cff8feeb0265b491eb8ec77", + "search_line": 358 }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 415 + "line": 415, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive4", + "searchKey": "kubernetes_pod[positive4].spec.container.security_context", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive4].spec.container.security_context.capabilities should be set", + "actualValue": "kubernetes_pod[positive4].spec.container.security_context.capabilities is undefined", + "issueType": "MissingAttribute", + "similarityID": "043b51c466641ff5f82c96f9296a319eee92719b7cf52e8aa4c87dfd0b628585", + "search_line": 415 }, { "queryName": "NET_RAW Capabilities Not Being Dropped", "severity": "MEDIUM", - "line": 467 + "line": 467, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive5", + "searchKey": "kubernetes_pod[positive5].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive5].spec.container.security_context should be set", + "actualValue": "kubernetes_pod[positive5].spec.container.security_context is undefined", + "issueType": "MissingAttribute", + "similarityID": "b647a72af70eda0a279185c79262cad6d30becf94834b1180fc73ba7d3c89e43", + "search_line": 467 } ] 
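Review bot: The first two new entries of this hunk (lines 13 and 47) carry `"actualValue": "kkubernetes_pod[positive1].spec.container[0].security_context.capabilities.drop is undefined"` and the matching `container[1]` string with a doubled `k`, while every other entry in the file spells the prefix `kubernetes_pod`. The expectation is generated, so the typo most likely lives in the "drop should be set" branch of the query's message text under assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped; that source should be corrected and this fixture regenerated rather than freezing the misspelling into the expected output. A similar spelling slip appears in the metadata_label_is_invalid expectation earlier in this patch.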
diff --git a/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json index 8db62c08375..d1d00ed97c4 100644 --- a/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Network Policy Is Not Targeting Any Pod", "severity": "LOW", - "line": 14 + "line": 14, + "fileName": "positive.tf", + "resourceType": "kubernetes_network_policy", + "resourceName": "terraform-example-network-policy", + "searchKey": "kubernetes_network_policy[example].spec.pod_selector.match_labels", + "searchValue": "", + "expectedValue": "kubernetes_network_policy[example].spec.pod_selector.match_labels is targeting at least a pod", + "actualValue": "kubernetes_network_policy[example].spec.pod_selector.match_labels is not targeting any pod", + "issueType": "IncorrectValue", + "similarityID": "95fa12507f4f20997da2701846a1541d11c4f00f236e3a113a68a8caa9476f6c", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/test/positive_expected_result.json index 27f74e88b00..1645e118e28 100644 --- a/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers/test/positive_expected_result.json 
@@ -3,54 +3,135 @@ "queryName": "No Drop Capabilities for Containers", "severity": "LOW", "line": 12, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test10", + "searchKey": "kubernetes_pod[test10].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test10].spec.container[0].security_context.capabilities.drop should be set", + "actualValue": "kubernetes_pod[test10].spec.container[0].security_context.capabilities.drop is undefined", + "issueType": "MissingAttribute", + "similarityID": "4a1a3664d5f8de0693e3ebe06803bed0891a17ac674537bd694a276690e2fabf", + "search_line": 12 }, { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", "line": 47, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test10", + "searchKey": "kubernetes_pod[test10].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test10].spec.container[1].security_context.capabilities.drop should be set", + "actualValue": "kubernetes_pod[test10].spec.container[1].security_context.capabilities.drop is undefined", + "issueType": "MissingAttribute", + "similarityID": "6c677d3c2d72d2ce16f6322b831c2a9d13bde47ea18c046fbd706a658a2dee29", + "search_line": 47 }, { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", "line": 141, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test11", + "searchKey": "kubernetes_pod[test11].spec.container.security_context.capabilities", + "searchValue": "", + "expectedValue": "kubernetes_pod[test11].spec.container.security_context.capabilities.drop should be set", + "actualValue": "kubernetes_pod[test11].spec.container.security_context.capabilities.drop is undefined", + "issueType": "IncorrectValue", + "similarityID": "0a8c475ee3e6e4a98c2dee821374825fc2c547a8fa14c0f0d4d828adcf9e0997", + "search_line": 141 }, { 
"queryName": "No Drop Capabilities for Containers", "severity": "LOW", "line": 11, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test20", + "searchKey": "kubernetes_pod[test20].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test20].spec.container[0].security_context.capabilities should be set", + "actualValue": "kubernetes_pod[test20].spec.container[0].security_context.capabilities is undefined", + "issueType": "MissingAttribute", + "similarityID": "c54dd682d68a78a9959da88fb994b984ec13e8729aacd21dba31231a9f353d51", + "search_line": 11 }, { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", "line": 44, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test20", + "searchKey": "kubernetes_pod[test20].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test20].spec.container[1].security_context.capabilities should be set", + "actualValue": "kubernetes_pod[test20].spec.container[1].security_context.capabilities is undefined", + "issueType": "MissingAttribute", + "similarityID": "6fc6667f7ea6951b52a55fb93b8440f7ca2e994d931b44fafb902bb9dd1b507a", + "search_line": 44 }, { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", "line": 136, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test21", + "searchKey": "kubernetes_pod[test21].spec.container.security_context", + "searchValue": "", + "expectedValue": "kubernetes_pod[test21].spec.container.security_context.capabilities should be set", + "actualValue": "kubernetes_pod[test21].spec.container.security_context.capabilities is undefined", + "issueType": "MissingAttribute", + "similarityID": "a26e8346d3ed60978b8e29f1acd84ddda66520e8e3cf919cd2026c9c0bd26cb6", + "search_line": 136 }, { "queryName": "No Drop Capabilities for Containers", "severity": 
"LOW", "line": 7, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test30", + "searchKey": "kubernetes_pod[test30].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test30].spec.container[0].security_context should be set", + "actualValue": "kubernetes_pod[test30].spec.container[0].security_context is undefined", + "issueType": "MissingAttribute", + "similarityID": "235e9b39a28dec1a81b6d1ba762e930f29be6e4b1975d8230ad809e5f038aadd", + "search_line": 7 }, { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", "line": 36, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test30", + "searchKey": "kubernetes_pod[test30].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test30].spec.container[1].security_context should be set", + "actualValue": "kubernetes_pod[test30].spec.container[1].security_context is undefined", + "issueType": "MissingAttribute", + "similarityID": "523df27e9835ae2bb32aa0905fbc6547c8598c46d84a457dadfb178fe4518078", + "search_line": 36 }, { "queryName": "No Drop Capabilities for Containers", "severity": "LOW", "line": 124, - "fileName": "positive3.tf" + "fileName": "positive3.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test31", + "searchKey": "kubernetes_pod[test31].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test31].spec.container.security_context should be set", + "actualValue": "kubernetes_pod[test31].spec.container.security_context is undefined", + "issueType": "MissingAttribute", + "similarityID": "22c4f78193fd7eff0d65559b0bbc2448ff01ccc6a37582acf4fcbed0385aa49c", + "search_line": 124 } ] 
diff --git a/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/test/positive_expected_result.json
index be69b39ed6f..19911af4769 100644
--- a/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount/test/positive_expected_result.json
@@ -2,21 +2,61 @@ { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 53 + "line": 53, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[test].spec.volume.host_path.path", + "searchValue": "", + "expectedValue": "Resource name 'terraform-example' in non kube-system namespace 'kube' should not have host_path '/var/log' mounted", + "actualValue": "Resource name 'terraform-example' in non kube-system namespace 'kube' has a host_path '/var/log' mounted", + "issueType": "IncorrectValue", + "similarityID": "b8f291c2488c493ad2420bbb1663da401e217dfbed45e1a9bdcce9515e114852", + "search_line": -1 }, { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 113 + "line": 113, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example2", + "searchKey": "kubernetes_pod[test2].spec.volume.host_path.path", + "searchValue": "", + "expectedValue": "Resource name 'terraform-example2' in non kube-system namespace 'default' should not have host_path '/var/log' mounted", + "actualValue": "Resource name 'terraform-example2' in non kube-system namespace 'default' has a host_path '/var/log' mounted", + "issueType": "IncorrectValue", + "similarityID": "bea33e8a813a991a3343553029612d56c7ec8359ad319f47c2ce3dfac17e4de4", + "search_line": -1 }, { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 173 + "line": 173, + "fileName": "positive.tf", + "resourceType": "kubernetes_persistent_volume", + "resourceName": "terraform-example3", + "searchKey": "kubernetes_persistent_volume[test3].spec.volume.host_path.path", + "searchValue": "", + "expectedValue": "Resource name 'terraform-example3' in non kube-system namespace 'kube' should not have host_path '/var/log' mounted", + "actualValue": "Resource name 'terraform-example3' in non kube-system namespace 'kube' has a host_path '/var/log' 
mounted", + "issueType": "IncorrectValue", + "similarityID": "bb4e871024bc7f7862bca193dd109e9dc19e6f9c63d0d99954cc9dc80daa71de", + "search_line": -1 }, { "queryName": "Non Kube System Pod With Host Mount", "severity": "HIGH", - "line": 233 + "line": 233, + "fileName": "positive.tf", + "resourceType": "kubernetes_persistent_volume", + "resourceName": "terraform-example4", + "searchKey": "kubernetes_persistent_volume[test4].spec.volume.host_path.path", + "searchValue": "", + "expectedValue": "Resource name 'terraform-example4' in non kube-system namespace 'default' should not have host_path '/var/log' mounted", + "actualValue": "Resource name 'terraform-example4' in non kube-system namespace 'default' has a host_path '/var/log' mounted", + "issueType": "IncorrectValue", + "similarityID": "147f73a492757442c2d5b32225f5d956d348d21d924deb3fef12c256f6d5df4c", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/test/positive_expected_result.json index 407515d5dbd..79464f0cec6 100644 --- a/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/permissive_access_to_create_pods/test/positive_expected_result.json 
@@ -3,48 +3,120 @@ "queryName": "Permissive Access to Create Pods", "severity": "MEDIUM", "line": 13, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "kubernetes_role", + "resourceName": "terraform-example1", + "searchKey": "kubernetes_role[example1].rule.verbs.create", + "searchValue": "create/pods", + "expectedValue": "kubernetes_role[example1].rule.verbs should not contain the value 'create' when kubernetes_role[example1].rule.resources contains the value 'pods'", + "actualValue": "kubernetes_role[example1].rule.verbs contains the value 'create' and kubernetes_role[example1].rule.resources contains the value 'pods'", + "issueType": "IncorrectValue", + "similarityID": "bbe944e1b4e0c1f3fe27fbd973e97e487625d62a21baa9a7849112dd16ee59e7", + "search_line": 13 }, { "queryName": "Permissive Access to Create Pods", "severity": "MEDIUM", "line": 35, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "kubernetes_role", + "resourceName": "terraform-example2", + "searchKey": "kubernetes_role[example2].rule.verbs.create", + "searchValue": "create/*", + "expectedValue": "kubernetes_role[example2].rule.verbs should not contain the value 'create' when kubernetes_role[example2].rule.resources contains a wildcard value", + "actualValue": "kubernetes_role[example2].rule.verbs contains the value 'create' and kubernetes_role[example2].rule.resources contains a wildcard value", + "issueType": "IncorrectValue", + "similarityID": "6cf74cd3752a6b91a836f5dd54b5168f2f0d8b0deb7b789e7f13a75b7285a3d7", + "search_line": 35 }, { "queryName": "Permissive Access to Create Pods", "severity": "MEDIUM", "line": 57, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "kubernetes_role", + "resourceName": "terraform-example3", + "searchKey": "kubernetes_role[example3].rule.verbs.*", + "searchValue": "*/pods", + "expectedValue": "kubernetes_role[example3].rule.verbs should not contain a wildcard value when 
kubernetes_role[example3].rule.resources contains the value 'pods'", + "actualValue": "kubernetes_role[example3].rule.verbs contains a wildcard value and kubernetes_role[example3].rule.resources contains the value 'pods'", + "issueType": "IncorrectValue", + "similarityID": "be60ea8a30836cd3fea08832b6bfea81abee4f7934156bd680048ba23b227594", + "search_line": 57 }, { "queryName": "Permissive Access to Create Pods", "severity": "MEDIUM", "line": 79, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "kubernetes_role", + "resourceName": "terraform-example4", + "searchKey": "kubernetes_role[example4].rule.verbs.*", + "searchValue": "*/*", + "expectedValue": "kubernetes_role[example4].rule.verbs should not contain a wildcard value when kubernetes_role[example4].rule.resources contains a wildcard value", + "actualValue": "kubernetes_role[example4].rule.verbs contains a wildcard value and kubernetes_role[example4].rule.resources contains a wildcard value", + "issueType": "IncorrectValue", + "similarityID": "06a58fa51f3429db8475d9a50a6c07c2cc12a71e45f0e2474e773488ba02d9e3", + "search_line": 79 }, { "queryName": "Permissive Access to Create Pods", "severity": "MEDIUM", "line": 9, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "kubernetes_cluster_role", + "resourceName": "terraform-example1", + "searchKey": "kubernetes_cluster_role[example1].rule.verbs.create", + "searchValue": "create/pods", + "expectedValue": "kubernetes_cluster_role[example1].rule.verbs should not contain the value 'create' when kubernetes_cluster_role[example1].rule.resources contains the value 'pods'", + "actualValue": "kubernetes_cluster_role[example1].rule.verbs contains the value 'create' and kubernetes_cluster_role[example1].rule.resources contains the value 'pods'", + "issueType": "IncorrectValue", + "similarityID": "d69167234747da32f39c3ee8b835c1c325082d9e99124429564e928f43d3031f", + "search_line": 9 }, { "queryName": "Permissive Access to 
Create Pods", "severity": "MEDIUM", "line": 21, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "kubernetes_cluster_role", + "resourceName": "terraform-example2", + "searchKey": "kubernetes_cluster_role[example2].rule.verbs.create", + "searchValue": "create/*", + "expectedValue": "kubernetes_cluster_role[example2].rule.verbs should not contain the value 'create' when kubernetes_cluster_role[example2].rule.resources contains a wildcard value", + "actualValue": "kubernetes_cluster_role[example2].rule.verbs contains the value 'create' and kubernetes_cluster_role[example2].rule.resources contains a wildcard value", + "issueType": "IncorrectValue", + "similarityID": "dc9576dffb8edbfe10c45db741eecf9a251d837a2b96cf65e3229ee462f7c698", + "search_line": 21 }, { "queryName": "Permissive Access to Create Pods", "severity": "MEDIUM", "line": 33, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "kubernetes_cluster_role", + "resourceName": "terraform-example3", + "searchKey": "kubernetes_cluster_role[example3].rule.verbs.*", + "searchValue": "*/*", + "expectedValue": "kubernetes_cluster_role[example3].rule.verbs should not contain a wildcard value when kubernetes_cluster_role[example3].rule.resources contains a wildcard value", + "actualValue": "kubernetes_cluster_role[example3].rule.verbs contains a wildcard value and kubernetes_cluster_role[example3].rule.resources contains a wildcard value", + "issueType": "IncorrectValue", + "similarityID": "c3e1d5f3ac86a7ac8c95d068344604574ebbb0b940d470fe19e2fecf37423c94", + "search_line": 33 }, { "queryName": "Permissive Access to Create Pods", "severity": "MEDIUM", "line": 45, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "kubernetes_cluster_role", + "resourceName": "terraform-example4", + "searchKey": "kubernetes_cluster_role[example4].rule.verbs.*", + "searchValue": "*/pods", + "expectedValue": "kubernetes_cluster_role[example4].rule.verb should not 
contain a wildcard value when kubernetes_cluster_role[example4].rule.resources contains the value 'pods'", + "actualValue": "kubernetes_cluster_role[example4].rule.verb contains a wildcard value and kubernetes_cluster_role[example4].rule.resources contains the value 'pods'", + "issueType": "IncorrectValue", + "similarityID": "8ceb51f975e06d6564cbc2b79a1b2907adbfeef8bf50b2abac07c3c228d6c507", + "search_line": 45 } ] diff --git a/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/test/positive_expected_result.json index 597ff9f41c0..e8fd2213938 100644 --- a/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/pod_or_container_without_security_context/test/positive_expected_result.json 
@@ -2,26 +2,76 @@ { "queryName": "Pod or Container Without Security Context", "severity": "LOW", - "line": 6 + "line": 6, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[positive1].spec", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.security_context should be set", + "actualValue": "kubernetes_pod[positive1].spec.security_context is undefined", + "issueType": "MissingAttribute", + "similarityID": "4e58ac7916664727e87f7119f284c5037a3e66480df3fe667e675afda8146428", + "search_line": 6 }, { "queryName": "Pod or Container Without Security Context", "severity": "LOW", - "line": 7 + "line": 7, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context is undefined", + "issueType": "MissingAttribute", + "similarityID": "81531b9d9a1141702143fa9b9fedb94cf8584efa826591cbb316ea052ea46f9f", + "search_line": 7 }, { "queryName": "Pod or Container Without Security Context", "severity": "LOW", - "line": 36 + "line": 36, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].security_context should be set", + "actualValue": "kubernetes_pod[positive1].spec.container[1].security_context is undefined", + "issueType": "MissingAttribute", + "similarityID": "e1adfe5e5cf9eebceb641fe514b8a1caddfb24d7e9fbc6d0da796b95b513402c", + "search_line": 36 }, { "queryName": "Pod or Container Without Security Context", "severity": "LOW", - "line": 88 + "line": 88, + "fileName": "positive.tf", + "resourceType": 
"kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[positive2].spec", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.security_context should be set", + "actualValue": "kubernetes_pod[positive2].spec.security_context is undefined", + "issueType": "MissingAttribute", + "similarityID": "09d22c473f37f862930c6d68848a3d5771dceabb83d454947038c50d5c437791", + "search_line": 88 }, { "queryName": "Pod or Container Without Security Context", "severity": "LOW", - "line": 89 + "line": 89, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.security_context should be set", + "actualValue": "kubernetes_pod[positive2].spec.container.security_context is undefined", + "issueType": "MissingAttribute", + "similarityID": "88ffd12d4acf7b8872278c3435419a26b22d688c4708d307db21c10c21fed509", + "search_line": 89 } ] diff --git a/assets/queries/terraform/kubernetes/privilege_escalation_allowed/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/privilege_escalation_allowed/test/positive_expected_result.json index 291dc7b524f..443b321f66f 100644 --- a/assets/queries/terraform/kubernetes/privilege_escalation_allowed/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/privilege_escalation_allowed/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "Privilege Escalation Allowed", "severity": "HIGH", - "line": 14 + "line": 14, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container.name={{example22}}.security_context.allow_privilege_escalation", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context.allow_privilege_escalation should not be set to true", + "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context.allow_privilege_escalation is set to true", + "issueType": "IncorrectValue", + "similarityID": "05b6447f5a94eb0bffaedac78a5f22e831fe99f85c8b21d0d9c30cb177ccf7ee", + "search_line": -1 }, { "queryName": "Privilege Escalation Allowed", "severity": "HIGH", - "line": 47 + "line": 47, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container.name={{example22222}}.security_context.allow_privilege_escalation", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[1].security_context.allow_privilege_escalation should not be set to true", + "actualValue": "kubernetes_pod[positive1].spec.container[1].security_context.allow_privilege_escalation is set to true", + "issueType": "IncorrectValue", + "similarityID": "e38da29402d9e73a2ad3175f9d547d0b84604bcae2a4941a86bdda49a52f77aa", + "search_line": -1 }, { "queryName": "Privilege Escalation Allowed", "severity": "HIGH", - "line": 108 + "line": 108, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container.security_context.allow_privilege_escalation", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.security_context.allow_privilege_escalation should not be set to true", + "actualValue": 
"kubernetes_pod[positive2].spec.container.security_context.allow_privilege_escalation is set to true",
+ "issueType": "IncorrectValue",
+ "similarityID": "872baa43bd5bbb8b74db9de4968d87d3a199dccdc0b5f7946477f4944301f374",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/test/positive_expected_result.json
index 116cddb31d2..23bbfd59d1f 100644
--- a/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "PSP Allows Containers To Share The Host Network Namespace",
 "severity": "HIGH",
- "line": 8
+ "line": 8,
+ "fileName": "positive.tf",
+ "resourceType": "kubernetes_pod_security_policy",
+ "resourceName": "terraform-example",
+ "searchKey": "kubernetes_pod_security_policy[example].spec.host_network",
+ "searchValue": "",
+ "expectedValue": "'spec.hostNetwork' should be set to false or undefined",
+ "actualValue": "'spec.hostNetwork' is true",
+ "issueType": "IncorrectValue",
+ "similarityID": "03bd24bac5377450ee89daf7c57577834f49acac9ffd5b2716d623c2c20f9f01",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/test/positive_expected_result.json
index fb790fc97db..a684416496f 100644
--- a/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation/test/positive_expected_result.json
@@ -2,11 +2,31 @@
 {
 "queryName": "PSP Allows Privilege Escalation",
 "severity": "HIGH",
- "line": 7
+ "line": 7,
+ "fileName": "positive.tf",
+ "resourceType": "kubernetes_pod_security_policy",
+ "resourceName": "terraform-example",
+ "searchKey": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation",
+ "searchValue": "",
+ "expectedValue": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation should be set to false",
+ "actualValue": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation is set to true",
+ "issueType": "IncorrectValue",
+ "similarityID": "827b83092ba3a52cfaf01d768afecacac84b7c836c535246d05c47c090faaeb9",
+ "search_line": 7
 },
 {
 "queryName": "PSP Allows Privilege Escalation",
 "severity": "HIGH",
- "line": 50
+ "line": 50,
+ "fileName": "positive.tf",
+ "resourceType": "kubernetes_pod_security_policy",
+ "resourceName": "terraform-example",
+ "searchKey": "kubernetes_pod_security_policy[example2].spec",
+ "searchValue": "",
+ "expectedValue": "kubernetes_pod_security_policy[example2].spec.allow_privilege_escalation should be set",
+ "actualValue": "kubernetes_pod_security_policy[example2].spec.allow_privilege_escalation is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "c5de43955a6575b44450788b11577e99f124894104be31f86ef4d911c6865296",
+ "search_line": 50
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/test/positive_expected_result.json
index 65f43ef0cb9..dd4f182cc98 100644
--- a/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "PSP Allows Sharing Host IPC",
 "severity": "HIGH",
- "line": 8
+ "line": 8,
+ "fileName": "positive.tf",
+ "resourceType": "kubernetes_pod_security_policy",
+ "resourceName": "terraform-example",
+ "searchKey": "kubernetes_pod_security_policy[example2].spec.host_ipc",
+ "searchValue": "",
+ "expectedValue": "Attribute 'host_ipc' should be undefined or false",
+ "actualValue": "Attribute 'host_ipc' is true",
+ "issueType": "IncorrectValue",
+ "similarityID": "fb60abd504b05c10cd80d2168385dffde3aa3ba238b1daec46ae8bc4d2155ef5",
+ "search_line": 8
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/kubernetes/psp_set_to_privileged/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/psp_set_to_privileged/test/positive_expected_result.json
index 18055bdda6c..f4e647d3176 100644
--- a/assets/queries/terraform/kubernetes/psp_set_to_privileged/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/psp_set_to_privileged/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "PSP Set To Privileged",
 "severity": "HIGH",
- "line": 6
+ "line": 6,
+ "fileName": "positive.tf",
+ "resourceType": "kubernetes_pod_security_policy",
+ "resourceName": "terraform-example",
+ "searchKey": "kubernetes_pod_security_policy[example].spec.privileged",
+ "searchValue": "",
+ "expectedValue": "kubernetes_pod_security_policy[example].spec.privileged should be set to false",
+ "actualValue": "kubernetes_pod_security_policy[example].spec.privileged is not set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "441d726467f553fe3a43cc4043f7c2bf128df5f624492cfa728e632e45592ed0",
+ "search_line": 6
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/kubernetes/psp_with_added_capabilities/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/psp_with_added_capabilities/test/positive_expected_result.json
index 9721fb8119a..3e97861e6e5 100644
--- a/assets/queries/terraform/kubernetes/psp_with_added_capabilities/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/psp_with_added_capabilities/test/positive_expected_result.json
@@ -2,6 +2,16 @@
 {
 "queryName": "PSP With Added Capabilities",
 "severity": "HIGH",
- "line": 6
+ "line": 6,
+ "fileName": "positive.tf",
+ "resourceType": "kubernetes_pod_security_policy",
+ "resourceName": "terraform-example",
+ "searchKey": "kubernetes_pod_security_policy[example].spec.allowed_capabilities",
+ "searchValue": "",
+ "expectedValue": "Pod Security Policy example should not have allowed capabilities",
+ "actualValue": "Pod Security Policy example has allowed capabilities",
+ "issueType": "IncorrectValue",
+ "similarityID": "6eb4c11d6012d9d0fa3e83580df9422f0355ce9b220b0ddb51509056b509cbb8",
+ "search_line": -1
 }
-]
\ No newline at end of file
+]
diff --git a/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json
index 8a2bf2e74fc..620cf13fba6 100644
--- a/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions/test/positive_expected_result.json
@@ -2,21 +2,61 @@ { "queryName": "RBAC Roles with Read Secrets Permissions", "severity": "MEDIUM", - "line": 9 + "line": 9, + "fileName": "positive.tf", + "resourceType": "kubernetes_role", + "resourceName": "terraform-example1", + "searchKey": "kubernetes_role[example1].rule", + "searchValue": "", + "expectedValue": "Rules don't give access to 'secrets' resources", + "actualValue": "Some rule is giving access to 'secrets' resources", + "issueType": "IncorrectValue", + "similarityID": "76bd1ef4b30a8e2acf06fda77628a53c7fa6b30fd3a0b92b36632b3be235cf73", + "search_line": -1 }, { "queryName": "RBAC Roles with Read Secrets Permissions", "severity": "MEDIUM", - "line": 27 + "line": 27, + "fileName": "positive.tf", + "resourceType": "kubernetes_cluster_role", + "resourceName": "terraform-example2", + "searchKey": "kubernetes_cluster_role[example2].rule", + "searchValue": "", + "expectedValue": "Rules don't give access to 'secrets' resources", + "actualValue": "Some rule is giving access to 'secrets' resources", + "issueType": "IncorrectValue", + "similarityID": "b1eeeada0d0640e5cdbb1d8c9a1b1d56bfe8f704f90dcbe153da229faa671121", + "search_line": -1 }, { "queryName": "RBAC Roles with Read Secrets Permissions", "severity": "MEDIUM", - "line": 48 + "line": 48, + "fileName": "positive.tf", + "resourceType": "kubernetes_role", + "resourceName": "terraform-example3", + "searchKey": "kubernetes_role[example3].rule", + "searchValue": "", + "expectedValue": "Rules don't give access to 'secrets' resources", + "actualValue": "Some rule is giving access to 'secrets' resources", + "issueType": "IncorrectValue", + "similarityID": "6579a30240773605f8fa350a397d3957f6d093b6fdd7055bae2bc0fa19b361cc", + "search_line": -1 }, { "queryName": "RBAC Roles with Read Secrets Permissions", "severity": "MEDIUM", - "line": 62 + "line": 62, + "fileName": "positive.tf", + "resourceType": "kubernetes_cluster_role", + "resourceName": "terraform-example4", + "searchKey": 
"kubernetes_cluster_role[example4].rule", + "searchValue": "", + "expectedValue": "Rules don't give access to 'secrets' resources", + "actualValue": "Some rule is giving access to 'secrets' resources", + "issueType": "IncorrectValue", + "similarityID": "ef8cdace13272536712b9db8d7906a321a75e83c5b2d8f39c3ec951a4e697eea", + "search_line": -1 } ] diff --git a/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/test/positive_expected_result.json index ffe1dad2b4d..a98f533ff4f 100644 --- a/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "Readiness Probe Is Not Configured", "severity": "MEDIUM", - "line": 7 + "line": 7, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test", + "searchKey": "kubernetes_pod[test].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test].spec.container.readiness_probe should be set", + "actualValue": "kubernetes_pod[test].spec.container.readiness_probe is undefined", + "issueType": "MissingAttribute", + "similarityID": "38a2749f1389aee6613ad399113f160603928bcdc51ad19dd8b60cb2219c0a08", + "search_line": 7 }, { "queryName": "Readiness Probe Is Not Configured", "severity": "MEDIUM", - "line": 60 + "line": 60, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test2", + "searchKey": "kubernetes_pod[test2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test2].spec.container[0].readiness_probe should be set", + "actualValue": "kubernetes_pod[test2].spec.container[0].readiness_probe is undefined", + "issueType": "MissingAttribute", + "similarityID": "f0381154c7d290f0390998888231b1e80ddb0d54322d0c403e9f951e908cb2cd", + "search_line": 60 }, { "queryName": "Readiness Probe Is Not Configured", "severity": "MEDIUM", - "line": 89 + "line": 89, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test2", + "searchKey": "kubernetes_pod[test2].spec.container", + "searchValue": "", + "expectedValue": "kubernetes_pod[test2].spec.container[1].readiness_probe should be set", + "actualValue": "kubernetes_pod[test2].spec.container[1].readiness_probe is undefined", + "issueType": "MissingAttribute", + "similarityID": "2f80a8c5e10752405ac0a79f22c4f388115c3d0aec90135d0a704c41df1ddec2", + "search_line": 89 } ] 
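Review bot: The three new entries describe the same attribute in two shapes — `kubernetes_pod[test].spec.container.readiness_probe` for the single-container pod and `kubernetes_pod[test2].spec.container[0].readiness_probe` / `container[1]` for the two-container pod — so the message path is not a stable key a consumer can parse; presumably this comes from the HCL-to-JSON conversion collapsing a single block to an object, which the query then reports without an index. If that is intended, the difference deserves a sentence in the PR description, because anyone diffing future regenerations will see the path shape flip whenever a fixture gains or loses a container. Otherwise the query should emit a uniform `container[<n>]` path before these similarityIDs are frozen.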
diff --git a/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/test/positive_expected_result.json index 72f7c8c2f21..70ceab39305 100644 --- a/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/role_binding_to_default_service_account/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Role Binding To Default Service Account", "severity": "MEDIUM", - "line": 1 + "line": 1, + "fileName": "positive.tf", + "resourceType": "kubernetes_role_binding", + "resourceName": "terraform-example", + "searchKey": "resource.kubernetes_role_binding[example]", + "searchValue": "", + "expectedValue": "resource.kubernetes_role_binding[example].subject[1].name should not be default", + "actualValue": "resource.kubernetes_role_binding[example].subject[1].name is default", + "issueType": "IncorrectValue", + "similarityID": "f809e2dc1cc90f804e0f3be3efe0dc00b908128e849d644d73a82320add632c3", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/test/positive_expected_result.json index 0bf69a1330c..19e4a8998f4 100644 --- a/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only/test/positive_expected_result.json 
@@ -2,16 +2,46 @@ { "queryName": "Root Container Not Mounted As Read-only", "severity": "LOW", - "line": 14 + "line": 14, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container.name={{example22}}.security_context.read_only_root_filesystem", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[0].security_context.read_only_root_filesystem should be set to true", + "actualValue": "kubernetes_pod[positive1].spec.container[0].security_context.read_only_root_filesystem is not set to true", + "issueType": "IncorrectValue", + "similarityID": "aa55113cbb30af5ce159353c82c22e0edd7747ed5bc60ee7fe5ee07422aeb140", + "search_line": -1 }, { "queryName": "Root Container Not Mounted As Read-only", "severity": "LOW", - "line": 44 + "line": 44, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.container.name={{example22222}}", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive1].spec.container[%!d(string={\"env\": {\"name\": \"environment\", \"value\": \"test\"}, \"image\": \"nginx:1.7.9\", \"liveness_probe\": {\"http_get\": {\"http_header\": {\"name\": \"X-Custom-Header\", \"value\": \"Awesome\"}, \"path\": \"/nginx_status\", \"port\": 80}, \"initial_delay_seconds\": 3, \"period_seconds\": 3}, \"name\": \"example22222\", \"port\": {\"container_port\": 8080}})].security_context should be set", + "actualValue": "kkubernetes_pod[positive1].spec.container[%!d(string={\"env\": {\"name\": \"environment\", \"value\": \"test\"}, \"image\": \"nginx:1.7.9\", \"liveness_probe\": {\"http_get\": {\"http_header\": {\"name\": \"X-Custom-Header\", \"value\": \"Awesome\"}, \"path\": \"/nginx_status\", \"port\": 80}, \"initial_delay_seconds\": 3, \"period_seconds\": 3}, \"name\": \"example22222\", \"port\": {\"container_port\": 8080}})].security_context is undefined", + 
"issueType": "IncorrectValue", + "similarityID": "3f5a9446e1a3304ad2b102f433f7eb46f684d9c2c61464bf25d3caae24ecb6e3", + "search_line": -1 }, { "queryName": "Root Container Not Mounted As Read-only", "severity": "LOW", - "line": 103 + "line": 103, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive2", + "searchKey": "kubernetes_pod[positive2].spec.container.security_context", + "searchValue": "", + "expectedValue": "kubernetes_pod[positive2].spec.container.security_context.read_only_root_filesystem should be set", + "actualValue": "kubernetes_pod[positive2].spec.container.security_context.read_only_root_filesystem is undefined", + "issueType": "IncorrectValue", + "similarityID": "36cac963d18c51b41c6c39c4f43b0763f0f4781a77de390cf13e2f88cc1e8e42", + "search_line": -1 } ] diff --git a/assets/queries/terraform/kubernetes/root_containers_admitted/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/root_containers_admitted/test/positive_expected_result.json index cef67ea3ebd..348b7657c9b 100644 --- a/assets/queries/terraform/kubernetes/root_containers_admitted/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/root_containers_admitted/test/positive_expected_result.json 
@@ -2,26 +2,76 @@ { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 6 + "line": 6, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example].spec.privileged", + "searchValue": "", + "expectedValue": "kubernetes_pod_security_policy[example].spec.privileged should be set to false", + "actualValue": "kubernetes_pod_security_policy[example].spec.privileged is set to true", + "issueType": "IncorrectValue", + "similarityID": "bff4031c193e145ba852814619e4c3f6bfe78636a5d6e7500cfedf67b7279e2b", + "search_line": -1 }, { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 7 + "line": 7, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation", + "searchValue": "", + "expectedValue": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation should be set to false", + "actualValue": "kubernetes_pod_security_policy[example].spec.allow_privilege_escalation is set to true", + "issueType": "IncorrectValue", + "similarityID": "73d5d950abaefbf573dd52ac33006b228304fd104b77aa21eb9ad994a9818bd8", + "search_line": -1 }, { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 19 + "line": 19, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example].spec.run_as_user.rule", + "searchValue": "", + "expectedValue": "kubernetes_pod_security_policy[example].spec.run_as_user.rule is equal to 'MustRunAsNonRoot'", + "actualValue": "kubernetes_pod_security_policy[example].spec.run_as_user.rule is not equal to 'MustRunAsNonRoot'", + "issueType": "IncorrectValue", + "similarityID": 
"d627c90233ed62e363f78b77e5f90aae0b09a3f22471444aa3fa499b0feb07ac", + "search_line": -1 }, { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 27 + "line": 27, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example].spec.supplemental_groups.rule", + "searchValue": "", + "expectedValue": "kubernetes_pod_security_policy[example].spec.supplemental_groups.rule limits its ranges", + "actualValue": "kubernetes_pod_security_policy[example].spec.supplemental_groups.rule does not limit its ranges", + "issueType": "IncorrectValue", + "similarityID": "91e108562df1861edddf29c0a4b1eb457c7d631e951f3a86380db4c49f2e2990", + "search_line": -1 }, { "queryName": "Root Containers Admitted", "severity": "MEDIUM", - "line": 37 + "line": 37, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod_security_policy", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod_security_policy[example].spec.fs_group.range.min", + "searchValue": "", + "expectedValue": "kubernetes_pod_security_policy[example].spec.fs_group.range.min should not allow range '0' (root)", + "actualValue": "kubernetes_pod_security_policy[example].spec.fs_group.range.min allows range '0' (root)", + "issueType": "IncorrectValue", + "similarityID": "90107fc5e620aeb125c2b71031d75638e9f451104c540be42e72ee9248ddad45", + "search_line": -1 } ] diff --git a/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/test/positive_expected_result.json index d0fae507cba..af93ace92e0 100644 --- a/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured/test/positive_expected_result.json 
@@ -2,46 +2,136 @@ { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 2 + "line": 2, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[pod1].metadata", + "searchValue": "", + "expectedValue": "kubernetes_pod[pod1].metadata.annotations should be set", + "actualValue": "kubernetes_pod[pod1].metadata.annotations is undefined", + "issueType": "MissingAttribute", + "similarityID": "c29d0ec3294efde5e94c03d9c9d88219c35f628141811ea9e08d04832fb70415", + "search_line": -1 }, { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 58 + "line": 58, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[pod2].metadata.annotations", + "searchValue": "", + "expectedValue": "kubernetes_pod[pod2].metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName should be set", + "actualValue": "kubernetes_pod[pod2].metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is undefined", + "issueType": "MissingAttribute", + "similarityID": "e830867148a53381dfe7ae3012174282fc7fa931e5f1edccbf06514e8d65c943", + "search_line": -1 }, { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 115 + "line": 115, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[pod3].metadata.annotations", + "searchValue": "", + "expectedValue": "kubernetes_pod[pod3].metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'runtime/default'", + "actualValue": "kubernetes_pod[pod3].metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'rntim/dfl'", + "issueType": "IncorrectValue", + "similarityID": "4441d1243c8fea067849d6b2aec2cfc2fc937fb8fbef738b3b3d7e5c2eca22b7", + "search_line": -1 }, { 
"queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 184 + "line": 184, + "fileName": "positive.tf", + "resourceType": "kubernetes_cron_job", + "resourceName": "demo", + "searchKey": "kubernetes_cron_job[cron1].spec.job_template.spec.template.metadata", + "searchValue": "", + "expectedValue": "kubernetes_cron_job[cron1].spec.job_template.spec.template.metadata.annotations should be set", + "actualValue": "kubernetes_cron_job[cron1].spec.job_template.spec.template.metadata.annotations is undefined", + "issueType": "MissingAttribute", + "similarityID": "3b17645991f26c3b7ccfd030fcdbc6d57d07486e74aaa9a05490acb74e18a644", + "search_line": -1 }, { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 215 + "line": 215, + "fileName": "positive.tf", + "resourceType": "kubernetes_cron_job", + "resourceName": "demo", + "searchKey": "kubernetes_cron_job[cron2].spec.job_template.spec.template.metadata.annotations", + "searchValue": "", + "expectedValue": "kubernetes_cron_job[cron2].spec.job_template.spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName should be set", + "actualValue": "kubernetes_cron_job[cron2].spec.job_template.spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is undefined", + "issueType": "MissingAttribute", + "similarityID": "0a5d51b3911938fb0fc017238d11be6fd3e849855b3b323bb3e4275aec4e8e15", + "search_line": -1 }, { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 249 + "line": 249, + "fileName": "positive.tf", + "resourceType": "kubernetes_cron_job", + "resourceName": "demo", + "searchKey": "kubernetes_cron_job[cron3].spec.job_template.spec.template.metadata.annotations", + "searchValue": "", + "expectedValue": "kubernetes_cron_job[cron3].spec.job_template.spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'runtime/default'", + "actualValue": 
"kubernetes_cron_job[cron3].spec.job_template.spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'rntim/dfl'", + "issueType": "IncorrectValue", + "similarityID": "f985353ce5911e54c3674bbf2ca2017897c2fb39c0754e14ffacb0684a7ba715", + "search_line": -1 }, { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 284 + "line": 284, + "fileName": "positive.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "deployment1", + "searchKey": "kubernetes_deployment[deployment1].spec.template.metadata", + "searchValue": "", + "expectedValue": "kubernetes_deployment[deployment1].spec.template.metadata.annotations should be set", + "actualValue": "kubernetes_deployment[deployment1].spec.template.metadata.annotations is undefined", + "issueType": "MissingAttribute", + "similarityID": "d0e5018a7e6a84d66125ce0ebe8da973d58f9c26daa15551f0ca3fc1189af799", + "search_line": -1 }, { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 348 + "line": 348, + "fileName": "positive.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "deployment2", + "searchKey": "kubernetes_deployment[deployment2].spec.template.metadata.annotations", + "searchValue": "", + "expectedValue": "kubernetes_deployment[deployment2].spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName should be set", + "actualValue": "kubernetes_deployment[deployment2].spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is undefined", + "issueType": "MissingAttribute", + "similarityID": "eb3d01742b6346c7c6e9eb24e9bc426c242b416c6c662648ec6f8aae3399bcd0", + "search_line": -1 }, { "queryName": "Seccomp Profile Is Not Configured", "severity": "MEDIUM", - "line": 411 + "line": 411, + "fileName": "positive.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "deployment3", + "searchKey": 
"kubernetes_deployment[deployment3].spec.template.metadata.annotations", + "searchValue": "", + "expectedValue": "kubernetes_deployment[deployment3].spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'runtime/default'", + "actualValue": "kubernetes_deployment[deployment3].spec.template.metadata.annotations.seccomp.security.alpha.kubernetes.io/defaultProfileName is 'rntim/dfl'", + "issueType": "IncorrectValue", + "similarityID": "c6fa83d2f4294eba255837b25b1a5a28143f5ad94b134b3e8c8b94d2c401fcb3", + "search_line": -1 } ] diff --git a/assets/queries/terraform/kubernetes/secrets_as_environment_variables/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/secrets_as_environment_variables/test/positive_expected_result.json index 369bb9a954f..98c8ebfb9cd 100644 --- a/assets/queries/terraform/kubernetes/secrets_as_environment_variables/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/secrets_as_environment_variables/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Secrets As Environment Variables", "severity": "LOW", - "line": 11 + "line": 11, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test", + "searchKey": "kubernetes_pod[test].spec.container.env", + "searchValue": "", + "expectedValue": "kubernetes_pod[test].spec.container.env.value_from.secret_key_ref should be undefined", + "actualValue": "kubernetes_pod[test].spec.container.env.value_from.secret_key_ref is set", + "issueType": "IncorrectValue", + "similarityID": "5990b242d182ea0fced3b2e79454b17f76a20a7c1148d449bc52034ce10274f3", + "search_line": -1 }, { "queryName": "Secrets As Environment Variables", "severity": "LOW", - "line": 20 + "line": 20, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test", + "searchKey": "kubernetes_pod[test].spec.container.env_from", + "searchValue": "", + "expectedValue": "kubernetes_pod[test].spec.container.env_from.secret_ref should be undefined", + "actualValue": "kubernetes_pod[test].spec.container.env_from.secret_ref is set", + "issueType": "IncorrectValue", + "similarityID": "6b82d407bfaa84ecdf06a91cad2f56619a4eb168028835a498f770928cbc5fe9", + "search_line": -1 } ] diff --git a/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/test/positive_expected_result.json index fe3d702c932..2ecc80ba6d2 100644 --- a/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/service_account_allows_access_secrets/test/positive_expected_result.json 
@@ -1,12 +1,32 @@ [ - { - "queryName": "Service Account Allows Access Secrets", - "severity": "MEDIUM", - "line": 7 - }, { - "queryName": "Service Account Allows Access Secrets", - "severity": "MEDIUM", - "line": 49 - } + "queryName": "Service Account Allows Access Secrets", + "severity": "MEDIUM", + "line": 7, + "fileName": "positive.tf", + "resourceType": "kubernetes_cluster_role", + "resourceName": "cluster_role_name", + "searchKey": "kubernetes_cluster_role[cluster_role_name].rule", + "searchValue": "", + "expectedValue": "kubernetes_cluster_role[cluster_role_name].rule.verbs should not contain the following verbs: [\"get\", \"watch\", \"list\", \"*\"]", + "actualValue": "kubernetes_cluster_role[cluster_role_name].rule.verbs contain one of the following verbs: [\"get\", \"watch\", \"list\", \"*\"]", + "issueType": "IncorrectValue", + "similarityID": "5e721ceda86f7c23a9e22db50d67024ba16d258bf4270a6876ad01e53fd5b813", + "search_line": -1 + }, + { + "queryName": "Service Account Allows Access Secrets", + "severity": "MEDIUM", + "line": 49, + "fileName": "positive.tf", + "resourceType": "kubernetes_role", + "resourceName": "role_name", + "searchKey": "kubernetes_role[role_name].rule", + "searchValue": "", + "expectedValue": "kubernetes_role[role_name].rule.verbs should not contain the following verbs: [\"get\", \"watch\", \"list\", \"*\"]", + "actualValue": "kubernetes_role[role_name].rule.verbs contain one of the following verbs: [\"get\", \"watch\", \"list\", \"*\"]", + "issueType": "IncorrectValue", + "similarityID": "ef2ccb33604bd875ff6245212df3e1bca7e3a9e035dd658aaf9092ce2287b0f2", + "search_line": -1 + } ] diff --git a/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/test/positive_expected_result.json index 27d1d3d2d7e..81c7592f3e8 100644 
--- a/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty/test/positive_expected_result.json 
@@ -1,20 +1,47 @@ [ - { - "queryName": "Service Account Name Undefined Or Empty", - "severity": "MEDIUM", - "line": 6, - "fileName": "positive1.tf" - }, { - "queryName": "Service Account Name Undefined Or Empty", - "severity": "MEDIUM", - "line": 6, - "fileName": "positive2.tf" - }, + "queryName": "Service Account Name Undefined Or Empty", + "severity": "MEDIUM", + "line": 6, + "fileName": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[test1].spec", + "searchValue": "", + "expectedValue": "kubernetes_pod[test1].spec.service_account_name should be defined and not null", + "actualValue": "kubernetes_pod[test1].spec.service_account_name is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "e34f60a48bbeaf16b8b7190d1dc81141a7b6812ca8eadc15cfc28e129d797507", + "search_line": -1 + }, { - "queryName": "Service Account Name Undefined Or Empty", - "severity": "MEDIUM", - "line": 36, - "fileName": "positive3.tf" - } + "queryName": "Service Account Name Undefined Or Empty", + "severity": "MEDIUM", + "line": 6, + "fileName": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[test2].spec", + "searchValue": "", + "expectedValue": "kubernetes_pod[test2].spec.service_account_name should be defined and not null", + "actualValue": "kubernetes_pod[test2].spec.service_account_name is undefined or null", + "issueType": "MissingAttribute", + "similarityID": "bd9abd715947e5473e39e6331863a9266b7995062b73e3769b05a23be542b3a7", + "search_line": -1 + }, + { + "queryName": "Service Account Name Undefined Or Empty", + "severity": "MEDIUM", + "line": 36, + "fileName": "positive3.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[test3].spec.service_account_name", + "searchValue": "", + "expectedValue": "kubernetes_pod[test3].spec.service_account_name is correct", + 
"actualValue": "kubernetes_pod[test3].spec.service_account_name is null or empty", + "issueType": "IncorrectValue", + "similarityID": "06aacb9776bddfb218db90f55c1a81acca8d4c4d6c12a5b25676a36a71ca857a", + "search_line": -1 + } ] diff --git a/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/test/positive_expected_result.json index 426e5be9aa5..68ae53fd056 100644 --- a/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled/test/positive_expected_result.json 
@@ -2,21 +2,61 @@ { "queryName": "Service Account Token Automount Not Disabled", "severity": "MEDIUM", - "line": 25 + "line": 25, + "fileName": "positive.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "example", + "searchKey": "kubernetes_deployment[example].spec.template.spec", + "searchValue": "", + "expectedValue": "kubernetes_deployment[example].spec.template.spec.automount_service_account_token should be set", + "actualValue": "kubernetes_deployment[example].spec.template.spec.automount_service_account_token is undefined", + "issueType": "MissingAttribute", + "similarityID": "a3e8f630b5308d70c70bc84e55cd3e9e5c88c0c13395c4789432b0b3ab253480", + "search_line": 25 }, { "queryName": "Service Account Token Automount Not Disabled", "severity": "MEDIUM", - "line": 88 + "line": 88, + "fileName": "positive.tf", + "resourceType": "kubernetes_daemonset", + "resourceName": "example2", + "searchKey": "kubernetes_daemonset[example2].spec.template.spec.automount_service_account_token", + "searchValue": "", + "expectedValue": "kubernetes_daemonset[example2].spec.template.spec.automount_service_account_token should be set to false", + "actualValue": "kubernetes_daemonset[example2].spec.template.spec.automount_service_account_token is set to true", + "issueType": "IncorrectValue", + "similarityID": "13e64d62c0c28c45087567711d3ad38324271736b82ac4919436592e0c796f8a", + "search_line": 88 }, { "queryName": "Service Account Token Automount Not Disabled", "severity": "MEDIUM", - "line": 144 + "line": 144, + "fileName": "positive.tf", + "resourceType": "kubernetes_cron_job", + "resourceName": "demo", + "searchKey": "kubernetes_cron_job[demo3].spec.job_template.spec.template.spec.automount_service_account_token", + "searchValue": "", + "expectedValue": "kubernetes_cron_job[demo3].spec.job_template.spec.template.spec.automount_service_account_token should be set to false", + "actualValue": 
"kubernetes_cron_job[demo3].spec.job_template.spec.template.spec.automount_service_account_token is set to true", + "issueType": "IncorrectValue", + "similarityID": "a9e903f87afacd713a0f22bb577fd025f3ac741ec3ecfefd4ef6a354a0c64a8d", + "search_line": -1 }, { "queryName": "Service Account Token Automount Not Disabled", "severity": "MEDIUM", - "line": 162 + "line": 162, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[test6].spec", + "searchValue": "", + "expectedValue": "kubernetes_pod[test6].spec.automount_service_account_token should be set", + "actualValue": "kubernetes_pod[test6].spec.automount_service_account_token is undefined", + "issueType": "MissingAttribute", + "similarityID": "49f3b5eea766be6e20ac45034f4a8b0dbd42b46bf5b1f5f1e54f48278e4d8343", + "search_line": 162 } ] diff --git a/assets/queries/terraform/kubernetes/service_type_is_nodeport/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/service_type_is_nodeport/test/positive_expected_result.json index 2a1207f9ac7..c4a93a6fa4c 100644 --- a/assets/queries/terraform/kubernetes/service_type_is_nodeport/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/service_type_is_nodeport/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Service Type is NodePort", "severity": "LOW", - "line": 15 + "line": 15, + "fileName": "positive.tf", + "resourceType": "kubernetes_service", + "resourceName": "terraform-example", + "searchKey": "kubernetes_service[example].spec.type", + "searchValue": "", + "expectedValue": "kubernetes_service[example].spec.type should not be 'NodePort'", + "actualValue": "kubernetes_service[example].spec.type is 'NodePort'", + "issueType": "IncorrectValue", + "similarityID": "1fd2d4b4558d6810f680c8389d5f8ec39ddd8dea950a7b73e44105dab9af4c4a", + "search_line": -1 } ] 
diff --git a/assets/queries/terraform/kubernetes/service_with_external_load_balancer/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/service_with_external_load_balancer/test/positive_expected_result.json index 0dea266ccaf..edb7f2350e7 100644 --- a/assets/queries/terraform/kubernetes/service_with_external_load_balancer/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/service_with_external_load_balancer/test/positive_expected_result.json 
@@ -3,30 +3,75 @@
 "queryName": "Service With External Load Balancer",
 "severity": "MEDIUM",
 "line": 4,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "kubernetes_service",
+ "resourceName": "terraform-example1",
+ "searchKey": "kubernetes_service[example1].metadata.name.annotations",
+ "searchValue": "",
+ "expectedValue": "metadata.annotations using an external Load Balancer provider by cloud provider%!(EXTRA string=example1)",
+ "actualValue": "metadata.annotations is exposing a workload, not using an external Load Balancer provider by cloud provider%!(EXTRA string=example1)",
+ "issueType": "IncorrectValue",
+ "similarityID": "cdefdc35f2f779dfd9624e085e9687424bc4680751fcf8d2c365b32ea0b98f15",
+ "search_line": -1
 },
 {
 "queryName": "Service With External Load Balancer",
 "severity": "MEDIUM",
 "line": 24,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "kubernetes_service",
+ "resourceName": "terraform-example2",
+ "searchKey": "kubernetes_service[example2].metadata.name",
+ "searchValue": "",
+ "expectedValue": "'metadata.annotations' should be set",
+ "actualValue": "'metadata.annotations' is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "e0296c46103423ec4c7caabfcbf18a42b9eec1322090c3de47ad18fbbff0fa78",
+ "search_line": -1
 },
 {
 "queryName": "Service With External Load Balancer",
 "severity": "MEDIUM",
 "line": 4,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "kubernetes_service",
+ "resourceName": "terraform-example2",
+ "searchKey": "kubernetes_service[example2].metadata.name.annotations",
+ "searchValue": "",
+ "expectedValue": "metadata.annotations using an external Load Balancer provider by cloud provider%!(EXTRA string=example2)",
+ "actualValue": "metadata.annotations is exposing a workload, not using an external Load Balancer provider by cloud provider%!(EXTRA string=example2)",
+ "issueType": "IncorrectValue",
+ "similarityID": "904cc78e385255371b7e46a212208f4dcb2ddb2f5b34fbde979fc30a8d2faabd",
+ "search_line": -1
 },
 {
 "queryName": "Service With External Load Balancer",
 "severity": "MEDIUM",
 "line": 25,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "kubernetes_service",
+ "resourceName": "terraform-example3",
+ "searchKey": "kubernetes_service[example3].metadata.name.annotations",
+ "searchValue": "",
+ "expectedValue": "metadata.annotations using an external Load Balancer provider by cloud provider%!(EXTRA string=example3)",
+ "actualValue": "metadata.annotations is exposing a workload, not using an external Load Balancer provider by cloud provider%!(EXTRA string=example3)",
+ "issueType": "IncorrectValue",
+ "similarityID": "3d4678b12cfb230bf1a8b1cfccc6cd38b2bc9f3058f1e0ba2a6964d37a7cde21",
+ "search_line": -1
 },
 {
 "queryName": "Service With External Load Balancer",
 "severity": "MEDIUM",
 "line": 46,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "kubernetes_service",
+ "resourceName": "terraform-example4",
+ "searchKey": "kubernetes_service[example4].metadata.name.annotations",
+ "searchValue": "",
+ "expectedValue": "metadata.annotations using an external Load Balancer provider by cloud provider%!(EXTRA string=example4)",
+ "actualValue": "metadata.annotations is exposing a workload, not using an external Load Balancer provider by cloud provider%!(EXTRA string=example4)",
+ "issueType": "IncorrectValue",
+ "similarityID": "a21de6ac58438c0916ae6d2dbf45f38a1aea3e4948d22cbdc48f9de684f60c9b",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/test/positive_expected_result.json
index 31f178f754c..186f490e920 100644
--- a/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/shared_host_ipc_namespace/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Shared Host IPC Namespace", "severity": "MEDIUM", - "line": 8 + "line": 8, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "positive1", + "searchKey": "kubernetes_pod[positive1].spec.host_ipc", + "searchValue": "", + "expectedValue": "Attribute 'host_ipc' should be undefined or false", + "actualValue": "Attribute 'host_ipc' is true", + "issueType": "IncorrectValue", + "similarityID": "77831fcda9761a436d6f41803fa54b76267f6f903f97f1a6b4a8c3b72b8bc1ee", + "search_line": -1 } ] diff --git a/assets/queries/terraform/kubernetes/shared_host_network_namespace/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/shared_host_network_namespace/test/positive_expected_result.json index 1b6b06fed37..9b70a1f4513 100644 --- a/assets/queries/terraform/kubernetes/shared_host_network_namespace/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/shared_host_network_namespace/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "Shared Host Network Namespace", "severity": "MEDIUM", - "line": 7 + "line": 7, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test", + "searchKey": "kubernetes_pod[test].spec.host_network", + "searchValue": "", + "expectedValue": "kubernetes_pod[test].spec.host_network should be undefined or set to false", + "actualValue": "kubernetes_pod[test].spec.host_network is set to true", + "issueType": "IncorrectValue", + "similarityID": "07793eea552b33f12adda80d9a318ae0c230d9a9b6d779262caf853b1534c0a4", + "search_line": 7 } ] diff --git a/assets/queries/terraform/kubernetes/shared_service_account/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/shared_service_account/test/positive_expected_result.json index e78930ea639..e26e2f3f21f 100644 
--- a/assets/queries/terraform/kubernetes/shared_service_account/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/shared_service_account/test/positive_expected_result.json @@ -1,7 +1,17 @@ [ - { - "queryName": "Shared Service Account", - "severity": "MEDIUM", - "line": 46 - } + { + "queryName": "Shared Service Account", + "severity": "MEDIUM", + "line": 46, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "with_pod_affinity", + "searchKey": "kubernetes_pod[with_pod_affinity].spec.service_account_name", + "searchValue": "", + "expectedValue": "kubernetes_pod[with_pod_affinity].spec.service_account_name should not be shared with other workloads", + "actualValue": "kubernetes_pod[with_pod_affinity].spec.service_account_name is shared with other workloads", + "issueType": "IncorrectValue", + "similarityID": "f9841607f9deec32310b7d1de4f2b534b19fc3f5f8bb8dcfd318c10f0b367533", + "search_line": -1 + } ] diff --git a/assets/queries/terraform/kubernetes/statefulset_requests_storage/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/statefulset_requests_storage/test/positive_expected_result.json index 6c3a8961b44..44956b80c10 100644 --- a/assets/queries/terraform/kubernetes/statefulset_requests_storage/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/statefulset_requests_storage/test/positive_expected_result.json 
@@ -1,7 +1,17 @@ [ - { - "queryName": "StatefulSet Requests Storage", - "severity": "LOW", - "line": 177 - } + { + "queryName": "StatefulSet Requests Storage", + "severity": "LOW", + "line": 177, + "fileName": "positive.tf", + "resourceType": "kubernetes_stateful_set", + "resourceName": "prometheus", + "searchKey": "kubernetes_stateful_set[prometheus].spec.volume_claim_template.spec.resources.requests.storage", + "searchValue": "", + "expectedValue": "kubernetes_stateful_set[prometheus].spec.volume_claim_template.spec.resources.requests.storage should not be set", + "actualValue": "kubernetes_stateful_set[prometheus].spec.volume_claim_template.spec.resources.requests.storage is set to 16Gi", + "issueType": "IncorrectValue", + "similarityID": "c6344b6715460ba93df6ec6edba42cca870c644a710ebf9330fc424f428aea9f", + "search_line": -1 + } ] diff --git a/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/test/positive_expected_result.json index d73ea9ec410..51faed64b60 100644 --- a/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget/test/positive_expected_result.json 
@@ -2,6 +2,16 @@ { "queryName": "StatefulSet Without PodDisruptionBudget", "severity": "LOW", - "line": 23 + "line": 23, + "fileName": "positive.tf", + "resourceType": "kubernetes_stateful_set", + "resourceName": "prometheus", + "searchKey": "kubernetes_stateful_set[prometheus].spec.selector.match_labels", + "searchValue": "", + "expectedValue": "kubernetes_stateful_set[prometheus].spec.selector.match_labels is targeted by a PodDisruptionBudget", + "actualValue": "kubernetes_stateful_set[prometheus].spec.selector.match_labels is not targeted by a PodDisruptionBudget", + "issueType": "MissingAttribute", + "similarityID": "e002b6f58efe519806c29ed4407545dfe9e4ad1c10f53ac00524be96e50f7419", + "search_line": -1 } ] diff --git a/assets/queries/terraform/kubernetes/statefulset_without_service_name/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/statefulset_without_service_name/test/positive_expected_result.json index 027d6c8df6f..a9ade98dcdf 100644 --- a/assets/queries/terraform/kubernetes/statefulset_without_service_name/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/statefulset_without_service_name/test/positive_expected_result.json @@ -2,6 +2,16 @@ { "queryName": "StatefulSet Without Service Name", "severity": "LOW", - "line": 49 + "line": 49, + "fileName": "positive.tf", + "resourceType": "kubernetes_stateful_set", + "resourceName": "prometheus", + "searchKey": "kubernetes_stateful_set[prometheus].spec.service_name", + "searchValue": "", + "expectedValue": "kubernetes_stateful_set[prometheus].spec.service_name should refer to a Headless Service", + "actualValue": "kubernetes_stateful_set[prometheus].spec.service_name does not refer to a Headless Service", + "issueType": "IncorrectValue", + "similarityID": "8f995c8c0685290905a207ec01d71b023036bdc2e5e4479c131f0771e843b2d3", + "search_line": -1 } ] 
diff --git a/assets/queries/terraform/kubernetes/tiller_is_deployed/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/tiller_is_deployed/test/positive_expected_result.json index 7c94b93083e..18709a11e78 100644 --- a/assets/queries/terraform/kubernetes/tiller_is_deployed/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/tiller_is_deployed/test/positive_expected_result.json 
@@ -2,26 +2,76 @@
 {
 "queryName": "Tiller (Helm v2) Is Deployed",
 "severity": "HIGH",
- "line": 3
+ "line": 3,
+ "fileName": "positive.tf",
+ "resourceType": "kubernetes_pod",
+ "resourceName": "positive1",
+ "searchKey": "kubernetes_pod[positive1].metadata",
+ "searchValue": "",
+ "expectedValue": "kubernetes_pod[positive1].metadata should not refer any to a Tiller resource",
+ "actualValue": "kubernetes_pod[positive1].metadata refers to a Tiller resource",
+ "issueType": "IncorrectValue",
+ "similarityID": "a38a756fff59eccbfd1e6c8b0b07c3d9e0079bbd01b88769f3918ce469c9dde3",
+ "search_line": -1
 },
 {
 "queryName": "Tiller (Helm v2) Is Deployed",
 "severity": "HIGH",
- "line": 8
+ "line": 8,
+ "fileName": "positive.tf",
+ "resourceType": "kubernetes_pod",
+ "resourceName": "positive1",
+ "searchKey": "kubernetes_pod[positive1].spec.container",
+ "searchValue": "",
+ "expectedValue": "kubernetes_pod[positive1].spec.container[0].image shouldn't have any Tiller containers",
+ "actualValue": "kubernetes_pod[positive1].spec.container[0].image contains a Tiller container",
+ "issueType": "IncorrectValue",
+ "similarityID": "8d0b5adb2cef5c7ddeb976b358a1a22168d5fd236c85c4c396e39dde59c4ab2e",
+ "search_line": -1
 },
 {
 "queryName": "Tiller (Helm v2) Is Deployed",
 "severity": "HIGH",
- "line": 103
+ "line": 103,
+ "fileName": "positive.tf",
+ "resourceType": "kubernetes_pod",
+ "resourceName": "positive2",
+ "searchKey": "kubernetes_pod[positive2].spec.container.image",
+ "searchValue": "",
+ "expectedValue": "kubernetes_pod[positive2].spec.container.image shouldn't have any Tiller containers",
+ "actualValue": "kubernetes_pod[positive2].spec.container.image contains a Tiller container",
+ "issueType": "IncorrectValue",
+ "similarityID": "a3fd069ee2671dfea2d02702eadda9720b4ffd147e2d92e8dd751d53ee566a8c",
+ "search_line": -1
 },
 {
 "queryName": "Tiller (Helm v2) Is Deployed",
 "severity": "HIGH",
- "line": 175
+ "line": 175,
+ "fileName": "positive.tf",
+ "resourceType": "kubernetes_deployment",
+ "resourceName": "example",
+ "searchKey": "kubernetes_deployment[example].spec.template.metadata",
+ "searchValue": "",
+ "expectedValue": "kubernetes_deployment[example].spec.template.metadata should not refer to any Tiller resource",
+ "actualValue": "kubernetes_deployment[example].spec.template.metadata does not refer to any Tiller resource",
+ "issueType": "IncorrectValue",
+ "similarityID": "363b97da8397df1f2294063a0330a91fcd933d3a695eaffe4263d2a7156e23c7",
+ "search_line": -1
 },
 {
 "queryName": "Tiller (Helm v2) Is Deployed",
 "severity": "HIGH",
- "line": 200
+ "line": 200,
+ "fileName": "positive.tf",
+ "resourceType": "kubernetes_deployment",
+ "resourceName": "example",
+ "searchKey": "kubernetes_deployment[example].spec.template.spec.container.image",
+ "searchValue": "",
+ "expectedValue": "kubernetes_deployment[example].spec.template.spec.container.image shouldn't have any Tiller containers",
+ "actualValue": "kubernetes_deployment[example].spec.template.spec.container.image contains a Tiller container",
+ "issueType": "IncorrectValue",
+ "similarityID": "be039552f9513aacd0b34239733a7e85c3318dd6458e6ba1691943d1394daf79",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/terraform/kubernetes/using_default_namespace/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/using_default_namespace/test/positive_expected_result.json
index a87047d0ac8..a284857d7e9 100644
--- a/assets/queries/terraform/kubernetes/using_default_namespace/test/positive_expected_result.json
+++ b/assets/queries/terraform/kubernetes/using_default_namespace/test/positive_expected_result.json
@@ -2,11 +2,31 @@ { "queryName": "Using Default Namespace", "severity": "LOW", - "line": 4 + "line": 4, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test", + "searchKey": "kubernetes_pod[test].metadata.namespace", + "searchValue": "", + "expectedValue": "kubernetes_pod[test].metadata.namespace should not be set to 'default'", + "actualValue": "kubernetes_pod[test].metadata.namespace is set to 'default'", + "issueType": "IncorrectValue", + "similarityID": "a053fbfafb8bf28d42a351be56238f5763780110e2e3f9be4aa6725fd3245e29", + "search_line": -1 }, { "queryName": "Using Default Namespace", "severity": "LOW", - "line": 9 + "line": 9, + "fileName": "positive.tf", + "resourceType": "kubernetes_cron_job", + "resourceName": "test2", + "searchKey": "kubernetes_cron_job[test2].metadata", + "searchValue": "", + "expectedValue": "kubernetes_cron_job[test2].metadata should be set", + "actualValue": "kubernetes_cron_job[test2].metadata is undefined", + "issueType": "MissingAttribute", + "similarityID": "d9eff41b884fcd725809792d8df4356df765fd5ccbb12cdfadc799625a005074", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json index 99f3567bd50..9f2d4fddc5c 100644 --- a/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions/test/positive_expected_result.json 
@@ -3,84 +3,210 @@ "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 8, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test10", + "searchKey": "kubernetes_pod[test10].spec.container.volume_mount", + "searchValue": "", + "expectedValue": "kubernetes_pod[test10].spec.container.volume_mount.read_only should be set", + "actualValue": "kubernetes_pod[test10].spec.container.volume_mount.read_only is undefined", + "issueType": "MissingAttribute", + "similarityID": "14972c15ea79c28b9a4e0a25bc33dd4dbbba00b6a1c4dd9a4628f6bf98fb012e", + "search_line": 8 }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 66, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test11", + "searchKey": "kubernetes_pod[test11].spec.container.volume_mount", + "searchValue": "", + "expectedValue": "kubernetes_pod[test11].spec.container[0].volume_mount.read_only should be set", + "actualValue": "kubernetes_pod[test11].spec.container[0].volume_mount.read_only is undefined", + "issueType": "MissingAttribute", + "similarityID": "8f3e14004d0ecac8a8dac7fb305b5c12f1ef9e9342512573fa6a5b5c0b344f6d", + "search_line": 66 }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 100, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test11", + "searchKey": "kubernetes_pod[test11].spec.container.volume_mount", + "searchValue": "", + "expectedValue": "kubernetes_pod[test11].spec.container[1].volume_mount.read_only should be set", + "actualValue": "kubernetes_pod[test11].spec.container[1].volume_mount.read_only is undefined", + "issueType": "MissingAttribute", + "similarityID": "d49fd48b322e1041476cece0c25de64eec6b442ca1e9ef7395517093f2e89e64", + "search_line": 100 }, { "queryName": "Volume Mount 
With OS Directory Write Permissions", "severity": "HIGH", "line": 158, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test12", + "searchKey": "kubernetes_pod[test12].spec.container.volume_mount", + "searchValue": "", + "expectedValue": "kubernetes_pod[test12].spec.container[0].volume_mount[0].read_only should be set", + "actualValue": "kubernetes_pod[test12].spec.container[0].volume_mount[0].read_only is undefined", + "issueType": "MissingAttribute", + "similarityID": "bb1093e94d4dbb54d05e88bafac842c60842e2f73ecc611f0a24de731d0cddd8", + "search_line": 158 }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 163, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test12", + "searchKey": "kubernetes_pod[test12].spec.container.volume_mount", + "searchValue": "", + "expectedValue": "kubernetes_pod[test12].spec.container[0].volume_mount[1].read_only should be set", + "actualValue": "kubernetes_pod[test12].spec.container[0].volume_mount[1].read_only is undefined", + "issueType": "MissingAttribute", + "similarityID": "f446b90bb8d25225472cf5bd4b4436039b050cbb461853ce8aecd6e871083ddd", + "search_line": 163 }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 250, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test13", + "searchKey": "kubernetes_pod[test13].spec.container.volume_mount", + "searchValue": "", + "expectedValue": "kubernetes_pod[test13].spec.container.volume_mount[0].read_only should be set", + "actualValue": "kubernetes_pod[test13].spec.container.volume_mount[0].read_only is undefined", + "issueType": "MissingAttribute", + "similarityID": "4c79bb48387affb177f4b800a401f92d8fb23cff6c000ce3e35cac0c3307bdb7", + "search_line": 250 }, { "queryName": "Volume Mount With OS Directory 
Write Permissions", "severity": "HIGH", "line": 255, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test13", + "searchKey": "kubernetes_pod[test13].spec.container.volume_mount", + "searchValue": "", + "expectedValue": "kubernetes_pod[test13].spec.container.volume_mount[1].read_only should be set", + "actualValue": "kubernetes_pod[test13].spec.container.volume_mount[1].read_only is undefined", + "issueType": "MissingAttribute", + "similarityID": "8d77486bf5e463a81812bdfe0ea21a55d5e32386f0a16c650102e227fb71774d", + "search_line": 255 }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 11, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test20", + "searchKey": "kubernetes_pod[test20].spec.container.volume_mount.read_only", + "searchValue": "", + "expectedValue": "kubernetes_pod[test20].spec.container.volume_mount.read_only should be set to true", + "actualValue": "kubernetes_pod[test20].spec.container.volume_mount.read_only is set to false", + "issueType": "IncorrectValue", + "similarityID": "a8f6b42c5be7175e16a7bedc1a442c5f47db30b90242b9dd39d6de941a411f17", + "search_line": 11 }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 70, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test21", + "searchKey": "kubernetes_pod[test21].spec.container.volume_mount.read_only", + "searchValue": "", + "expectedValue": "kubernetes_pod[test21].spec.container[0].volume_mount.read_only should be set to true", + "actualValue": "kubernetes_pod[test21].spec.container[0].volume_mount.read_only is set to false", + "issueType": "IncorrectValue", + "similarityID": "0b024577c311c0ba5615e5a866c2eb2feb5ac054fb462a5b6292af51ac6be29c", + "search_line": 70 }, { "queryName": "Volume Mount With OS Directory Write 
Permissions", "severity": "HIGH", "line": 105, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test21", + "searchKey": "kubernetes_pod[test21].spec.container.volume_mount.read_only", + "searchValue": "", + "expectedValue": "kubernetes_pod[test21].spec.container[1].volume_mount.read_only should be set to true", + "actualValue": "kubernetes_pod[test21].spec.container[1].volume_mount.read_only is set to false", + "issueType": "IncorrectValue", + "similarityID": "5aad24af3236555268e27c1362963230cd09b6843ad9c4a65c58b6cad7c42919", + "search_line": 105 }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 164, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test22", + "searchKey": "kubernetes_pod[test22].spec.container.volume_mount.read_only", + "searchValue": "", + "expectedValue": "kubernetes_pod[test22].spec.container[0].volume_mount[0].read_only should be set to true", + "actualValue": "kubernetes_pod[test22].spec.container[0].volume_mount[0].read_only is set to false", + "issueType": "IncorrectValue", + "similarityID": "62615514094cefd7282623ac731e83000381795cfcc7198d5fbae32cadf145be", + "search_line": 164 }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 170, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test22", + "searchKey": "kubernetes_pod[test22].spec.container.volume_mount.read_only", + "searchValue": "", + "expectedValue": "kubernetes_pod[test22].spec.container[0].volume_mount[1].read_only should be set to true", + "actualValue": "kubernetes_pod[test22].spec.container[0].volume_mount[1].read_only is set to false", + "issueType": "IncorrectValue", + "similarityID": "0b3a2f2a60a548eb8d05aa2d6dfe79842277b1d9624fd17770206e93bc2e3ee7", + "search_line": 170 }, { "queryName": 
"Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 258, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test23", + "searchKey": "kubernetes_pod[test23].spec.container.volume_mount.read_only", + "searchValue": "", + "expectedValue": "kubernetes_pod[test23].spec.container.volume_mount[0].read_only should be set to true", + "actualValue": "kubernetes_pod[test23].spec.container.volume_mount[0].read_only is set to false", + "issueType": "IncorrectValue", + "similarityID": "deaa90b9ecf847bd281b435d9bfab7291e81dd6ff12bc0702c0b28d38d0bd2f3", + "search_line": 258 }, { "queryName": "Volume Mount With OS Directory Write Permissions", "severity": "HIGH", "line": 264, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "kubernetes_pod", + "resourceName": "test23", + "searchKey": "kubernetes_pod[test23].spec.container.volume_mount.read_only", + "searchValue": "", + "expectedValue": "kubernetes_pod[test23].spec.container.volume_mount[1].read_only should be set to true", + "actualValue": "kubernetes_pod[test23].spec.container.volume_mount[1].read_only is set to false", + "issueType": "IncorrectValue", + "similarityID": "0526f18f5b738a3ecd17ab5686fa7b0229c2df4c536d81c5302cee0f03534b52", + "search_line": 264 } ] diff --git a/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/positive_expected_result.json index 980fe8919ff..b0655545989 100644 --- a/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/workload_host_port_not_specified/test/positive_expected_result.json 
@@ -3,12 +3,30 @@ "queryName": "Workload Host Port Not Specified", "severity": "LOW", "line": 16, - "fileName": "positive1.tf" + "fileName": "positive1.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example", + "searchKey": "kubernetes_pod[test].spec.container.port", + "searchValue": "", + "expectedValue": "Attribute 'host_port' should be defined and not null", + "actualValue": "Attribute 'host_port' is undefined or null", + "issueType": "IncorrectValue", + "similarityID": "df9490f10799a7933a1f4c39a8ffd4ae95b09105b1fa93234406e8361dfdddde", + "search_line": -1 }, { "queryName": "Workload Host Port Not Specified", "severity": "LOW", "line": 41, - "fileName": "positive2.tf" + "fileName": "positive2.tf", + "resourceType": "kubernetes_deployment", + "resourceName": "terraform-example", + "searchKey": "kubernetes_deployment[example].spec.template.spec.container.port", + "searchValue": "", + "expectedValue": "Attribute 'host_port' should be defined and not null", + "actualValue": "Attribute 'host_port' is undefined or null", + "issueType": "IncorrectValue", + "similarityID": "896347def544ffa3ae35a41b777b570c912c47ee8a67de73cef171ab993669b1", + "search_line": -1 } ] diff --git a/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json b/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json index af7be5fa4ba..22686b2a29c 100644 --- a/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json +++ b/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory/test/positive_expected_result.json 
@@ -2,11 +2,31 @@ { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 53 + "line": 53, + "fileName": "positive.tf", + "resourceType": "kubernetes_pod", + "resourceName": "terraform-example1", + "searchKey": "kubernetes_pod[test1].spec.volume.host_path.path", + "searchValue": "", + "expectedValue": "Workload name 'terraform-example1' should not mount a host sensitive OS directory '/var/log' with host_path", + "actualValue": "Workload name 'terraform-example1' is mounting a host sensitive OS directory '/var/log' with host_path", + "issueType": "IncorrectValue", + "similarityID": "b39e6cc18beaa928225e9f3d34491b71dd605999cf6a6121ded187c1307b385c", + "search_line": -1 }, { "queryName": "Workload Mounting With Sensitive OS Directory", "severity": "HIGH", - "line": 112 + "line": 112, + "fileName": "positive.tf", + "resourceType": "kubernetes_persistent_volume", + "resourceName": "terraform-example2", + "searchKey": "kubernetes_persistent_volume[test2].spec.volume.host_path.path", + "searchValue": "", + "expectedValue": "Workload name 'terraform-example2' should not mount a host sensitive OS directory '/var/log' with host_path", + "actualValue": "Workload name 'terraform-example2' is mounting a host sensitive OS directory '/var/log' with host_path", + "issueType": "IncorrectValue", + "similarityID": "e63b92f6410d04c5f67b499e67c24563835211aeaf920fd1b1d1a40ffdbe15f9", + "search_line": -1 } -] \ No newline at end of file +] diff --git a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive_expected_result.json index 3b339c90f90..165a3c382a2 100644 --- a/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/computing_instance_has_common_private/test/positive_expected_result.json 
@@ -1,14 +1,32 @@ [ - { - "queryName": "Nifcloud Computing Has Common Private Network", - "severity": "LOW", - "line": 1, - "fileName": "positive1.tf" - }, - { - "queryName": "Nifcloud Computing Has Common Private Network", - "severity": "LOW", - "line": 1, - "fileName": "positive2.tf" - } + { + "queryName": "Nifcloud Computing Has Common Private Network", + "severity": "LOW", + "line": 1, + "fileName": "positive1.tf", + "resourceType": "nifcloud_instance", + "resourceName": "positive", + "searchKey": "nifcloud_instance[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_instance[positive]' should use a private LAN to isolate the private side network from the shared network", + "actualValue": "'nifcloud_instance[positive]' has common private network", + "issueType": "IncorrectValue", + "similarityID": "440aea90c0585416d66529a92e1a16d0f7991220dab94271aeb19c9a5e1545f1", + "search_line": -1 + }, + { + "queryName": "Nifcloud Computing Has Common Private Network", + "severity": "LOW", + "line": 1, + "fileName": "positive2.tf", + "resourceType": "nifcloud_instance", + "resourceName": "positive", + "searchKey": "nifcloud_instance[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_instance[positive]' should use a private LAN to isolate the private side network from the shared network", + "actualValue": "'nifcloud_instance[positive]' has common private network", + "issueType": "IncorrectValue", + "similarityID": "239b3c01f3dbdd29e4dbc48ea6dcd8da7f6d55d8748743764f443bcf3fa50fb2", + "search_line": -1 + } ] diff --git a/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/test/positive_expected_result.json index c155888d657..4a892cd41ef 100644 --- a/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/test/positive_expected_result.json 
+++ b/assets/queries/terraform/nifcloud/computing_instance_has_public_ingress_sgr/test/positive_expected_result.json @@ -1,8 +1,17 @@ [ - { - "queryName": "Nifcloud Computing Has Public Ingress Security Group Rule", - "severity": "HIGH", - "line": 1, - "fileName": "positive.tf" - } + { + "queryName": "Nifcloud Computing Has Public Ingress Security Group Rule", + "severity": "HIGH", + "line": 1, + "fileName": "positive.tf", + "resourceType": "nifcloud_security_group_rule", + "resourceName": "positive", + "searchKey": "nifcloud_security_group_rule[positive]", + "searchValue": "", + "expectedValue": "'nifcloud_security_group_rule[positive]' set a more restrictive cidr range", + "actualValue": "'nifcloud_security_group_rule[positive]' allows traffic from /0", + "issueType": "IncorrectValue", + "similarityID": "610742077d6b3109a3e8605a9c4dd383b9f27c8f9284f4d3ad02d3740e852c39", + "search_line": -1 + } ] diff --git a/assets/queries/terraform/nifcloud/computing_instance_security_group_undefined/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/computing_instance_security_group_undefined/test/positive_expected_result.json index 9aa880cd9a9..0177ca709bd 100644 --- a/assets/queries/terraform/nifcloud/computing_instance_security_group_undefined/test/positive_expected_result.json +++ b/assets/queries/terraform/nifcloud/computing_instance_security_group_undefined/test/positive_expected_result.json 
@@ -1,8 +1,17 @@
 [
- {
- "queryName": "Nifcloud Computing Undefined Security Group To Instance",
- "severity": "HIGH",
- "line": 1,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "Nifcloud Computing Undefined Security Group To Instance",
+ "severity": "HIGH",
+ "line": 1,
+ "fileName": "positive.tf",
+ "resourceType": "nifcloud_instance",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_instance[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_instance[positive]' should include a security_group for security purposes",
+ "actualValue": "'nifcloud_instance[positive]' does not have a security_group",
+ "issueType": "MissingAttribute",
+ "similarityID": "e98608652b4e21a68eac63a9f88a0676ff23ce58bc962c17e30b0d16a4e23302",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/terraform/nifcloud/computing_security_group_description_undefined/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/computing_security_group_description_undefined/test/positive_expected_result.json
index 1b4ae154932..1e0186e91b0 100644
--- a/assets/queries/terraform/nifcloud/computing_security_group_description_undefined/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/computing_security_group_description_undefined/test/positive_expected_result.json
@@ -1,8 +1,17 @@
 [
- {
- "queryName": "Nifcloud Computing Undefined Description To Security Group",
- "severity": "INFO",
- "line": 1,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "Nifcloud Computing Undefined Description To Security Group",
+ "severity": "INFO",
+ "line": 1,
+ "fileName": "positive.tf",
+ "resourceType": "nifcloud_security_group",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_security_group[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_security_group[positive]' should include a description for auditing purposes",
+ "actualValue": "'nifcloud_security_group[positive]' does not have a description",
+ "issueType": "MissingAttribute",
+ "similarityID": "a8d01e60417e7f6eb8b2ca488111cc119f5c69679080d701f23505dad022a84b",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/terraform/nifcloud/computing_security_group_rule_description_undefined/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/computing_security_group_rule_description_undefined/test/positive_expected_result.json
index 9bd94917eb8..48a4b13d1bf 100644
--- a/assets/queries/terraform/nifcloud/computing_security_group_rule_description_undefined/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/computing_security_group_rule_description_undefined/test/positive_expected_result.json
@@ -1,8 +1,17 @@
 [
- {
- "queryName": "Nifcloud Computing Undefined Description To Security Group Rule",
- "severity": "INFO",
- "line": 1,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "Nifcloud Computing Undefined Description To Security Group Rule",
+ "severity": "INFO",
+ "line": 1,
+ "fileName": "positive.tf",
+ "resourceType": "nifcloud_security_group_rule",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_security_group_rule[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_security_group_rule[positive]' should include a description for auditing purposes",
+ "actualValue": "'nifcloud_security_group_rule[positive]' does not have a description",
+ "issueType": "MissingAttribute",
+ "similarityID": "ac72907dc84a8a16da3e66835fb20dc6d9e8a9fa3904bc022472b20c81c2c66a",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/terraform/nifcloud/db_does_not_have_long_backup_retention/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/db_does_not_have_long_backup_retention/test/positive_expected_result.json
index 27c28135d5e..af235236f7e 100644
--- a/assets/queries/terraform/nifcloud/db_does_not_have_long_backup_retention/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/db_does_not_have_long_backup_retention/test/positive_expected_result.json
@@ -1,14 +1,32 @@
 [
- {
- "queryName": "Nifcloud Low RDB Backup Retention Period",
- "severity": "LOW",
- "line": 1,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Nifcloud Low RDB Backup Retention Period",
- "severity": "LOW",
- "line": 1,
- "fileName": "positive2.tf"
- }
+ {
+ "queryName": "Nifcloud Low RDB Backup Retention Period",
+ "severity": "LOW",
+ "line": 1,
+ "fileName": "positive1.tf",
+ "resourceType": "nifcloud_db_instance",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_db_instance[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_db_instance[positive]' should have backup retention of at least 7 days",
+ "actualValue": "'nifcloud_db_instance[positive]' doesn't have a backup retention period defined",
+ "issueType": "MissingAttribute",
+ "similarityID": "cecfeb1ba89822e04afbacc1c814ebe63c930d55f160179808c20ab12d949451",
+ "search_line": -1
+ },
+ {
+ "queryName": "Nifcloud Low RDB Backup Retention Period",
+ "severity": "LOW",
+ "line": 1,
+ "fileName": "positive2.tf",
+ "resourceType": "nifcloud_db_instance",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_db_instance[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_db_instance[positive]' should have backup retention of at least 7 days",
+ "actualValue": "'nifcloud_db_instance[positive]' has backup retention period of '%!s(int=5)' which is less than minimum of 7 days",
+ "issueType": "IncorrectValue",
+ "similarityID": "c575a8e24eb8e5819c0a196a41fdd4d3559ab1280f059120cc11b427c07d745c",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/terraform/nifcloud/db_has_public_access/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/db_has_public_access/test/positive_expected_result.json
index f1c041a3ef5..68821ddff18 100644
--- a/assets/queries/terraform/nifcloud/db_has_public_access/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/db_has_public_access/test/positive_expected_result.json
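Review bot: The positive2.tf entry's `actualValue` contains `'%!s(int=5)'`, which is Go's fmt error marker for a `%s` verb applied to an integer, not a rendered retention period; committing it as the expected result freezes that formatting defect into the test baseline, and any later fix to the message will then break this test. The string presumably originates from a `sprintf` in the query over `backup_retention_period`, so the correction belongs in the query (use `%d` or convert the value to a string before formatting) rather than in this generated file. Once the query is fixed, regenerate this file so the entry reads `"actualValue": "'nifcloud_db_instance[positive]' has backup retention period of '5' which is less than minimum of 7 days"` with a fresh `similarityID`.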
@@ -1,8 +1,17 @@
 [
- {
- "queryName": "Nifcloud RDB Has Public DB Access",
- "severity": "HIGH",
- "line": 1,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "Nifcloud RDB Has Public DB Access",
+ "severity": "HIGH",
+ "line": 1,
+ "fileName": "positive.tf",
+ "resourceType": "nifcloud_db_instance",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_db_instance[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_db_instance[positive]' should not use publicly accessible set to true. You should limit all access to the minimum that is required for your application to function.",
+ "actualValue": "'nifcloud_db_instance[positive]' has publicly accessible set to true.",
+ "issueType": "IncorrectValue",
+ "similarityID": "9062d9469a7dd2710b33300cc8f7f8d5d5d30b1c33d04175af3e99896faeb25e",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/terraform/nifcloud/db_instance_has_common_private/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/db_instance_has_common_private/test/positive_expected_result.json
index 0c41e6b1eb8..2a242697b84 100644
--- a/assets/queries/terraform/nifcloud/db_instance_has_common_private/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/db_instance_has_common_private/test/positive_expected_result.json
@@ -1,8 +1,17 @@
 [
- {
- "queryName": "Nifcloud RDB Has Common Private Network",
- "severity": "LOW",
- "line": 1,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "Nifcloud RDB Has Common Private Network",
+ "severity": "LOW",
+ "line": 1,
+ "fileName": "positive.tf",
+ "resourceType": "nifcloud_db_instance",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_db_instance[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_db_instance[positive]' should use a private LAN to isolate the private side network from the shared network",
+ "actualValue": "'nifcloud_db_instance[positive]' has common private network",
+ "issueType": "IncorrectValue",
+ "similarityID": "fc1c7f5e040a897cff15891b44f1a73b4a378b33fc3c6ec279f50339446272b6",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/terraform/nifcloud/db_security_group_description_undefined/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/db_security_group_description_undefined/test/positive_expected_result.json
index 547983c13bf..0906af45c1e 100644
--- a/assets/queries/terraform/nifcloud/db_security_group_description_undefined/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/db_security_group_description_undefined/test/positive_expected_result.json
@@ -1,8 +1,17 @@
 [
- {
- "queryName": "Nifcloud RDB Undefined Description To DB Security Group",
- "severity": "INFO",
- "line": 1,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "Nifcloud RDB Undefined Description To DB Security Group",
+ "severity": "INFO",
+ "line": 1,
+ "fileName": "positive.tf",
+ "resourceType": "nifcloud_db_security_group",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_db_security_group[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_db_security_group[positive]' should include a description for auditing purposes.",
+ "actualValue": "'nifcloud_db_security_group[positive]' does not have a description.",
+ "issueType": "MissingAttribute",
+ "similarityID": "45d28b4a92701d3780a87bbb9cd4b5bf83a8d5b0bfd6130b3f27f849c8be5564",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/terraform/nifcloud/db_security_group_has_public_ingress_sgr/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/db_security_group_has_public_ingress_sgr/test/positive_expected_result.json
index 425cc5d611a..384a8a31592 100644
--- a/assets/queries/terraform/nifcloud/db_security_group_has_public_ingress_sgr/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/db_security_group_has_public_ingress_sgr/test/positive_expected_result.json
@@ -1,8 +1,17 @@
 [
- {
- "queryName": "Nifcloud RDB Has Public DB Ingress Security Group Rule",
- "severity": "HIGH",
- "line": 1,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "Nifcloud RDB Has Public DB Ingress Security Group Rule",
+ "severity": "HIGH",
+ "line": 1,
+ "fileName": "positive.tf",
+ "resourceType": "nifcloud_db_security_group",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_db_security_group[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_db_security_group[positive]' set a more restrictive cidr range",
+ "actualValue": "'nifcloud_db_security_group[positive]' allows traffic from /0",
+ "issueType": "IncorrectValue",
+ "similarityID": "eadc36d5f5d6bdcf9386819318cca2da5901e0686336f17b61feb1535eba91e5",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/terraform/nifcloud/dns_has_verified_record/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/dns_has_verified_record/test/positive_expected_result.json
index b6523967215..6a372abb5c9 100644
--- a/assets/queries/terraform/nifcloud/dns_has_verified_record/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/dns_has_verified_record/test/positive_expected_result.json
@@ -1,8 +1,17 @@
 [
- {
- "queryName": "Nifcloud DNS Has Verified Record",
- "severity": "LOW",
- "line": 1,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "Nifcloud DNS Has Verified Record",
+ "severity": "LOW",
+ "line": 1,
+ "fileName": "positive.tf",
+ "resourceType": "nifcloud_dns_record",
+ "resourceName": "test.example.test",
+ "searchKey": "nifcloud_dns_record[positive]",
+ "searchValue": "",
+ "expectedValue": "Verified records should be removed from 'nifcloud_dns_record[positive]'.",
+ "actualValue": "'nifcloud_dns_record[positive]' has risk of DNS records being used by others.",
+ "issueType": "IncorrectValue",
+ "similarityID": "37fd35c3a6c8789141270d3815253c1a7c28a226a4088710b7b3af1a8977e2bc",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/terraform/nifcloud/elb_has_common_private/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/elb_has_common_private/test/positive_expected_result.json
index 93ef9fa8953..06cdfb6d602 100644
--- a/assets/queries/terraform/nifcloud/elb_has_common_private/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/elb_has_common_private/test/positive_expected_result.json
@@ -1,14 +1,32 @@
 [
- {
- "queryName": "Nifcloud ELB Has Common Private Network",
- "severity": "LOW",
- "line": 1,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Nifcloud ELB Has Common Private Network",
- "severity": "LOW",
- "line": 1,
- "fileName": "positive2.tf"
- }
+ {
+ "queryName": "Nifcloud ELB Has Common Private Network",
+ "severity": "LOW",
+ "line": 1,
+ "fileName": "positive1.tf",
+ "resourceType": "nifcloud_elb",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_elb[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_elb[positive]' should use a private LAN to isolate the private side network from the shared network",
+ "actualValue": "'nifcloud_elb[positive]' has common private network",
+ "issueType": "IncorrectValue",
+ "similarityID": "714cacc3ae5b4c5bdd82735aba2a5db543de6ec1b28c99b5798f00b3bfb66415",
+ "search_line": -1
+ },
+ {
+ "queryName": "Nifcloud ELB Has Common Private Network",
+ "severity": "LOW",
+ "line": 1,
+ "fileName": "positive2.tf",
+ "resourceType": "nifcloud_elb",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_elb[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_elb[positive]' should use a private LAN to isolate the private side network from the shared network",
+ "actualValue": "'nifcloud_elb[positive]' has common private network",
+ "issueType": "IncorrectValue",
+ "similarityID": "5a99248c8f0736e858b7f015e2020d70344f07a393f710b3843e6a5bbe305673",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/terraform/nifcloud/elb_listener_use_http/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/elb_listener_use_http/test/positive_expected_result.json
index 1c910a5b611..9a00a62704c 100644
--- a/assets/queries/terraform/nifcloud/elb_listener_use_http/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/elb_listener_use_http/test/positive_expected_result.json
@@ -1,14 +1,32 @@
 [
- {
- "queryName": "Nifcloud ELB Listener Using HTTP Protocol",
- "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Nifcloud ELB Listener Using HTTP Protocol",
- "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive2.tf"
- }
+ {
+ "queryName": "Nifcloud ELB Listener Using HTTP Protocol",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf",
+ "resourceType": "nifcloud_elb_listener",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_elb_listener[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_elb_listener[positive]' should switch to HTTPS to benefit from TLS security features.",
+ "actualValue": "'nifcloud_elb_listener[positive]' using HTTP protocol.",
+ "issueType": "IncorrectValue",
+ "similarityID": "913d576b459c65c5898528e14cc9dd795fa6348a1f190f3d0a891c758d8b246a",
+ "search_line": -1
+ },
+ {
+ "queryName": "Nifcloud ELB Listener Using HTTP Protocol",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive2.tf",
+ "resourceType": "nifcloud_elb_listener",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_elb_listener[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_elb_listener[positive]' should switch to HTTPS to benefit from TLS security features.",
+ "actualValue": "'nifcloud_elb_listener[positive]' using HTTP protocol.",
+ "issueType": "IncorrectValue",
+ "similarityID": "8af8edadb75067601ac1f5d28e41e91989962f001ceed32ea289ea9ea63980fb",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/terraform/nifcloud/elb_use_http/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/elb_use_http/test/positive_expected_result.json
index 8234db197e2..3db866862fa 100644
--- a/assets/queries/terraform/nifcloud/elb_use_http/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/elb_use_http/test/positive_expected_result.json
@@ -1,14 +1,32 @@
 [
- {
- "queryName": "Nifcloud ELB Using HTTP Protocol",
- "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Nifcloud ELB Using HTTP Protocol",
- "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive2.tf"
- }
+ {
+ "queryName": "Nifcloud ELB Using HTTP Protocol",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf",
+ "resourceType": "nifcloud_elb",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_elb[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_elb[positive]' should switch to HTTPS to benefit from TLS security features.",
+ "actualValue": "'nifcloud_elb[positive]' using HTTP protocol.",
+ "issueType": "IncorrectValue",
+ "similarityID": "45a028d2ca893dd178501edad0fccf4160acf680419b39f8e4dc9d4bd8374064",
+ "search_line": -1
+ },
+ {
+ "queryName": "Nifcloud ELB Using HTTP Protocol",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive2.tf",
+ "resourceType": "nifcloud_elb",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_elb[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_elb[positive]' should switch to HTTPS to benefit from TLS security features",
+ "actualValue": "'nifcloud_elb[positive]' use HTTP protocol",
+ "issueType": "IncorrectValue",
+ "similarityID": "17f8c82781b51f7375b32188fc5508322aeaf84d6ccfdeebc9e2def1ef168738",
+ "search_line": -1
+ }
 ]
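Review bot: The two entries of the same query disagree on message text: positive1.tf expects `"... using HTTP protocol."` and `"... TLS security features."`, while positive2.tf expects `"... use HTTP protocol"` and `"... TLS security features"` without the trailing period. Since both findings report the same condition on the same resource type, the divergence presumably comes from two rule bodies in the query with hand-written strings rather than from the fixtures; it is harmless to the test but locks the inconsistency into the baseline. Aligning the messages in the query (one shared string, then regenerating this file) would be the cleaner fix than editing the JSON by hand.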
diff --git a/assets/queries/terraform/nifcloud/load_balancer_listener_use_http/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/load_balancer_listener_use_http/test/positive_expected_result.json
index 2546d14e399..65b38c80bb0 100644
--- a/assets/queries/terraform/nifcloud/load_balancer_listener_use_http/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/load_balancer_listener_use_http/test/positive_expected_result.json
@@ -1,8 +1,17 @@
 [
- {
- "queryName": "Nifcloud LB Listener Using HTTP Port",
- "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "Nifcloud LB Listener Using HTTP Port",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive.tf",
+ "resourceType": "nifcloud_load_balancer_listener",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_load_balancer_listener[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_load_balancer_listener[positive]' should switch to HTTPS to benefit from TLS security features.",
+ "actualValue": "'nifcloud_load_balancer_listener[positive]' using HTTP port.",
+ "issueType": "IncorrectValue",
+ "similarityID": "7788c2433ab0e3dcd227d73f1a83dbc8234adaf70d8c2dfde541bcf147f3bff6",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/terraform/nifcloud/load_balancer_use_http/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/load_balancer_use_http/test/positive_expected_result.json
index 9e59261f27a..6d14335533f 100644
--- a/assets/queries/terraform/nifcloud/load_balancer_use_http/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/load_balancer_use_http/test/positive_expected_result.json
@@ -1,8 +1,17 @@
 [
- {
- "queryName": "Nifcloud LB Using HTTP Port",
- "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "Nifcloud LB Using HTTP Port",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive.tf",
+ "resourceType": "nifcloud_load_balancer",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_load_balancer[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_load_balancer[positive]' should switch to HTTPS to benefit from TLS security features.",
+ "actualValue": "'nifcloud_load_balancer[positive]' using HTTP port.",
+ "issueType": "IncorrectValue",
+ "similarityID": "4a4db974d9810c5ab3ad00802b9d9a475ffc859c1284e81b5423b9f4887ed27c",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/test/positive_expected_result.json
index 7cc8afe871c..c38efccf3db 100644
--- a/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_id/test/positive_expected_result.json
@@ -1,14 +1,32 @@
 [
- {
- "queryName": "Nifcloud LB Using Insecure TLS Policy ID",
- "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Nifcloud LB Using Insecure TLS Policy ID",
- "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive2.tf"
- }
+ {
+ "queryName": "Nifcloud LB Using Insecure TLS Policy ID",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf",
+ "resourceType": "nifcloud_load_balancer",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_load_balancer[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_load_balancer[positive]' should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.",
+ "actualValue": "'nifcloud_load_balancer[positive]' using outdated SSL policy.",
+ "issueType": "MissingAttribute",
+ "similarityID": "aae1e195c7f4940fca14b1954bd86a87b5608d280753d4136149b0a0015087b8",
+ "search_line": -1
+ },
+ {
+ "queryName": "Nifcloud LB Using Insecure TLS Policy ID",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive2.tf",
+ "resourceType": "nifcloud_load_balancer",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_load_balancer[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_load_balancer[positive]' should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.",
+ "actualValue": "'nifcloud_load_balancer[positive]' using outdated SSL policy.",
+ "issueType": "MissingAttribute",
+ "similarityID": "e9cdcd4c85756db1af995c673c81fef51afeef22440d9c006dbbfa12990844b9",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/test/positive_expected_result.json
index 7bb192e65b9..02c160addd4 100644
--- a/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/load_balancer_use_insecure_tls_policy_name/test/positive_expected_result.json
@@ -1,14 +1,32 @@
 [
- {
- "queryName": "Nifcloud LB Using Insecure TLS Policy Name",
- "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Nifcloud LB Using Insecure TLS Policy Name",
- "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive2.tf"
- }
+ {
+ "queryName": "Nifcloud LB Using Insecure TLS Policy Name",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf",
+ "resourceType": "nifcloud_load_balancer",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_load_balancer[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_load_balancer[positive]' should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.",
+ "actualValue": "'nifcloud_load_balancer[positive]' using outdated SSL policy.",
+ "issueType": "MissingAttribute",
+ "similarityID": "59e36572c578317d294999567a166de624f66c433e4a6d0d5341f2fe40e3157f",
+ "search_line": -1
+ },
+ {
+ "queryName": "Nifcloud LB Using Insecure TLS Policy Name",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive2.tf",
+ "resourceType": "nifcloud_load_balancer",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_load_balancer[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_load_balancer[positive]' should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.",
+ "actualValue": "'nifcloud_load_balancer[positive]' using outdated SSL policy.",
+ "issueType": "IncorrectValue",
+ "similarityID": "c61245f58eed1150ed75f3284d15dd1fb3cd798e8bfd331f3dd38b3b0dac65de",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/terraform/nifcloud/nas_instance_has_common_private/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/nas_instance_has_common_private/test/positive_expected_result.json
index 25d43939456..352f5fdb203 100644
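Review bot: The positive1.tf entry expects `"issueType": "MissingAttribute"` while positive2.tf expects `"issueType": "IncorrectValue"`, yet both carry the identical `actualValue` "using outdated SSL policy." — a message that describes a present-but-wrong value, not an absent attribute. The sibling policy-ID file in the preceding hunk reports `MissingAttribute` for both of its fixtures with the same wording, so it is unclear from the baselines whether one of the query bodies mislabels its finding or the fixtures genuinely differ (e.g. one omits the policy attribute). Worth confirming against the two `.tf` fixtures before freezing this as expected output; if positive1.tf does set a policy, the query's `issueType` should be `IncorrectValue` and this file regenerated.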
--- a/assets/queries/terraform/nifcloud/nas_instance_has_common_private/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/nas_instance_has_common_private/test/positive_expected_result.json
@@ -1,8 +1,17 @@
 [
- {
- "queryName": "Nifcloud NAS Has Common Private Network",
- "severity": "LOW",
- "line": 1,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "Nifcloud NAS Has Common Private Network",
+ "severity": "LOW",
+ "line": 1,
+ "fileName": "positive.tf",
+ "resourceType": "nifcloud_nas_instance",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_nas_instance[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_nas_instance[positive]' should use a private LAN to isolate the private side network from the shared network",
+ "actualValue": "'nifcloud_nas_instance[positive]' has common private network",
+ "issueType": "IncorrectValue",
+ "similarityID": "9f8c2281ea0680589fcc9cc33ae1792a367217ddf4bde4ed8464fab6f7f8d5cc",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/terraform/nifcloud/nas_security_group_description_undefined/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/nas_security_group_description_undefined/test/positive_expected_result.json
index 7a29f969aee..bf9e5a83931 100644
--- a/assets/queries/terraform/nifcloud/nas_security_group_description_undefined/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/nas_security_group_description_undefined/test/positive_expected_result.json
@@ -1,8 +1,17 @@
 [
- {
- "queryName": "Nifcloud NAS Undefined Description To NAS Security Group",
- "severity": "INFO",
- "line": 1,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "Nifcloud NAS Undefined Description To NAS Security Group",
+ "severity": "INFO",
+ "line": 1,
+ "fileName": "positive.tf",
+ "resourceType": "nifcloud_nas_security_group",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_nas_security_group[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_nas_security_group[positive]' should include a description for auditing purposes",
+ "actualValue": "'nifcloud_nas_security_group[positive]' does not have a description",
+ "issueType": "MissingAttribute",
+ "similarityID": "559f816a447046bf1255a7dd5f9d023794c55282050dd55d07173e0d03f48d49",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/terraform/nifcloud/nas_security_group_has_public_ingress_sgr/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/nas_security_group_has_public_ingress_sgr/test/positive_expected_result.json
index 3aa266359bb..a4eaa14cdf4 100644
--- a/assets/queries/terraform/nifcloud/nas_security_group_has_public_ingress_sgr/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/nas_security_group_has_public_ingress_sgr/test/positive_expected_result.json
@@ -1,8 +1,17 @@
 [
- {
- "queryName": "Nifcloud NAS Has Public Ingress NAS Security Group Rule",
- "severity": "HIGH",
- "line": 1,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "Nifcloud NAS Has Public Ingress NAS Security Group Rule",
+ "severity": "HIGH",
+ "line": 1,
+ "fileName": "positive.tf",
+ "resourceType": "nifcloud_nas_security_group",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_nas_security_group[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_nas_security_group[positive]' set a more restrictive cidr range",
+ "actualValue": "'nifcloud_nas_security_group[positive]' allows traffic from /0",
+ "issueType": "IncorrectValue",
+ "similarityID": "f735b71f3c28b8c12da55b16fc23ab85800fa8448fed1a11b8226495ea93199d",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/terraform/nifcloud/router_has_common_private/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/router_has_common_private/test/positive_expected_result.json
index 4ee87233b90..5bbfbae0dea 100644
--- a/assets/queries/terraform/nifcloud/router_has_common_private/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/router_has_common_private/test/positive_expected_result.json
@@ -1,14 +1,32 @@
 [
- {
- "queryName": "Nifcloud Router Has Common Private Network",
- "severity": "LOW",
- "line": 1,
- "fileName": "positive1.tf"
- },
- {
- "queryName": "Nifcloud Router Has Common Private Network",
- "severity": "LOW",
- "line": 1,
- "fileName": "positive2.tf"
- }
+ {
+ "queryName": "Nifcloud Router Has Common Private Network",
+ "severity": "LOW",
+ "line": 1,
+ "fileName": "positive1.tf",
+ "resourceType": "nifcloud_router",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_router[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_router[positive]' should use a private LAN to isolate the private side network from the shared network.",
+ "actualValue": "'nifcloud_router[positive]' has common private network.",
+ "issueType": "IncorrectValue",
+ "similarityID": "8b81d72d1c614e3269a251f738dd92a5a568db8be7c716a627cd9cee33e0c723",
+ "search_line": -1
+ },
+ {
+ "queryName": "Nifcloud Router Has Common Private Network",
+ "severity": "LOW",
+ "line": 1,
+ "fileName": "positive2.tf",
+ "resourceType": "nifcloud_router",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_router[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_router[positive]' should use a private LAN to isolate the private side network from the shared network.",
+ "actualValue": "'nifcloud_router[positive]' has common private network.",
+ "issueType": "IncorrectValue",
+ "similarityID": "95b018c88a6d0b3ddcd61c258fc98902fe0ca17c1974d385932e084c60786d5d",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/terraform/nifcloud/router_security_group_undefined/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/router_security_group_undefined/test/positive_expected_result.json
index 56e9ea411de..d2dc69b41b6 100644
--- a/assets/queries/terraform/nifcloud/router_security_group_undefined/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/router_security_group_undefined/test/positive_expected_result.json
@@ -1,8 +1,17 @@
 [
- {
- "queryName": "Nifcloud Router Undefined Security Group",
- "severity": "HIGH",
- "line": 1,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "Nifcloud Router Undefined Security Group",
+ "severity": "HIGH",
+ "line": 1,
+ "fileName": "positive.tf",
+ "resourceType": "nifcloud_router",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_router[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_router[positive]' should include a security_group for security purposes",
+ "actualValue": "'nifcloud_router[positive]' does not have a security_group",
+ "issueType": "MissingAttribute",
+ "similarityID": "cbcf4f2d9b7e4cc387e82fab6c2c1b16835a1e6850da32a2c3f56d684cb8429c",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/terraform/nifcloud/vpn_gateway_security_group_undefined/test/positive_expected_result.json b/assets/queries/terraform/nifcloud/vpn_gateway_security_group_undefined/test/positive_expected_result.json
index 78ad7248b59..976a9d24535 100644
--- a/assets/queries/terraform/nifcloud/vpn_gateway_security_group_undefined/test/positive_expected_result.json
+++ b/assets/queries/terraform/nifcloud/vpn_gateway_security_group_undefined/test/positive_expected_result.json
@@ -1,8 +1,17 @@
 [
- {
- "queryName": "Nifcloud VPN Gateway Undefined Security Group",
- "severity": "HIGH",
- "line": 1,
- "fileName": "positive.tf"
- }
+ {
+ "queryName": "Nifcloud VPN Gateway Undefined Security Group",
+ "severity": "HIGH",
+ "line": 1,
+ "fileName": "positive.tf",
+ "resourceType": "nifcloud_vpn_gateway",
+ "resourceName": "positive",
+ "searchKey": "nifcloud_vpn_gateway[positive]",
+ "searchValue": "",
+ "expectedValue": "'nifcloud_vpn_gateway[positive]' should include a security_group for security purposes.",
+ "actualValue": "'nifcloud_vpn_gateway[positive]' does not have a security_group defined.",
+ "issueType": "MissingAttribute",
+ "similarityID": "6d050cad9e0faa59ffd83bfb5c1a59a4e1cdd97b45284844e0fedcf9637e5f63",
+ "search_line": -1
+ }
 ]
diff --git a/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/test/positive_expected_result.json
index b8625c07b33..5ebfcd6d94f 100644
--- a/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/tencentcloud/cdb_instance_internet_service_enabled/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "CDB Instance Internet Service Enabled",
 "severity": "HIGH",
 "line": 24,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "tencentcloud_mysql_instance",
+ "resourceName": "example",
+ "searchKey": "tencentcloud_mysql_instance[example].internet_service",
+ "searchValue": "",
+ "expectedValue": "[example] has 'internet_service' set to 0 or undefined",
+ "actualValue": "[example] has 'internet_service' set to 1",
+ "issueType": "IncorrectValue",
+ "similarityID": "9b4108ff8a3f05739f6d90238755d64f12c5a409bacd6006853783b719c4aee3",
+ "search_line": 24
 }
 ]
diff --git a/assets/queries/terraform/tencentcloud/cdb_instance_using_default_intranet_port/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cdb_instance_using_default_intranet_port/test/positive_expected_result.json
index 3cc7d62ea51..f1f7baadf51 100644
--- a/assets/queries/terraform/tencentcloud/cdb_instance_using_default_intranet_port/test/positive_expected_result.json
+++ b/assets/queries/terraform/tencentcloud/cdb_instance_using_default_intranet_port/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "CDB Instance Internet Using Default Intranet Port",
 "severity": "LOW",
 "line": 34,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "tencentcloud_mysql_instance",
+ "resourceName": "example",
+ "searchKey": "tencentcloud_mysql_instance[example].intranet_port",
+ "searchValue": "",
+ "expectedValue": "[example] has 'intranet_port' set to non 3306",
+ "actualValue": "[example] has 'intranet_port' set to 3306",
+ "issueType": "IncorrectValue",
+ "similarityID": "df986c7872ee01ee962d51ec2c977f25d03e6a084ca8830088ab3b2985b175a7",
+ "search_line": 34
 },
 {
 "queryName": "CDB Instance Internet Using Default Intranet Port",
 "severity": "LOW",
 "line": 23,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "tencentcloud_mysql_instance",
+ "resourceName": "example",
+ "searchKey": "tencentcloud_mysql_instance[example]",
+ "searchValue": "",
+ "expectedValue": "[example] 'intranet_port' should be set and the value should not be 3306",
+ "actualValue": "[example] does not set 'intranet_port'",
+ "issueType": "MissingAttribute",
+ "similarityID": "e4ef4980a3b0f284b4ad39dd9316204caaff6bce0ed3df9de3e20792e16ec451",
+ "search_line": 23
 }
 ]
diff --git a/assets/queries/terraform/tencentcloud/cdb_instance_without_backup_policy/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cdb_instance_without_backup_policy/test/positive_expected_result.json
index 7f87513f7f5..ff273b8daea 100644
--- a/assets/queries/terraform/tencentcloud/cdb_instance_without_backup_policy/test/positive_expected_result.json
+++ b/assets/queries/terraform/tencentcloud/cdb_instance_without_backup_policy/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "CDB Instance Without Backup Policy",
 "severity": "MEDIUM",
 "line": 23,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "tencentcloud_mysql_instance",
+ "resourceName": "none_backup_policy",
+ "searchKey": "tencentcloud_mysql_instance[none_backup_policy]",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_mysql_instance[none_backup_policy] should have 'tencentcloud_mysql_backup_policy'",
+ "actualValue": "tencentcloud_mysql_instance[none_backup_policy] does not have 'tencentcloud_mysql_backup_policy'",
+ "issueType": "MissingAttribute",
+ "similarityID": "35cfd288307df2fed2cacd83e8e5770af5a210b108ba0b0cbdbbbc6e7ba1b04f",
+ "search_line": 23
 }
 ]
diff --git a/assets/queries/terraform/tencentcloud/clb_instance_log_setting_disabled/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/clb_instance_log_setting_disabled/test/positive_expected_result.json
index 2ee3ae8ebaf..671f2a77371 100644
--- a/assets/queries/terraform/tencentcloud/clb_instance_log_setting_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/tencentcloud/clb_instance_log_setting_disabled/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "CLB Instance Log Setting Disabled",
 "severity": "MEDIUM",
 "line": 19,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "tencentcloud_clb_instance",
+ "resourceName": "internal_clb",
+ "searchKey": "tencentcloud_clb_instance[internal_clb]",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_clb_instance[internal_clb] should set 'log_set_id' and 'log_topic_id'",
+ "actualValue": "tencentcloud_clb_instance[internal_clb] not set 'log_set_id' and 'log_topic_id'",
+ "issueType": "MissingAttribute",
+ "similarityID": "3514263523c14a7da4f416e952440584e76ea91e7b6c8c1731ca25520af93ebd",
+ "search_line": 19
 }
 ]
diff --git a/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/test/positive_expected_result.json
index 6cce5eb28da..f4c6f076337 100644
--- a/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/test/positive_expected_result.json
+++ b/assets/queries/terraform/tencentcloud/clb_listener_using_insecure_protocols/test/positive_expected_result.json
@@ -3,18 +3,45 @@
 "queryName": "CLB Listener Using Insecure Protocols",
 "severity": "HIGH",
 "line": 4,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "tencentcloud_clb_listener",
+ "resourceName": "listener",
+ "searchKey": "tencentcloud_clb_listener[listener].protocol",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_clb_listener[listener].protocol[HTTP] should not be an insecure protocol",
+ "actualValue": "tencentcloud_clb_listener[listener].protocol[HTTP] is an insecure protocol",
+ "issueType": "IncorrectValue",
+ "similarityID": "394d495f018f2d536221ada3879d8473f768be943680001db6d92849e0cfce29",
+ "search_line": 4
 },
 {
 "queryName": "CLB Listener Using Insecure Protocols",
 "severity": "HIGH",
 "line": 4,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "tencentcloud_clb_listener",
+ "resourceName": "listener",
+ "searchKey": "tencentcloud_clb_listener[listener].protocol",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_clb_listener[listener].protocol[TCP] should not be an insecure protocol",
+ "actualValue": "tencentcloud_clb_listener[listener].protocol[TCP] is an insecure protocol",
+ "issueType": "IncorrectValue",
+ "similarityID": "4daa5aced1de17aa735cc9c2916b26f087bd71a5ad1423db211fdf17f4e6b231",
+ "search_line": 4
 },
 {
 "queryName": "CLB Listener Using Insecure Protocols",
 "severity": "HIGH",
 "line": 4,
- "fileName": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "tencentcloud_clb_listener",
+ "resourceName": "listener",
+ "searchKey": "tencentcloud_clb_listener[listener].protocol",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_clb_listener[listener].protocol[UDP] should not be an insecure protocol",
+ "actualValue": "tencentcloud_clb_listener[listener].protocol[UDP] is an insecure protocol",
+ "issueType": "IncorrectValue",
+ "similarityID": "f5cc914ce1c6683b6717d0d3d25e436835fb33ee1b7e6d25ef50914dd9db03c8",
+ "search_line": 4
 }
 ]
diff --git a/assets/queries/terraform/tencentcloud/cvm_instance_disable_monitor_service/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cvm_instance_disable_monitor_service/test/positive_expected_result.json
index b48c8f1787d..2ebfb543404 100644
--- a/assets/queries/terraform/tencentcloud/cvm_instance_disable_monitor_service/test/positive_expected_result.json
+++ b/assets/queries/terraform/tencentcloud/cvm_instance_disable_monitor_service/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "CVM Instance Disable Monitor Service",
 "severity": "INFO",
 "line": 13,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "tencentcloud_instance",
+ "resourceName": "cvm_postpaid",
+ "searchKey": "tencentcloud_instance[cvm_postpaid].disable_monitor_service",
+ "searchValue": "",
+ "expectedValue": "[cvm_postpaid] 'disable_monitor_service' should be set to false",
+ "actualValue": "[cvm_postpaid] 'disable_monitor_service' is true",
+ "issueType": "IncorrectValue",
+ "similarityID": "6ee027e72affbeb09d959c0f9be1f862c867bf43cbf68a6d5d94da441a38bbad",
+ "search_line": 13
 }
 ]
diff --git a/assets/queries/terraform/tencentcloud/cvm_instance_has_public_ip/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cvm_instance_has_public_ip/test/positive_expected_result.json
index a37d3770f89..94e20a26c1c 100644
--- a/assets/queries/terraform/tencentcloud/cvm_instance_has_public_ip/test/positive_expected_result.json
+++ b/assets/queries/terraform/tencentcloud/cvm_instance_has_public_ip/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "CVM Instance Has Public IP",
 "severity": "HIGH",
 "line": 13,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "tencentcloud_instance",
+ "resourceName": "cvm_postpaid",
+ "searchKey": "tencentcloud_instance[cvm_postpaid].allocate_public_ip",
+ "searchValue": "",
+ "expectedValue": "[cvm_postpaid] 'allocate_public_ip' should be set to false",
+ "actualValue": "[cvm_postpaid] 'allocate_public_ip' is true",
+ "issueType": "IncorrectValue",
+ "similarityID": "6b0812d4069ad83b433307eeb9cc8a807b2970926f06dd61fa2763b7118d8559",
+ "search_line": 13
 }
 ]
diff --git a/assets/queries/terraform/tencentcloud/cvm_instance_using_default_security_group/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cvm_instance_using_default_security_group/test/positive_expected_result.json
index 86122a808e3..97ca26a8386 100644
--- a/assets/queries/terraform/tencentcloud/cvm_instance_using_default_security_group/test/positive_expected_result.json
+++ b/assets/queries/terraform/tencentcloud/cvm_instance_using_default_security_group/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "CVM Instance Using Default Security Group",
 "severity": "LOW",
 "line": 18,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "tencentcloud_instance",
+ "resourceName": "cvm_postpaid",
+ "searchKey": "tencentcloud_instance[cvm_postpaid].orderly_security_groups",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_instance[cvm_postpaid].orderly_security_groups should not contain 'default'",
+ "actualValue": "tencentcloud_instance[cvm_postpaid].orderly_security_groups contains 'default'",
+ "issueType": "IncorrectValue",
+ "similarityID": "4255bf625b2f25fe7f036646b08b434d39fae7bef8a357bd33ecb5e308513bf8",
+ "search_line": 18
 },
 {
 "queryName": "CVM Instance Using Default Security Group",
 "severity": "LOW",
 "line": 18,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "tencentcloud_instance",
+ "resourceName": "cvm_postpaid",
+ "searchKey": "tencentcloud_instance[cvm_postpaid].security_groups",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_instance[cvm_postpaid].security_groups should not contain 'default'",
+ "actualValue": "tencentcloud_instance[cvm_postpaid].security_groups contains 'default'",
+ "issueType": "IncorrectValue",
+ "similarityID": "0d5e3459c5ce2552a5575b25fbc0cebcd4e1c06e097f7129c936922672023510",
+ "search_line": 18
 }
 ]
diff --git a/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/test/positive_expected_result.json
index 7f70cb7a4d3..ee7fb45bfa5 100644
--- a/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/test/positive_expected_result.json
+++ b/assets/queries/terraform/tencentcloud/cvm_instance_using_default_vpc/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "CVM Instance Using Default VPC",
 "severity": "LOW",
 "line": 22,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "tencentcloud_instance",
+ "resourceName": "cvm_postpaid",
+ "searchKey": "tencentcloud_instance[cvm_postpaid].vpc_id",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_instance[cvm_postpaid].vpc_id should not contain 'default'",
+ "actualValue": "tencentcloud_instance[cvm_postpaid].vpc_id contains 'default'",
+ "issueType": "IncorrectValue",
+ "similarityID": "77eed246a60c4e48a446a8950e869310511684750e23706895c39b74b34b4b37",
+ "search_line": 22
 },
 {
 "queryName": "CVM Instance Using Default VPC",
 "severity": "LOW",
 "line": 23,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "tencentcloud_instance",
+ "resourceName": "cvm_postpaid",
+ "searchKey": "tencentcloud_instance[cvm_postpaid].subnet_id",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_instance[cvm_postpaid].subnet_id should not be associated with a default Subnet",
+ "actualValue": "tencentcloud_instance[cvm_postpaid].subnet_id is associated with a default Subnet",
+ "issueType": "IncorrectValue",
+ "similarityID": "c82d862470294de103098a9cfa97793cde3e0b88033c3adda5d9e1553e4d163e",
+ "search_line": 23
 }
 ]
diff --git a/assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/test/positive_expected_result.json
index b65024bc18b..d3373ff7fb7 100644
--- a/assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/test/positive_expected_result.json
+++ b/assets/queries/terraform/tencentcloud/cvm_instance_using_user_data/test/positive_expected_result.json
@@ -3,24 +3,60 @@
 "queryName": "CVM Instance Using User Data",
 "severity": "LOW",
 "line": 41,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "tencentcloud_instance",
+ "resourceName": "cvm_postpaid",
+ "searchKey": "tencentcloud_instance[cvm_postpaid].user_data",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_instance[cvm_postpaid] should be using 'cam_role_name' to assign a role with permissions",
+ "actualValue": "tencentcloud_instance[cvm_postpaid].user_data is being used to configure API secret keys",
+ "issueType": "IncorrectValue",
+ "similarityID": "dc270f3e57a8a3091254a5f9c60772929435cb2a19e97446dea0769221c011eb",
+ "search_line": -1
 },
 {
 "queryName": "CVM Instance Using User Data",
 "severity": "LOW",
 "line": 41,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "tencentcloud_instance",
+ "resourceName": "cvm_postpaid",
+ "searchKey": "tencentcloud_instance[cvm_postpaid].user_data",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_instance[cvm_postpaid] should be using 'cam_role_name' to assign a role with permissions",
+ "actualValue": "tencentcloud_instance[cvm_postpaid].user_data is being used to configure API secret keys",
+ "issueType": "IncorrectValue",
+ "similarityID": "b23462295941b4fa7ceb3b65b7d39dbfbc150649a5d722c587c9b48eb4b15faa",
+ "search_line": -1
 },
 {
 "queryName": "CVM Instance Using User Data",
 "severity": "LOW",
 "line": 41,
- "fileName": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "tencentcloud_instance",
+ "resourceName": "cvm_postpaid",
+ "searchKey": "tencentcloud_instance[cvm_postpaid].user_data",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_instance[cvm_postpaid] should be using 'cam_role_name' to assign a role with permissions",
+ "actualValue": "tencentcloud_instance[cvm_postpaid].user_data is being used to configure API secret keys",
+ "issueType": "IncorrectValue",
+ "similarityID":
"e6d4eb288956e7f68ee52aed974b29cba7ad749e116ce1c24f3b997261b0f36c",
+ "search_line": -1
 },
 {
 "queryName": "CVM Instance Using User Data",
 "severity": "LOW",
 "line": 41,
- "fileName": "positive4.tf"
+ "fileName": "positive4.tf",
+ "resourceType": "tencentcloud_instance",
+ "resourceName": "cvm_postpaid",
+ "searchKey": "tencentcloud_instance[cvm_postpaid].user_data",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_instance[cvm_postpaid] should be using 'cam_role_name' to assign a role with permissions",
+ "actualValue": "tencentcloud_instance[cvm_postpaid].user_data is being used to configure API secret keys",
+ "issueType": "IncorrectValue",
+ "similarityID": "59338ca93845fe936a2b5e0edfaaa86943ced16e99a3b3af196cecbf916d798f",
+ "search_line": -1
 }
 ]
diff --git a/assets/queries/terraform/tencentcloud/disk_encryption_disabled/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/disk_encryption_disabled/test/positive_expected_result.json
index 7ff48719112..5f2e6e8ce5b 100644
--- a/assets/queries/terraform/tencentcloud/disk_encryption_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/tencentcloud/disk_encryption_disabled/test/positive_expected_result.json
@@ -2,13 +2,31 @@
 {
 "queryName": "Disk Encryption Disabled",
 "severity": "MEDIUM",
- "line": 6,
- "fileName": "positive2.tf"
+ "line": 1,
+ "fileName": "positive1.tf",
+ "resourceType": "tencentcloud_cbs_storage",
+ "resourceName": "encrytion_positive1",
+ "searchKey": "tencentcloud_cbs_storage[encrytion_positive1]",
+ "searchValue": "",
+ "expectedValue": "[encrytion_positive1] has encryption enabled",
+ "actualValue": "[encrytion_positive1] does not have encryption enabled",
+ "issueType": "MissingAttribute",
+ "similarityID": "3887846af73414d52a22d6446f0ffa00b700d160be3455f6dc174ae39535b8f5",
+ "search_line": 1
 },
 {
 "queryName": "Disk Encryption Disabled",
 "severity": "MEDIUM",
- "line": 1,
- "fileName": "positive1.tf"
+ "line": 6,
+ "fileName": "positive2.tf",
+ "resourceType": "tencentcloud_cbs_storage",
+ "resourceName": "encrytion_positive2",
+ "searchKey": "tencentcloud_cbs_storage[encrytion_positive2].encrypt",
+ "searchValue": "",
+ "expectedValue": "[encrytion_positive2] has encryption set to true",
+ "actualValue": "[encrytion_positive2] has encryption set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "051d0e020a47bea1f5e58ca1c5931f0eea1dddcf3c8b9bdf3872ac9cacea9097",
+ "search_line": 6
 }
 ]
diff --git a/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/test/positive_expected_result.json
index d75322bb8b9..ac0667ea7c9 100644
--- a/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/test/positive_expected_result.json
+++ b/assets/queries/terraform/tencentcloud/security_group_rule_set_accepts_all_traffic/test/positive_expected_result.json
@@ -3,24 +3,60 @@
 "queryName": "Security Group Rule Set Accepts All Traffic",
 "severity": "HIGH",
 "line": 9,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "tencentcloud_security_group_rule_set",
+ "resourceName": "base",
+ "searchKey": "tencentcloud_security_group_rule_set[base].ingress",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_security_group_rule_set[base] ingress should not be set to accept all traffic",
+ "actualValue": "tencentcloud_security_group_rule_set[base] ingress is set to accept all traffic",
+ "issueType": "IncorrectValue",
+ "similarityID": "f79f0199dae607b84dd067ce4445c3e7d3b98ede725a34cfec282fe26d00c233",
+ "search_line": 9
 },
 {
 "queryName": "Security Group Rule Set Accepts All Traffic",
 "severity": "HIGH",
 "line": 9,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "tencentcloud_security_group_rule_set",
+ "resourceName": "base",
+ "searchKey": "tencentcloud_security_group_rule_set[base].ingress",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_security_group_rule_set[base] ingress should not be set to accept all traffic",
+ "actualValue": "tencentcloud_security_group_rule_set[base] ingress accept all traffic",
+ "issueType": "IncorrectValue",
+ "similarityID": "757dff72cafab87a8163956e606fe9b015184f1a14caee97fe274af9d307aee4",
+ "search_line": 9
 },
 {
 "queryName": "Security Group Rule Set Accepts All Traffic",
 "severity": "HIGH",
 "line": 9,
- "fileName": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "tencentcloud_security_group_rule_set",
+ "resourceName": "base",
+ "searchKey": "tencentcloud_security_group_rule_set[base].ingress",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_security_group_rule_set[base] ingress should not set accept all traffic",
+ "actualValue": "tencentcloud_security_group_rule_set[base] ingress accept all traffic",
+ "issueType": "IncorrectValue",
+ "similarityID":
"df3c26e5028677e9b4995a35e27a10d971d03772f41f9c1e7134829b7a50096c",
+ "search_line": 9
 },
 {
 "queryName": "Security Group Rule Set Accepts All Traffic",
 "severity": "HIGH",
 "line": 9,
- "fileName": "positive4.tf"
+ "fileName": "positive4.tf",
+ "resourceType": "tencentcloud_security_group_rule_set",
+ "resourceName": "base",
+ "searchKey": "tencentcloud_security_group_rule_set[base].ingress",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_security_group_rule_set[base] ingress should not be set to accept all traffic",
+ "actualValue": "tencentcloud_security_group_rule_set[base] ingress is set to accept all traffic",
+ "issueType": "IncorrectValue",
+ "similarityID": "e9a229e2b6074f01619b366c7ef54b93b93e044db409bcddf185e6c628bd37cb",
+ "search_line": 9
 }
 ]
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/positive_expected_result.json
index 836133453de..761d18d1590 100644
--- a/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_encryption_protection_disabled/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "TKE Cluster Encryption Protection Disabled",
 "severity": "HIGH",
 "line": 6,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": "none_encryption_protection",
+ "searchKey": "tencentcloud_kubernetes_cluster[none_encryption_protection]",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_kubernetes_cluster[none_encryption_protection] should have 'tencentcloud_kubernetes_encryption_protection' enabled",
+ "actualValue": "tencentcloud_kubernetes_cluster[none_encryption_protection] does not have 'tencentcloud_kubernetes_encryption_protection' enabled or is undefined",
+ "issueType": "MissingAttribute",
+ "similarityID": "e0bc02c474a0e42ba6204f42d394558ab18c681dc3ebff43c387b6c643a743c5",
+ "search_line": 6
 }
 ]
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive_expected_result.json
index d1b2cf1e2a6..a84f5d46954 100644
--- a/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive_expected_result.json
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_has_public_access/test/positive_expected_result.json
@@ -3,72 +3,180 @@
 "queryName": "TKE Cluster Has Public Access",
 "severity": "MEDIUM",
 "line": 63,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": "example",
+ "searchKey": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned should be equal to 'false'",
+ "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned is equal to 'true'",
+ "issueType": "IncorrectValue",
+ "similarityID": "828b538c5ac97b8f33a6777b500dbc7dca55e72ba6bdecc9f8bd982b24a92979",
+ "search_line": 63
 },
 {
 "queryName": "TKE Cluster Has Public Access",
 "severity": "MEDIUM",
 "line": 84,
- "fileName": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": "example",
+ "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned should equal 'false'",
+ "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned is equal 'true'",
+ "issueType": "IncorrectValue",
+ "similarityID": "852a11865d9994e9e983d2fcf3a8456e5e5aceeec6cadc4ded0289838bffbc1d",
+ "search_line": 84
 },
 {
 "queryName": "TKE Cluster Has Public Access",
 "severity": "MEDIUM",
 "line": 62,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": "example",
+ "searchKey": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out should equal '0' or undefined",
+ "actualValue":
"tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out is not equal '0'",
+ "issueType": "IncorrectValue",
+ "similarityID": "c7d2c438c3e039d1684986a14fa3b2ab3dcafb180fb394db8c83eb3a3012cd53",
+ "search_line": 62
 },
 {
 "queryName": "TKE Cluster Has Public Access",
 "severity": "MEDIUM",
 "line": 83,
- "fileName": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": "example",
+ "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out should equal '0' or undefined",
+ "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out is defined and not equal to '0'",
+ "issueType": "IncorrectValue",
+ "similarityID": "d869818092f7f431ca944fb7990ae510cc41b507bc4246872594754d83ce28af",
+ "search_line": 83
 },
 {
 "queryName": "TKE Cluster Has Public Access",
 "severity": "MEDIUM",
 "line": 63,
- "fileName": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": "example",
+ "searchKey": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned should be equal to 'false'",
+ "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned is equal 'true'",
+ "issueType": "IncorrectValue",
+ "similarityID": "747fa47454523f2f97f32a7b46d574351b74fed890957720eefbfa884cce1b73",
+ "search_line": 63
 },
 {
 "queryName": "TKE Cluster Has Public Access",
 "severity": "MEDIUM",
 "line": 84,
- "fileName": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": "example",
+ "searchKey":
"tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned should be equal to 'false'",
+ "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.public_ip_assigned is equal 'true'",
+ "issueType": "IncorrectValue",
+ "similarityID": "0cf7d0861b7fcbb8ebd04f982599228ffad9cba9bf9897f45696e67cf4af2c96",
+ "search_line": 84
 },
 {
 "queryName": "TKE Cluster Has Public Access",
 "severity": "MEDIUM",
 "line": 105,
- "fileName": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": "example",
+ "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned should equal 'false'",
+ "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned is equal 'true'",
+ "issueType": "IncorrectValue",
+ "similarityID": "eda8da2fd493c7f94b2b53c384f3546f0fbdd1bb1893fb9e8a4a294d9923f6e0",
+ "search_line": 105
 },
 {
 "queryName": "TKE Cluster Has Public Access",
 "severity": "MEDIUM",
 "line": 126,
- "fileName": "positive3.tf"
+ "fileName": "positive3.tf",
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": "example",
+ "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned should equal 'false'",
+ "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.public_ip_assigned is equal 'true'",
+ "issueType": "IncorrectValue",
+ "similarityID": "c3682b0b36ce06178ac3d663317f0c26b206bf6faa300c1d0314822343b90092",
+ "search_line": 126
 },
 {
 "queryName": "TKE Cluster Has Public Access",
 "severity": "MEDIUM",
 "line": 62,
- "fileName": "positive4.tf"
+
"fileName": "positive4.tf",
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": "example",
+ "searchKey": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out should equal '0' or null",
+ "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out is not equal '0'",
+ "issueType": "IncorrectValue",
+ "similarityID": "50067e6013c76288d563377a6579325ac044b19a32b63ea867d220fa2ab45abf",
+ "search_line": 62
 },
 {
 "queryName": "TKE Cluster Has Public Access",
 "severity": "MEDIUM",
 "line": 83,
- "fileName": "positive4.tf"
+ "fileName": "positive4.tf",
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": "example",
+ "searchKey": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out should equal '0' or null",
+ "actualValue": "tencentcloud_kubernetes_cluster[example].master_config.internet_max_bandwidth_out is not equal '0'",
+ "issueType": "IncorrectValue",
+ "similarityID": "3735ef22f028b8bd654065dd02c73a31896715b7fc91d833d444f61bfb44bf3d",
+ "search_line": 83
 },
 {
 "queryName": "TKE Cluster Has Public Access",
 "severity": "MEDIUM",
 "line": 104,
- "fileName": "positive4.tf"
+ "fileName": "positive4.tf",
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": "example",
+ "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out should be equal to '0' or null",
+ "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out is defined and not equal to '0'",
+ "issueType":
"IncorrectValue",
+ "similarityID": "2b10eb140cee1f280ad08ef8910f5bc3ab5ceec29ed224e796e5928514178ba3",
+ "search_line": 104
 },
 {
 "queryName": "TKE Cluster Has Public Access",
 "severity": "MEDIUM",
 "line": 124,
- "fileName": "positive4.tf"
+ "fileName": "positive4.tf",
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": "example",
+ "searchKey": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out should be equal to '0' or null",
+ "actualValue": "tencentcloud_kubernetes_cluster[example].worker_config.internet_max_bandwidth_out is defined and not equal to '0'",
+ "issueType": "IncorrectValue",
+ "similarityID": "aa507a6522fe60618eaba7ae40210dc62a843a231a8287920f0f79d9776cccde",
+ "search_line": 124
 }
 ]
diff --git a/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/positive_expected_result.json
index 70d98bf6e03..53fea8eda8b 100644
--- a/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/tencentcloud/tke_cluster_log_disabled/test/positive_expected_result.json
@@ -3,12 +3,30 @@
 "queryName": "TKE Cluster Log Agent Is Not Enabled",
 "severity": "LOW",
 "line": 39,
- "filename": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": "managed_cluster",
+ "searchKey": "tencentcloud_kubernetes_cluster[managed_cluster].log_agent.enabled",
+ "searchValue": "",
+ "expectedValue": "tencentcloud_kubernetes_cluster[managed_cluster].log_agent.enabled should be set to 'true'",
+ "actualValue": "tencentcloud_kubernetes_cluster[managed_cluster].log_agent.enabled is not set to 'true'",
+ "issueType": "IncorrectValue",
+ "similarityID": "2f6dd3d887e71796c45a002a9bcc05ed76a4d9d973c3b67e7e776e5d55d2bd4b",
+ "search_line": 39
 },
 {
 "queryName": "TKE Cluster Log Agent Is Not Enabled",
 "severity": "LOW",
 "line": 6,
- "filename": "positive2.tf"
+ "fileName": "positive2.tf",
+ "resourceType": "tencentcloud_kubernetes_cluster",
+ "resourceName": "managed_cluster",
+ "searchKey": "tencentcloud_kubernetes_cluster[managed_cluster]",
+ "searchValue": "",
+ "expectedValue": "'log_agent' should be defined and not null",
+ "actualValue": "'log_agent' is undefined or null",
+ "issueType": "MissingAttribute",
+ "similarityID": "3ee697a49b6407c599442bbc3a1a8eec6baa8a5742b8de5007885d08ee4e62c3",
+ "search_line": 6
 }
 ]
diff --git a/assets/queries/terraform/tencentcloud/vpc_flow_log_disabled/test/positive_expected_result.json b/assets/queries/terraform/tencentcloud/vpc_flow_log_disabled/test/positive_expected_result.json
index db64c91d062..c5754948464 100644
--- a/assets/queries/terraform/tencentcloud/vpc_flow_log_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/tencentcloud/vpc_flow_log_disabled/test/positive_expected_result.json
@@ -3,6 +3,15 @@
 "queryName": "VPC Flow Logs Disabled",
 "severity": "LOW",
 "line": 97,
- "filename": "positive1.tf"
+ "fileName": "positive1.tf",
+ "resourceType": "tencentcloud_vpc_flow_log_config",
+ "resourceName": "config",
+ "searchKey": "tencentcloud_vpc_flow_log_config[config].enable",
+ "searchValue": "",
+ "expectedValue": "[config] should have enable set to true",
+ "actualValue": "[config] has enable set to false",
+ "issueType": "IncorrectValue",
+ "similarityID": "302adf368b8d1db78043b2fa7f854b8e689d5b8f1d0f25a32877cff3ded69389",
+ "search_line": 97
 }
 ]
diff --git a/docs/creating-queries.md b/docs/creating-queries.md
index 5471685e7ba..cacdf8ab640 100644
--- a/docs/creating-queries.md
+++ b/docs/creating-queries.md
@@ -297,6 +297,100 @@ If the **query.rego** file implements more than one query, the **metadata.json** } ``` +Filling positive_expected_result.json: + +The `positive_expected_result.json` file is a JSON array where each entry represents a single expected finding from a positive test file. Each entry supports the following fields: + +- `queryName` the name of the query as defined in `metadata.json` +- `severity` the severity level of the finding (`CRITICAL`, `HIGH`, `MEDIUM`, `LOW`, or `INFO`) +- `line` the line number in the positive test file where the vulnerability is detected +- `fileName` the name of the positive test file (e.g., `positive1.tf`, `positive.yaml`) +- `resourceType` the type of the resource flagged by the finding (e.g., `aws_cloudtrail`, `community.aws.elb_application_lb`) +- `resourceName` the name or label of the specific resource instance +- `searchKey` the search key path used by KICS to locate the vulnerability in the original document +- `searchValue` an additional value used to distinguish findings when multiple results point to the same line +- `expectedValue` a description of the expected (secure) value +- `actualValue` a description of the actual (insecure) value detected +- `issueType` the type of issue: `IncorrectValue`, `MissingAttribute`, or `RedundantAttribute` +- `similarityID` a hash that uniquely identifies the finding, used for deduplication and tracking +- `search_line` the search line path used by KICS for line detection; set to `-1` when not applicable + +Example: + +```json +[ + { + "queryName": "Authentication Without MFA", + "severity": "LOW", + "line": 2, + "fileName": "positive.yaml", + "resourceType": "community.aws.sts_assume_role", + "resourceName": "Assume an existing role", + "searchKey": "name={{Assume an existing role}}.{{community.aws.sts_assume_role}}", + "searchValue": "mfa_token", + "expectedValue": "sts_assume_role.mfa_token should be set", + "actualValue": "sts_assume_role.mfa_token is undefined", + 
"issueType": "MissingAttribute", + "similarityID": "0863129177e5f7d0f0fc55d63426f810f58f35c1270b64f4b57fbd1d8a3639cc", + "search_line": 2 + }, + { + "queryName": "Authentication Without MFA", + "severity": "LOW", + "line": 9, + "fileName": "positive.yaml", + "resourceType": "sts_assume_role", + "resourceName": "Hello", + "searchKey": "name={{Hello}}.{{sts_assume_role}}", + "searchValue": "mfa_serial_number", + "expectedValue": "sts_assume_role.mfa_serial_number should be set", + "actualValue": "sts_assume_role.mfa_serial_number is undefined", + "issueType": "MissingAttribute", + "similarityID": "89628f77eee62d856d5523656cdcbc1be1bfca9a1aaed79ffa9871979c947202", + "search_line": 9 + } +] +``` + +Instead of filling this file manually, you can use the helper script provided at `.github/scripts/generate-positive-expected-results/generate_positive_expected_result.py`. The script runs a KICS scan against each positive test file, collects the findings, and produces a correctly formatted `positive_expected_result.json`. + +**Important:** The script must be run from the **script's own directory** (`.github/scripts/generate-positive-expected-results/`), since it resolves the repository root and all other paths relative to its own location. It also requires **Go** to be installed and available in your `PATH`. 
+ +The script supports two modes of operation: + +**Single query mode** — requires both `--queryID` and `--queryPath`: + +```bash +cd .github/scripts/generate-positive-expected-results/ +python generate_positive_expected_result.py \ + --queryID \ + --queryPath +``` + +For example: + +```bash +cd .github/scripts/generate-positive-expected-results/ +python generate_positive_expected_result.py \ + --queryID "8173d5eb-96b5-4aa6-a71b-ecfa153c123d" \ + --queryPath "assets/queries/terraform/aws/cloudtrail_multi_region_disabled" +``` + +**All queries mode** — scans every query under `assets/queries/`: + +```bash +cd .github/scripts/generate-positive-expected-results/ +python generate_positive_expected_result.py --run-all +``` + +| Flag | Required | Description | +|---|---|---| +| `--queryID` | Yes (unless `--run-all`) | The UUID of the query to scan, found in the query's `metadata.json` under the `id` field. | +| `--queryPath` | Yes (unless `--run-all`) | The relative path (from the repository root) to the query directory containing `query.rego` and `metadata.json`. | +| `--run-all` | No | Iterates over all queries under `assets/queries/`, reading each `metadata.json` to obtain the query ID automatically. Mutually exclusive with `--queryID`. | + +The script discovers positive test files in the query's `test/` directory, runs a KICS scan for each one, collects and merges the findings, sorts them by file name, line number, issue type, search key, and similarity ID, and writes the result to `test/positive_expected_result.json`. + Filling query.rego: - `documentId` id of the sample where the vulnerability occurs diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go index 83ac9f8a359..f9d998a99c1 100644 --- a/pkg/analyzer/analyzer.go +++ b/pkg/analyzer/analyzer.go 
@@ -75,6 +75,9 @@ var (
 blueprintRegexProperties = regexp.MustCompile(`("properties"|properties)\s*:`)
 buildahRegex = regexp.MustCompile(`buildah\s*from\s*\w+`)
 dockerComposeServicesRegex = regexp.MustCompile(`services\s*:[\w\W]+(image|build)\s*:`)
+ cniK8sNameRegex = regexp.MustCompile("\\s*\"?name\"?\\s*:")
+ cniK8sVersionRegex = regexp.MustCompile("\\s*\"?cniVersion\"?\\s*:")
+ cniK8sPluginsRegex = regexp.MustCompile("\\s*\"?plugins\"?\\s*:")
 crossPlaneRegex = regexp.MustCompile(`"?apiVersion"?\s*:\s*(\w+\.)+crossplane\.io/v\w+\s*`)
 knativeRegex = regexp.MustCompile(`"?apiVersion"?\s*:\s*(\w+\.)+knative\.dev/v\w+\s*`)
 pulumiNameRegex = regexp.MustCompile(`name\s*:`)
@@ -123,7 +126,7 @@ var (
 "crossplane": {"crossplane"},
 "dockercompose": {"dockercompose"},
 "knative": {"knative"},
- "kubernetes": {"kubernetes"},
+ "kubernetes": {"kubernetes", "cniK8s"},
 "openapi": {"openapi"},
 "terraform": {"terraform", "cdkTf"},
 "pulumi": {"pulumi"},
@@ -287,6 +290,13 @@ var types = map[string]regexSlice{
 cicdStepsRegex,
 },
 },
+ "cniK8s": {
+ regex: []*regexp.Regexp{
+ cniK8sNameRegex,
+ cniK8sVersionRegex,
+ cniK8sPluginsRegex,
+ },
+ },
 }
 
 // region blacklisted platforms
@@ -597,6 +607,9 @@ func checkReturnType(path, returnType, ext string, content []byte) string {
 if returnType == "cdkTf" {
 return terraform
 }
+ if returnType == "cniK8s" {
+ return kubernetes
+ }
 if utils.Contains(returnType, armRegexTypes) {
 return arm
 }
diff --git a/pkg/model/model.go b/pkg/model/model.go
index c8cca5744a7..c826daa061d 100644
--- a/pkg/model/model.go
+++ b/pkg/model/model.go
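Review bot: `cniK8sNameRegex` matches `name:` as a bare substring, so any key that merely ends in "name" (`hostname:`, `"username":`) satisfies it, and all three new patterns are written as interpreted string literals with doubled escapes while every neighbouring pattern in this `var` block uses a raw backtick literal; the leading `\s*` is also a no-op in an unanchored match. Whether the weak name pattern matters depends on how `regexSlice` combines its patterns (all-must-match or any-match), which is outside this hunk — if it is any-match, the new `"cniK8s"` entry would route almost every YAML/JSON file to the kubernetes parser, and `cniVersion` is the only discriminating key of the three. Consider the raw form with a word boundary, `cniK8sNameRegex = regexp.MustCompile(`"?\bname"?\s*:`)`, `cniK8sVersionRegex = regexp.MustCompile(`"?cniVersion"?\s*:`)`, `cniK8sPluginsRegex = regexp.MustCompile(`"?plugins"?\s*:`)`, plus a one-line comment above the group naming what is being detected (a CNI network configuration file, identified by its `cniVersion` and `plugins` keys) so the next reader does not mistake it for generic Kubernetes detection.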
@@ -178,7 +178,7 @@ type Vulnerability struct {
 ResourceName string `db:"resource_name" json:"resourceName"`
 IssueType IssueType `db:"issue_type" json:"issueType"`
 SearchKey string `db:"search_key" json:"searchKey"`
- SearchLine int `db:"search_line" json:"searchLine"`
+ SearchLine int `db:"search_line" json:"search_line"`
 SearchValue string `db:"search_value" json:"searchValue"`
 KeyExpectedValue string `db:"key_expected_value" json:"expectedValue"`
 KeyActualValue string `db:"key_actual_value" json:"actualValue"`
diff --git a/test/main_test.go b/test/main_test.go
index f6df523dcfd..e8cdeb8de8d 100644
--- a/test/main_test.go
+++ b/test/main_test.go
@@ -199,7 +199,7 @@ func getFilesMetadatasWithContent(t testing.TB, filePath string, content []byte)
 for _, parser := range combinedParser {
 docs, err := parser.Parse(filePath, content, true, false, 15)
- for _, document := range docs.Docs {
+ for idx, document := range docs.Docs {
 require.NoError(t, err)
 files = append(files, model.FileMetadata{
 ID: uuid.NewString(),
@@ -211,6 +211,7 @@ func getFilesMetadatasWithContent(t testing.TB, filePath string, content []byte)
 FilePath: filePath,
 LinesOriginalData: utils.SplitLines(docs.Content),
 ResolvedFiles: docs.ResolvedFiles,
+ SubDocumentIndex: idx,
 })
 }
 }
diff --git a/test/queries_test.go b/test/queries_test.go
index 52d2d045c14..e6470c555fe 100644
--- a/test/queries_test.go
+++ b/test/queries_test.go
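Review bot: Changing the `json` tag of `SearchLine` from `searchLine` to `search_line` breaks the camelCase convention every sibling tag on `Vulnerability` follows (`searchKey`, `searchValue`, `expectedValue`, `actualValue`) and, if this struct is what the JSON report serializes, silently renames a field that downstream consumers may already parse. If the only goal is to read the `search_line` key of the `positive_expected_result.json` fixtures, a dedicated expected-result struct in the test package or a custom `UnmarshalJSON` would keep the public report schema stable. If the rename is intentional, a comment on the field, `// json tag is snake_case on purpose: it must match the "search_line" key in test/positive_expected_result.json fixtures`, and a release note flagging the wire-format change would make that explicit.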
@@ -285,16 +285,46 @@ func testQuery(tb testing.TB, entry queryEntry, filesPath []string, expectedVuln
 }
 
 func vulnerabilityCompare(vulnerabilitySlice []model.Vulnerability, i, j int) bool {
- if vulnerabilitySlice[i].FileName != "" {
- compareFile := strings.Compare(filepath.Base(vulnerabilitySlice[i].FileName), filepath.Base(vulnerabilitySlice[j].FileName))
- if compareFile == 0 {
- return vulnerabilitySlice[i].Line < vulnerabilitySlice[j].Line
- } else if compareFile < 0 {
- return true
+ a := vulnerabilitySlice[i]
+ b := vulnerabilitySlice[j]
+
+ if a.FileName != "" {
+ compareFile := strings.Compare(filepath.Base(a.FileName), filepath.Base(b.FileName))
+ if compareFile != 0 {
+ return compareFile < 0
 }
- return false
 }
- return vulnerabilitySlice[i].Line < vulnerabilitySlice[j].Line
+ if a.Line != b.Line {
+ return a.Line < b.Line
+ }
+ if cmp := strings.Compare(a.SearchKey, b.SearchKey); cmp != 0 {
+ return cmp < 0
+ }
+ if cmp := strings.Compare(a.SearchValue, b.SearchValue); cmp != 0 {
+ return cmp < 0
+ }
+ if cmp := strings.Compare(a.ResourceType, b.ResourceType); cmp != 0 {
+ return cmp < 0
+ }
+ if cmp := strings.Compare(a.ResourceName, b.ResourceName); cmp != 0 {
+ return cmp < 0
+ }
+ if cmp := strings.Compare(a.QueryName, b.QueryName); cmp != 0 {
+ return cmp < 0
+ }
+ if cmp := strings.Compare(a.KeyExpectedValue, b.KeyExpectedValue); cmp != 0 {
+ return cmp < 0
+ }
+ if cmp := strings.Compare(a.KeyActualValue, b.KeyActualValue); cmp != 0 {
+ return cmp < 0
+ }
+ if cmp := strings.Compare(string(a.IssueType), string(b.IssueType)); cmp != 0 {
+ return cmp < 0
+ }
+ if cmp := strings.Compare(a.SimilarityID, b.SimilarityID); cmp != 0 {
+ return cmp < 0
+ }
+ return a.SearchLine < b.SearchLine
 }
 
 func validateQueryResultFields(tb testing.TB, vulnerabilities []model.Vulnerability) {
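Review bot: `vulnerabilityCompare` now fixes a twelve-key ordering but carries no comment saying what that order is or why it is total, and the order it defines (file base name, line, searchKey, searchValue, resourceType, resourceName, queryName, expected value, actual value, issueType, similarityID, search line) differs from the one the docs hunk in this same commit attributes to the generator script (file name, line, issue type, search key, similarity ID). If both `expected` and `actual` are sorted with this comparator before `requireEqualVulnerabilities` walks them index by index, the divergence only affects fixture readability; if only one side is sorted here, fixtures written by the script will not line up with scan output. A doc comment above the function, `// vulnerabilityCompare orders findings by file base name, then line, then every remaining Vulnerability field so that findings on the same line sort deterministically; keep in step with the generator script's sort order.`, would pin the contract either way. The nine identical `strings.Compare` blocks could also collapse into a single `cmp.Or(...)` chain if the module already targets Go 1.22 or later.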
@@ -379,11 +409,20 @@ func requireEqualVulnerabilities(tb testing.TB, expected, actual []model.Vulnera
 require.Equal(tb, expectedItem.Line, actualItem.Line, "Incorrect detected line for query %s \n%v\n---\n%v", dir, filterFileNameAndLine(expected), filterFileNameAndLine(actual))
 require.Equal(tb, expectedItem.Severity, actualItem.Severity, "Invalid severity for query %s", dir)
- require.Equal(tb, expectedItem.QueryName, actualItem.QueryName, "Invalid query name for query %s :: %s", dir, actualItem.FileName)
+ require.Equal(tb, expectedItem.QueryName, actualItem.QueryName, "Invalid query name for query %s :: Actual: %s | Expected: %s", dir, actualItem.FileName)
 if expectedItem.Value != nil {
 require.NotNil(tb, actualItem.Value)
 require.Equal(tb, *expectedItem.Value, *actualItem.Value)
 }
+ require.Equal(tb, expectedItem.ResourceType, actualItem.ResourceType, "Invalid resource type for query %s\n Expected: %s\n Actual: %s", dir, expectedItem.ResourceType, actualItem.ResourceType)
+ require.Equal(tb, expectedItem.ResourceName, actualItem.ResourceName, "Invalid resource name for query %s\n Expected: %s\n Actual: %s", dir, expectedItem.ResourceName, actualItem.ResourceName)
+ require.Equal(tb, expectedItem.SearchKey, actualItem.SearchKey, "Invalid searchKey for query %s\n Expected: %s\n Actual: %s", dir, expectedItem.SearchKey, actualItem.SearchKey)
+ require.Equal(tb, expectedItem.SearchValue, actualItem.SearchValue, "Invalid searchValue for query %s\n Expected: %s\n Actual: %s", dir, expectedItem.SearchValue, actualItem.SearchValue)
+ require.Equal(tb, expectedItem.KeyExpectedValue, actualItem.KeyExpectedValue, "Invalid expected value for query: %s\n Expected: %s\n Actual: %s", dir, expectedItem.KeyExpectedValue, actualItem.KeyExpectedValue)
+ require.Equal(tb, expectedItem.KeyActualValue, actualItem.KeyActualValue, "Invalid actual value for query: %s\n Expected: %s\n Actual: %s", dir, expectedItem.KeyActualValue, actualItem.KeyActualValue)
+ require.Equal(tb, 
expectedItem.IssueType, actualItem.IssueType, "Invalid issue type for query %s\n Expected[%s]%s: %s\n Actual[%s]: %s\n Ex\n", dir, expectedItem.FileName, expectedItem.IssueType, actualItem.FileName, actualItem.IssueType)
+ require.Equal(tb, expectedItem.SimilarityID, actualItem.SimilarityID, "Invalid similarity id for query %s\n Expected: %s\n Actual: %s", dir, expectedItem.SimilarityID, actualItem.SimilarityID)
+ require.Equal(tb, expectedItem.SearchLine, actualItem.SearchLine, "Invalid search line for query %s\n Expected: %s\n Actual: %s", dir, expectedItem.SearchLine, actualItem.SearchLine)
 }
 }
@@ -401,4 +440,4 @@ func filterFileNameAndLine(vulnerabilitySlice []model.Vulnerability) []ResultIte
 })
 }
 return result
-}
+}
\ No newline at end of file
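Review bot: Three of the new failure messages in `requireEqualVulnerabilities` have format verbs that do not match their arguments, so a failing assertion prints `%!s(MISSING)` / `%!s(int=…)` noise instead of the values a developer needs: the `QueryName` line has three `%s` verbs but only two arguments (and labels `Actual`/`Expected` while passing `actualItem.FileName`), the `IssueType` line has six verbs for five arguments plus a stray `Ex\n` at the end, and the `SearchLine` line formats two `int` values with `%s`. testify's `msgAndArgs` is not a printf-style signature, so `go vet` will not flag these; the fix is `"Invalid query name for query %s :: Actual: %s | Expected: %s", dir, actualItem.QueryName, expectedItem.QueryName`, `"Invalid issue type for query %s\n Expected[%s]: %s\n Actual[%s]: %s", dir, expectedItem.FileName, expectedItem.IssueType, actualItem.FileName, actualItem.IssueType`, and `"Invalid search line for query %s\n Expected: %d\n Actual: %d", dir, expectedItem.SearchLine, actualItem.SearchLine`. The enclosing loop and function start before this hunk.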